AD Users and Roles created using User Sources manage users button

I am reading the docs and threads to understand how we can implement Security Levels and Roles and I would like some feedback on this brief summation:

In order to provide (IMO granular) permissions on a view object, and while using AD, I either need to:

  • Create an AD group for each role that I think I need
  • Or use more general AD groups and use the AD/Database Hybrid to further extend the granularity of permissions.

For this example, I am building a Request for Purchase application. Let's say a Tech submits a request for more tools; this then goes up the chain of approval. Each user that interacts with this request may or may not have authority to make a decision on, or edits to, the request.

Let's say I need five levels of permissions for the various operations as it climbs the ladder, gets ordered and then received.

If I were to use AD only, this means that IT would need to create five AD groups just for this situation and I would depend on IT to add/remove users to/from these groups when IT is available.

If I were to use AD/Database Hybrid, then I could create these roles in the DB and add/remove as I needed, since I'm the DB admin and IGN admin.

Does this sound like an accurate assessment of the two options using authentication with AD?

That sounds about right to me. I have a similar system for users to request prox cards and access, albeit with fewer levels than you. I chose to go with the AD and not the AD hybrid, as the one-time setup of the security groups by IT was pretty easy and we have an easy way to request those groups for individuals.

A side note about the AD Hybrid. I had experimented with the AD hybrid user source and found that it was tanking my server's CPU every time it queried Active Directory. Support was able to figure out it was executing one query for every user, which was over 8k for me.
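The two points raised in this thread, a database-side role table that the app admin can maintain without waiting on IT (the hybrid option in the question), and the cost of resolving roles with one query per user (the side note in the reply), can be shown together in a small stand-alone script. This is an added illustration, not Ignition's AD/Database Hybrid user source or its API: it assumes AD has already authenticated the users and handed over their usernames (a constructed list below), and keeps the per-stage roles for the purchase-request chain in an in-memory SQLite table with constructed sample grants. The role names, usernames and table layout are all assumptions for the example.

```python
import sqlite3

# One application role per approval stage, in the order a request climbs the chain.
# These names are constructed for the example.
STAGES = ["submit", "supervisor_approve", "manager_approve", "order", "receive"]

# Constructed sample: usernames as AD would supply them, plus the DB-side role grants.
SAMPLE_USERS = ["tech01", "sup01", "mgr01", "buyer01", "dock01", "tech02"]
SAMPLE_GRANTS = [
    ("tech01", "submit"), ("tech02", "submit"),
    ("sup01", "supervisor_approve"),
    ("mgr01", "manager_approve"),
    ("buyer01", "order"),
    ("dock01", "receive"),
]


def build_store():
    """Create an in-memory SQLite role store seeded with the constructed grants."""
    conn = sqlite3.connect(":memory:")
    # SQLite only enforces foreign keys when asked; enabling them means a grant
    # naming a role that does not exist in the catalogue is rejected.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript("""
        CREATE TABLE roles (role TEXT PRIMARY KEY, stage_index INTEGER NOT NULL);
        CREATE TABLE user_roles (
            username TEXT NOT NULL,
            role     TEXT NOT NULL REFERENCES roles(role),
            PRIMARY KEY (username, role)
        );
    """)
    conn.executemany("INSERT INTO roles VALUES (?, ?)",
                     [(stage, i) for i, stage in enumerate(STAGES)])
    conn.executemany("INSERT INTO user_roles VALUES (?, ?)", SAMPLE_GRANTS)
    conn.commit()
    return conn


def grant(conn, username, role):
    """Add a role to a user; raises sqlite3.IntegrityError for an unknown role."""
    with conn:
        conn.execute("INSERT INTO user_roles VALUES (?, ?)", (username, role))


def roles_one_query_per_user(conn, usernames):
    """The costly pattern from the reply: one round trip per user (N queries)."""
    result = {}
    for name in usernames:
        rows = conn.execute(
            "SELECT role FROM user_roles WHERE username = ?", (name,)).fetchall()
        result[name] = {row[0] for row in rows}
    return result


def roles_batched(conn, usernames):
    """Same answer with a single query for the whole user list."""
    usernames = list(usernames)
    result = {name: set() for name in usernames}
    if not usernames:
        return result
    # Only "?" markers are interpolated; the values themselves stay bound parameters.
    placeholders = ",".join("?" * len(usernames))
    rows = conn.execute(
        f"SELECT username, role FROM user_roles WHERE username IN ({placeholders})",
        usernames).fetchall()
    for name, role in rows:
        result[name].add(role)
    return result


def count_queries(conn, loader, usernames):
    """Count SQL statements a loader issues, using sqlite3's trace callback."""
    counter = {"n": 0}

    def trace(_sql):
        counter["n"] += 1

    conn.set_trace_callback(trace)
    try:
        loader(conn, usernames)
    finally:
        conn.set_trace_callback(None)
    return counter["n"]


def can_act(role_map, username, stage):
    """A user may act on a request at `stage` only if they hold that stage's role.
    Holding a higher-stage role does not imply the lower-stage ones."""
    return stage in role_map.get(username, set())


if __name__ == "__main__":
    conn = build_store()
    print("queries, one per user:", count_queries(conn, roles_one_query_per_user, SAMPLE_USERS))
    print("queries, batched:     ", count_queries(conn, roles_batched, SAMPLE_USERS))
    roles = roles_batched(conn, SAMPLE_USERS)
    print("sup01 at supervisor_approve:", can_act(roles, "sup01", "supervisor_approve"))
    print("mgr01 at supervisor_approve:", can_act(roles, "mgr01", "supervisor_approve"))
```

Run it as-is and the per-user loader issues six statements for six users while the batched loader issues one; with 8k users the first pattern is 8k round trips on every refresh, which is the behaviour the reply describes. The role catalogue plus foreign key is the part that makes the DB-side table safe to hand to an app admin: a typo in a role name fails at insert time instead of silently creating a role nobody checks for.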