Directory groups can be used for provisioning and authorization. For those using groups in LDAP:
- are the standard object classes sufficient for your needs?
- are you using dynamic groups rather than static groups?
- do you use groups for authorization or primarily release collections attributes to applications?
- if you use groups for roles, then how do you address exceptions?