
Challenges in Large-Scale Active Directory Group Management

Most organizations rely on Windows servers and Active Directory to manage PCs and filesystems. This infrastructure uses security groups to control user access to resources:

  • Groups are defined in Active Directory to reflect business functions or organizational structure.

  • Groups are assigned rights to network resources, such as shares, folders and printers.

  • Users are attached to groups permanently, for example based on their organizational role, or temporarily, for example when they join a project.

  • Groups may be nested, to simplify management.

Over time, the number of groups grows and in some cases may surpass the number of users. As groups proliferate, they become difficult to manage. This leads to problems, including:

  1. Stale groups or group memberships, no longer clearly linked to a business function.
  2. Empty or very small groups.
  3. Redundant groups (i.e., with identical or very similar membership).
  4. Groups with obscure descriptions.
  5. Groups with missing, invalid or inappropriate owners.
  6. Difficult access request processes, as users are unsure what to request and administrators are unsure of whether to approve or fulfill requests.
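Several of the problems listed above (empty or very small groups, redundant groups, obscure descriptions, missing owners) can be detected mechanically from a group export. The following is an added illustration, not code from Hitachi ID or from this page; it runs over constructed sample records shaped like what an AD export (for example, `Get-ADGroup -Properties Members,ManagedBy,Description`) would provide. Stale membership is not covered, since it needs last-use data that such an export does not carry.

```python
from itertools import combinations

# Constructed sample records standing in for an Active Directory group export.
GROUPS = [
    {"name": "FIN-Share-RW", "description": "Finance share read/write",
     "owner": "cn=alice", "members": {"alice", "bob", "carol"}},
    {"name": "FIN-Share-Write", "description": "",
     "owner": "cn=alice", "members": {"alice", "bob", "carol"}},
    {"name": "PRJ-Apollo", "description": "Project Apollo team",
     "owner": "", "members": {"dave"}},
    {"name": "GRP-0042", "description": "grp",
     "owner": "cn=erin", "members": set()},
    {"name": "HR-Printers", "description": "HR printer queue access",
     "owner": "cn=frank", "members": {"gina", "hank", "ivan", "joan"}},
]

def jaccard(a, b):
    """Similarity of two member sets; 1.0 means identical membership."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)

def audit_groups(groups, small=2, similar=0.9, min_desc_words=2):
    """Return {finding: [group names]} for the hygiene problems listed above.

    Thresholds are assumptions: fewer than `small` members, description shorter
    than `min_desc_words` words, and Jaccard similarity >= `similar` for
    redundancy (identical or near-identical membership).
    """
    findings = {"empty_or_small": [], "missing_owner": [],
                "obscure_description": [], "redundant": []}
    for g in groups:
        if len(g["members"]) < small:
            findings["empty_or_small"].append(g["name"])
        if not g["owner"]:
            findings["missing_owner"].append(g["name"])
        if len(g["description"].split()) < min_desc_words:
            findings["obscure_description"].append(g["name"])
    # Redundancy: pairwise membership comparison; empty groups are already
    # reported above and are skipped here so they do not all match each other.
    for a, b in combinations(groups, 2):
        if a["members"] and jaccard(a["members"], b["members"]) >= similar:
            findings["redundant"].append((a["name"], b["name"]))
    return findings

if __name__ == "__main__":
    for finding, names in audit_groups(GROUPS).items():
        print(f"{finding}: {names}")
```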

Complexity in managing large numbers of changes in group membership leads to real business problems:

  • Staffing cost associated with managing groups, often in an access administration team.

  • Long turnaround and lost productivity when users wait hours or days for required access rights.

  • Users with inappropriate access rights, as a result of process deficiencies.

Addressing Complexity Using Self-Service

Group membership management can be complex and costly when performed manually:

  1. Users don't know what to ask for -- they may not understand that there are groups or which one they require.
  2. Manual service is expensive -- a security administration team spends its time receiving, clarifying, getting approvals for and completing trivial access requests.
  3. Users may have to wait a long time for required access, both because the security administration team is busy and because finding the right approver and waiting for them to respond takes time.
  4. The approvals process may not be reliable. The security administration team may make changes with either the wrong approval or with none at all.
  5. Change history may not be captured and may not be complete or reliable. This may lead to audit findings.

The cost and complexity of group membership management is greatly reduced using self-service:

  1. Users do not need to understand the linkage between resources and groups, or group structure. They simply ask for access to the object they require.
  2. Approvals are routed to appropriate stake-holders automatically, without IT security team involvement.
  3. Approved requests are automatically fulfilled, again requiring no manual intervention.
  4. The security team can focus on policies and process rather than the execution of individual requests.
  5. Users get faster service -- they don't have to wait for busy access administrators to disambiguate their requests, find appropriate authorizers, elicit approvals, etc.
  6. All change requests are appropriately authorized -- approvals are automated and policy-driven, rather than manual and ad-hoc.
  7. There is a clear audit trail -- who requested what, when, why and who approved it.

Introducing Hitachi ID Group Manager

Group Manager is a self-service group membership request portal. It allows users to request access to resources such as shares and folders, rather than initially specifying groups. Group Manager automatically maps requests to the appropriate security groups and invites group owners to approve or deny the proposed change.

Group Manager is available both as a stand-alone solution and as a no-cost module included with Hitachi ID Identity Manager.

Group Manager is a component of the Hitachi ID Identity and Access Management Suite designed to streamline user requests for access to network resources.

Using Group Manager, users sign into a secure web application and request new access to a network resource, such as a share, folder, printer or mail distribution list. From the Group Manager web form, users first select a resource container (examples: share; directory OU) and then use a tree view to browse for a specific resource (examples: folder, mail DL). Once they have selected a resource, users simply submit the request.

Once the user has selected a resource, Group Manager:

  • Dynamically maps the user resource selection to a specific managed target system and to a security group on that system.

  • Determines whether the security group is already under Group Manager access control and, if not, automatically adds the group to its workflow system.

  • Checks whether at least one authorizer is already available for the group and, if not, automatically extracts a new authorizer list from the target system itself (e.g., identifies the group's owners).

  • Initiates a workflow request, asking the appropriate authorizer(s) whether the user should be allowed to join the group in question.

The Group Manager workflow system automatically tracks change authorization and adds the user to the requested group if and when the proposed change is approved.

Group Manager produces real, concrete business value:

Group Manager improves security by ensuring that changes to security groups are properly authorized before being implemented.

Group Manager reduces the cost of IT support by moving requests and authorization for changes to groups out of IT, to the community of business users. This includes requests to create, modify or delete groups, to add or remove members or owners and more.

Group Manager streamlines service delivery regarding the management of security groups by making it easier for users to submit clear and appropriate change requests and automatically routing those requests to the right authorizers. Approved requests are automatically completed, in real time. This makes the request process painless and fulfillment fast.

Group Manager Technology

Group Manager is currently designed to target a single platform -- Active Directory. Its user interface exposes resources that are typically made accessible by user membership in AD groups:

  • Shares on file servers.
  • Folders on shares, including the full depth of folder hierarchy.
  • Printers and print server queues published in AD.
  • Mail distribution lists, for example as used by MS Exchange.

Group Manager uses plugins to connect to target platforms. The Windows/AD resource discovery plugin is able to drill down into Windows-based network resources, find out which groups have rights to which resources, and look up group owners in Active Directory. The Hitachi ID Suite Active Directory connector, included with Group Manager, can enumerate AD users and groups, authenticate AD passwords and update AD group memberships.
