
Roles, Rights, Security – Symfony Application Modernized in the Clinical Environment

As part of a challenging project in a clinical context, an existing Symfony application was technically and structurally enhanced. The aim was to fundamentally revise the existing role and authorization system and at the same time integrate a modern authentication solution based on Microsoft Entra – with direct benefits for end users and administration alike. 

Initial Situation: Understanding of Roles According to Clinical Logic

The original application was strongly based on the role structures of traditional hospitals: each user could have exactly one role – e.g. doctor, nurse or administrative staff. In special cases, additional roles with extended authorizations were introduced in order to map interface functions between departments or professional groups.

Technically, the associated authorizations were stored directly and quite statically in the source code – a model that often worked in everyday life, but increasingly reached its limits: be it with changing task profiles, users with multiple responsibilities or in the maintenance of complex rights relationships.

The Conversion: From Role Logic to Rights Management

The project therefore focused on switching to a classic roles-and-rights system: roles can now be combined as required – a person can have several roles, which together determine their specific authorizations. Instead of working directly with roles, the application checks explicit authorizations (permissions) to decide whether a given action is permitted.

A key feature here is that roles can now be created and managed directly in the application – by authorized users. This represents a significant step towards a more flexible and manageable rights architecture, without losing sight of the security aspect.

The implementation of this step required a comprehensive revision of numerous authorization checks in the existing Symfony code base – a process that caused more effort than originally calculated. The application’s authorization structure had grown historically and was therefore deeply interwoven. Thanks to the close collaboration with the customer’s internal developers, who implemented many application-specific details directly, the conversion was nevertheless completed on schedule.

Authentication via Microsoft Entra – Modern SSO for Everyday Clinical Practice

In parallel to the role conversion, authentication was switched to Microsoft Entra (formerly Azure AD). Users can now log in directly via the “Logon with Entra” button – one click, redirection to the Microsoft login, authentication with 2FA where required, and straight back into the application.

The integration was carried out via the OpenID Connect protocol and could be implemented quickly and efficiently thanks to our project experience with Microsoft Entra. A particularly positive aspect was that groups defined on the Entra side can also be linked to roles within the application. Users’ group memberships are automatically synchronized – the application updates the assigned roles accordingly.
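The roles-and-rights model and the Entra group-to-role synchronization described above, as an added plain-PHP example that is not code from the project (a Symfony application would place the isGranted check inside a Voter). The role and permission names and the Entra group object IDs are constructed placeholders, and the handling of an absent group claim is an assumption about how a real integration should behave.

```php
<?php
// Added illustration in plain PHP, not the project's code. Role names,
// permissions and Entra group IDs are constructed placeholders.
// Roles are only bundles of explicit permissions; application code checks permissions, never roles.
const ROLE_PERMISSIONS = [
    'ROLE_DOCTOR' => ['patient.read', 'patient.write', 'prescription.sign'],
    'ROLE_NURSE'  => ['patient.read', 'vitals.write'],
    'ROLE_ADMIN'  => ['user.manage', 'role.manage'],
];
// Entra group object IDs (placeholders) linked to application roles.
const ENTRA_GROUP_ROLES = [
    '11111111-0000-0000-0000-000000000001' => 'ROLE_DOCTOR',
    '11111111-0000-0000-0000-000000000002' => 'ROLE_NURSE',
];

// On every login, recompute the Entra-managed roles from the token's group claim;
// roles assigned inside the application are kept. null means the claim was absent
// (Entra omits it above a group-count limit): treat that as unknown, not as "no groups".
function syncRolesFromEntraGroups(array &$roles, ?array $groupClaims): void
{
    if ($groupClaims === null) {
        return; // keep last known roles; a real app would log this and query the groups via Graph
    }
    $local = array_diff($roles, array_values(ENTRA_GROUP_ROLES));
    $fromEntra = [];
    foreach ($groupClaims as $groupId) {
        if (isset(ENTRA_GROUP_ROLES[$groupId])) {
            $fromEntra[] = ENTRA_GROUP_ROLES[$groupId];
        }
    }
    $roles = array_values(array_unique([...$local, ...$fromEntra]));
}

// Granted if any of the user's roles carries the permission; unknown roles grant nothing.
function isGranted(array $roles, string $permission): bool
{
    foreach ($roles as $role) {
        if (in_array($permission, ROLE_PERMISSIONS[$role] ?? [], true)) {
            return true;
        }
    }
    return false;
}

// Constructed login: ROLE_ADMIN was granted in the application, the token carries the
// doctor group; the second sync simulates removal from all Entra groups.
$roles = ['ROLE_ADMIN'];
syncRolesFromEntraGroups($roles, ['11111111-0000-0000-0000-000000000001']);
var_dump(isGranted($roles, 'prescription.sign'), isGranted($roles, 'role.manage'));
syncRolesFromEntraGroups($roles, []);
var_dump(isGranted($roles, 'patient.read'), isGranted($roles, 'role.manage'));
```

After the second sync the Entra-derived doctor role is gone while the locally assigned admin role survives, which is the behaviour the group synchronization needs so that a departmental change in Entra cannot silently strip application-managed rights.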

This integration not only means a better user experience for hospital staff, but also increases security: centralized management, 2-factor authentication, and no more additional passwords in the application itself.

Conclusion: More Flexible, More Secure and More Future-Proof

The combination of a modern, fine-grained rights concept and an established SSO solution such as Microsoft Entra brings decisive advantages for the customer: more flexibility in rights management, less effort in user handling, and secure, traceable authentication in hospital operations.

Even though the conversion of the internal role model in particular was more complex than expected, the effort was worth it. The new architecture is not only more robust, but also much easier to maintain – and ready for future requirements.

Planning Something Similar?

Whether it is about role refactoring, Microsoft Entra integration or Symfony security concepts: We have the necessary experience and support you in developing your application securely and flexibly.