Title: groups vs attributes
This thread went all over the place so I came back to the original post. Right off I am assuming LDAP based apps not running on MS Platform. If they are running on MS, have them look at the azman stuff.
I would ask the developers specifically what they are doing. Most likely they aren't doing it correctly. I hit this on a near weekly basis at one of my previous gigs. You have had several answers along this line already and they are right. Make the developers show you specifically how they are doing what they are doing and you will probably see why it is slower. For the specific purpose you outline below, to verify if a specific user can access an app, querying the group membership for the user should be trivial unless you allow nesting, at which point it could get painful. It could also be painful if you have to check various DLGs in different domains. If they are gathering a list of all users who have access to an app, make sure they are querying the group's member attribute instead of the memberOf of the users. I had some WebSphere folks do that once and their app was pretty slow from it, as you can imagine....
I can see the advantage of having your own attrib for app. However, as others have mentioned, this will get out of control. If they truly need this, push it to an entry linked in an AD/AM or possibly have a single indexed MV attribute and have each app have a unique value they can have in that attribute. Of course security on that is fun because you can have someone who can manipulate it or not manipulate it; they can't just add one value. That is when provisioning systems come into play.
joe
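A Python sketch of the searches joe describes (per-user membership check, reading the group's member attribute, and the single indexed multi-valued attribute), added here and not from the thread. It only builds the search parameters, makes no connection, and assumes made-up DNs and a hypothetical custom attribute named appAccess; the filter escaping is what keeps an app-supplied name from rewriting the query.

```python
"""Build the AD/LDAP searches from the thread with RFC 4515 escaping so
an app-supplied user name or DN cannot alter the filter. Added example:
'appAccess' and every DN below are made-up placeholders."""

# AD matching rule OID for transitive (nested) membership; real value.
IN_CHAIN = "1.2.840.113556.1.4.1941"


def esc(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def user_in_group(group_dn: str, user_dn: str, nested: bool = False) -> dict:
    """Cheap yes/no check: base-scoped search on the group object itself.
    With nested=True the server resolves nesting via LDAP_MATCHING_RULE_IN_CHAIN,
    so the app never walks memberOf chains client-side."""
    attr = f"member:{IN_CHAIN}:" if nested else "member"
    return {"base": group_dn, "scope": "base",
            "filter": f"({attr}={esc(user_dn)})", "attributes": ["1.1"]}


def group_members(group_dn: str, page: int = 0, step: int = 1500) -> dict:
    """List everyone with access by reading the group's member attribute,
    not by searching every user's memberOf. AD returns large multi-valued
    attributes in ranges (member;range=0-1499 by default), so page through."""
    lo = page * step
    return {"base": group_dn, "scope": "base", "filter": "(objectClass=group)",
            "attributes": [f"member;range={lo}-{lo + step - 1}"]}


def users_with_app_value(users_base: str, app_id: str,
                         attr: str = "appAccess") -> dict:
    """joe's alternative: one indexed MV attribute, one value per app.
    An equality match on an indexed attribute is what makes this fast."""
    return {"base": users_base, "scope": "subtree",
            "filter": f"(&(objectCategory=person)({attr}={esc(app_id)}))",
            "attributes": ["sAMAccountName"]}
```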
As our developers (as well as our 3rd party vendors) continue to create apps that leverage AD, the question comes up frequently – which is a better solution…to search AD for a group membership, or for the value of a given attribute, when validating a user’s access to a custom application?
Our “standard” has been to use universal groups for this sort of thing, that is, UserA can access the application if he is a member of the appropriate universal group. However, our developers have discovered in their ad hoc queries that returning a list of users that have a given value assigned to a custom attribute is much faster than returning a list of users that are members of a universal group. So they are asking, shouldn’t we be adding a custom attribute when an application requires a validation that a user can access the application, rather than using a group membership?
Any notes from the field would be much appreciated!
Mark Creamer
Systems Engineer
Cintas Corporation
The Service Professionals