RE: [ActiveDir] groups vs attributes

[Mulnick, Al]

Title: Message

David, see Gil's post.  That's what I had in mind but he articulates the idea better than I was going to I'm sure ;)

 

Al

---

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Tuesday, October 19, 2004 11:55 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] groups vs attributes

Al - could you elaborate on the comment "why aren't they using Active Directory security again?" ?  When I read Mark's question I assumed (maybe incorrectly) that these were apps on external systems that simply used AD as an LDAP server, and made access-control decisions based on group membership.  We have several such apps here...

 

Are you advocating another approach that's more in line with ACLs on AD objects ?  Or something else ?  Maybe I'm reading too much into the comment, but I'm very curious, since I've struggled with some of these issues in the past...

 

Anyhow, Mark, for what its worth on the groups vs attributes thing, one reason to stick with groups is the reality that applications come and go.  A few years from now when the shiny new app is retired, you can just delete the groups (or reuse them for the replacement app).  If you create and populate a bunch of app-specific attributes, chances are good that they will never get cleaned up.  Another reason is that granting access to resources via group membership is a well-understood concept, and you likely have defined processes and tools to do so.  Managing custom attributes will involve some code, very likely buried in the admin interface of the associated application.  The palatability of that probably depends a great deal on how you manage administration and audit of access to these applications.

 

Dave

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, October 19, 2004 8:37 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] groups vs attributes

Personally, I think they should have a look at why their queries take longer than they want.  Likely they are checking the memberof attribute to find out what the group membership is, right?

 

I think they could use an attribute, but I think that's not guaranteed to be faster either.  I think they also may want to consider what the administrative and troubleshooting overhead is if they use an attribute vs. a group membership (why aren't they using Active Directory security again?).

 

That's the way I think though :)

---

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Tuesday, October 19, 2004 9:21 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] groups vs attributes

As our developers (as well as our 3^rd party vendors) continue to create apps that leverage AD, the question comes up frequently - which is a better solution...to search AD for a group membership, or for the value of a given attribute, when validating a user's access to a custom application?

Our "standard" has been to use universal groups for this sort of thing, that is, UserA can access the application, if he is a member of the appropriate universal group. However, our developers have discovered in their ad hoc queries that returning a list of users that have a given value assigned to a custom attribute is much faster that returning a list of users that are members of a universal group. So they are asking, shouldn't we be adding a custom attribute when an application requires a validation that a user can access the application, rather than using a group membership?

Any notes from the field would be much appreciated!

Mark Creamer

Systems Engineer

Cintas Corporation

The Service Professionals