Can we migrate this custom schema to Active Directory?

    Question

  • We have a legacy DB that handles authentication and authorization for many Win32 applications. As part of a migration to .NET, we are evaluating whether or not to use Active Directory. (Although our small team is unfamiliar with Active Directory, we realize that it is orthogonal to Win32 and .NET.) Our authorization relies on an authorization schema like this:

    Roles have Rights.

    Roles have Users.

    (Consequently, Users belonging to a Role, have many Rights through that Role.)

    Users may have Roles.

    Users may have Rights other than those inherited through Roles.

    Users have rights only in relation to an Environment. (That is, the association between Users and Rights is tagged with an Environment code.)

    Applications have Rights (which Users must authorize against).

    Can this be modeled in Active Directory? If so, where do we go for more information?

    Thanks,

    coriscus

    Monday, November 08, 2010 7:51 PM
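The schema described in the question, worked through as code so the effective-rights rule can be checked (an added illustration, not code from the original post). It assumes that role membership, like direct rights, is scoped to an environment code, since the post says users hold rights only in relation to an environment; all data here is constructed.

```python
from dataclasses import dataclass, field

# Constructed model of the schema in the question:
#   Roles have Rights; Users have Roles and may have extra direct Rights;
#   every User-to-Right association carries an Environment code;
#   Applications declare the Rights a caller must hold.
# Assumption: role membership is also tagged per environment.


@dataclass(frozen=True)
class Role:
    name: str
    rights: frozenset


@dataclass
class User:
    name: str
    roles: dict = field(default_factory=dict)          # env code -> set of Role
    direct_rights: dict = field(default_factory=dict)  # env code -> set of right names


def effective_rights(user, env):
    """Rights held in one environment: inherited through roles plus direct grants."""
    rights = set()
    for role in user.roles.get(env, ()):
        rights |= role.rights
    rights |= user.direct_rights.get(env, set())
    return frozenset(rights)


def authorize(user, env, app_required):
    """Deny-by-default: every right the application requires must be held in env.

    Returns (allowed, missing_rights) so a denial can be logged with its reason.
    """
    missing = frozenset(app_required) - effective_rights(user, env)
    return (not missing, missing)


# Constructed sample data.
AUDITOR = Role("Auditor", frozenset({"read_ledger", "export_report"}))
ALICE = User(
    "alice",
    roles={"PROD": {AUDITOR}},                  # role held only in PROD
    direct_rights={"TEST": {"close_period"}},   # direct grant only in TEST
)
REPORTING_APP_RIGHTS = frozenset({"read_ledger", "export_report"})

if __name__ == "__main__":
    for env in ("PROD", "TEST", "DEV"):
        print(env, authorize(ALICE, env, REPORTING_APP_RIGHTS))
```

Note that a role granted in PROD confers nothing in TEST: the environment tag, not the role name, decides what the user can do.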

All replies

  • Hello,

    I think you can't compare it one to one with AD. AD has user accounts (computer accounts, security groups etc.) which can be members of security groups. User accounts and security groups can have permissions on different resources like files, folders, printers etc. on different machines.

    Also users can have different permissions if they belong to different builtin security groups, like domain administrators or domain users and some more.


    Best regards, Meinolf Weber
    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
    Monday, November 08, 2010 8:43 PM
  • Thanks for this response. However, I'm a little confused. I was under the impression that AD could play a role in "claims-based" authorization scenarios, where "claims" are arbitrarily defined rights which applications might expect to be associated with a user. If so, this would seem to imply an ability to flexibly model claims and associate them with both applications and users (which is basically what our custom schema provides). Am I barking up the wrong tree?
    Monday, November 08, 2010 9:36 PM
  • Hello,

    as you talk about application integration can AD LDS be an option for you?

    http://technet.microsoft.com/en-us/library/cc755080(WS.10).aspx
    http://msdn.microsoft.com/en-us/library/bb897400.aspx


    Best regards, Meinolf Weber
    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
    • Marked as answer by Bruce-Liu Friday, December 03, 2010 12:37 PM
    Monday, November 08, 2010 9:46 PM
  • Thanks for the help. I will look into that. However, I believe I am not formulating my question well and will try again after a little research.
    Tuesday, November 09, 2010 4:26 PM