LDAP用于应用程序访问控制,应该控制多少?

发布于 2024-09-12 04:09:51 字数 365 浏览 13 评论 0原文

前言:我现在在两种环境中工作,在这方面的原则相互冲突。我正在概述相互竞争的想法,并想知道在所描述的情况下哪个是“正确的”。

场景:我们的内网上存在多个应用程序。我们正在实施使用 LDAP 的 OpenSSO 作为我们的身份验证控制和用户目录。问题是,通过 LDAP 身份验证,我们知道允许用户访问 Intranet,但哪些应用程序是有问题的。

我们打算使用 LDAP 来控制每个用户可以访问哪些应用程序,即帮助台、顾问审阅、报告生成器、调查创建者等。

问题在于,每个应用程序中都有大量的角色,而且人们可能拥有多个角色角色。

解决第二个领域的最佳方法是什么?应该所有角色都在 ldap 中,还是只是应用程序配额中,每个应用程序数据库都包含更细粒度的角色?

A precursor: I've worked now in two enviroments with conflicting principals on this. I am outlining the competing ideas and would like to know which is 'correct' given the scenario described.

Scenario: Multiple applications exist on our intranet. We are implementing OpenSSO with LDAP as our authentication control and user directory. The issue comes to play is, with the LDAP authentication we know a user is allowed on the intranet but to which applications is questionable.

We intend to use LDAP to control what applications each user can access i.e. helpdesk, consultant review, report generator, survey creator etc.

The question arises in that, within each application are a significant amount of roles, and the fact that people may have multiple roles.

What is the best way to address this second area? Shoudl ALL roles be in the ldap or just the application allowances with each app database containing the more granular roles?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

请持续率性 2024-09-19 04:09:51

一种方法是使用 LDAP 维护相对较高级别的角色信息,但将非常详细的特定于应用程序的信息保留在每个应用程序内部。

例如,一个人可能是 LDAP 组(角色)的成员,例如“员工”、“服务台同事”、“服务台主管”等,然后各个应用程序会将高级角色映射到应用程序中 -具体功能。特定的高级角色可能意味着对多个应用程序的访问,并且不同的角色将具有不同的访问级别。

例如,“帮助台同事”可能能够创建票证,但也许只有主管才能删除它们或运行报告。

这是没有正确答案的领域之一。将所有内容集中在 LDAP 中使您能够更好地报告/审核个人的访问,但代价是使用大量特定于应用程序的数据使中央 LDAP 架构变得复杂。此外,根据您尝试集成的现有/商业应用程序,这些应用程序可能不支持从 LDAP 中提取所有细粒度的访问信息。

One approach is to use LDAP to maintain relatively high-level role information, but keep the very detailed application-specific information internal to each application.

For example, an individual might be members of LDAP groups (roles) like "employee", "help desk associate", "help desk supervisor", etc., and then the individual applications would map the high-level roles into the application-specific functions. A particular high-level role might imply access to multiple applications, and different roles would have different levels of access.

For example, a "help desk associate" might be able to create tickets, but maybe only a supervisor can delete them or run reports.

This is one of those areas where there's no one right answer. Centralizing everything in LDAP gives you better ability to report/audit individuals' access, at the cost of complicating your central LDAP schema with a lot of application-specific data. Also, depending on what existing/commercial applications you're trying to integrate, the applications may not support pulling all their fine-grained access information from LDAP.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文