I am reading the docs and threads to understand how we can implement Security Levels and Roles and I would like some feedback on this brief summation:
In order to provide (IMO granular) permissions on a view object, and while using AD, I either need to:
- create an AD group for each role that I think I need
- Or, use more general AD groups and use the AD/Database Hybrid to further extend the granularity of permissions.
For this example, I am building a Request for Purchase application. Let's say a Tech submits a request for more tools; this then goes up the chain of approval. Each user that interacts with this request may or may not have authority to make a decision on, or edits to, the request.
Let's say I need five levels of permissions for the various operations as it climbs the ladder, gets ordered and then received.
If I were to use AD only, this means that IT would need to create five AD groups just for this situation and I would depend on IT to add/remove users to/from these groups when IT is available.
If I were to use AD/Database Hybrid, then I could create these roles in the DB and add/remove as I needed, since I'm the DB admin and IGN admin.
Does this sound like an accurate assessment of the two options using authentication with AD?