Group management challenges
Over time, the number of groups on systems, applications and directories may surpass the number of users in an organization. As groups proliferate, they can become difficult to manage. This manifests as a series of problems:
- Groups may not be marked with needed metadata:
- Without an expiry date, it is impossible to say when it's safe to remove a group.
- Without a clearly described business function, it's impossible to know what purpose a group had when it was created.
- Without an unambiguous and well maintained owner, it is hard to authorize changes to group membership, periodically review membership or inquire about whether the group can be retired.
- Groups whose usefulness is questionable:
- Empty or very small groups (still needed?).
- Materially overlapping groups (perhaps one group can be used instead of many?).
- Groups that create technical problems:
- Too many members -- can lead processes to consume a lot of CPU and perform poorly.
- Nested too deeply -- similar to the above problem.
- Circular nesting (parent contains child, child contains parent) -- can cause some systems or applications to crash.
- Groups can be hard to find:
- Obscure descriptions.
- Unexpected or incorrect members or owners.
- Business process challenges:
- Users don't know how to create new or find existing groups.
- Users don't understand the relationship between needed access rights and the groups that bestow those rights on accounts.
- Users don't know where to find request forms or how to fill them in (e.g., select suitable groups to request).
- Approval for requests to change group membership or to create or modify group objects is not automatically routed to appropriate authorizers.
Complexity in managing the lifecycles and membership of many groups has a concrete business impact:
- Staffing cost associated with managing groups, often
in an access administration team.
- Long turnaround and lost productivity when users wait hours or
days for required access rights.
- Users with inappropriate access rights, as a result of process deficiencies.
Managing group objects
Groups are created, should be managed and may be deleted, like any other object in a directory. Also like other objects in a directory, they should be subject to policies and standards:
- Groups should always be assigned owners.
- It is best practice to also capture metadata such as expiry dates and the rationale for the group's existence.
- Naming conventions should be used for cn, sAMAccountName or description.
- Groups should be placed in appropriate containers (OU).
- Attributes, such as group type (security versus mail distribution list) and scope (Universal, Global or Domain Local) on AD should be set appropriately.
- Groups may contain child groups and (conversely) be members of parent groups. These relationships must not form loops.
These are basic, technical constraints. Businesses usually have additional requirements, such as restricting who can request the creation of new groups or modification to existing groups, what kinds of groups users can request, who must approve changes to groups, who should review the configuration and membership of groups and when, etc.