Application Security, Part 16

At this point, let’s return to our scenario. Remember that our client organization has Active Directory as its directory service, while our application uses ADAM as its user data repository. Everyone in the organization is catalogued in the Active Directory, and the folks who will be using TaskVision II are a subset of those individuals. Suppose, in fact, that the network administrators tell us that everyone who is to be entitled to use our application has been added to a group that the administrators have created within the Active Directory called YourApplicationUsers. Well, that has two consequences for our work with MIIS. First, it means that users projected into the MIIS metaverse from Active Directory must be propagated into ADAM, a process that is called provisioning. Second, only those users in the YourApplicationUsers group within Active Directory should be provisioned in ADAM.
Now, I have to tell you that the documentation for MIIS does not make it very clear how to accomplish either of these two tasks. You might be surprised by that, and especially by the fact that provisioning is not well covered. After all, you may be asking, isn’t that what MIIS is for? Well, actually, no: provisioning users from one system into another is not the core function that MIIS was meant to perform. MIIS was intended to keep pre-existing objects in various repositories in sync with one another. But if the online documentation, which consists of an administrator’s guide and a programmer’s reference to the MIIS API, is no use, then what is one to do? It so happens that if you look on the MIIS CDs, you will find several lengthy documents in Word format that describe the accompanying samples. That material covers both of the tasks facing us: provisioning users in ADAM that exist in Active Directory, and ensuring that only those users that are in the TaskVisionUsers group in Active Directory are provisioned in ADAM.
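To make the two tasks concrete, here is an added example of an MIIS metaverse rules extension (written for this article, not taken from the MIIS samples or from the TaskVision code) that provisions a metaverse person into ADAM only while that person belongs to the entitling group, and deprovisions the ADAM connector when membership is lost. It assumes, since the page does not state them, that the ADAM management agent is named "ADAM MA", that ADAM users live under "OU=Users,O=TaskVision", that the Active Directory MA flows the user’s group memberships into a multivalued metaverse string attribute named `applicationGroups`, and that the group’s distinguished name is the placeholder shown; the group itself is the one the section calls TaskVisionUsers (YourApplicationUsers earlier).

```csharp
// Added example, not code from the article or from the MIIS samples.
// Assumptions (not stated on the page): MA name "ADAM MA", container
// "OU=Users,O=TaskVision", metaverse attribute "applicationGroups" holding group DNs,
// and a placeholder group DN. The entitlement check is the gate that keeps
// non-members out of ADAM; the deprovision branch removes access when membership ends.
using System;
using Microsoft.MetadirectoryServices;

public class MVExtensionObject : IMVSynchronization
{
    private const string AdamMAName = "ADAM MA";                        // assumed MA name
    private const string AdamUserContainer = "OU=Users,O=TaskVision";    // assumed container
    private const string EntitlingGroupDn =
        "CN=TaskVisionUsers,OU=Groups,DC=example,DC=com";                // placeholder DN

    public void Initialize() { }
    public void Terminate() { }

    // Called for every metaverse object after inbound synchronization.
    public void Provision(MVEntry mventry)
    {
        if (mventry.ObjectType != "person")
            return;

        ConnectedMA adam = mventry.ConnectedMAs[AdamMAName];
        bool entitled = IsEntitled(mventry);

        if (entitled && adam.Connectors.Count == 0)
        {
            // Create the ADAM user. The RDN is escaped so a cn containing commas or
            // other DN metacharacters cannot change the container the object lands in.
            CSEntry csentry = adam.Connectors.StartNewConnector("user");
            csentry.DN = adam.EscapeDNComponent("CN=" + mventry["cn"].Value)
                             .Concat(AdamUserContainer);
            if (mventry["mail"].IsPresent)
                csentry["userPrincipalName"].Value = mventry["mail"].Value; // assumed flow
            csentry.CommitNewConnector();
        }
        else if (!entitled && adam.Connectors.Count > 0)
        {
            // Membership revoked: disconnect the ADAM object (the MA's deprovisioning
            // option decides whether it is deleted or left as a disconnector).
            adam.Connectors.ByIndex[0].Deprovision();
        }
    }

    // A person is entitled only if the metaverse attribute lists the group's DN.
    private static bool IsEntitled(MVEntry mventry)
    {
        Attrib groups = mventry["applicationGroups"];
        if (!groups.IsPresent)
            return false;
        foreach (Value v in groups.Values)
        {
            if (string.Equals(v.ToString(), EntitlingGroupDn, StringComparison.OrdinalIgnoreCase))
                return true;
        }
        return false;
    }

    // Keep the metaverse object when a connector disappears; Active Directory stays
    // authoritative for who exists.
    public bool ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry)
    {
        return false;
    }
}
```

Compiled into an assembly and registered as the metaverse rules extension, this runs during synchronization of each person object. Doing the group test in one place means a user removed from the group is deprovisioned on the next run rather than lingering in ADAM with a working login, which is the failure mode a one-time import would leave behind.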