I'm currently evaluating if Adaxes could be our access and identity management solution and find it very powerful. The only thing that's left is that we have some internally developed applications to which we grant general access through AD groups, but on a more granular basis additionally inside an Oracle database. That means that a user needs to be a member of an AD group, e.g. "APPLICATION-ONE-USER", to be authorized to use application "One", but additionally needs some entries inside a database which the application checks to allow or disallow certain things. We calculated that we would need about 2500 groups to solely manage that through AD groups.
Now I totally understand that Adaxes is an AD management tool (and with regard to the forum name I might even be off-topic), but is there any way that we could manage those privileges inside the Oracle database through Adaxes?
First I thought 'no problem, anything you can't do directly is possible through PowerShell'. And there are even examples available to exchange information with MS SQL Server. But how can one let the user pick certain roles inside the web interface depending on either groups he is already a member of or is trying to become a member of? I found so-called virtual properties which can be added to the interface and be evaluated in business rules without actually being real AD properties, but I'm not sure if there's a way to create that "cascading multi-select" we need.
I was able to "inject" CSS into the web interface through the footer config. So maybe it's possible to inject custom JavaScript, too, and do something to the virtual properties fields. If it's necessary, I would also create a REST service reading the current database entries that this JavaScript could access. As I wrote, it's crucial for us to have a single access point for the users to manage the privileges and their properties.
Any ideas how we could do it?