
We are planning to let the customers of our software configure users and their permissions entirely in Active Directory.

Once an AD user is a member of the AD group "SoftwareXyz", he can log in and use our software.

I've seen other software products doing just that.

Now, I'd like to go further. Permissions like "The user is allowed to edit reports" should also be managed efficiently in LDAP.

What's the best or most common way to accomplish that?

  • Create AD groups for each permission, like "SoftwareXyz#Permissions#PermitEditReports"?
  • Or am I able to create custom permissions in AD that my customer can attach to his users?
  • Or are there other ways to solve that problem?
OneWorld

1 Answer


Unless you have a very limited set of features that you want to manage, you shouldn't create one AD group per feature because you'll hit a lot of problems when the Kerberos ticket becomes too large.

However, you can create a limited set of roles that will be managed via AD groups (like "Reports Viewers") and will in turn give access to a bunch of features (which won't need to be defined in the AD).

If you have a database, you can allow the customer to create their own roles and manage the AD Group <-> Roles <-> Features relationship in your DB.

Swisstone
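The design from the answer above, as an added example that is not part of the original post: a small Python model in which a login gate group permits access, a handful of AD role groups map to roles, and roles expand to fine-grained features that never appear in AD. The SIDs, group names and mapping tables are constructed sample data standing in for the application database the answer suggests; the group-membership list is assumed to come from the user's logon token or an LDAP tokenGroups lookup. The token-size function uses Microsoft's published estimation formula (KB 327825) so the "ticket becomes too large" concern can be put in numbers.

```python
"""Added example (not from the original post): AD group -> role -> feature
mapping as described in the answer, plus a Kerberos token-size estimate."""

# Constructed sample data. Keyed by SID rather than display name because a
# customer can rename a group while its SID stays stable.
LOGIN_GROUP_SID = "S-1-5-21-1000-2000-3000-1100"   # "SoftwareXyz" gate group

GROUP_TO_ROLES = {
    "S-1-5-21-1000-2000-3000-1101": {"report-viewer"},   # "SoftwareXyz Report Viewers"
    "S-1-5-21-1000-2000-3000-1102": {"report-editor"},   # "SoftwareXyz Report Editors"
    "S-1-5-21-1000-2000-3000-1103": {"admin"},           # "SoftwareXyz Admins"
}

# Roles expand to fine-grained features; these live only in the application DB.
ROLE_TO_FEATURES = {
    "report-viewer": {"reports.view"},
    "report-editor": {"reports.view", "reports.edit"},
    "admin": {"reports.view", "reports.edit", "users.manage"},
}


def resolve_roles(group_sids):
    """Collect every role granted by any of the user's groups."""
    roles = set()
    for sid in group_sids:
        roles |= GROUP_TO_ROLES.get(sid, set())
    return frozenset(roles)


def resolve_features(group_sids):
    """Return the features the user may use. A user outside the login gate
    group gets nothing, even if role groups were assigned to them."""
    sids = set(group_sids)
    if LOGIN_GROUP_SID not in sids:
        return frozenset()
    features = set()
    for role in resolve_roles(sids):
        features |= ROLE_TO_FEATURES.get(role, set())
    return frozenset(features)


def is_permitted(group_sids, feature):
    """Single authorization check to call at each protected operation."""
    return feature in resolve_features(group_sids)


def estimate_token_size(domain_local, global_and_universal_same_domain):
    """Microsoft's estimate of the Kerberos access token size in bytes
    (KB 327825): 1200 + 40 * d + 8 * s, where d counts domain local groups
    (plus universal groups from other domains and SID-history entries) and s
    counts global groups and universal groups from the user's own domain."""
    return 1200 + 40 * domain_local + 8 * global_and_universal_same_domain


LEGACY_MAX_TOKEN_SIZE = 12000  # default MaxTokenSize before Windows Server 2012


if __name__ == "__main__":
    editor = [LOGIN_GROUP_SID, "S-1-5-21-1000-2000-3000-1102"]
    print(sorted(resolve_features(editor)))
    # 300 one-per-feature domain local groups versus three role groups:
    print(estimate_token_size(300, 0), estimate_token_size(3, 0))
```

The two tables are deliberately separate: the group-to-role table is the only thing the customer's AD administrator needs to know about, while the role-to-feature table can grow with each release without any AD change, which is the point the answer makes about features not needing to be defined in AD.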