Application Security

Published on October 31, 2004

I've been reading Craig McMurtry's series on Application Security. It is interesting stuff, especially the use of ADAM as a repository for application security information. I certainly can understand why you would want to store user information in a central repository, but I am still struggling with the idea of storing all of the authorization information outside of the application database. What happens in a multi-database scenario? A user may have access rights to certain information in a database for one company, but not in the database for another company. Also, by moving the roles and role assignments out of the database, when I back up the database, I don't back up that information.

I guess if ADAM actually ran on Windows 2000 Server I would be a bit more concerned, but at this point it is going to be a few more years before the majority of my clients are running W2K3 Server.