It is important to document the existing security models used within the LOB applications. Typically, applications that use external authentication or authorization, as well as applications that rely on external directory services, are candidates for deployment. Security information might include the following:
What authentication mechanisms are currently being used?
Are there special authentication requirements (such as 2-factor authentication)?
Is there a pluggable interface for external authentication mechanisms?
What authorization mechanisms are currently being used?
Can (or should) authorization be externalized?
What user data repositories are being used? Can these be externalized?
Who can access the application? Are there existing roles or groups in place? Under what special conditions are they granted access?