Permission expansion problems

Source: Internet
Author: User


By Yunshu

My previous posts have run too long, so today I want to talk briefly about the problem of permission expansion (authorization that grows broader than intended). The problem exists in web systems too, but here I only look at the network side.

Most companies use Active Directory to manage the company's PCs and employee information, and network devices use the user and group information held on the domain controller (DC) for authentication and authorization; examples are NetScreen UAC, Array VPN, Cisco VPN and so on. The request may also be forwarded through several authentication servers such as RSA and ACS. The advantage of this deployment is that it integrates well with the company's organizational structure: by mapping the organizational-structure information in AD to local device groups, authorization follows the employee's department dynamically, and it can even be integrated with the human resources management system.

The problem, however, is that the device holds only a single local group ID mapped to an Active Directory group, and all authorization is based on that group. In a large company a department may contain several sub-groups that do not appear in the organizational structure, or special cases such as outsourced personnel, so even at the finest level of the organizational structure the permissions of the people it contains need to be differentiated further. Group-based authorization is too coarse-grained for this, and the result is that every other employee in the same department ends up with expanded permissions.

In theory, the most intuitive solution is that all users in a group share the same basic permissions, and individual users are additionally granted different special permissions on top of the permissions they inherit from the group they belong to. But when an external authentication server is used, the network device knows only about groups; it has no concept of individual users at all, because the users are stored on the external authentication server.

I think it could work for the network device to regularly import all user information from the external authentication source such as AD into its local configuration, and to grant special permissions to particular users there. Authentication would still go to the external authentication server as before; when the verification result and group information come back, the device would check permissions based on the group and additionally check the permissions it has granted to that user locally.
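To make the two models concrete, here is an added Python sketch (not from this post or any vendor product) that puts group-only authorization beside the group-plus-local-user refinement proposed above. The users, AD groups and permission names are constructed for illustration; the contractor "bob" shares an AD group with a full-time employee and shows the expansion problem.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed sample: what the external (AD-backed) authentication server
# returns on a successful login, namely the user's group memberships.
AD_DIRECTORY: Dict[str, Set[str]] = {
    "alice": {"CN=Finance"},       # full-time finance employee
    "bob":   {"CN=Finance"},       # outsourced contractor in the same AD group
    "carol": {"CN=Engineering"},
}

# Scheme 1: one local device group per AD group; every permission hangs off the group.
GROUP_ONLY_POLICY: Dict[str, Set[str]] = {
    "CN=Finance": {"finance-vlan", "erp-server", "payroll-db"},
    "CN=Engineering": {"dev-vlan"},
}

@dataclass
class DevicePolicy:
    """Scheme 2: a minimal per-group baseline plus per-user grants held locally."""
    group_policy: Dict[str, Set[str]]
    user_grants: Dict[str, Set[str]] = field(default_factory=dict)

def authenticate(username: str) -> Optional[Set[str]]:
    """Stand-in for the external authentication server: groups on success, None on failure."""
    return AD_DIRECTORY.get(username)

def authorize_group_only(username: str) -> Set[str]:
    """Scheme 1: anyone in the group gets everything the group is mapped to."""
    groups = authenticate(username)
    if groups is None:
        return set()
    return set().union(*(GROUP_ONLY_POLICY.get(g, set()) for g in groups))

def authorize_refined(username: str, policy: DevicePolicy) -> Set[str]:
    """Scheme 2: group baseline from AD, plus the grants the device holds for this user."""
    groups = authenticate(username)
    if groups is None:
        return set()
    perms = set().union(*(policy.group_policy.get(g, set()) for g in groups))
    return perms | policy.user_grants.get(username, set())

# Constructed refined policy: the group keeps only the baseline, sensitive
# resources are granted per user after the user list has been imported.
REFINED = DevicePolicy(
    group_policy={"CN=Finance": {"finance-vlan"}, "CN=Engineering": {"dev-vlan"}},
    user_grants={"alice": {"erp-server", "payroll-db"}},
)
```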

But I have not found a VPN or UAC device that implements permissions this way. Is that because there is a problem with the implementation, because I simply have not found it, or because there is no need to refine permission granularity on the network to this level?
