Well, here's what I do. I use Active Directory groups to manage access to different areas of our intranet. There are a few instances where I create pseudo groups from our main business system, but in the near future, that's going to change to use Active Directory as well.
I have an OU in AD that contains all groups used for security on my web site. If someone needs access to an area, then several people in our dept can add them. Eventually, I will create an interface so that the primary contacts, across campus, can determine, themselves, who has access to their online resources. I use the "managedBy" attribute to tell who is the group's primary contact. (We have quite a bit of turnover, but accounts don't always get removed from security groups as they should. By putting some of the group administration in the hands of the dept heads, they can help keep our AD up-to-date.)

When a user logs in, I query AD using CFLDAP. I store their group membership in an array, or query object, in their session scope. Then, where needed, I only have to call a single function that accepts multiple roles. It goes something like this:

<cfif isUserInGroup("group1,group2,groupn")>

Most of the intranet is read-only content. However, there are a few areas where some people have more access to the data. In those cases, I only have to create a new domain group and add them. It has worked great for the last few years and I'm getting ready to do the same thing on the redesign of our intranet.

M!ke

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:260064
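One way to build the pattern the post describes (look up the user's groups with CFLDAP at login, cache them in the session, then gate pages with a single role check). This is an added example, not M!ke's code: the domain controller, base DN, OU name and service account are placeholders, `ldapEscape` is a hypothetical helper written here because ColdFusion has no built-in LDAP filter escaper, and the nested-group lookup using the LDAP_MATCHING_RULE_IN_CHAIN OID goes beyond what the post says (the post only mentions reading group membership from AD).

```cfml
<!--- Added example, not code from the original post. Placeholders: dc01.example.edu,
      DC=example,DC=edu, the "Web Security Groups" OU and the svc-intranet-ldap account.
      Assumes the app binds with a read-only service account whose password lives in
      the application scope and that group CNs are the names used in role lists. --->

<!--- Hypothetical helper: RFC 4515 escaping so a login name such as "a)(cn=*"
      cannot rewrite the LDAP filter. Backslash is escaped first. --->
<cffunction name="ldapEscape" returntype="string" output="false">
    <cfargument name="value" type="string" required="true">
    <cfset var s = arguments.value>
    <cfset s = replace(s, "\", "\5c", "all")>
    <cfset s = replace(s, "*", "\2a", "all")>
    <cfset s = replace(s, "(", "\28", "all")>
    <cfset s = replace(s, ")", "\29", "all")>
    <cfset s = replace(s, chr(0), "\00", "all")>
    <cfreturn s>
</cffunction>

<!--- Returns the lower-cased CNs of every security group in the OU that the user
      belongs to, directly or through nested groups. --->
<cffunction name="loadUserGroups" returntype="array" output="false">
    <cfargument name="sAMAccountName" type="string" required="true">
    <cfset var qUser = "">
    <cfset var qGroups = "">
    <cfset var groups = arrayNew(1)>

    <!--- 1. Resolve the login name to the user's DN. --->
    <cfldap action="query"
            server="dc01.example.edu"
            username="EXAMPLE\svc-intranet-ldap"
            password="#application.ldapPassword#"
            start="DC=example,DC=edu"
            scope="subtree"
            filter="(&(objectClass=user)(sAMAccountName=#ldapEscape(arguments.sAMAccountName)#))"
            attributes="distinguishedName"
            name="qUser">
    <cfif qUser.recordCount NEQ 1>
        <cfreturn groups>
    </cfif>

    <!--- 2. Ask AD for groups under the security OU that contain this DN.
          The :1.2.840.113556.1.4.1941: matching rule makes AD walk nested
          membership; reading memberOf on the user object would miss groups the
          user is in only via another group. --->
    <cfldap action="query"
            server="dc01.example.edu"
            username="EXAMPLE\svc-intranet-ldap"
            password="#application.ldapPassword#"
            start="OU=Web Security Groups,DC=example,DC=edu"
            scope="subtree"
            filter="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=#ldapEscape(qUser.distinguishedName)#))"
            attributes="cn"
            name="qGroups">
    <cfloop query="qGroups">
        <cfset arrayAppend(groups, lCase(qGroups.cn))>
    </cfloop>
    <cfreturn groups>
</cffunction>

<!--- The single check the post describes: true if the user is in ANY of the
      comma-separated roles. Denies when no group list is in the session. --->
<cffunction name="isUserInGroup" returntype="boolean" output="false">
    <cfargument name="roles" type="string" required="true">
    <cfset var role = "">
    <cfif NOT structKeyExists(session, "groups")>
        <cfreturn false>
    </cfif>
    <cfloop list="#arguments.roles#" index="role">
        <cfif arrayFindNoCase(session.groups, trim(role))>
            <cfreturn true>
        </cfif>
    </cfloop>
    <cfreturn false>
</cffunction>

<!--- At login (after the password has been verified against AD): --->
<cfset session.groups = loadUserGroups(form.username)>

<!--- On a protected page: --->
<cfif NOT isUserInGroup("intranet-hr-editors,intranet-admins")>
    <cfabort showerror="Access denied">
</cfif>
```

Because membership is read once and cached, removing someone from a group does not take effect until their session ends, so the session timeout is effectively the revocation delay; re-running `loadUserGroups` on a timer, or on every request for the few write-access areas, closes that window. The nested-group query also covers the turnover problem the post mentions only as far as AD is accurate: an account left in a group still passes the check, which is why the `managedBy` review the post describes matters.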