Roles or Active Directory group management?
Posted by Edward Killeen on Thu, Jun 07, 2012
It's an age-old question: do you want to go with roles or Active Directory group management? The answer is, why do you have to choose? Do both. Roles and groups.
Let me explain.
Windows uses security groups; there is no getting around that. You have probably accumulated a ton of these groups over the years (and that's a problem in and of itself, ahem, token bloat). But the best part is that roles and Active Directory groups can co-exist and even complement each other.
Roles, and especially dynamic roles, are invaluable. They exist outside of AD, so they can be applied to enterprise authorization for any system, to file share permissions, and to any flavor of LDAP directory or even databases. They can even determine who can do what to AD groups.
And here's the kicker: you can make a role equal an Active Directory group. So if you have one specific group that you know is updated (or if you manage that group dynamically) and you want to assign rights and permissions outside of the Microsoft ecosystem, make the membership of that role an AD group in your RBAC-powered metadirectory and you suddenly have an Active Directory group granting permissions everywhere!
This is especially useful if you have invested heavily in Active Directory group management in the past and want to leverage all of that hard work.
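A sketch of the role-equals-group idea above, added here as an illustration and not EmpowerID's code or API: a role takes its membership from an AD group and carries grants in non-AD systems. The group names, users, grants and function names are all constructed, and the sketch also resolves nested groups, because everyone reachable through nesting inherits the role's rights.

```python
# Constructed sample data; none of this is EmpowerID's schema or API.
# AD group -> direct members. A "grp:" prefix marks a nested group.
AD_GROUPS = {
    "Finance-Analysts": {"alice", "bob", "grp:Finance-Contractors"},
    "Finance-Contractors": {"carol", "grp:Finance-Analysts"},  # circular nesting
    "Helpdesk": {"dave"},
}
# Role membership is either an AD group or an explicit user list.
ROLES = {
    "FinanceReporting": {"ad_group": "Finance-Analysts"},
    "Auditor": {"users": {"erin"}},
}
# What each role grants in systems outside Active Directory.
ROLE_GRANTS = {
    "FinanceReporting": {("erp-db", "read reports"), ("ldap", "read ou=finance")},
    "Auditor": {("erp-db", "read audit log")},
}

def expand_group(name, groups, seen=None):
    """All users in a group, visiting each nested group once (cycle-safe)."""
    seen = set() if seen is None else seen
    if name in seen or name not in groups:
        return set()
    seen.add(name)
    users = set()
    for member in groups[name]:
        if member.startswith("grp:"):
            users |= expand_group(member[4:], groups, seen)
        else:
            users.add(member)
    return users

def role_members(role):
    """Explicit users plus everyone resolved from the role's AD group."""
    spec = ROLES[role]
    members = set(spec.get("users", ()))
    if "ad_group" in spec:
        members |= expand_group(spec["ad_group"], AD_GROUPS)
    return members

def effective_grants(user):
    """Every (system, right) pair the user holds through any role."""
    return {g for r in ROLES if user in role_members(r) for g in ROLE_GRANTS.get(r, ())}

def nested_only_members(role):
    """Users holding the role only via nesting: the entries worth reviewing."""
    group = ROLES[role].get("ad_group")
    direct = {m for m in AD_GROUPS.get(group, ()) if not m.startswith("grp:")}
    return expand_group(group, AD_GROUPS) - direct if group else set()
```

In this sample, carol is never a direct member of Finance-Analysts, yet she receives the ERP and LDAP grants; that is the membership to audit before a group is promoted to a role.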
Contact us for a demonstration of how to make roles and AD groups live peacefully together.