Wednesday, August 20, 2008

Authentication & Authorization

Use AD for authentication and DB for authorization

I'm trying to reason out the above statement to the best of my knowledge; this may be specific to a Windows environment. Do leave your thoughts if you know of better reasons.

A company intranet web application can be open to all domain users and hence needs no authentication at all. But we may need to restrict access to a phone list application to certain groups, and this application may include additional authorization restrictions, e.g. a certain group of users should not be able to view some section of the data, say "personal mobile numbers". The best approach is to authenticate all users against an AD group and use a different authorization data store, such as a database.

Can we not use the DB for authentication, i.e. use the "authorization data store", check whether the user is authorized to do any step in the application, and redirect to an access denied page otherwise? Though this is technically possible, in this case control over who gets access to the phone list application is through the DB. Everyone will agree that access to that is weaker compared to a secure AD group membership, which is restricted to AD administrators' hands. Inherently, access to the application DB is more widely spread than access to AD. Also, AD authentication blocks unauthorized users at the gate, i.e. they are stopped even before entering the application.

At the other end of the spectrum, why should we not use AD for authorization? For simplicity's sake, if we have 3 authorization groups for each application, 10 applications, and toss in 2 environments (dev/prod), we end up with 60 AD groups. That is work for the AD admins which in the course of time will become unmanageable, with the worst-case scenario being someone getting access they shouldn't.

That said, there is room for all shades of grey; for example, any enterprise has to maintain AD groups for something or other, like shared folder access. Using the same phone list application, if there is a requirement to restrict users from viewing sr. mgmt contacts, I'd rather make that authorization against AD than have it inside my application DB.
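The split described above, as an added example that is not the author's code: an AD group gates entry to the phone list application, a database table holds the per-user section authorization ("personal mobile numbers" is a section), and the one sr. mgmt restriction stays in AD. The AD membership dictionary, the sample phone list and the `user_section` table are constructed stand-ins; a real deployment would query AD/LDAP and the application database.

```python
import sqlite3

# Constructed stand-in for Active Directory group membership (replace with an AD/LDAP lookup).
AD_GROUPS = {
    "alice": {"Domain Users", "PhoneList-Users", "SrMgmt-Contacts"},
    "bob":   {"Domain Users", "PhoneList-Users"},
    "carol": {"Domain Users"},
}
GATE_GROUP = "PhoneList-Users"      # AD group that admits users to the application at all
SR_MGMT_GROUP = "SrMgmt-Contacts"   # the one authorization rule deliberately kept in AD

# Constructed sample phone list; "sr_mgmt" marks senior management contacts.
PHONE_LIST = [
    {"name": "Dana", "desk": "x100", "mobile": "555-0101", "sr_mgmt": False},
    {"name": "Eve",  "desk": "x200", "mobile": "555-0102", "sr_mgmt": True},
]

def build_authz_db():
    """Authorization data store: which data sections each user may view (constructed table)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user_section (user TEXT, section TEXT)")
    db.executemany("INSERT INTO user_section VALUES (?, ?)", [
        ("alice", "desk"), ("alice", "mobile"),
        ("bob", "desk"),   # bob may not view the personal mobile numbers section
    ])
    return db

def authenticate(user):
    """AD gate: anyone outside the application group is refused before any app logic runs."""
    return GATE_GROUP in AD_GROUPS.get(user, set())

def allowed_sections(db, user):
    rows = db.execute("SELECT section FROM user_section WHERE user = ?", (user,))
    return {row[0] for row in rows}

def view_phone_list(db, user):
    """Gate on AD, then filter rows (AD rule) and columns (DB rules) for the caller."""
    if not authenticate(user):
        raise PermissionError(f"{user} is not a member of {GATE_GROUP}")
    sections = allowed_sections(db, user)
    can_see_sr_mgmt = SR_MGMT_GROUP in AD_GROUPS[user]
    result = []
    for entry in PHONE_LIST:
        if entry["sr_mgmt"] and not can_see_sr_mgmt:
            continue                      # row-level restriction enforced from AD
        row = {"name": entry["name"]}
        for section in ("desk", "mobile"):
            if section in sections:       # column-level restriction enforced from the DB
                row[section] = entry[section]
        result.append(row)
    return result
```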

1 comment:

Jenice said...

I highly enjoyed reading this article. Authorization and authentication are highly needed in this modern world where data is transferred electronically. I appreciate your knowledge, and the solution that you have suggested is an impressive one.