RBAC (Role-Based Access Control) System with Active Directory and Azman
The most difficult part of designing a new RBAC system for my company was integrating network resource control by ACL (Access Control List) with web application control. Windows Azman was a perfect fit for web application control through RoleManager, but it cannot be connected directly to ACLs. My compromise solution was to define special Active Directory groups ("ER Groups") that correspond one-to-one to Enterprise Roles (ER).
Here's a summary of my design:
1) Define Enterprise Roles (ER) in a SQL database.
2) Copy the hierarchical structure and membership of the ERs to AD groups using custom code.
3) Define Application Roles in Azman.
4) Use only the AD ER groups in Azman membership definitions (role assignments).
5) Let web applications refer to Azman for application roles.
6) Have the IT Infrastructure Management Team (in my company, IT and MIS are two separate teams) use ER groups for ACLs wherever possible. Only when ER groups are not fine-grained enough to control a network resource should a new AD group be created for that specific purpose. The number of non-ER groups should be kept to a minimum.
7) Write a web application for managing the ERs and running the code mentioned in 2). The Azman MMC snap-in is good enough as the user interface for Application Roles.
* The Azman API was too slow. My workaround was to define the Azman datastore in Active Directory and write a library that uses the LDAP protocol to read and manipulate the Azman data.
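The following PowerShell script is an added example of steps 2) and 4) and is not the author's code. It assumes: ER groups are global security groups named "ER-<ErName>" in a single OU; an ER that "inherits" another ER receives all of that ER's permissions, modelled by nesting the inheriting ER's group as a member of the inherited ER's group; the ER table is a constructed in-memory stand-in for the ER SQL database; and the OU, store URL (an AD-backed store, as in the footnote above), application name and NetBIOS domain are placeholders. It needs the RSAT ActiveDirectory module and the AzRoles COM component (AzMan has been deprecated since Windows Server 2012 R2, so this only runs where it is still installed). The last function is the check a practitioner wants for step 4: it lists AzMan role members that are not ER groups.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not the original author's code. All names below are assumptions.
$ErGroupPrefix = 'ER-'
$ErGroupOU     = 'OU=Enterprise Roles,DC=corp,DC=example'                          # assumption
$AzManStoreUrl = 'msldap://CN=AzManStore,OU=Enterprise Roles,DC=corp,DC=example'   # assumption: AD-backed store
$AzManAppName  = 'ExpenseWeb'                                                      # assumption
$NetBiosDomain = 'CORP'                                                            # assumption

# Constructed stand-in for the ER table (in production: Invoke-Sqlcmd against the ER database).
# Inherits = the ER whose permissions this ER also receives.
$EnterpriseRoles = @(
    @{ Name = 'Finance-Staff';   Inherits = $null;           Members = @('alice', 'bob') },
    @{ Name = 'Finance-Manager'; Inherits = 'Finance-Staff'; Members = @('carol') },
    @{ Name = 'HR-Staff';        Inherits = $null;           Members = @('dave') }
)

function Get-ErGroupName([string]$ErName) { return "$ErGroupPrefix$ErName" }

# Step 2: converge AD groups (existence, nesting, membership) on the ER table. Idempotent and authoritative:
# anything added to an ER group by hand is removed on the next run.
function Sync-ErGroups {
    param([Parameter(Mandatory)][array]$Roles)

    # ER names are interpolated into an AD filter and into account names; reject anything unexpected.
    foreach ($er in $Roles) {
        if ($er.Name -notmatch '^[A-Za-z0-9][A-Za-z0-9-]{0,40}$') { throw "Invalid ER name '$($er.Name)'" }
    }

    # Pass 1: one global security group per ER.
    foreach ($er in $Roles) {
        $name = Get-ErGroupName $er.Name
        if (-not (Get-ADGroup -Filter "sAMAccountName -eq '$name'" -SearchBase $ErGroupOU)) {
            New-ADGroup -Name $name -SamAccountName $name -GroupScope Global -GroupCategory Security `
                        -Path $ErGroupOU -Description "Enterprise Role '$($er.Name)' (managed by ER sync)"
        }
    }

    # Pass 2: desired members = the ER's own users + the groups of every ER that inherits this ER.
    foreach ($er in $Roles) {
        $name    = Get-ErGroupName $er.Name
        $heirs   = $Roles | Where-Object { $_.Inherits -eq $er.Name } | ForEach-Object { Get-ErGroupName $_.Name }
        $desired = @($er.Members) + @($heirs)
        $current = @(Get-ADGroupMember -Identity $name | Select-Object -ExpandProperty SamAccountName)

        $toAdd    = @($desired | Where-Object { $_ -notin $current })
        $toRemove = @($current | Where-Object { $_ -notin $desired })
        if ($toAdd)    { Add-ADGroupMember    -Identity $name -Members $toAdd }
        if ($toRemove) { Remove-ADGroupMember -Identity $name -Members $toRemove -Confirm:$false }
    }
}

function Open-AzManApplication {
    # Opens the AzMan store through the AzRoles COM API; flags 0 = open existing store for update.
    $store = New-Object -ComObject AzRoles.AzAuthorizationStore
    $store.Initialize(0, $AzManStoreUrl)
    return $store.OpenApplication($AzManAppName)
}

# Step 4: bind an AzMan role assignment to an ER group (never to a user or a non-ER group).
function Add-ErGroupToAzManRole {
    param([Parameter(Mandatory)][string]$RoleName, [Parameter(Mandatory)][string]$ErName)
    $role = (Open-AzManApplication).OpenRole($RoleName)
    $role.AddMemberName("$NetBiosDomain\$(Get-ErGroupName $ErName)")
    $role.Submit()
}

# Check for step 4: every role member should be DOMAIN\ER-<something>; report anything else.
function Get-NonErAzManMembers {
    $app = Open-AzManApplication
    foreach ($role in $app.Roles) {
        foreach ($member in @($role.MembersName)) {
            if (($member -split '\\')[-1] -notlike "$ErGroupPrefix*") {
                [pscustomobject]@{ Role = $role.Name; Member = $member }
            }
        }
    }
}
```

Typical use, in order: `Sync-ErGroups -Roles $EnterpriseRoles`, then `Add-ErGroupToAzManRole -RoleName 'Approver' -ErName 'Finance-Manager'`, then `Get-NonErAzManMembers` as a scheduled audit. With the sample data, `ER-Finance-Manager` ends up nested inside `ER-Finance-Staff`, so carol is resolved as a Finance-Staff member both by AzMan (through group expansion) and by any ACL that grants `ER-Finance-Staff`, which is the one-to-one ER/group correspondence the design relies on.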