Challenges in Large-Scale Active Directory Group Management
Most organizations rely on Windows servers and Active Directory to
manage PCs and filesystems. This infrastructure uses security
groups to control user access to resources:
- Groups are defined in Active Directory to reflect business functions
  or organizational structure.
- Groups are assigned rights to network resources, such as shares,
  folders and printers.
- Users are attached to groups permanently, for example based on
  their organizational role, or temporarily, for example when they join
- Groups may be nested, to simplify management.
Over time, the number of groups grows and in some cases may surpass the
number of users. As groups proliferate, they can become difficult to
manage. This leads to problems, including:
- Stale groups or group memberships, no longer clearly linked to a
- Empty or very small groups.
- Redundant groups (i.e., with identical or very similar membership).
- Groups with obscure descriptions.
- Groups with missing, invalid or inappropriate owners.
- Difficult access request processes, as users are unsure
  what to request and administrators are unsure whether
  to approve or fulfill requests.
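Most of the hygiene problems listed above can be detected mechanically from a directory export. The Python script below is an added illustration written for this page, not part of the original text or of any Hitachi ID product. It runs over a small constructed snapshot of group objects (the attribute names `member`, `managedBy` and `description` follow the AD schema; the objects and DNs themselves are made up) and reports empty or very small groups, redundant groups by Jaccard similarity of effective membership after nested-group expansion, groups whose owner is unset, unknown or disabled, and groups with empty or very short descriptions. The thresholds `min_members`, `min_similarity` and `min_len` are assumptions to tune per environment.

```python
from itertools import combinations

# Constructed sample snapshot (not from any real directory). Attribute
# names follow the AD schema; the DNs and values are made up.
STAFF = "OU=Staff,DC=corp,DC=example"
GRP = "OU=Groups,DC=corp,DC=example"

USERS = {
    f"CN=alice,{STAFF}": {"enabled": True},
    f"CN=bob,{STAFF}": {"enabled": True},
    f"CN=carol,{STAFF}": {"enabled": True},
    "CN=dave,OU=Leavers,DC=corp,DC=example": {"enabled": False},
}

GROUPS = {
    f"CN=FS-Finance-RW,{GRP}": {
        "member": [f"CN=alice,{STAFF}", f"CN=bob,{STAFF}"],
        "managedBy": f"CN=carol,{STAFF}",
        "description": "Read/write access to \\\\fs01\\finance",
    },
    # Same people as FS-Finance-RW, owned by a disabled account, no description.
    f"CN=FS-Finance-Write,{GRP}": {
        "member": [f"CN=bob,{STAFF}", f"CN=alice,{STAFF}"],
        "managedBy": "CN=dave,OU=Leavers,DC=corp,DC=example",
        "description": "",
    },
    # Nested: contains FS-Finance-RW plus one direct member; no owner set.
    f"CN=FS-Finance-All,{GRP}": {
        "member": [f"CN=FS-Finance-RW,{GRP}", f"CN=carol,{STAFF}"],
        "managedBy": None,
        "description": "misc",
    },
    # Empty group whose owner object no longer exists.
    f"CN=Proj-Old,{GRP}": {
        "member": [],
        "managedBy": f"CN=ghost,{STAFF}",
        "description": "tmp",
    },
}


def effective_members(group_dn, groups, _seen=None):
    """Expand nested groups to the set of user DNs; cycle-safe."""
    seen = set() if _seen is None else _seen
    if group_dn in seen:
        return set()
    seen.add(group_dn)
    users = set()
    for dn in groups[group_dn]["member"]:
        if dn in groups:
            users |= effective_members(dn, groups, seen)
        else:
            users.add(dn)
    return users


def find_empty_or_small(groups, min_members=2):
    """Groups whose effective membership is below the threshold."""
    small = {}
    for dn in groups:
        n = len(effective_members(dn, groups))
        if n < min_members:
            small[dn] = n
    return small


def find_redundant(groups, min_similarity=0.9):
    """Pairs of groups whose effective memberships overlap (Jaccard index)."""
    eff = {dn: effective_members(dn, groups) for dn in groups}
    hits = []
    for a, b in combinations(sorted(groups), 2):
        union = eff[a] | eff[b]
        if not union:
            continue  # two empty groups are already reported by find_empty_or_small
        jaccard = len(eff[a] & eff[b]) / len(union)
        if jaccard >= min_similarity:
            hits.append((a, b, round(jaccard, 2)))
    return hits


def find_owner_problems(groups, users):
    """Groups whose managedBy is unset, names no known user, or names a disabled one."""
    problems = {}
    for dn, attrs in groups.items():
        owner = attrs.get("managedBy")
        if not owner:
            problems[dn] = "missing"
        elif owner not in users:
            problems[dn] = "unknown"
        elif not users[owner]["enabled"]:
            problems[dn] = "disabled"
    return problems


def find_obscure_descriptions(groups, min_len=12):
    """Groups whose description is empty or too short to explain their purpose."""
    return sorted(dn for dn, attrs in groups.items()
                  if len((attrs.get("description") or "").strip()) < min_len)


def run_all(groups, users):
    """Run every check and return the findings keyed by check name."""
    return {
        "empty_or_small": find_empty_or_small(groups),
        "redundant": find_redundant(groups),
        "owner_problems": find_owner_problems(groups, users),
        "obscure_descriptions": find_obscure_descriptions(groups),
    }


if __name__ == "__main__":
    for check, result in run_all(GROUPS, USERS).items():
        print(f"{check}: {result}")
```

Membership is expanded through nested groups before comparing, so two groups that list different direct members but grant access to the same people are still reported as redundant; the owner check treats a disabled owner as a finding because such a group has nobody able to approve changes to it.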
Complexity in managing large numbers of changes in group
membership leads to real business problems:
- Staffing cost associated with managing groups, often
  in an access administration team.
- Long turnaround and lost productivity when users wait hours or
  days for required access rights.
- Users with inappropriate access rights, as a result of
Addressing Complexity Using Self-Service
Group membership management can be complex and costly when:
- Users don't know what to ask for -- they may not understand
  that there are groups or which one they require.
- Manual service is expensive -- a security administration
  team spends its time receiving, clarifying, getting
  approvals for and completing trivial access requests.
- Users may have to wait a long time for required access,
  both because the security administration team is busy
  and because finding the right approver and waiting for
  them to respond take time.
- The approvals process may not be reliable. The security
  administration team may make changes with either
  the wrong approval or with none at all.
- Change history may not be captured, or may not be
  complete or reliable. This may lead to audit findings.
The cost and complexity of group membership management
are greatly reduced using self-service:
- Users do not need to understand the linkage between
  resources and groups, or group structure. They simply
  ask for access to the object they require.
- Approvals are routed to appropriate stakeholders
  automatically, without IT security team involvement.
- Approved requests are automatically fulfilled, again
  requiring no manual intervention.
- The security team can focus on policies and process
  rather than the execution of individual requests.
- Users get faster service -- they don't have to wait
  for busy access administrators to disambiguate their requests,
  find appropriate authorizers, elicit approvals, etc.
- All change requests are appropriately authorized --
  approvals are automated and policy-driven, rather than
  manual and ad hoc.
- There is a clear audit trail -- who requested what,
  when, why and who approved it.
Introducing Hitachi ID Group Manager
Group Manager is a self-service group membership request portal. It allows
users to request access to resources such as shares and folders,
rather than initially specifying groups. Group Manager automatically
maps requests to the appropriate security groups and invites
group owners to approve or deny the proposed change.
Using Group Manager, users sign into a secure web application and
request new access to a network resource, such as a share, folder,
printer or mail distribution list. From the Group Manager web form,
users first select a resource container (examples: share; directory OU)
and then use a tree view to browse for a specific resource (examples:
folder, mail DL). Once they have selected a resource, users simply
submit the request.
Once the user has selected a resource, Group Manager:
- Dynamically maps the user's resource selection to a specific managed
  target system and to a security group on that system.
- Determines whether the security group is already under Group Manager
  access control and if not automatically adds the group to its
- Checks whether at least one authorizer is already available for
  the group and if not automatically extracts a new authorizer list from
  the target system itself (e.g., identifies the group's owners).
- Initiates a workflow request, asking the appropriate
  authorizer(s) whether the user should be allowed to join the group.
The Group Manager workflow system automatically tracks change
authorization and adds the user to the requested group if and when
the proposed change is approved.
Group Manager produces real, concrete business value:
- Group Manager improves security by ensuring that changes to security groups
  are properly authorized before being implemented.
- Group Manager reduces the cost of IT support by moving requests and
  authorization for changes to groups out of IT, to the community of
  business users. This includes requests to create, modify or delete
  groups, to add or remove members or owners and more.
- Group Manager streamlines service delivery regarding the management of
  security groups by making it easier for users to submit clear and
  appropriate change requests and automatically routing those requests to
  the right authorizers. Approved requests are automatically completed,
  in real time. This makes the request process painless and fulfillment
Group Manager Technology
Group Manager is currently designed to target a single platform --
Active Directory. Its user interface exposes resources that are
typically made accessible by user membership in AD groups:
- Shares on file servers.
- Folders on shares, including the full depth of folder hierarchy.
- Printers and print server queues published in AD.
- Mail distribution lists, for example as used by MS Exchange.
Group Manager uses plugins to connect to target platforms. The Windows/AD
resource discovery plugin is able to drill down into Windows-based
network resources, find out which groups have rights to which resources,
and look up group owners in Active Directory. The Hitachi ID Suite Active
Directory connector, included with Group Manager, can enumerate AD users
and groups, authenticate AD passwords and update AD group memberships.
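The two pieces the text describes, mapping a requested resource to the security group that grants access to it (the workflow steps above) and looking up that group's owners as authorizers (the discovery plugin paragraph), can be modelled as a small resolver. The Python below is an added example written for this page, not Group Manager's code. It assumes a constructed set of folder ACLs, each a list of (trustee DN, set of rights) keyed by UNC path; treats the nearest ancestor with an explicit ACL as the effective one (a simplification of NTFS inheritance that ignores inheritance flags and deny ACEs); prefers the group that grants the fewest rights when several grant the requested one; and uses a group's `managedBy` owner as the authorizer only if that account exists and is enabled, otherwise marking the request as needing a manually assigned authorizer. Direct user ACEs found on the resource are reported alongside the result, since they bypass the group model the page relies on. All DNs, paths and right names are made up.

```python
# Constructed sample data (made up for this example). Attribute names
# follow the AD schema; the right names are simplified NTFS rights.
STAFF = "OU=Staff,DC=corp,DC=example"
GRP = "OU=Groups,DC=corp,DC=example"

USERS = {
    f"CN=alice,{STAFF}": {"enabled": True},
    f"CN=bob,{STAFF}": {"enabled": True},
    f"CN=carol,{STAFF}": {"enabled": True},
    "CN=dave,OU=Leavers,DC=corp,DC=example": {"enabled": False},
}

GROUPS = {
    f"CN=FS-Finance-RO,{GRP}": {"member": [f"CN=bob,{STAFF}"],
                                "managedBy": f"CN=alice,{STAFF}"},
    f"CN=FS-Finance-RW,{GRP}": {"member": [f"CN=alice,{STAFF}"],
                                "managedBy": "CN=dave,OU=Leavers,DC=corp,DC=example"},
    f"CN=FS-Finance-Budget-RW,{GRP}": {"member": [],
                                       "managedBy": f"CN=alice,{STAFF}"},
}

# Explicit ACLs per UNC path: list of (trustee DN, set of rights).
ACLS = {
    r"\\fs01\finance": [
        (f"CN=FS-Finance-RO,{GRP}", {"Read"}),
        (f"CN=FS-Finance-RW,{GRP}", {"Read", "Modify"}),
    ],
    r"\\fs01\finance\budget": [
        (f"CN=FS-Finance-Budget-RW,{GRP}", {"Read", "Modify"}),
        (f"CN=bob,{STAFF}", {"Read", "Modify"}),  # direct user ACE, bypasses the group model
    ],
}


def _parts(path):
    """Split a UNC path into its components, tolerating forward slashes."""
    return [p for p in path.replace("/", "\\").split("\\") if p]


def _key(parts):
    """Rebuild a normalized UNC path from components."""
    return "\\\\" + "\\".join(parts)


def resolve_access(path, right, acls, groups):
    """Return the nearest explicit ACL for `path` and the trustees granting `right` there.

    Simplification: the nearest ancestor with an explicit ACL is taken as the
    effective ACL (no inheritance flags, no deny ACEs). Returns None if no
    ACL is known for the path or any ancestor.
    """
    norm = {_key(_parts(p)): aces for p, aces in acls.items()}
    parts = _parts(path)
    for depth in range(len(parts), 0, -1):
        key = _key(parts[:depth])
        if key in norm:
            break
    else:
        return None
    group_hits, direct_hits = [], []
    for trustee, rights in norm[key]:
        if right not in rights:
            continue
        if trustee in groups:
            group_hits.append((trustee, frozenset(rights)))
        else:
            direct_hits.append(trustee)
    return {"acl_source": key, "groups": group_hits, "direct_trustees": direct_hits}


def authorizers_for(group_dn, groups, users):
    """The group's managedBy owner, if it resolves to an enabled account; else nobody."""
    owner = groups[group_dn].get("managedBy")
    if owner and users.get(owner, {}).get("enabled"):
        return [owner]
    return []


def build_request(requester, path, right, acls, groups, users):
    """Turn 'requester wants `right` on `path`' into a group-membership request."""
    res = resolve_access(path, right, acls, groups)
    if res is None:
        return {"status": "no_acl_found", "resource": path}
    if not res["groups"]:
        return {"status": "no_group_grants_right", "resource": path,
                "acl_source": res["acl_source"], "direct_trustees": res["direct_trustees"]}
    # Least privilege: among groups granting the right, pick the one granting the fewest rights.
    group_dn, _ = min(res["groups"], key=lambda g: (len(g[1]), g[0]))
    auth = authorizers_for(group_dn, groups, users)
    return {
        "status": "pending_approval" if auth else "needs_authorizer",
        "requester": requester,
        "resource": path,
        "right": right,
        "acl_source": res["acl_source"],
        "group": group_dn,
        "already_member": requester in groups[group_dn]["member"],  # direct membership only
        "authorizers": auth,
        "direct_trustees": res["direct_trustees"],
    }


if __name__ == "__main__":
    print(build_request(f"CN=carol,{STAFF}", r"\\fs01\finance\budget\2024",
                        "Modify", ACLS, GROUPS, USERS))
```

A request for a subfolder with no ACL of its own is resolved against the nearest ancestor that has one, which is how the "full depth of folder hierarchy" browsing described above ends up at a single group; when the owning account is disabled the request is held as `needs_authorizer` rather than silently approved or dropped.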