I’ve been reading Craig McMurtry’s series on Application Security. It is interesting stuff, especially the use of ADAM as repository for application security information. I certainly can understand why you would want to store user information in a central repository, but I am still struggling with the idea of storing all of the authorization information outside of the application database. What happens in a multi-database scenario? A user may have access rights to certain information in a database for one company, but not in the database for another company. Also, by moving the roles and role assignments out of the database, when I back up the database, I don’t back up that information. I guess if ADAM actually ran in Windows 2000 server I would be a bit more concerned, but at this point it is going to be a few more years before the majority of my clients are running W2K3 server.