
  1. Authentication: If you’re using LDAP but not Single Sign-on, Isora GRC uses LDAP to authenticate users when they log in, unless they have a locally defined password. If a user has a locally defined password, Isora GRC will not use LDAP to authenticate that user. When authentication checks are performed, Isora GRC also verifies that the user has any required attributes specified when you configured your LDAP integration.

  2. Authorization: For every request a user makes, Isora GRC contacts the LDAP/AD server to verify that the user is authorized, based on the required attribute(s) you specified when you set up the LDAP integration. This is not fine-grained or role-based authorization: Isora GRC does not have detailed information about group memberships or other information that may be stored in your LDAP/AD server. The only role-based authorization done within Isora GRC is based on its own local database of users and permissions. Additionally, Isora GRC supports local service accounts: if you set up a user as a service account in Isora GRC, all authorization checks on that user are skipped.

  3. Existence Checks: When you type the name of a user into Isora GRC (for example, when specifying a person as the owner or IT Contact for a host in inventory, or as a delegate for answering org unit questions on a survey), Isora GRC does a “people search” on the LDAP/AD server to check whether that person exists.
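
An added audit sketch (not Isora GRC code) for points 1 and 2 above: it lists the accounts for which an LDAP check is not performed, and notes when the directory would not vouch for them. The `LocalUser` fields, the attribute/value form of the required attributes, and all sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class LocalUser:  # hypothetical export row, not an Isora GRC schema
    username: str
    has_local_password: bool   # point 1: LDAP is not used to authenticate
    is_service_account: bool   # point 2: authorization checks are skipped

def meets_required(entry, required):
    """True if the directory entry carries every required attribute value."""
    if entry is None:
        return False
    return all(value in entry.get(attr, []) for attr, value in required.items())

def audit(users, directory, required):
    """Return {username: [findings]} for accounts that sidestep an LDAP check."""
    report = {}
    for u in users:
        findings = []
        if u.has_local_password:
            findings.append("login bypasses LDAP (local password)")
        if u.is_service_account:
            findings.append("authorization checks skipped (service account)")
        # Only accounts that sidestep a check get the directory cross-check.
        if findings and not meets_required(directory.get(u.username), required):
            findings.append("directory entry missing or lacks required attributes")
        if findings:
            report[u.username] = findings
    return report

# Constructed sample data (assumed required attribute: one group membership).
REQUIRED = {"memberOf": "cn=grc-users,ou=groups,dc=example,dc=org"}
DIRECTORY = {
    "alice": {"memberOf": ["cn=grc-users,ou=groups,dc=example,dc=org"]},
    "bob": {"memberOf": ["cn=staff,ou=groups,dc=example,dc=org"]},
}
USERS = [
    LocalUser("alice", False, False),    # fully LDAP-backed, not reported
    LocalUser("bob", True, False),       # local password, lacks required group
    LocalUser("svc-scan", True, True),   # no LDAP check applies at all
    LocalUser("carol", False, False),    # no local bypass, not reported
]

if __name__ == "__main__":
    for name, findings in audit(USERS, DIRECTORY, REQUIRED).items():
        print(name, "->", "; ".join(findings))
```

Accounts that appear with both of the first two findings depend entirely on Isora GRC's local database, so disabling them in LDAP/AD alone does not remove their access.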
