One approach is to use LDAP to support relatively high-level role information, but keep very detailed application-specific information for each application.
For example, a user can be a member of LDAP groups (roles), such as "employee", "support desk assistant", "support desk manager", etc., and then individual applications will map high-level roles to application-specific functions. A specific high-level role can mean access to multiple applications, and different roles will have different access levels.
For example, a "help desk assistant" can create tickets, but perhaps only a supervisor can delete them or run reports.
This is one of those areas where there is not a single correct answer. Centralizing everything in LDAP gives you the best opportunity to report / verify access for individuals, at the cost of complicating your central LDAP schema with a lot of data related to specific applications. In addition, depending on which existing / commercial applications you are trying to integrate, applications may not support retrieving all fine-grained access information from LDAP.
David gelhar
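The two-layer scheme the answer describes (coarse roles in LDAP groups, fine-grained permissions kept per application), as an added example that is not part of the original answer. The group DNs, role names and permission names are constructed assumptions; a real deployment would read `memberOf` from its directory and keep the role table in the application's own configuration.

```python
# Added example: map coarse LDAP group membership to application-specific
# permissions. All DNs, roles and permission names are constructed samples.
from typing import Dict, FrozenSet, Iterable, List

# Layer 1: coarse roles, one LDAP group per role (keys normalised to lower case).
LDAP_GROUP_TO_ROLE: Dict[str, str] = {
    "cn=employee,ou=groups,dc=example,dc=com": "employee",
    "cn=helpdesk-assistant,ou=groups,dc=example,dc=com": "help desk assistant",
    "cn=helpdesk-manager,ou=groups,dc=example,dc=com": "help desk manager",
}

# Layer 2: the ticketing application's own role -> permission table. This lives
# in the app, not in the directory, so the LDAP schema stays small. Each role
# lists exactly what it grants; nothing is inherited implicitly.
TICKET_APP_ROLE_PERMS: Dict[str, FrozenSet[str]] = {
    "employee": frozenset({"ticket:view_own"}),
    "help desk assistant": frozenset(
        {"ticket:view_own", "ticket:view_all", "ticket:create"}),
    "help desk manager": frozenset(
        {"ticket:view_own", "ticket:view_all", "ticket:create",
         "ticket:delete", "report:run"}),
}


def roles_from_groups(member_of: Iterable[str]) -> List[str]:
    """Translate a user's memberOf DNs into role names; groups the app does
    not know about are ignored rather than mapped to anything."""
    roles = set()
    for dn in member_of:
        role = LDAP_GROUP_TO_ROLE.get(dn.strip().lower())
        if role is not None:
            roles.add(role)
    return sorted(roles)


def permissions_for(member_of: Iterable[str],
                    role_perms: Dict[str, FrozenSet[str]]) -> FrozenSet[str]:
    """Union of the permissions of every role the user holds; a user with no
    recognised role gets the empty set, i.e. deny by default."""
    perms = set()
    for role in roles_from_groups(member_of):
        perms |= role_perms.get(role, frozenset())
    return frozenset(perms)


def is_allowed(member_of: Iterable[str], permission: str,
               role_perms: Dict[str, FrozenSet[str]] = TICKET_APP_ROLE_PERMS) -> bool:
    """The check an application endpoint would make before acting."""
    return permission in permissions_for(member_of, role_perms)


def roles_granting(permission: str,
                   role_perms: Dict[str, FrozenSet[str]] = TICKET_APP_ROLE_PERMS) -> List[str]:
    """Reverse lookup for access reviews: which coarse roles grant a permission."""
    return sorted(r for r, perms in role_perms.items() if permission in perms)
```

Because only the group-to-role mapping depends on LDAP, an access review can combine the directory's group membership export with `roles_granting` to answer "who can delete tickets" without the directory storing any ticketing-specific attributes.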