No History for Security Rights

Business Challenge

Active Directory tracks membership in security groups and uses this membership to connect users to file-system and other resource access control lists (ACLs). In short, placing a user into a security group is the main mechanism for granting security rights to users in Windows.

Windows does not, however, track the history of security group membership. There is no way to know when a user was added to a security group, who authorized the change, or why. This means that Windows group membership, by itself, is inadequate for forensic analysis.

Hitachi ID Group Manager Solution
  • Group Manager implements a workflow to manage group membership. Every change has a requester, a recipient and at least one authorizer.
  • Change requests are logged indefinitely. It is always possible to find out:
    • Who requested a change.
    • Who authorized a change.
    • What reasons were given for the request and for the approval.
    • When the change took place.
  • This information is retained indefinitely, even if the group membership has since been revoked.

Using Group Manager, organizations establish an accountable log of security changes and are able to carry out forensic analysis, if required.
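The append-only change journal described above, as an added illustration in Python (not Hitachi ID's code): every approved membership change is recorded with its requester, recipient, authorizer and reasons, current membership is derived by replaying the journal, and a revocation adds a new entry instead of deleting the old one, so the history survives. Group, user and reason values are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Set

@dataclass(frozen=True)
class GroupChange:
    """One approved membership change. Entries are never edited or deleted."""
    when: datetime
    action: str            # "add" or "remove"
    group: str
    recipient: str         # user whose membership changed
    requester: str
    authorizer: str
    request_reason: str
    approval_reason: str

class GroupChangeJournal:
    """Append-only log; group membership is a view computed from the entries."""
    def __init__(self) -> None:
        self._entries: List[GroupChange] = []

    def record(self, change: GroupChange) -> None:
        if change.action not in ("add", "remove"):
            raise ValueError("action must be 'add' or 'remove'")
        if not change.authorizer:
            raise ValueError("every change needs at least one authorizer")
        self._entries.append(change)

    def current_members(self, group: str) -> Set[str]:
        """Replay adds and removes in time order to get today's membership."""
        members: Set[str] = set()
        for e in sorted(self._entries, key=lambda e: e.when):
            if e.group != group:
                continue
            if e.action == "add":
                members.add(e.recipient)
            else:
                members.discard(e.recipient)
        return members

    def history(self, group: str, user: str) -> List[GroupChange]:
        """Full audit trail for one user in one group, revoked entries included."""
        return sorted((e for e in self._entries
                       if e.group == group and e.recipient == user),
                      key=lambda e: e.when)

def build_sample_journal() -> GroupChangeJournal:
    # Constructed sample: access granted in January, revoked in March.
    j = GroupChangeJournal()
    j.record(GroupChange(datetime(2024, 1, 15), "add", "Finance-Share-RW", "alice",
                         "bob", "carol", "Joined the AP team", "Approved by manager"))
    j.record(GroupChange(datetime(2024, 3, 1), "remove", "Finance-Share-RW", "alice",
                         "bob", "carol", "Transferred out of AP", "Access no longer needed"))
    return j
```

Querying `history("Finance-Share-RW", "alice")` on the sample still returns both entries after the revocation, which is exactly what native group membership cannot answer.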

Read More:

  • Slow Onboarding:
    It can take too long to create login IDs for newly hired or reassigned users.
  • Costly Security Administration:
    Processes to manage users and entitlements are costly and time consuming.
  • Unreliable Deactivation:
    Access deactivation can be slow, unreliable or incomplete.
  • Policy Violations:
    Manual security administration leads to users whose access profiles violate corporate policies regarding appropriate access or segregation of duties.
  • Auditing User Entitlements:
    Auditing user entitlements that span multiple systems.
  • Ambiguous User Access Requests:
    Users understand files and folders, but not groups and ACLs. This makes change requests hard to interpret and both costly and time consuming to fulfill.
  • No History for Security Rights:
    When security entitlements are granted or revoked using native administration tools, there is no audit trail to show who made the change, when or for what reason.