Multilevel access control in Active Directory...?


I'm trying to solve a problem. The tool I'm trying to use is Active Directory, but I'm not sure if it is the right tool for the job.

Let me try to explain...

I have an application (a website) under development for which I need to design a security model/infrastructure. I would very much like to use AD because so many things about AD fit perfectly with the requirements for the application. In fact, all but one requirement fits like a glove. The problem I have is that I must control multiple instances of the same application within the same Active Directory, and the users must be able to access a subset of these applications with different access rights on the same areas in the application...

Kind of hard to explain, so let's give an example. First the simple and perfect one: I have only one user ("User1") and one application ("App1"). Inside the application there is a set of areas, and each area must be access restricted. One could solve this by giving each area an associated security group in AD of which a user must be a member to obtain access to the area... e.g. if UserA should have access to Area1 then he must be a member of the corresponding security group... piece of cake!

Let's add the twist to the example: continuing the example above, say there are now two applications running, both being controlled by the same AD: there are now App1 and App2. Both applications share the same access area security groups and the same source code. Now we are getting to the problem: how does one make UserA a member of Area1 in App1 but not of Area1 in App2? The application checks for membership of the security group "Area1" before letting the user into the particular area, but it cannot see whether the membership has been assigned for use with App1 or App2...?

So, bottom line: how can I control access to the areas in the applications? It has to be possible to give access to Area1 in App1 but restrict access to Area1 in e.g. App2... Note that the application (a website) cannot have e.g. different configurations (.config of any kind) for each user. Also note that there are tens of thousands of both users and application instances. The number of areas will be in the hundreds...

How would one solve something like this in AD...? If it is possible at all?

I'm not sure if the explanation above makes any sense; I hope so. If not, please let me know...

Thomas Eg Jørgensen

Posted 2011-05-06T06:43:14.900


Answers


IIUC you need to have a security group for each combination of application instance and area.

  App1 Area1 -> App1Area1Group
  App1 Area2 -> App1Area2Group

  App2 Area1 -> App2Area1Group
  App2 Area2 -> App2Area2Group

So everything is done by appropriately naming the groups. If you prefer you can separate the groups into OUs.

oleschri



Maybe this question would be better asked on StackOverflow – oleschri – 2011-05-06T07:29:46.850
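The scheme in the answer, one security group per (instance, area) pair named `<Instance><Area>Group` and grouped into one OU per instance, worked through as an added PowerShell example. This is not code from the original post or from either poster. It assumes the RSAT ActiveDirectory module, rights to create OUs and groups, a hypothetical container `OU=AppAccess,DC=example,DC=com`, and the user `UserA` from the question; the instance and area lists are constructed sample data. With the numbers in the question (tens of thousands of instances, hundreds of areas) the group count is their product, so the groups have to be generated by script rather than by hand, which is what the loop below does.

```powershell
# Added example (not from the original post): one AD security group per
# (application instance, area) pair, following the naming scheme in the answer.
# Assumes the ActiveDirectory RSAT module and rights to create OUs/groups
# under the hypothetical container OU=AppAccess,DC=example,DC=com.

Import-Module ActiveDirectory

$BaseOU    = 'OU=AppAccess,DC=example,DC=com'   # assumed container for all app groups
$Instances = @('App1', 'App2')                   # constructed sample: application instances
$Areas     = @('Area1', 'Area2')                 # constructed sample: access-restricted areas

# Group name convention from the answer: <Instance><Area>Group, e.g. App1Area1Group.
function Get-AreaGroupName {
    param([string]$Instance, [string]$Area)
    return '{0}{1}Group' -f $Instance, $Area
}

# One OU per instance keeps the groups findable; one group per area inside it.
# Both creations are idempotent so the script can be re-run when areas are added.
foreach ($inst in $Instances) {
    $instOU = "OU=$inst,$BaseOU"
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$inst)" -SearchBase $BaseOU -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $inst -Path $BaseOU
    }
    foreach ($area in $Areas) {
        $name = Get-AreaGroupName -Instance $inst -Area $area
        if (-not (Get-ADGroup -LDAPFilter "(sAMAccountName=$name)" -SearchBase $instOU)) {
            New-ADGroup -Name $name -SamAccountName $name -GroupScope Global `
                -GroupCategory Security -Path $instOU `
                -Description "Access to $area in application instance $inst"
        }
    }
}

# Grant UserA Area1 in App1 only. App2Area1Group is left untouched, so the same
# user is denied Area1 in App2 even though both instances run the same code.
Add-ADGroupMember -Identity (Get-AreaGroupName -Instance 'App1' -Area 'Area1') -Members 'UserA'

# The check the application must perform: membership of the instance-specific
# group, never of a shared "Area1" group. Nested membership is resolved so that
# role groups can be placed inside the per-instance groups later.
function Test-AreaAccess {
    param([string]$User, [string]$Instance, [string]$Area)
    $groupName = Get-AreaGroupName -Instance $Instance -Area $Area
    $userDN    = (Get-ADUser -Identity $User).DistinguishedName
    $members   = Get-ADGroupMember -Identity $groupName -Recursive |
                 Select-Object -ExpandProperty DistinguishedName
    return ($members -contains $userDN)
}

Test-AreaAccess -User 'UserA' -Instance 'App1' -Area 'Area1'
Test-AreaAccess -User 'UserA' -Instance 'App2' -Area 'Area1'
```

By construction the first `Test-AreaAccess` call returns True and the second False: the only thing that distinguishes the two instances is which group the user was added to, so the web application resolves the group name from its own instance identifier plus the area and then checks membership of that group. In the application itself the same check is normally done against the logged-on user's token groups (SIDs) rather than by enumerating group members, since a group may carry many thousands of users.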