Page 84 - Cloud Migration Version 2012 english

certain degree of convenience (centralised singular authentication or even 
single sign‐on for all applications) and high security for authentication and 
the centralised management of roles and permissions (authorisation). 
Centralised management of identities and authorisation 
User databases are obviously not a discovery of the Cloud era. LDAP (Lightweight 
Directory Access Protocol) has been available for decades in various 
product‐specific forms as a way to manage an enterprise's identities. 
LDAPWIKI provides a history of the protocol and also lists systems and 
products that support the protocol and identity management in the form of 
directory services. 
Centralised management of identities also calls for the surrounding systems 
that actually make use of that central store. 
Seen on its own, an LDAP directory remains a simple database: its contents 
can of course be consulted, but they serve no further purpose by themselves. 
What characterises the centralised management of identities? 
Identity and role management 
LDAP user directories are organised by schemas. Usually, each LDAP‐based 
product implements one or more standard schemas (e.g. the OpenLDAP 
core.schema creates the basis for a typical user data record with fields such 
as name, company, title, telephone numbers, address details, email, etc.). 
The IdM or IAM challenge in relation to role management is to arrive at the 
most generic approach possible. What makes this difficult is not the 
technical storage in LDAP: pre‐defined schemas are already implemented, and 
freely defined enterprise‐specific schemas can generally be added to every 
product. The challenge lies in coming up with a design for role management 
that is sufficiently generic and at the same time comprehensive. 
A simple example would be a content management system that supports 
workflows with the following roles: Viewer, Contributor/Editor, Content 
Administrator, Approver, System Administrator. 
The opposite is a system built on permissions without roles, e.g. a web 
application platform including the following permissions: system login, 
monitoring, application deployment, restart servers, view log files