Many enterprise applications implement user authentication and authorization using a role- or group-membership-based protocol, such as the Microsoft Windows® Active Directory® directory service. Directory services for Windows® domain networks assign permissions to roles or groups, and users or other “nested” groups are made members of those groups in order to grant and control access to resources.
A customer environment that includes many client systems may employ a “membership” access model, such as Active Directory, to issue client certificates that establish access control rights for one or more applications. However, cloud-based application execution platforms may employ an authentication model that restricts how groups are managed. For example, a cloud environment's authentication model may not support group nesting, may set a maximum number of total groups, may restrict users to membership in a maximum number of groups, and so on.
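The mismatch described above, as an added illustration that is not part of the application text: nested directory groups are flattened into the direct memberships a cloud platform without nesting support would require, and each user's flattened count is checked against a per-user group cap. The sample directory and the cap value are constructed for the example; the cycle between groups shows why a naive recursive flatten must track visited groups.

```python
# Added example (not from the application): flatten nested, Active Directory
# style group membership and check it against a hypothetical cloud group cap.
from collections import deque

# Constructed sample directory: group -> direct members (users or nested groups).
DIRECTORY = {
    "App-Admins": ["alice", "Ops-Team"],
    "Ops-Team": ["bob", "On-Call"],
    "On-Call": ["carol", "App-Admins"],   # nesting cycle; must not loop forever
    "Finance": ["alice", "dave"],
    "Readers": ["Finance", "bob"],
}


def effective_groups(user, directory):
    """Return the set of groups the user is transitively a member of."""
    # Reverse index: member -> groups that directly contain that member.
    parents = {}
    for group, members in directory.items():
        for member in members:
            parents.setdefault(member, set()).add(group)
    seen = set()
    queue = deque(parents.get(user, ()))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue  # already visited, or a membership cycle
        seen.add(group)
        queue.extend(parents.get(group, ()))
    return seen


def over_limit(directory, max_groups):
    """Map each user whose flattened membership exceeds max_groups to the count.

    max_groups stands in for a (hypothetical) cloud per-user membership cap.
    """
    users = {m for members in directory.values() for m in members
             if m not in directory}
    counts = {u: len(effective_groups(u, directory)) for u in users}
    return {u: n for u, n in counts.items() if n > max_groups}


if __name__ == "__main__":
    for user in sorted({m for ms in DIRECTORY.values() for m in ms
                        if m not in DIRECTORY}):
        print(user, sorted(effective_groups(user, DIRECTORY)))
    print("over cap of 3:", over_limit(DIRECTORY, 3))
```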
While embodiments are described herein by way of example for several embodiments and illustrative drawings, those skilled in the art will recognize that the embodiments are not limited to the embodiments or drawings described. It should be understood that the drawings and detailed description thereto are not intended to limit embodiments to the particular form disclosed, but on the contrary, the intention is to cover all modifications, equivalents and alternatives falling within the spirit and scope as defined by the appended claims. The headings used herein are for organizational purposes only and are not meant to be used to limit the scope of the description or the claims. As used throughout this application, the word “may” is used in a permissive sense (i.e., meaning having the potential to), rather than the mandatory sense (i.e., meaning must). Similarly, the words “include,” “including,” and “includes” mean including, but not limited to.