Well, here's what I do. 

I use Active Directory groups to manage access to different areas of our
intranet.  There are a few instances where I create pseudo groups from
our main business system, but in the near future, that's going to change
to use Active Directory as well.

I have an OU, in AD, that contains all groups used for security on my
web site.  If someone needs access to an area, then several people in
our dept can add them.  Eventually, I will create an interface so that
the primary contacts, across campus, can determine, themselves, who has
access to their online resources.  I use the "managedBy" attribute to
tell who is the group's primary contact.

(We have quite a bit of turnover, but accounts don't always get removed
from security groups as they should.  By putting some of the group
administration in the hands of the dept heads, they can help keep our AD
up-to-date.)

When a user logs in, I query AD using CFLDAP.  I store their group
membership in an array, or query object, in their session scope.  Then,
where needed, I only have to call a single function that accepts
multiple roles.

It goes something like this:

<cfif isUserInGroup("group1,group2,groupn")>

Most of the intranet is read-only content.  However, there are a few
areas where some people have more access to the data.  In those cases,
I only have to create a new domain group and add them.

It has worked great for the last few years and I'm getting ready to do
the same thing on the redesign of our intranet.

M!ke
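A fuller version of the pattern described in the post, written as an added example rather than code taken from M!ke's message: a login-time CFLDAP lookup of the user's `memberOf` attribute, cached in the session, and the `isUserInGroup()` check that pages call with a comma-separated list of roles. The server name `dc01.example.local`, the domain `example.local`, the OU `Web Security Groups`, the group names, and the helper names `ldapEscape`/`loadUserGroups` are all assumptions for illustration.

```cfml
<!--- Added example (not from the original post). Server, domain, OU and
      group names are placeholders; adjust them to your own directory. --->

<cffunction name="ldapEscape" returntype="string" output="false">
    <!--- Escape a value before placing it inside an LDAP search filter
          (RFC 4515), so a login name cannot alter the filter's meaning. --->
    <cfargument name="value" type="string" required="true">
    <cfset var out = replace(arguments.value, "\", "\5c", "all")>
    <cfset out = replace(out, "*", "\2a", "all")>
    <cfset out = replace(out, "(", "\28", "all")>
    <cfset out = replace(out, ")", "\29", "all")>
    <cfset out = replace(out, chr(0), "\00", "all")>
    <cfreturn out>
</cffunction>

<cffunction name="loadUserGroups" returntype="struct" output="false">
    <!--- Bind to AD as the user (this is what validates the password),
          then read the user's memberOf attribute. Returns a struct keyed
          by group CN; struct keys are case-insensitive, matching AD. --->
    <cfargument name="username" type="string" required="true">
    <cfargument name="password" type="string" required="true">
    <cfset var groups = structNew()>
    <cfset var dn = "">
    <cfset var qUser = "">

    <!--- An empty password would make AD accept an anonymous bind, which
          would look like a successful login. Refuse it up front. --->
    <cfif NOT len(arguments.password)>
        <cfthrow type="Login.EmptyPassword" message="Password required">
    </cfif>

    <cfldap action="query"
            server="dc01.example.local"
            port="389"
            username="#arguments.username#@example.local"
            password="#arguments.password#"
            start="dc=example,dc=local"
            scope="subtree"
            filter="(&(objectClass=user)(sAMAccountName=#ldapEscape(arguments.username)#))"
            attributes="memberOf"
            separator="|"
            name="qUser">

    <cfif qUser.recordCount EQ 0>
        <cfreturn groups>
    </cfif>

    <!--- memberOf is multi-valued; CFLDAP joins the values with 'separator'.
          The default separator is a comma, which collides with the commas
          inside every DN, so a pipe is used here instead.
          Only groups under the web-security OU are kept. The CN is taken
          from the first RDN; a CN containing an escaped comma would need
          a real DN parser. --->
    <cfloop list="#qUser.memberOf#" index="dn" delimiters="|">
        <cfif findNoCase("ou=Web Security Groups,", dn)>
            <cfset groups[replaceNoCase(listFirst(dn, ","), "cn=", "")] = dn>
        </cfif>
    </cfloop>
    <cfreturn groups>
</cffunction>

<cffunction name="isUserInGroup" returntype="boolean" output="false">
    <!--- True if the logged-in user belongs to ANY of the listed groups.
          Accepts the same "group1,group2,groupn" form as in the post. --->
    <cfargument name="groups" type="string" required="true">
    <cfset var g = "">
    <cfif NOT structKeyExists(session, "adGroups")>
        <cfreturn false>
    </cfif>
    <cfloop list="#arguments.groups#" index="g">
        <cfif structKeyExists(session.adGroups, trim(g))>
            <cfreturn true>
        </cfif>
    </cfloop>
    <cfreturn false>
</cffunction>

<!--- At login: query AD once and keep the result in the session --->
<cfset session.adGroups = loadUserGroups(form.username, form.password)>

<!--- On a protected page --->
<cfif isUserInGroup("intranet-hr-editors,intranet-admins")>
    <!--- editable view --->
<cfelse>
    <!--- read-only view --->
</cfif>
```

Because the group list is read once at login, removing someone from a security group takes effect at their next login, not immediately; for the few areas that expose data edits, calling `loadUserGroups()` again on the sensitive request is a cheap way to close that window.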

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:260064