This document introduces business challenges associated with managing groups on directories such as Active Directory or LDAP. It lays out group management strategies and describes how Hitachi ID Group Manager can help organizations to more effectively and securely manage groups.
Most organizations rely on directories, such as Active Directory or other LDAP implementations, to identify and authenticate users, to assign users access rights and to manage e-mail distribution lists.
Groups are central to user management:
In most directories, groups can be nested to simplify management. This means that a group can contain other groups among its members, so an account placed in one group effectively belongs to every group that contains it, directly or through further nesting.
It is important to differentiate between two concepts: roles and groups. Hitachi ID Systems uses these terms as follows:
Groups are assigned to accounts while roles are assigned to users. Groups can be assigned directly to accounts or indirectly, when a user is assigned a role that includes a group. Roles can be assigned directly to users or indirectly, when a parent role is assigned to a user.
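The two paragraphs above describe a small data model: groups that nest, roles that bundle groups, and parent roles that imply child roles. The script below is an added example, not code from the Hitachi ID document or from Group Manager, that resolves a user's effective group membership under that model and records the path by which each group was reached, which is the question a reviewer asks when auditing membership. All group, role and user names are constructed, and the nesting data deliberately contains a cycle (All-Staff and Everyone contain each other) to show that the expansion still terminates.

```python
"""Added example (not part of the Hitachi ID document): resolving an
account's effective group membership when groups nest and roles bundle
groups. Every name below is constructed for illustration."""
from collections import deque

# Constructed directory data: the groups each group is a direct member of.
# Contains a deliberate cycle (All-Staff <-> Everyone) to show it is handled.
GROUP_MEMBER_OF = {
    "Finance-Managers": {"Finance"},
    "Accounts-Payable": {"Finance"},
    "Finance": {"All-Staff"},
    "Engineering": {"All-Staff"},
    "All-Staff": {"Everyone"},
    "Everyone": {"All-Staff"},
}

# Constructed role model: the groups each role carries, and the child roles
# implied by a parent role (assigning the parent assigns the children too).
ROLE_GROUPS = {
    "Employee": {"Everyone"},
    "Accountant": {"Accounts-Payable"},
    "Finance-Lead": {"Finance-Managers"},
}
ROLE_CHILDREN = {
    "Finance-Lead": {"Accountant"},
    "Accountant": {"Employee"},
}

# Constructed users: roles assigned directly, and groups assigned directly
# to the user's account.
USERS = {
    "alice": {"roles": {"Finance-Lead"}, "direct_groups": set()},
    "bob": {"roles": set(), "direct_groups": {"Engineering"}},
}


def closure(start, edges):
    """Transitive closure over a directed graph, returned as {node: path}.

    The path records how each node was reached, which is what a reviewer
    needs when asking why an account holds a group. The `reached` dict
    doubles as the visited set, so cycles in `edges` terminate.
    """
    reached = {s: (s,) for s in start}
    queue = deque(start)
    while queue:
        node = queue.popleft()
        for nxt in edges.get(node, ()):
            if nxt not in reached:
                reached[nxt] = reached[node] + (nxt,)
                queue.append(nxt)
    return reached


def effective_roles(user):
    """Roles assigned directly plus every child role implied by a parent."""
    return closure(USERS[user]["roles"], ROLE_CHILDREN)


def effective_groups(user):
    """Direct groups plus the groups of every effective role, then nested
    expansion; returns {group: path} so each grant can be explained."""
    seed = set(USERS[user]["direct_groups"])
    for role in effective_roles(user):
        seed |= ROLE_GROUPS.get(role, set())
    return closure(seed, GROUP_MEMBER_OF)


def groups_granting(group):
    """Reverse question for a membership review: which groups feed into
    `group`? Inverts the member->container graph and walks it."""
    contains = {}
    for member, containers in GROUP_MEMBER_OF.items():
        for container in containers:
            contains.setdefault(container, set()).add(member)
    return set(closure({group}, contains)) - {group}


if __name__ == "__main__":
    for user in USERS:
        print(user, "roles:", sorted(effective_roles(user)))
        for grp, path in sorted(effective_groups(user).items()):
            print(f"  {grp:18} via {' -> '.join(path)}")
    print("groups feeding All-Staff:", sorted(groups_granting("All-Staff")))
```

Running it shows that alice, who holds only the Finance-Lead role, ends up in five groups, three of them reached through role inheritance and nesting rather than any direct assignment; that gap between what was assigned and what is effectively held is exactly what makes large, nested group structures hard to review by hand. The `groups_granting` function answers the complementary question a reviewer of a sensitive group should ask: which other groups, if they grow, silently grow this one.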
Confusingly, within some systems and applications, groups are referred to as roles or by other names, such as privileges. For consistency, all such constructs, which exist on target systems and are assigned to accounts on those systems, will be referred to as groups here.
Over time, the number of groups grows and in some cases may surpass the number of users. As groups proliferate, they become difficult to manage. This leads to problems, including:
Complexity in managing large numbers of changes in group membership leads to real business problems:
Groups are created, must be managed and may eventually be deleted, like any other object in a directory. Also like other directory objects, they should be subject to policies and standards:
These are basic, technical constraints. Businesses usually have additional requirements, such as restricting who can request the creation of new groups or modifications to existing groups, what kinds of groups users can request, who must approve changes to groups, and who should review the configuration and membership of groups and how often.