
Currently all our applications are web based, and our authentication and authorization mechanism is always through the database, e.g. database logins and access controls defined in the database. However, now we are thinking of changing this approach and making use of Active Directory for authentication and authorization.

So we need to create AD accounts (even for our users coming in from the internet) and assign access controls using Authorization Manager? Is this how it's normally done? What are some pros and cons of this? I believe with the AD method our internal staff can be given access rights to print to a secret printer for sensitive information (for example), but with the database approach it will be difficult?

Lastly, do I have to keep the same set of access rights roles/groups in the database and AD at the same time? If there is no need to, does it mean the application can just call an API to verify the required roles from AD directly? Thanks.

  • Why are you considering the use of Active Directory? What capabilities does it offer above and beyond your current architecture? – Motivated Aug 26 '15 at 07:05
  • You'll have better luck with this question on stackoverflow – Stephane Aug 26 '15 at 07:14
  • @Stephane this is not a coding question, so it doesn't belong on Stackoverflow. It is a question of security architecture and design, so it does belong here - however it is a bit broad and difficult to give a complete answer... Perhaps if Pang can focus the question better? – AviD Aug 26 '15 at 09:09
  • @AviD After having had to implement similar integration myself, I still think this is more a coding question (application design, to be exact) than a security one. That being said, if you want to answer here, be my guest :) – Stephane Aug 26 '15 at 10:03
  • You may want to use ADAM - Active Directory Application Mode https://technet.microsoft.com/en-us/library/cc738377(v=ws.10).aspx – paj28 Sep 02 '15 at 08:34
  • This is security related, but more about the implementation details than it is about the vulnerability/risk aspects. I'm voting for [sf]. – Iszi Sep 02 '15 at 19:01

1 Answer


Binding your applications to your AD can be done by using a single sign-on solution (WebSEAL) such as (among several others) IBM Tivoli Access Manager. This requires you to create the account objects (users, systems and computers), set the permissions through groups, and implement the WebSEAL login and an authentication interface for every single target application.

So we need to create AD accounts (even for our users coming in from the internet) and assign access controls using Authorization Manager? Is this how it's normally done? What are some pros and cons of this?

WebSEAL integration with AD and applications is commonly used for intranet/extranet users. It is possible to extend this to Internet users too, by creating AD accounts via batch, but I personally wouldn't recommend it. For example, imagine if your AD gets compromised. You would have much bigger trouble than "only" unauthorized people breaking into a single application.

Another pro for AD is user maintenance, SoD (at the application level: imagine you have two systems, one for sales and another for payments), a single password and so on...

Lastly, do I have to keep the same set of access rights roles/groups in the database and AD at the same time? If there is no need to, does it mean the application can just call an API to verify the required roles from AD directly?

You should use either one or the other; using both would make no sense. IBM TAM has a component which interfaces with the application, sending customised parameters which could include the access level too.

– Bob
  • Hi, thanks. In other words, I should go for something like Tivoli Access Manager (or those Oracle Identity Management) solutions.... – Pang Ser Lark Aug 27 '15 at 14:42
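The answer's point that the application should consult one authority (AD) rather than keep a parallel copy of roles in the database can be shown in code. The following is an added example, not code from the question, the answer or any IBM/Microsoft product. It assumes the application has already authenticated the user (via WebSEAL, an LDAP bind, or similar) and holds the user's `memberOf` attribute values as AD returns them; the group names, the nested-group data and the two sample users are constructed. The application keeps only a small group-to-permission mapping and denies anything not granted by an effective group, which is how the "secret printer" right for internal staff would be expressed without duplicating roles in the database.

```python
"""Map Active Directory group membership to application permissions.

Added example (not from the original post). Assumes the user is already
authenticated against AD and the application holds their `memberOf`
values. All group names, nesting data and sample users are constructed.
"""
from __future__ import annotations

import re
from typing import Dict, FrozenSet, Iterable, List, Set

# Constructed: which AD groups grant which application permissions.
# Any group not listed here grants nothing (default deny).
GROUP_TO_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "app-sales-readers": frozenset({"sales:read"}),
    "app-sales-managers": frozenset({"sales:read", "sales:approve"}),
    "app-payments-operators": frozenset({"payments:submit"}),
    "sensitive-printer-users": frozenset({"print:secret"}),
}

# Constructed: nested membership, i.e. each group's own memberOf values.
# Members of app-sales-managers are also app-sales-readers by nesting.
GROUP_PARENTS: Dict[str, List[str]] = {
    "app-sales-managers": ["CN=app-sales-readers,OU=Groups,DC=example,DC=local"],
}

# Leading CN= value of a DN; allows backslash-escaped characters such as "\,".
_CN_RE = re.compile(r"^CN=((?:\\.|[^,\\])+),", re.IGNORECASE)


def group_cn(dn: str) -> str:
    """Return the CN of a group DN, unescaped and lower-cased.

    AD names are case-insensitive, so comparisons are done in lower case.
    Only simple backslash escapes ("\\,") are handled here.
    """
    match = _CN_RE.match(dn.strip())
    if not match:
        raise ValueError(f"not a CN-led DN: {dn!r}")
    return re.sub(r"\\(.)", r"\1", match.group(1)).lower()


def effective_groups(member_of: Iterable[str]) -> Set[str]:
    """Direct plus nested groups (transitive closure over GROUP_PARENTS).

    A visited set stops circular nesting from looping forever.
    """
    pending = [group_cn(dn) for dn in member_of]
    seen: Set[str] = set()
    while pending:
        group = pending.pop()
        if group in seen:
            continue
        seen.add(group)
        pending.extend(group_cn(parent) for parent in GROUP_PARENTS.get(group, []))
    return seen


def permissions_for(member_of: Iterable[str]) -> FrozenSet[str]:
    """Union of the permissions granted by every effective group."""
    perms: Set[str] = set()
    for group in effective_groups(member_of):
        perms |= GROUP_TO_PERMISSIONS.get(group, frozenset())
    return frozenset(perms)


def authorize(member_of: Iterable[str], required: str) -> bool:
    """Default deny: True only when some effective group grants `required`."""
    return required in permissions_for(member_of)


# Constructed sample memberOf values for an internal staff member and an
# Internet user who was placed in a single application group.
INTERNAL_STAFF_MEMBER_OF = [
    "CN=App-Sales-Managers,OU=Groups,DC=example,DC=local",
    "CN=Sensitive-Printer-Users,OU=Groups,DC=example,DC=local",
    "CN=Domain Users,CN=Users,DC=example,DC=local",
]
INTERNET_USER_MEMBER_OF = [
    "CN=app-sales-readers,OU=External,DC=example,DC=local",
]

if __name__ == "__main__":
    for label, groups in (("staff", INTERNAL_STAFF_MEMBER_OF),
                          ("external", INTERNET_USER_MEMBER_OF)):
        print(label, sorted(permissions_for(groups)),
              "print:secret" if authorize(groups, "print:secret") else "no secret printing")
```

The mapping table is the only authorization data the application owns; everything else (who is in which group, nesting, account lifecycle) stays in AD, so there is no second copy of the roles to keep in sync. Unlisted groups such as `Domain Users` grant nothing, and the check is case-insensitive because AD itself is.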