If you tell enough stories, perhaps the moral will show up.

2008-04-09

Microsoft Abandons AD Shock!

The Microsoft Dynamics CRM product is probably on the shortlist for every greenfield CRM implementation. It's on ours simply because we've slipped a couple of versions in our existing system.

It's no surprise. The system, developed entirely internally by Microsoft, is a showcase for the options available for .NET applications: SQL, IIS, Async, Workflow and the rest. It's a modern architecture and I think it would be fair to say that this is how MS expect applications to be built now. Which means that it also contains a really good joke.

Remember Active Directory? I do; in fact, I'm pretty sure it was going to be at the heart of the modern enterprise. What that means is a question for another time; what's clear for now is that Microsoft doesn't believe it any more. Dynamics CRM 4.0 barely touches the AD after the user has authenticated. All the access control and all of the organisational structure are built entirely in the application data structures. Domain groups? We've heard of them!

I asked whether this put the DBAs into an access control role we've tried to limit to the helpdesk. The answer was a peach: the data are very normal, but nonetheless too complicated to edit by hand. And the DBAs won't have the access anyway...

Goodbye AD. Goodbye ACLs. Goodbye integrated access control. I never really believed, but for a while I did hope.
