You can configure 2 or more ADs in WebLogic; it works as an authentication chain, and for each authentication provider you have a flag to define if it's enough, mandatory etc.
For performance it's not really an issue: you can set the internal one as first and say it's enough, so if the user is found there you don't check the other AD; external users can wait a microsecond longer.
For data-level security you make that based on approles, so you map groups to approles and in that way you can easily say: internal full data access, external users limited access.
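The chain behaviour described in the answer above, as an added example that is not part of the original post: it models the JAAS control-flag rules that WebLogic authentication providers follow, and shows which providers are consulted per login. The provider names, accounts and passwords are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Provider:
    name: str
    flag: str    # REQUIRED, REQUISITE, SUFFICIENT or OPTIONAL
    users: dict  # constructed stand-in for a directory: user -> password

def login(chain, user, password):
    """Walk the chain in order; return (authenticated, providers consulted)."""
    consulted, mandatory_seen, mandatory_failed, any_ok = [], False, False, False
    for p in chain:
        consulted.append(p.name)
        ok = p.users.get(user) == password
        if p.flag in ("REQUIRED", "REQUISITE"):
            mandatory_seen = True
            if not ok:
                mandatory_failed = True
                if p.flag == "REQUISITE":
                    break  # REQUISITE failure stops the chain at once
        else:
            any_ok = any_ok or ok
            if ok and p.flag == "SUFFICIENT" and not mandatory_failed:
                break  # SUFFICIENT success: later providers are never queried
    if mandatory_seen:
        # Every REQUIRED/REQUISITE provider must have accepted the login.
        return (not mandatory_failed, consulted)
    # Only SUFFICIENT/OPTIONAL providers: at least one must have accepted.
    return (any_ok, consulted)

INTERNAL = {"alice": "pw-internal"}  # constructed sample accounts
EXTERNAL = {"bob": "pw-external"}

def chain(flag):
    """Internal AD first, external AD second, both with the same flag."""
    return [Provider("InternalAD", flag, INTERNAL),
            Provider("ExternalAD", flag, EXTERNAL)]

if __name__ == "__main__":
    logins = (("alice", "pw-internal"), ("bob", "pw-external"), ("mallory", "guess"))
    for flag in ("SUFFICIENT", "REQUIRED"):
        for user, pw in logins:
            print(flag, user, login(chain(flag), user, pw))
```

With both providers set to REQUIRED, no user who exists in only one directory can log in, which is why the flag choice matters more than the provider order.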
Thanks for your response. Great - we were also of the opinion that two ADs could be configured in WebLogic, so I appreciate your clarification.
So you wouldn't expect any additional performance implications on the data-level security as a direct impact of the External AD? I agree, logging into the application should be fine (I will hold to your microsecond quote... ) but we just had a few question marks regarding the performance of the query itself. Do you envisage any issues here? Any more so than data-level security without AD?
What kind of rules would you use as data-level security?
Row-level security is based on rules using variables (session variable in general).
So the only security concern you can have is how slow your init block setting the variables you are going to use would be. The good thing is that they are executed once only, so it will not be a really big issue.
Of course I expect your external AD to still be a good AD, and not an AD lost on the other side of the planet going through 15 VPN connections with 56Kbps bandwidth.
The performance of queries with data-security applied also depends on how the columns used in your rule are linked with the rest of your model.
In the end the possible performance issues are related to the model itself but I don't see a huge impact because of external AD used (and again the init block setting variables run only once per session, so it's a limited impact).
Performance at AD level: we will not have any issues. We have configured 2 types of authenticators in providers and we don't see any performance issue there. You can configure the two parameters with these values, as Oracle recommended:
Group Membership Searching: limited
Max Group Membership Search Level: 1