-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, October 19, 2004 8:37 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] groups vs attributes

Personally, I think they should have a look at why their queries take longer than they want. Likely they are checking the memberOf attribute to find out what the group membership is, right?

I think they could use an attribute, but I think that's not guaranteed to be faster either. I think they also may want to consider what the administrative and troubleshooting overhead is if they use an attribute vs. a group membership (why aren't they using Active Directory security again?).

That's the way I think though :)
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Tuesday, October 19, 2004 9:21 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] groups vs attributes

As our developers (as well as our 3rd party vendors) continue to create apps that leverage AD, the question comes up frequently: which is a better solution, to search AD for a group membership, or for the value of a given attribute, when validating a user's access to a custom application?

Our "standard" has been to use universal groups for this sort of thing, that is, UserA can access the application if he is a member of the appropriate universal group. However, our developers have discovered in their ad hoc queries that returning a list of users that have a given value assigned to a custom attribute is much faster than returning a list of users that are members of a universal group. So they are asking, shouldn't we be adding a custom attribute when an application requires a validation that a user can access the application, rather than using a group membership?
Any notes from the field would be much appreciated!
Systems Engineer
Cintas Corporation
The Service Professionals
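The two queries Mark's developers are comparing, and the memberOf check Al refers to, side by side as an added example (this is not code from the thread or from any of the posters). The DNs, the example.com domain and the sample directory are constructed for illustration, and extensionAttribute1 stands in for whatever custom attribute the application would use. The example builds both LDAP filters with RFC 4515 escaping of the interpolated values, then runs both checks against the constructed directory to show where their answers differ: a memberOf filter sees direct members only, while the application usually means "member, including through nested groups".

```python
"""Group membership vs. custom attribute as an authorization check against AD.

Added example, not code from the thread.  DNs, users and the directory below
are constructed; extensionAttribute1 stands in for "a custom attribute".
"""

import re

# RFC 4515: these characters must be escaped in any value an application
# interpolates into a filter, or a request-supplied value such as
# "*)(objectClass=*" rewrites the authorization query.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
_ATTR_NAME = re.compile(r"[A-Za-z][A-Za-z0-9-]*\Z")


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def group_member_filter(group_dn: str) -> str:
    """Filter for users whose memberOf back-link names the group.

    memberOf reflects direct membership only: it does not expand nested groups
    and does not include the user's primary group (primaryGroupID).
    """
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(memberOf={escape_filter_value(group_dn)}))")


def attribute_filter(attr: str, value: str) -> str:
    """Filter for users whose custom attribute carries the application's marker."""
    if not _ATTR_NAME.match(attr):
        raise ValueError(f"not a valid attribute name: {attr!r}")
    return ("(&(objectCategory=person)(objectClass=user)"
            f"({attr}={escape_filter_value(value)}))")


# Constructed sample directory, keyed by DN.  bob is authorized only through
# the nested Finance group; carol carries the attribute but is in no group.
APP_GROUP = "CN=App1-Users,OU=Groups,DC=example,DC=com"
NESTED_GROUP = "CN=Finance,OU=Groups,DC=example,DC=com"
SAMPLE_DIRECTORY = {
    "CN=alice,OU=Users,DC=example,DC=com": {
        "objectClass": "user", "sAMAccountName": "alice",
        "memberOf": [APP_GROUP], "extensionAttribute1": "app1"},
    "CN=bob,OU=Users,DC=example,DC=com": {
        "objectClass": "user", "sAMAccountName": "bob",
        "memberOf": [NESTED_GROUP], "extensionAttribute1": ""},
    "CN=carol,OU=Users,DC=example,DC=com": {
        "objectClass": "user", "sAMAccountName": "carol",
        "memberOf": [], "extensionAttribute1": "app1"},
    APP_GROUP: {"objectClass": "group",
                "member": ["CN=alice,OU=Users,DC=example,DC=com", NESTED_GROUP]},
    NESTED_GROUP: {"objectClass": "group",
                   "member": ["CN=bob,OU=Users,DC=example,DC=com"]},
}


def _users(directory):
    return (e for e in directory.values() if e["objectClass"] == "user")


def direct_members(directory, group_dn: str) -> list:
    """What (memberOf=<group>) returns.  DNs compare case-insensitively in AD."""
    target = group_dn.casefold()
    return sorted(e["sAMAccountName"] for e in _users(directory)
                  if any(g.casefold() == target for g in e.get("memberOf", [])))


def transitive_members(directory, group_dn: str) -> list:
    """Expand nested groups by following member links, with cycle protection.

    This is what "is the user in the group" usually means to the application;
    the memberOf filter alone misses bob.
    """
    index = {dn.casefold(): entry for dn, entry in directory.items()}
    seen, stack, users = set(), [group_dn.casefold()], set()
    while stack:
        dn = stack.pop()
        if dn in seen:
            continue
        seen.add(dn)
        entry = index.get(dn)
        if entry is None:
            continue                      # dangling member link
        if entry["objectClass"] == "user":
            users.add(entry["sAMAccountName"])
        else:
            stack.extend(m.casefold() for m in entry.get("member", []))
    return sorted(users)


def users_with_attribute(directory, attr: str, value: str) -> list:
    """What (<attr>=<value>) returns: a flat string match, nothing to expand."""
    return sorted(e["sAMAccountName"] for e in _users(directory)
                  if e.get(attr, "").casefold() == value.casefold())


if __name__ == "__main__":
    print(group_member_filter(APP_GROUP))
    print(attribute_filter("extensionAttribute1", "app1"))
    print("memberOf filter  :", direct_members(SAMPLE_DIRECTORY, APP_GROUP))
    print("nested expansion :", transitive_members(SAMPLE_DIRECTORY, APP_GROUP))
    print("attribute filter :", users_with_attribute(SAMPLE_DIRECTORY, "extensionAttribute1", "app1"))
```

Two practical points fall out of this. First, whichever check the application uses, the group DN or attribute value it puts into the filter must be escaped; an unescaped value is an LDAP injection into the authorization decision. Second, the attribute match is a flat string comparison with nothing to expand, whereas the group check is only complete once nested membership is followed, so the "attribute is faster" observation is partly a comparison between a flat lookup and an incomplete one.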
Al -

Could you elaborate on the comment "why aren't they using Active Directory security again?"? When I read Mark's question I assumed (maybe incorrectly) that these were apps on external systems that simply used AD as an LDAP server, and made access-control decisions based on group membership. We have several such apps here... Are you advocating another approach that's more in line with ACLs on AD objects? Or something else? Maybe I'm reading too much into the comment, but I'm very curious, since I've struggled with some of these issues in the past...

Anyhow, Mark, for what it's worth on the groups vs attributes thing, one reason to stick with groups is the reality that applications come and go. A few years from now when the shiny new app is retired, you can just delete the groups (or reuse them for the replacement app). If you create and populate a bunch of app-specific attributes, chances are good that they will never get cleaned up. Another reason is that granting access to resources via group membership is a well-understood concept, and you likely have defined processes and tools to do so. Managing custom attributes will involve some code, very likely buried in the admin interface of the associated application. The palatability of that probably depends a great deal on how you manage administration and audit of access to these applications.

Dave
