The relationship between RBAC and SSO should be handled like this:
- When we start discussing the design of RBAC and SSO, we should settle RBAC first. Once the roles, and the permissions behind them, are clearly defined, implementing them in the SSO system is not difficult.
- When we start discussing the SSO implementation, we need to look at the whole system as an SSO system and think about how RBAC will be enforced within it: SSO establishes who the user is, RBAC decides what that user may do.
Another cause of confusion during design is that Group and Role get mixed up. There is plenty of discussion about the difference between groups and roles under the generally accepted definitions: a group is a set of users maintained in the directory, while a role is a named set of permissions defined by the application. A designer who mixes the two will be confused. In this case, I noticed that they tried to define roles in Active Directory as a hierarchical structure. Starting from that point, they were led into messy concepts and could not get out of them. However, they immediately had a clear view after I told them that they could think about moving those "groups" in AD into a DB2 table as Roles first. Then they could think about how to implement their RBAC system. Then they could move those roles back into AD and use AD only as persistent storage, if they really wanted to do so.
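To make the separation concrete, here is an added example (not code from the original post or from the team it describes) of the table-first approach: roles and permissions live in the application's own tables, directory groups appear only as the thing being mapped onto roles, and the SSO side simply supplies the user's group memberships. sqlite3 stands in for DB2 so the example runs anywhere; the table names, role names, permission names and group DNs are all made up for illustration.

```python
"""RBAC kept in relational tables, with directory groups mapped onto roles.

Added example, not from the original post. sqlite3 stands in for DB2;
all table, role, permission and group names below are constructed.
"""
import sqlite3

SCHEMA = """
CREATE TABLE role (
    role_id INTEGER PRIMARY KEY,
    name    TEXT NOT NULL UNIQUE            -- the application's vocabulary
);
CREATE TABLE permission (
    perm_id INTEGER PRIMARY KEY,
    name    TEXT NOT NULL UNIQUE            -- e.g. 'invoice:approve'
);
CREATE TABLE role_permission (
    role_id INTEGER NOT NULL REFERENCES role(role_id),
    perm_id INTEGER NOT NULL REFERENCES permission(perm_id),
    PRIMARY KEY (role_id, perm_id)
);
-- A directory group is NOT a role: it is only evidence of membership.
-- This table is the single place where groups are bound to roles, so the
-- directory never has to carry a role hierarchy of its own.
CREATE TABLE group_role (
    group_dn TEXT NOT NULL,                 -- as asserted by the SSO / AD side
    role_id  INTEGER NOT NULL REFERENCES role(role_id),
    PRIMARY KEY (group_dn, role_id)
);
"""

# Constructed sample group DNs (hypothetical directory).
CLERKS = "CN=Finance-Clerks,OU=Groups,DC=example,DC=com"
MANAGERS = "CN=Finance-Managers,OU=Groups,DC=example,DC=com"
AUDITORS = "CN=Internal-Audit,OU=Groups,DC=example,DC=com"
EVERYONE = "CN=Domain Users,CN=Users,DC=example,DC=com"   # deliberately unmapped


def norm_dn(dn):
    """DNs compare case-insensitively in AD; normalise before storing or matching."""
    return dn.strip().lower()


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")
    db.executescript(SCHEMA)
    return db


def add_role(db, role_name, perm_names):
    """Define a role as a named set of permissions."""
    db.execute("INSERT INTO role(name) VALUES (?)", (role_name,))
    role_id = db.execute("SELECT role_id FROM role WHERE name = ?", (role_name,)).fetchone()[0]
    for perm in perm_names:
        db.execute("INSERT OR IGNORE INTO permission(name) VALUES (?)", (perm,))
        perm_id = db.execute("SELECT perm_id FROM permission WHERE name = ?", (perm,)).fetchone()[0]
        db.execute("INSERT INTO role_permission(role_id, perm_id) VALUES (?, ?)", (role_id, perm_id))


def map_group(db, group_dn, role_name):
    """Bind a directory group to an existing role. Unmapped groups confer nothing."""
    row = db.execute("SELECT role_id FROM role WHERE name = ?", (role_name,)).fetchone()
    if row is None:
        raise ValueError(f"unknown role: {role_name}")
    db.execute("INSERT INTO group_role(group_dn, role_id) VALUES (?, ?)", (norm_dn(group_dn), row[0]))


def effective_permissions(db, group_dns):
    """Resolve the permissions a user holds, given the groups the SSO side reports."""
    dns = [norm_dn(g) for g in group_dns]
    if not dns:
        return set()
    placeholders = ",".join("?" * len(dns))      # only '?' markers are interpolated
    rows = db.execute(
        f"""SELECT DISTINCT p.name
              FROM group_role gr
              JOIN role_permission rp ON rp.role_id = gr.role_id
              JOIN permission p       ON p.perm_id = rp.perm_id
             WHERE gr.group_dn IN ({placeholders})""",
        dns,
    ).fetchall()
    return {name for (name,) in rows}


def is_allowed(db, group_dns, perm):
    """Authorisation check: does any role reachable from these groups grant perm?"""
    return perm in effective_permissions(db, group_dns)


def build_sample_db():
    """Constructed sample data: three roles, three mapped groups, one unmapped group."""
    db = open_db()
    add_role(db, "invoice-clerk", ["invoice:create", "invoice:read"])
    add_role(db, "invoice-approver", ["invoice:read", "invoice:approve"])
    add_role(db, "auditor", ["invoice:read", "audit:read"])
    map_group(db, CLERKS, "invoice-clerk")
    map_group(db, MANAGERS, "invoice-approver")
    map_group(db, AUDITORS, "auditor")
    return db


if __name__ == "__main__":
    db = build_sample_db()
    print(sorted(effective_permissions(db, [CLERKS, EVERYONE])))
    print(is_allowed(db, [CLERKS], "invoice:approve"))
```

Because the mapping is a flat table, adding a role, renaming a group, or deciding later to persist the role definitions in AD instead of DB2 touches one place, and a user who is only in groups nobody mapped (such as the constructed `Domain Users` above) gets no permissions at all.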