Challenges in Large-Scale Active Directory Group Management
Many organizations have deployed Windows servers and Active Directory,
and leveraged the powerful access control infrastructure in this platform
to manage user access to data. This infrastructure uses security groups
to control user access to resources:
Groups are defined in Active Directory to reflect business functions
or organizational structure.
Groups are assigned rights to network resources, such as shares,
folders and printers.
Users are attached to groups based on their job requirements -- be
it their permanent role or temporary requirements (e.g., project work).
Groups may be nested, to simplify management.
Over time, the number of groups grows and in some organizations may
surpass the number of users. Moreover, in dynamic organizations users
frequently change responsibilities and are assigned new projects.
This churn creates complexity:
User requirements must be reflected by changes to user membership in
A user support group must be created to respond to user access problems
by attaching users to appropriate groups.
Users are frequently unaware of the security infrastructure, so their
calls to the help desk typically begin with: "I got an `access
Problem resolution is time consuming: first map the user's
problem description to a network resource (a UNC path), then find the
groups with rights to that resource, then find the owners of those groups,
then contact the owners to get permission to attach the user, and finally
attach the user to the group.
Complexity in managing large numbers of changes in security group
membership leads to real business problems:
Staffing cost in the user access management group, due to high
Long turnaround and lost productivity when users wait hours or
days to get required access rights.
Users with inappropriate access rights, as a result of
failures in the change authorization process.
Addressing Complexity Using Self-Service
Group membership management can be complex and costly when
Users don't know what to ask for -- they may not understand
that there are groups or which one they require.
Manual service is expensive -- a security administration
team spends its time receiving, clarifying, getting
approvals for and completing trivial access requests.
Users may have to wait a long time for required access,
both because the security administration team is busy
and because finding the right approver and waiting for
them to respond takes time.
The approvals process may not be reliable. The security
administration team may make changes with either
the wrong approval or with none at all.
Change history may not be captured and may not be
complete or reliable. This may lead to audit findings.
The cost and complexity of group membership management
is greatly reduced using self-service:
Users do not need to understand the linkage between
resources and groups, or group structure. They simply
ask for access to the object they require.
Approvals are routed to the appropriate stakeholders
automatically, without IT security team involvement.
Approved requests are automatically fulfilled, again
requiring no manual intervention.
The security team can focus on policies and process
rather than the execution of individual requests.
Users get faster service -- they don't have to wait
for busy access administrators to disambiguate their requests,
find appropriate authorizers, elicit approvals, etc.
All change requests are appropriately authorized --
approvals are automated and policy-driven, rather than
manual and ad-hoc.
There is a clear audit trail -- who requested what,
when, why and who approved it.
Introducing Hitachi ID Group Manager
Group Manager is a self-service group membership request portal. It allows
users to request access to resources such as shares and folders,
rather than initially specifying groups. Group Manager automatically
maps requests to the appropriate security groups and invites
group owners to approve or deny the proposed change.
Using Group Manager, users sign into a secure web application and
request new access to a network resource, such as a share, folder,
printer or mail distribution list. From the Group Manager web form,
users first select a resource container (examples: share; directory OU)
and then use a tree view to browse for a specific resource (examples:
folder, mail DL). Once they have selected a resource, users simply
submit the request.
Once the user has selected a resource, Group Manager:
Dynamically maps the user resource selection to a specific managed
target system and to a security group on that system.
Determines whether the security group is already under Group Manager
access control and if not automatically adds the group to its
Checks whether at least one authorizer is already available for
the group and if not automatically extracts a new authorizer list from
the target system itself (e.g., identifies the group's owners).
Initiates a workflow request, asking the appropriate
authorizer(s) whether the user should be allowed to join the group.
The Group Manager workflow system automatically tracks change
authorization and adds the user to the requested group if and when
the proposed change is approved.
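The lookup chain described twice above -- map a resource to the groups with rights on it, then map each group to its owner (the manual help-desk procedure, and the mapping Group Manager automates) -- as an added PowerShell example. This is not Hitachi ID code. It assumes the RSAT ActiveDirectory module, read access to the share's ACL, and that group owners are recorded in the AD ManagedBy attribute; the path \\fs01\Finance\Budget in the usage line is a constructed placeholder.

```powershell
# Added example, not Group Manager code: given the UNC path a user reports,
# list the AD groups that grant access to it and the owner of each group.
# Assumes: RSAT ActiveDirectory module; ACL read access on the share;
# group owners stored in the ManagedBy attribute.
function Get-ResourceAuthorizers {
    param(
        [Parameter(Mandatory)] [string] $UncPath
    )
    $acl = Get-Acl -Path $UncPath
    foreach ($ace in $acl.Access) {
        # Only Allow entries grant access; Deny entries are not a route to access.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value          # e.g. CORP\Finance-RW
        # Split DOMAIN\name; skip anything that is not in that form.
        if ($id -notmatch '^[^\\]+\\(.+)$') { continue }
        $sam = $Matches[1]
        # Resolve the ACE trustee to an AD group; local and built-in
        # principals return nothing and are skipped.
        $group = Get-ADGroup -Filter "SamAccountName -eq '$sam'" -Properties ManagedBy
        if (-not $group) { continue }
        # ManagedBy holds a DN (user or group); read its mail attribute so the
        # help desk can contact the authorizer. Empty means "no authorizer on
        # record", which is the case that needs manual follow-up.
        $owner = $null
        if ($group.ManagedBy) {
            $owner = (Get-ADObject -Identity $group.ManagedBy -Properties mail).mail
        }
        [pscustomobject]@{
            Resource  = $UncPath
            Group     = $group.SamAccountName
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            Owner     = $owner
        }
    }
}

# Usage (constructed path):
Get-ResourceAuthorizers -UncPath '\\fs01\Finance\Budget' | Format-Table -AutoSize
```

Rows with an empty Owner column are groups for which no authorizer can be extracted from AD itself; those are the groups the text says must be handled by adding an authorizer list. Rows where Inherited is True come from a parent folder's ACL, so the group to request membership in may be one that grants access higher in the hierarchy than the folder the user named.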
Group Manager produces real, concrete business value:
Group Manager improves security by ensuring that changes to
membership in security groups are properly authorized before
Group Manager reduces the cost of IT support by moving requests
and authorization for changes to group membership out of IT,
to the community of business users.
Group Manager streamlines service delivery regarding the management
of membership in security groups by making it easier for users to
submit clear and appropriate change requests and automatically routing
those requests to the right authorizers. This makes the request
process painless and the approvals process fast.
Group Manager Technology
Group Manager is currently designed to target a single platform --
Active Directory. Its user interface exposes resources that are
typically made accessible by user membership in AD groups:
Shares on file servers.
Folders on shares, including the full depth of folder hierarchy.
Printers and print server queues published in AD.
Mail distribution lists, for example as used by MS Exchange.
Group Manager uses plugins to connect to target platforms. The Windows/AD
resource discovery plugin is able to drill down into Windows-based
network resources, find out which groups have rights to which resources,
and look up group owners in Active Directory. The Hitachi ID Suite Active
Directory connector, included with Group Manager, can enumerate AD users
and groups, authenticate AD passwords and update AD group memberships.
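The fulfilment step the text describes (a membership change applied only once the proposed change is approved, with a clear audit trail of who requested what, when, why and who approved it) as an added PowerShell example. This is not Hitachi ID code and does not show the connector's own interface; it assumes the RSAT ActiveDirectory module, that group owners are recorded in ManagedBy, and a hypothetical approval record object with User, Group, Requester, Approver, Decision, Reason and RequestId fields produced by whatever workflow system is in use.

```powershell
# Added example, not Group Manager code: apply a group membership change only
# when a matching approval exists and the approver is the group's owner, then
# append an audit record. Assumes the RSAT ActiveDirectory module; the
# $Approval object shape is hypothetical.
function Invoke-ApprovedGroupChange {
    param(
        [Parameter(Mandatory)] [string] $User,            # sAMAccountName to add
        [Parameter(Mandatory)] [string] $Group,           # sAMAccountName of target group
        [Parameter(Mandatory)] [pscustomobject] $Approval, # record from the workflow system
        [string] $AuditLog = "$env:ProgramData\GroupChanges\audit.jsonl"
    )
    # Refuse to act without an explicit approval that names this exact change.
    if ($Approval.Decision -ne 'Approved' -or
        $Approval.User -ne $User -or
        $Approval.Group -ne $Group) {
        throw "No matching approval for adding $User to $Group"
    }
    # The approver must be the group's current owner as recorded in AD.
    $adGroup  = Get-ADGroup -Identity $Group -Properties ManagedBy
    $ownerSam = if ($adGroup.ManagedBy) {
        (Get-ADObject -Identity $adGroup.ManagedBy -Properties sAMAccountName).sAMAccountName
    }
    if (-not $ownerSam -or $ownerSam -ne $Approval.Approver) {
        throw "Approver '$($Approval.Approver)' is not the recorded owner of $Group"
    }
    # Fulfil the change.
    Add-ADGroupMember -Identity $adGroup -Members $User
    # Audit trail: who requested what, when, why, who approved it, who applied it.
    $entry = [ordered]@{
        Timestamp = (Get-Date).ToUniversalTime().ToString('o')
        User      = $User
        Group     = $Group
        Requester = $Approval.Requester
        Approver  = $Approval.Approver
        Reason    = $Approval.Reason
        RequestId = $Approval.RequestId
        ChangedBy = "$env:USERDOMAIN\$env:USERNAME"
    }
    New-Item -ItemType Directory -Path (Split-Path $AuditLog) -Force | Out-Null
    ($entry | ConvertTo-Json -Compress) | Add-Content -Path $AuditLog
    [pscustomobject]$entry
}

# Usage with a constructed approval record:
$approval = [pscustomobject]@{
    RequestId = 'REQ-0001'; User = 'jdoe'; Group = 'Finance-RW'
    Requester = 'jdoe'; Approver = 'fin-owner'; Decision = 'Approved'
    Reason    = 'Joined the budget project'
}
Invoke-ApprovedGroupChange -User 'jdoe' -Group 'Finance-RW' -Approval $approval
```

The two checks before Add-ADGroupMember are what distinguish a policy-driven change from the ad-hoc one the text warns about: the change fails closed if there is no approval, if the approval is for a different user or group, or if the approver is not the owner AD records for the group. Writing one JSON line per change gives auditors a record that can be reconciled against the group's actual membership later.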