As Acıbadem University, we want to change our security infrastructure. Because we have some custom applications, we are going to have different types of users (e.g. Student Affairs, Library, Financials office, etc.).
We had 2 mistakes.
Until now, we only had Student Affairs users and we gave them the rights that PS can do. But now we want to limit that.
Also, all our custom applications for the financials office, students, student affairs, etc. are in the same custom menu.
We are going to start a security administration project using LDAP authentication. We are thinking of carrying our roles to LDAP.
I would like to hear your comments about custom application management, LDAP, and user profile management via LDAP.
Where do you store the roles? Do you assign them automatically? etc. To shed some light on our way.
I could make out 2 points:
1. EITHER you are referring to how to manage PS security of different profiles using LDAP.
2. OR you are referring to how to manage overall system security for different profiles using LDAP, where the overall system security = PS + other systems.
For point 1 above:
You need not worry about bringing roles to LDAP. What you just need is that LDAP works and the users (of any profile) can access PS by SSO (Single Sign-On) using LDAP authentication.
And PS will take care of the rest of the security. How? -> Every PS user profile will be associated with roles and permission lists + a row security permission list...
For point 2 above:
In this case, you would need point 1 + some kind of system directory. The system directory can be used for LDAP authentication and for managing security across different profiles. With the help of the directory you can control the security + access of the profiles across various systems based on the user id of the user. But you need to use the same user id for any user across all the systems in order to achieve this.
For example: let's say the PS user is USER01 for Person A. Then you need to ensure that the access/user profiles created for Person A across all systems use USER01 only.
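As an added illustration of the split the reply describes (not code from the thread or from PeopleSoft): LDAP answers only who the user is, the PS user profile resolves roles and permission lists, and a user id that differs between systems is flagged. All user ids, roles, permission lists and passwords below are constructed sample data.

```python
import hashlib
import hmac
from typing import Dict, List, Optional

# Constructed sample data; none of these ids or lists come from the thread.
# LDAP side: only identity and credentials live here, no PeopleSoft roles.
LDAP_DIRECTORY: Dict[str, Dict[str, str]] = {
    "USER01": {"cn": "Person A", "pw_sha256": hashlib.sha256(b"pw-a").hexdigest()},
    "USER02": {"cn": "Person B", "pw_sha256": hashlib.sha256(b"pw-b").hexdigest()},
    "USER03": {"cn": "Person C", "pw_sha256": hashlib.sha256(b"pw-c").hexdigest()},
}

# PeopleSoft side: user profile -> roles -> permission lists (+ row security).
ROLE_PERMISSION_LISTS: Dict[str, List[str]] = {
    "STUDENT_AFFAIRS": ["PL_STUDENT_RECORDS", "PL_CUSTOM_MENU_SA"],
    "LIBRARY": ["PL_LIBRARY", "PL_CUSTOM_MENU_LIB"],
}
USER_PROFILES: Dict[str, Dict] = {
    "USER01": {"roles": ["STUDENT_AFFAIRS"], "row_security": "PL_ROW_SA"},
    "USER02": {"roles": ["LIBRARY"], "row_security": "PL_ROW_LIB"},
    # USER03 exists in LDAP but has no PS user profile, so PS grants nothing.
}

def ldap_authenticate(user_id: str, password: str) -> bool:
    """Stand-in for the LDAP bind: answers only 'is this really USER01?'."""
    entry = LDAP_DIRECTORY.get(user_id)
    if entry is None:
        return False
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(digest, entry["pw_sha256"])

def ps_permission_lists(user_id: str) -> List[str]:
    """PeopleSoft authorization: roles are resolved here, never in LDAP."""
    profile = USER_PROFILES.get(user_id)
    if profile is None:
        return []  # authenticated but unknown to PS: no pages at all
    lists = {pl for role in profile["roles"] for pl in ROLE_PERMISSION_LISTS.get(role, [])}
    lists.add(profile["row_security"])
    return sorted(lists)

def sign_on(user_id: str, password: str) -> Optional[List[str]]:
    """SSO flow: LDAP decides identity, PS decides access. None = sign-on refused."""
    if not ldap_authenticate(user_id, password):
        return None
    return ps_permission_lists(user_id)

def mismatched_user_ids(ps_user_id: str, other_systems: Dict[str, str]) -> List[str]:
    """Point 2 of the reply: flag systems where Person A is not ps_user_id."""
    return sorted(system for system, uid in other_systems.items() if uid != ps_user_id)
```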