1 Reply Latest reply on Sep 18, 2012 1:02 PM by crestenst

    Taking Authorization to the next level: ldap to ldap and database


      Currently we use CQ with LDAP to provide authorization of content in the JCR, and it works well for the few ldap groups we have; the ldap groups represent the areas of content that we would like to grant/deny access to.

      So here is an example:

      User “joe” is part of ldap group “About Page” so joe is able to access the About Page

      User “john” is not part of the “About Page” ldap group and therefore does not have access to the About Page. (This was a simple example to explain.)


      Now we want to take this a step further and provide access to JCR content based on attributes of a user (e.g. access based on what organization a user is associated with). Now obviously we can’t create an ldap group for each organization, since we could potentially have thousands of organizations, so my question is: has anybody run into a similar situation where they granted/denied access to content based on user attributes (or some custom attribute)? If so, I would be delighted if you could share your experience.

      And here is the example:

      1. User "joe" is part of two organizations : Foo and FooBar

      2. He may log in once to the website (SSO) and switch between the two organizations: Foo and FooBar

      3. When he is on the website as a member of Foo he should see only content related to Foo and only content that he has access to.

      4. Now each organization has balance sheets that a user may or may not have access to

      5. Joe is allowed to see balance sheet for Foo but not for FooBar

      6. So when Joe logs in and switches to Foo he can see the balance sheet page/component

      7. However when Joe switches to organization FooBar he is denied access to balance sheet.


      My thoughts:

      1. Create ldap groups for protected content areas

      2. Add joe to ldap group "balanceSheet"

      3. Have a table in the Database with three columns | user | ldap group | Organization |

      4. Look into the table to determine if the user has access to the content by looking at the ldap group they belong to and the associated organization.



      How can CQ be configured/modified to look at the cookie to figure out what organization the user is representing, and then go to the DB table and figure out whether the user should be allowed to access the content?



      Would appreciate any insight
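The decision logic sketched in the post (LDAP group membership combined with a user | ldap group | organization table, with the active organization taken from a session cookie) as an added example that is not part of the original post or of CQ itself. All data is constructed for illustration: the LDAP group sets, the organization memberships, the table rows and the content paths are assumptions, not anything from the original thread. The one point the example adds beyond the post is that the organization named in the cookie is checked against the organizations the user actually belongs to before the table is consulted, and that every path not matched by a rule is denied.

```python
# Constructed sample data standing in for the LDAP directory: user -> ldap groups.
LDAP_GROUPS = {
    "joe": {"About Page", "balanceSheet"},
    "john": {"balanceSheet"},
}

# Constructed: the organizations each user is allowed to represent after SSO login.
USER_ORGS = {
    "joe": {"Foo", "FooBar"},
    "john": {"FooBar"},
}

# Constructed rows of the three-column table from the post: (user, ldap group, organization).
# A row means "this user may use this ldap group's content while representing this organization".
ACCESS_TABLE = {
    ("joe", "balanceSheet", "Foo"),
    ("john", "balanceSheet", "FooBar"),
}

# Constructed mapping of protected content paths to the ldap group that guards them and
# whether the content is organization-scoped (needs a table row) or group-only.
PROTECTED_CONTENT = {
    "/content/site/about": ("About Page", False),
    "/content/site/balance-sheet": ("balanceSheet", True),
}


def active_organization(user, cookie_org):
    """Return the organization the session represents, or None when the cookie
    names an organization the user does not belong to (an untrusted cookie value)."""
    if cookie_org in USER_ORGS.get(user, set()):
        return cookie_org
    return None


def can_access(user, path, cookie_org):
    """Deny-by-default decision: unknown paths, missing ldap membership, a cookie
    organization the user is not part of, or a missing table row all yield False."""
    rule = PROTECTED_CONTENT.get(path)
    if rule is None:
        return False
    required_group, org_scoped = rule
    if required_group not in LDAP_GROUPS.get(user, set()):
        return False
    if not org_scoped:
        return True  # group membership alone decides, as in the About Page example
    org = active_organization(user, cookie_org)
    if org is None:
        return False
    return (user, required_group, org) in ACCESS_TABLE


if __name__ == "__main__":
    # Joe sees the balance sheet as Foo but not as FooBar.
    print(can_access("joe", "/content/site/balance-sheet", "Foo"))
    print(can_access("joe", "/content/site/balance-sheet", "FooBar"))
```

Whatever component in CQ ends up evaluating the request, the table lookup should be keyed on the organization the user can prove membership of, never on the raw cookie string alone, otherwise switching the cookie value is enough to borrow another organization's view.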