http://www.scanguru.com/page.php?9

My advise, keep the authentication central via your AD system and let each application, manage its own authorization model. Organizations can standardize on the tools/model to be used for authorization. This can provide a good delegated admin model also where an application admin can manage privileges for his/her set of application users

My two cents on ECM security, having dealt with many implementations from a migration
point-of-view, is that access rights to content (be thay ACL-Role, Asset-ACL or whatever) should be maintained by the ECM.

That is to say… I’m a great believer in keeping the metadata alongside the content and
to me access right information is nothing more than metadata. So I guess I take an
asset-centric point-of-view.

I think what is needed is industry standardisation around accesss rights. You right in
pointing out that security is more than just providing connectors into LDAP directories
to perform authentication requests.

Efforts like SAML are still “authentication-focused”, which is disappointing. I’m surprised not more is being done in this area to standardise the “access-rights” problem. There’s hardly any competitive edge to be found in the security implementations from one CMS to another.

I guess vendors are taking the “walled garden”-approach and hoping to cash-in on lock-in through lack of standardisation.

I believe that Centralizing Authorization is not such a good idea. It creates a “cyclic dependancy” between the portal and the applications.
The Central Authorization Server needs to know all roles which exist in all the accessed application in order to do that.

Also the applications hardly ever agree on the security model – and we find the applications using a mix of ACL-Role , Role-Resource-Operation, and a unix style Asset-ACL authorization model.
Even if all the systems were using JAAS – centralizing authorization will require a dependance during application maintenance and administration.