Challenges in Large-Scale Active Directory Group Management

Many organizations have deployed Windows servers and Active Directory, and leveraged the powerful access control infrastructure in this platform to manage user access to data. This infrastructure uses security groups to control user access to resources:

  • Groups are defined in Active Directory to reflect business functions or organizational structure.

  • Groups are assigned rights to network resources, such as shares, folders and printers.

  • Users are attached to groups based on their job requirements -- be it their permanent role or temporary requirements (e.g., project work).

  • Groups may be nested, to simplify management.

Over time, the number of groups grows and in some organizations may surpass the number of users. Moreover, in dynamic organizations users frequently change responsibilities and are assigned new projects. This churn creates complexity:

  • User requirements must be reflected by changes to user membership in groups.

  • A user support group must be created to respond to user access problems by attaching users to appropriate groups.

  • Users are frequently unaware of the security infrastructure, so their calls to the help desk typically begin with: "I got an 'access denied' error..."

  • Problem resolution is time consuming: first map the user's problem description to a network UNC path, then find the groups with rights to that resource, then find the owners of those groups, then contact them to get permission to attach the user and finally attach the user to the group.

Complexity in managing large numbers of changes in security group membership leads to real business problems:

  • Staffing cost in the user access management group, due to high call volumes.

  • Long turnaround and lost productivity when users wait hours or days to get required access rights.

  • Users with inappropriate access rights, as a result of failures in the change authorization process.

Addressing Complexity Using Self-Service

Group membership management can be complex and costly when performed manually:

  1. Users don't know what to ask for -- they may not understand that there are groups or which one they require.
  2. Manual service is expensive -- a security administration team spends its time receiving, clarifying, getting approvals for and completing trivial access requests.
  3. Users may have to wait a long time for required access, both because the security administration team is busy and because finding the right approver and waiting for them to respond take time.
  4. The approvals process may not be reliable. The security administration team may make changes with either the wrong approval or with none at all.
  5. Change history may not be captured and may not be complete or reliable. This may lead to audit findings.

The cost and complexity of group membership management is greatly reduced using self-service:

  1. Users do not need to understand the linkage between resources and groups, or group structure. They simply ask for access to the object they require.
  2. Approvals are routed to the appropriate stakeholders automatically, without IT security team involvement.
  3. Approved requests are automatically fulfilled, again requiring no manual intervention.
  4. The security team can focus on policies and process rather than the execution of individual requests.
  5. Users get faster service -- they don't have to wait for busy access administrators to disambiguate their requests, find appropriate authorizers, elicit approvals, etc.
  6. All change requests are appropriately authorized -- approvals are automated and policy-driven, rather than manual and ad-hoc.
  7. There is a clear audit trail: who requested what, when, why and who approved it.

Introducing Hitachi ID Group Manager

Group Manager is a self-service group membership request portal. It allows users to request access to resources such as shares and folders, rather than initially specifying groups. Group Manager automatically maps requests to the appropriate security groups and invites group owners to approve or deny the proposed change.

Group Manager is available both as a stand-alone solution and as a no-cost module included with Hitachi ID Identity Manager.

Group Manager is a component of the Hitachi ID Identity and Access Management Suite designed to streamline user requests to network resources.

Using Group Manager, users sign into a secure web application and request new access to a network resource, such as a share, folder, printer or mail distribution list. From the Group Manager web form, users first select a resource container (examples: share; directory OU) and then use a tree view to browse for a specific resource (examples: folder, mail DL). Once they have selected a resource, users simply submit the request.

Once the user has selected a resource, Group Manager:

  • Dynamically maps the user resource selection to a specific managed target system and to a security group on that system.

  • Determines whether the security group is already under Group Manager access control and, if not, automatically adds the group to its workflow system.

  • Checks whether at least one authorizer is already available for the group and, if not, automatically extracts a new authorizer list from the target system itself (e.g., identifies the group's owners).

  • Initiates a workflow request, asking the appropriate authorizer(s) whether the user should be allowed to join the group in question.

The Group Manager workflow system automatically tracks change authorization and adds the user to the requested group if and when the proposed change is approved.
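The resolution chain described above (map a resource to the groups that have rights to it, find each group's owner, and, once the owner approves, add the user) can be scripted directly against Active Directory. The PowerShell below is an added example written for this page, not Hitachi ID code; it assumes the RSAT ActiveDirectory module, a share such as \\fs01\projects\alpha, and that group owners are recorded in the AD managedBy attribute. The function, server, share and account names are invented.

```powershell
# Added example (not Hitachi ID code): resolve a UNC path to the AD groups
# that grant access to it and each group's owner, then (after approval) add
# the user and write an audit record. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-ResourceGroupOwners {
    param(
        [Parameter(Mandatory)] [string] $Path   # e.g. \\fs01\projects\alpha (assumed)
    )

    $netbios = (Get-ADDomain).NetBIOSName
    $acl = Get-Acl -Path $Path

    foreach ($ace in $acl.Access) {
        # Only Allow entries for domain principals; BUILTIN, NT AUTHORITY and
        # unresolved SIDs are not groups anyone can be added to.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        if ($id -notlike "$netbios\*") { continue }
        $sam = $id.Split('\')[1]

        # Users granted directly are not groups; Get-ADGroup returns nothing for them
        $group = Get-ADGroup -Identity $sam -Properties ManagedBy -ErrorAction SilentlyContinue
        if (-not $group) { continue }

        $owner = $null
        if ($group.ManagedBy) {
            # managedBy holds a DN; it may point at a user or another group
            $owner = (Get-ADObject -Identity $group.ManagedBy -Properties mail).Name
        }

        [pscustomobject]@{
            Path      = $Path
            Group     = $group.SamAccountName
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            Owner     = $owner    # $null means no authorizer on record: escalate manually
        }
    }
}

# Fulfilment step: run only after the owner has approved the change.
function Grant-ResourceAccess {
    param(
        [Parameter(Mandatory)] [string] $User,
        [Parameter(Mandatory)] [string] $Group,
        [Parameter(Mandatory)] [string] $ApprovedBy,
        [string] $LogPath = "$env:TEMP\group-changes.csv"   # assumed log location
    )
    Add-ADGroupMember -Identity $Group -Members $User

    # Audit trail: who was added to what, when, who approved it and who ran the change
    [pscustomobject]@{
        Time       = (Get-Date).ToString('o')
        User       = $User
        Group      = $Group
        ApprovedBy = $ApprovedBy
        Operator   = $env:USERNAME
    } | Export-Csv -Path $LogPath -Append -NoTypeInformation
}

# Usage (names are assumptions):
# Get-ResourceGroupOwners -Path '\\fs01\projects\alpha' | Format-Table
# Grant-ResourceAccess -User jdoe -Group 'Proj-Alpha-RW' -ApprovedBy asmith
```

Two caveats a practitioner should keep in mind: the ACL walk reports the groups named directly on the folder and does not expand nested groups, so a user who already holds access through a parent group will still appear eligible; and a group with an empty managedBy attribute has no authorizer of record, which is exactly the gap the text describes when it says owners must first be found before a change can be approved.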

Group Manager produces real, concrete business value:

Group Manager improves security by ensuring that changes to membership in security groups are properly authorized before being implemented.

Group Manager reduces the cost of IT support by moving requests and authorization for changes to group membership out of IT, to the community of business users.

Group Manager streamlines service delivery regarding the management of membership in security groups by making it easier for users to submit clear and appropriate change requests and automatically routing those requests to the right authorizers. This makes the request process painless and the approvals process fast.

Group Manager Technology

Group Manager is currently designed to target a single platform -- Active Directory. Its user interface exposes resources that are typically made accessible by user membership in AD groups:

  • Shares on file servers.
  • Folders on shares, including the full depth of folder hierarchy.
  • Printers and print server queues published in AD.
  • Mail distribution lists, for example as used by MS Exchange.

Group Manager uses plugins to connect to target platforms. The Windows/AD resource discovery plugin is able to drill down into Windows-based network resources, find out which groups have rights to which resources, and look up group owners in Active Directory. The Hitachi ID Suite Active Directory connector, included with Group Manager, can enumerate AD users and groups, authenticate AD passwords and update AD group memberships.