Self-Service
Active Directory
Group Management
© 2014 Hitachi ID Systems, Inc. All rights reserved.
Hitachi ID Group Manager is a self-service group membership request portal. It allows users to request
access to resources such as shares and folders, rather than initially specifying groups. Group Manager
automatically maps requests to the appropriate security groups and invites group owners to approve or
reject the proposed change.
Group Manager is available both as a stand-alone solution and as a no-cost module included with Hitachi ID
Identity Manager.
Contents
1 Challenges in Large-Scale Active Directory Group Management 1
2 Addressing Complexity Using Self-Service 2
3 Introducing Hitachi ID Group Manager 3
4 Hitachi ID Group Manager Technology 4
5 User Interface Workflow 5
6 Windows Shell and SharePoint integrations 7
7 Robust approvals workflow 8
8 Installing, Configuring and Managing Hitachi ID Group Manager 9
9 Logging and Reporting 9
10 Network Architecture 11
11 Platform Support 12
1 Challenges in Large-Scale Active Directory Group Management
Many organizations have deployed Windows servers and Active Directory, and leveraged the powerful access
control infrastructure in this platform to manage user access to data. This infrastructure uses security
groups to control user access to resources:
• Groups are defined in Active Directory to reflect business functions or organizational structure.
• Groups are assigned rights to network resources, such as shares, folders and printers.
• Users are attached to groups based on their job requirements.
• Groups may be nested, to simplify management.
Over time, the number of groups grows and in some organizations may surpass the number of users.
Moreover, in dynamic organizations users frequently change responsibilities and are assigned new projects.
This churn creates complexity:
• User requirements must be reflected by changes to user membership in groups.
• A user support group must be created to respond to user access problems by attaching users to
appropriate groups.
• Users are frequently unaware of the security infrastructure, so their calls to the help desk typically
begin with: "I got an ‘access denied’ error..."
• Problem resolution is time consuming: first map the user’s problem description to a network UNC,
then find the groups with rights to that resource, then find owners for the groups, then call them to get
permission to attach the user and finally attach the user to the group.
Complexity in managing large numbers of changes in security group membership leads to real business
problems:
• Staffing cost in the user access management group, due to high call volumes.
• Long turnaround and lost productivity when users wait hours or days to get required access rights.
• Users with inappropriate access rights, as a result of failures in the change authorization process.
2 Addressing Complexity Using Self-Service
The complexity of group membership management can be greatly reduced by implementing a self-service
solution in place of the security administration group. Users should then be able to:
• Sign into an Intranet web application.
• Search or browse for the resource they would like to access.
• Request access rights directly.
• Automatically route requests to the appropriate authorizers, namely the owners of the appropriate AD
security group.
• Use e-mail and web-based workflow to enable authorizers to approve requests directly.
• Automatically attach users to requested groups, upon approval.
Deploying self-service to reduce the complexity of group membership management eliminates:
• The need for users to understand the security infrastructure.
• The cost of operating a security administration group.
• Security exposures due to unauthorized group memberships.
• Lost productivity due to long delays in change authorization.
3 Introducing Group Manager
Hitachi ID Group Manager is a self-service group membership request portal. It allows users to request
access to resources such as shares and folders, rather than initially specifying groups. Group Manager
automatically maps requests to the appropriate security groups and invites group owners to approve or
reject the proposed change.
Group Manager is available both as a stand-alone solution and as a no-cost module included with Hitachi ID
Identity Manager.
Group Manager is a component of the Hitachi ID Management Suite designed to streamline user requests
to network resources.
Using Group Manager, users sign into a secure web application and request new access to a network
resource, such as a share, folder, printer or mail distribution list. From the Group Manager web form, users
first select a resource container (examples: share; directory OU) and then use a tree view to browse for a
specific resource (examples: folder, mail DL). Once they have selected a resource, users simply submit the
request.
Once the user has selected a resource, Group Manager:
• Dynamically maps the user resource selection to a specific managed target system and to a security
group on that system.
• Determines whether the security group is already under Group Manager access control and if not
automatically adds the group to its workflow system.
• Checks whether at least one authorizer is already available for the group and if not automatically
extracts a new authorizer list from the target system itself (e.g., identifies the group’s owners).
• Initiates a workflow request, asking the appropriate authorizer(s) whether the user should be allowed
to join the group in question.
The Group Manager workflow system automatically tracks change authorization and adds the user to the
requested group if and when the proposed change is approved.
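As an added illustration (not Hitachi ID code), the following Python models the mapping step described above on constructed data: it walks a folder's ACL, including entries inherited from parent folders up to the share, finds the security groups whose rights cover the requested privilege, prefers the least-privileged match, and returns that group's owners as the authorizers to invite. The UNC paths, group names, owners, and the use of an "owners" field standing in for the AD group owner attribute are all assumptions.

```python
"""Map a requested folder and privilege level to candidate AD security groups
and their owners (authorizers).

Added example, not Hitachi ID code: models the lookup described in the paper
(folder ACL -> groups with rights -> group owners) on constructed in-memory
data. Every path, group name and owner below is made up for illustration;
"owners" stands in for the AD group owner field (assumed here to be managedBy).
"""

# Constructed ACLs: UNC folder -> [(group, NTFS-style rights)], as a discovery
# plugin might report them. "FullControl" implies Read and Write.
FOLDER_ACLS = {
    r"\\fs01\projects\apollo": [
        ("GRP-Apollo-RO", {"Read"}),
        ("GRP-Apollo-RW", {"Read", "Write"}),
        ("Domain Admins", {"FullControl"}),
    ],
    r"\\fs01\projects\apollo\design": [
        ("GRP-Apollo-Design", {"Read", "Write"}),
    ],
}

# Constructed group metadata: owners (who will be asked to approve) and the
# groups each one is nested inside (member_of).
GROUPS = {
    "GRP-Apollo-RO": {"owners": ["alice"], "member_of": []},
    "GRP-Apollo-RW": {"owners": ["alice", "bob"], "member_of": []},
    "GRP-Apollo-Design": {"owners": [], "member_of": ["GRP-Apollo-RW"]},
    "Domain Admins": {"owners": [], "member_of": []},
}

PRIVILEGES = {"read-only": {"Read"}, "read-write": {"Read", "Write"}}
# Policy assumption: administrative groups are never offered through self-service.
EXCLUDED_GROUPS = {"Domain Admins"}


def effective_rights(rights):
    return {"Read", "Write"} if "FullControl" in rights else set(rights)


def inherited_acl(folder):
    """ACEs on the folder plus those inherited from its parents, up to the share."""
    entries, path = [], folder
    while True:
        entries.extend(FOLDER_ACLS.get(path, []))
        parent, sep, _ = path.rpartition("\\")
        if not sep or parent.count("\\") < 3:  # parent would be \\server: stop
            break
        path = parent
    return entries


def candidate_groups(folder, privilege):
    """Groups whose rights cover the requested privilege, least privilege first."""
    needed = PRIVILEGES[privilege]
    found = {}
    for group, rights in inherited_acl(folder):
        eff = effective_rights(rights)
        if group in EXCLUDED_GROUPS or not needed <= eff:
            continue
        found.setdefault(group, eff)
        # A group nested inside a rights holder inherits its rights on the folder.
        for nested, meta in GROUPS.items():
            if group in meta["member_of"] and nested not in EXCLUDED_GROUPS:
                found.setdefault(nested, eff)
    # Sort by how many rights beyond the request each group would grant.
    return sorted(found, key=lambda g: (len(found[g] - needed), g))


def plan_request(folder, privilege):
    """Pick the least-privileged group that has an owner to approve the request.

    Returns (group, owners), or None when nothing can be routed for approval;
    a group with no owner is skipped because nobody could authorize it."""
    for group in candidate_groups(folder, privilege):
        owners = GROUPS.get(group, {}).get("owners", [])
        if owners:
            return group, list(owners)
    return None
```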
Group Manager produces real, concrete business value:
Group Manager improves security by ensuring that changes to membership in security groups are properly
authorized before being implemented.
Group Manager reduces the cost of IT support by moving requests and authorization for changes to group
membership out of IT, to the community of business users.
Group Manager streamlines service delivery regarding the management of membership in security groups
by making it easier for users to submit clear and appropriate change requests and automatically routing
those requests to the right authorizers. This makes the request process painless and the approvals process
fast.
4 Group Manager Technology
Hitachi ID Group Manager is currently designed to target a single platform – Active Directory. Its user
interface exposes resources that are typically made accessible by user membership in AD groups:
• Shares on file servers.
• Folders on shares, including the full depth of folder hierarchy.
• Printers and print server queues published in AD.
• Mail distribution lists, for example as used by MS Exchange.
Group Manager uses plugins to connect to target platforms. The Windows/AD resource discovery plugin
is able to drill down into Windows-based network resources, find out which groups have rights to which
resources, and lookup group owners on Active Directory. The Hitachi ID Management Suite Active Directory
connector, included with Group Manager, can enumerate AD users and groups, authenticate AD passwords
and update AD group memberships.
5 User Interface Workflow
Hitachi ID Group Manager can be used to manage many different types of resources. A plug-in program
binds Group Manager to a specific type of resource, such as Windows shares, whose access is mediated
by membership in an Active Directory group. Other resources include network printers and mail distribution
lists.
The description is best clarified with a concrete example:
The original table has four columns (User, Group Manager, Resource-Type Plug-in, Target System); each numbered step below lists which party acts.
1. User: Sign in using a network login ID and password.
   Target System: Validate credentials.
2. User: Initiate a new resource-access request.
3. Group Manager: Display a list of descriptive names for configured Windows file servers and shares.
4. User: Select a share.
5. Group Manager: Display a tree view of folders in the selected share.
6. User: Browse for and select a folder where access is desired.
   Group Manager: Interactive tree view display.
   Resource-Type Plug-in: Iteratively provide a list of sub-directories from the selected share.
7. User: Select a set of privileges and an authorizer to request.
   Group Manager: Display and user input.
   Resource-Type Plug-in: Provide a list of groups that have privileges on the share and the security
   privileges each one has been assigned (read-only? read-write? etc.). One or more owners (authorizers)
   are provided for each group.
8. Group Manager: Workflow to track change authorization.
9. Group Manager: (Change approved) Run agent to update the user’s group membership. Send a confirmation
   e-mail to the user and to all owner/authorizers.
   Target System: Updated privileges.
   User: User can now access the folder.
6 Windows Shell and SharePoint integrations
A shell extension is included with Hitachi ID Group Manager which can be deployed on Windows XP and
Windows Vista/7/8 PCs. If installed, this component can intercept Windows “access denied” error messages
and present an expanded message which allows users to open a web browser to the Group Manager
application, where they can request membership in the appropriate AD group.
Figure 1: Windows Shell Extension: Replacing the Native Access Denied Dialog
An analogous integration with SharePoint is provided, which works by extending the "access denied" error
page on each SharePoint server.
7 Robust approvals workflow
The built-in workflow engine is designed to get quick and reliable feedback from groups of business users,
who may be individually unreliable. It supports:
• Concurrent invitations to multiple users to review a request.
• Approval by N of M authorizers (N is fewer than M).
• Automatic reminders to non-responsive authorizers.
• Escalation from non-responsive authorizers to their alternates.
• Scheduled delegation of approval responsibility from unavailable to alternate approvers.
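As an added example (not the product's workflow engine), this Python models the features listed above for a single request: concurrent invitations, approval by N of M, one reminder per silent authorizer, escalation to an alternate, and scheduled delegation of an absent owner's invitation. Names, hour values and policy thresholds are constructed for illustration.

```python
"""Approval workflow for one group-membership request: approval by N of M
authorizers, reminders, escalation to alternates and scheduled delegation.

Added example, not Hitachi ID code: a minimal clock-driven model of the
workflow features listed in the paper. Names, hour values and policy
thresholds are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Policy:
    required_approvals: int = 1     # N: approvals needed (N <= M invited)
    remind_after_hours: int = 24    # nudge an authorizer who has not replied
    escalate_after_hours: int = 72  # invite the authorizer's alternate


@dataclass
class Request:
    requester: str
    group: str
    authorizers: list               # the M group owners invited concurrently
    alternates: dict                # authorizer -> alternate, used on escalation
    delegations: dict = field(default_factory=dict)  # authorizer -> delegate (scheduled absence)
    policy: Policy = field(default_factory=Policy)
    decisions: dict = field(default_factory=dict)    # approver -> "approve" | "reject"
    invited_at: dict = field(default_factory=dict)   # approver -> hour invited
    reminded: set = field(default_factory=set)
    events: list = field(default_factory=list)       # audit trail: (hour, action, who, note)
    status: str = "pending"

    def __post_init__(self):
        if not 1 <= self.policy.required_approvals <= len(self.authorizers):
            raise ValueError("N must be between 1 and the number of authorizers M")
        for owner in self.authorizers:
            # Scheduled delegation: an absent owner's invitation goes to the delegate.
            self._invite(self.delegations.get(owner, owner), at=0, note="initial invitation")

    def _invite(self, approver, at, note):
        self.invited_at[approver] = at
        self.events.append((at, "invite", approver, note))

    def respond(self, approver, decision, at):
        """Record an approve/reject from an invited approver; returns the new status."""
        if self.status != "pending" or approver not in self.invited_at or approver in self.decisions:
            return self.status  # closed request, uninvited person, or duplicate vote
        self.decisions[approver] = decision
        self.events.append((at, decision, approver, ""))
        if decision == "reject":
            self.status = "rejected"  # a single rejection closes the request
        elif sum(d == "approve" for d in self.decisions.values()) >= self.policy.required_approvals:
            self.status = "approved"  # N of M reached; membership can now be granted
        return self.status

    def tick(self, now):
        """Advance the clock: remind silent approvers, then escalate to alternates."""
        if self.status != "pending":
            return self.status
        for approver, since in list(self.invited_at.items()):
            if approver in self.decisions:
                continue
            waited = now - since
            if waited >= self.policy.escalate_after_hours:
                alt = self.alternates.get(approver)
                if alt and alt not in self.invited_at:
                    self.events.append((now, "escalate", approver, f"to {alt}"))
                    self._invite(alt, at=now, note=f"escalated from {approver}")
            elif waited >= self.policy.remind_after_hours and approver not in self.reminded:
                self.reminded.add(approver)
                self.events.append((now, "remind", approver, ""))
        return self.status

    def pending_approvers(self):
        return [a for a in self.invited_at if a not in self.decisions]
```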
8 Installing, Configuring and Managing Group Manager
Hitachi ID Group Manager is very simple to configure and manage. For example, to configure it to manage
group membership in Active Directory, to enable users to gain access to group-controlled file folders, one
need only:
• Set up Active Directory as a Group Manager target system.
• Enter the base UNC for each share in which Group Manager will manage access.
• Ensure that the owner field is correctly populated on each AD user group.
Group Manager deployment is typically very quick:
• Install the product.
• Configure the primary target system – a Windows / Active Directory domain.
• Install the resource location plugin (currently a Windows resource plugin is available, supporting
shares, folders, printers and Exchange mail distribution lists).
• Configure root nodes for resource browsing, such as share UNCs.
• Verify that group owners are correctly defined in AD, as these people will be used as authorizers.
• Test and debug the installation as appropriate.
The entire process typically requires just 2-3 days of technical configuration work.
9 Logging and Reporting
Hitachi ID Group Manager logs all attempted and completed requests for group membership. Group
Manager workflow-related reports include:
Report – Description
• Authorizer activity – Approvals, rejections and failure to respond by authorizers.
• Request status by authorizer – Lists request-status information for each authorizer to whom a request is
assigned. It also includes the actions taken by each authorizer for each request item.
• Request status by implementer – Lists request-status information for each implementer to whom a request
is assigned.
• Pre-defined requests – Shows the configuration of pre-defined requests.
• Request event log – Details and change history of matching requests.
• Search requests – Advanced search of and statistics about current and archived requests.
• Request volume trend – Trend analysis of request volume per time interval.
• Participant response time – Analysis of the responsiveness of participants in workflow processes.
• Inactive requests – Analysis of requests which have had no activity in N days.
• Stuck requests – Analysis of requests which cannot be completed.
• Escalated / delegated requests – Analysis of escalation and delegation of requests.
• Request popularity – Analysis of the popularity of pre-defined request types, managed resources,
operations and workflow participants.
All workflow requests are retained in the Group Manager database indefinitely, for reporting at any future
date.
10 Network Architecture
The Hitachi ID Group Manager network architecture is illustrated in Figure 2.
[Figure 2 diagram: a requester’s user workstation (any client OS; web browser and Windows filesystem client) and an authorizer’s user workstation (any client OS; web browser and mail client) connect to the Hitachi ID Group Manager web server (ID-Access application, Windows 2003). Group Manager discovers resources and ACLs on the file server (Windows Server OS; share or folder), discovers users, groups and group owners on the domain controller (Windows Server OS; AD users and groups) and updates group memberships there, and invites authorization through the e-mail system (typically Exchange; mailboxes). The labelled flows are: browse resources and request access; discover resources and ACLs; discover users, groups and group owners; invite authorization; review request: approve or deny; update group memberships; access resource.]
Figure 2: Group Manager Network Architecture Diagram
In the diagram:
1. A requester signs into Group Manager and locates a network resource of interest, using some combination
of searching and browsing.
2. The requester asks for access to the resource.
3. Group Manager looks up the ACLs on the resource, and determines which group membership would
be appropriate.
4. Group Manager looks up the group’s owners, and sends them an e-mail on behalf of the requester,
asking that the requester be attached to their group, in order to enable the requester to access the
resource of interest.
5. At some later time, the group owners receive the e-mail, sign into Group Manager, and either approve
or deny the request.
6. If the request is approved, Group Manager updates the user and group objects in AD, to create a new
group membership.
Access by the requester and authorizer to Group Manager is typically HTML over HTTPS.
Access by both the requester and Group Manager to the network resources in question may be SMB, DFS
or LDAP.
11 Platform Support
Hitachi ID Group Manager currently supports Active Directory group membership management, where AD
runs on Windows 2000, 2003, 2008 or 2012 servers.
It also supports management of:
1. SMB and DFS based filesystems.
2. Nested groups. Users and/or policy plugins choose the group for which membership will be requested.
3. Access to shares (i.e., share-level ACLs).
4. Access to folders (i.e., NTFS folder-level ACLs).
5. Access to printers (i.e., ACLs on AD-published print queues).
6. Access to mail distribution lists (i.e., membership in AD mail DLs).
www.Hitachi-ID.com
500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: sales@Hitachi-ID.com
File: /pub/wp/documents/id-access/id-access-white-paper-1.tex
Date: 2013-01-21

Contenu connexe

Plus de Hitachi ID Systems, Inc.

Managing Passwords for Mobile Users
Managing Passwords for Mobile UsersManaging Passwords for Mobile Users
Managing Passwords for Mobile Users
Hitachi ID Systems, Inc.
 

Plus de Hitachi ID Systems, Inc. (20)

Hitachi ID Group Manager
Hitachi ID Group ManagerHitachi ID Group Manager
Hitachi ID Group Manager
 
Hitachi ID Identity Manager
Hitachi ID Identity ManagerHitachi ID Identity Manager
Hitachi ID Identity Manager
 
Hitachi ID Identity Manager
Hitachi ID Identity ManagerHitachi ID Identity Manager
Hitachi ID Identity Manager
 
Hitachi ID Identity Manager
Hitachi ID Identity ManagerHitachi ID Identity Manager
Hitachi ID Identity Manager
 
Hitachi ID Identity and Access Management Suite
Hitachi ID Identity and Access Management SuiteHitachi ID Identity and Access Management Suite
Hitachi ID Identity and Access Management Suite
 
Identity and Access Lifecycle Automation
Identity and Access Lifecycle AutomationIdentity and Access Lifecycle Automation
Identity and Access Lifecycle Automation
 
Building an Identity Management Business Case
Building an Identity Management Business CaseBuilding an Identity Management Business Case
Building an Identity Management Business Case
 
Privileged Access Management
Privileged Access ManagementPrivileged Access Management
Privileged Access Management
 
Hitachi ID Access Certifier
Hitachi ID Access CertifierHitachi ID Access Certifier
Hitachi ID Access Certifier
 
How Well is Your Organization Protecting its Real Crown Jewels - Identities?
How Well is Your Organization Protecting its Real Crown Jewels - Identities?How Well is Your Organization Protecting its Real Crown Jewels - Identities?
How Well is Your Organization Protecting its Real Crown Jewels - Identities?
 
Hitachi ID Privileged Access Manager
Hitachi ID Privileged Access ManagerHitachi ID Privileged Access Manager
Hitachi ID Privileged Access Manager
 
Hitachi ID Identity Manager
Hitachi ID Identity ManagerHitachi ID Identity Manager
Hitachi ID Identity Manager
 
Hitachi ID Password Manager
Hitachi ID Password ManagerHitachi ID Password Manager
Hitachi ID Password Manager
 
Hitachi ID Management Suite
Hitachi ID Management SuiteHitachi ID Management Suite
Hitachi ID Management Suite
 
Hitachi ID Identity Express™ - Corporate Edition
Hitachi ID Identity Express™ - Corporate EditionHitachi ID Identity Express™ - Corporate Edition
Hitachi ID Identity Express™ - Corporate Edition
 
Hitachi ID Suite 9.0 Features and Technology
Hitachi ID Suite 9.0 Features and TechnologyHitachi ID Suite 9.0 Features and Technology
Hitachi ID Suite 9.0 Features and Technology
 
Hitachi ID Group Manager
Hitachi ID Group ManagerHitachi ID Group Manager
Hitachi ID Group Manager
 
Hitachi ID Password Manager Brochure
Hitachi ID Password Manager BrochureHitachi ID Password Manager Brochure
Hitachi ID Password Manager Brochure
 
Managing Passwords for Mobile Users
Managing Passwords for Mobile UsersManaging Passwords for Mobile Users
Managing Passwords for Mobile Users
 
From Password Reset to Authentication Management
From Password Reset to Authentication ManagementFrom Password Reset to Authentication Management
From Password Reset to Authentication Management
 

Dernier

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 

Dernier (20)

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 

Self-Service Active Directory Group Management

  • 1. Self-Service Active Directory Group Management © 2014 Hitachi ID Systems, Inc. All rights reserved.
  • 2. Hitachi ID Group Manager is a self-service group membership request portal. It allows users to request access to resources such as shares and folders, rather than initially specifying groups. Group Manager automatically maps requests to the appropriate security groups and invites group owners to approve or reject the proposed change. Group Manager is available both as a stand-alone solution and as a no-cost module included with Hitachi ID Identity Manager. Contents 1 Challenges in Large-Scale Active Directory Group Management 1 2 Addressing Complexity Using Self-Service 2 3 Introducing Hitachi ID Group Manager 3 4 Hitachi ID Group Manager Technology 4 5 User Interface Workflow 5 6 Windows Shell and SharePoint integrations 7 7 Robust approvals workflow 8 8 Installing, Configuring and Managing Hitachi ID Group Manager 9 9 Logging and Reporting 9 10 Network Architecture 11 11 Platform Support 12 i
  • 3. Self-Service Active Directory Group Management 1 Challenges in Large-Scale Active Directory Group Management Many organizations have deployed Windows servers and Active Directory, and leveraged the powerful ac- cess control infrastructure in this platform to manage user access to data. This infrastructure uses security groups to control user access to resources: • Groups are defined in Active Directory to reflect business functions or organizational structure. • Groups are assigned rights to network resources, such as shares, folders and printers. • Users are attached to groups based on their job requirements. • Groups may be nested, to simplify management. Over time, the number of groups grows and in some organizations may surpass the number of users. Moreover, in dynamic organizations users frequently change responsibilities and are assigned new projects. This churn creates complexity: • User requirements must be reflected by changes to user membership in groups. • A user support group must be created to respond to user access problems by attaching users to appropriate groups. • Users are frequently unaware of the security infrastructure, so their calls to the help desk typically begin with: "I got an ‘access denied’ error..." • Problem resolution is time consuming: first map the user’s problem description to a network UNC, then find the groups with rights to that resource, then find owners for the groups, then call them to get permission to attach the user and finally attach the user to the group. Complexity in managing large numbers of changes in security group membership leads to real business problems: • Staffing cost in the user access management group, due to high call volumes. • Long turnaround and lost productivity when users wait hours or days to get required access rights. • Users with inappropriate access rights, as a result of failures in the change authorization process. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 1
  • 4. Self-Service Active Directory Group Management 2 Addressing Complexity Using Self-Service The complexity of group membership management can be greatly reduced by implementing a self-service solution in place of the security administration group. Users should then be able to: • Sign into an Intranet web application. • Search or browse for the resource they would like to access. • Request access rights directly. • Automatically route requests to the appropriate authorizers, namely the owners of the appropriate AD security group. • Use e-mail and web-based workflow to enable authorizers to approve requests directly. • Automatically attach users to requested groups, upon approval. Deploying self-service to reduce the complexity of group membership management eliminates: • The need for users to understand the security infrastructure. • The cost of operating a security administration group. • Security exposures due to unauthorized group memberships. • Lost productivity due to long delays in change authorization. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 2
  • 5. Self-Service Active Directory Group Management 3 Introducing Group Manager Hitachi ID Group Manager is a self-service group membership request portal. It allows users to request access to resources such as shares and folders, rather than initially specifying groups. Group Manager automatically maps requests to the appropriate security groups and invites group owners to approve or reject the proposed change. Group Manager is available both as a stand-alone solution and as a no-cost module included with Hitachi ID Identity Manager. Group Manager is a component of the Hitachi ID Management Suite designed to streamline user requests to network resources. Using Group Manager, users sign into a secure web application and request new access to a network resource, such as a share, folder, printer or mail distribution list. From the Group Manager web form, users first select a resource container (examples: share; directory OU) and then use a tree view to browse for a specific resource (examples: folder, mail DL). Once they have selected a resource, users simply submit the request. Once the user has selected a resource, Group Manager: • Dynamically maps the user resource selection to a specific managed target system and to a security group on that system. • Determines whether the security group is already under Group Manager access control and if not automatically adds the group to its workflow system. • Checks whether at least one authorizer is already available for the group and if not automatically extracts a new authorizer list from the target system itself (e.g., identifies the group’s owners). • Initiates a workflow request, asking the appropriate authorizer(s) whether the user should be allowed to join the group in question. The Group Manager workflow system automatically tracks change authorization and adds the user to the requested group if and when the proposed change is approved. 
Group Manager produces real, concrete business value: Group Manager improves security by ensuring that changes to membership in security groups are properly authorized before being implemented. Group Manager reduces the cost of IT support by moving requests and authorization for changes to group membership out of IT, to the community of business users. Group Manager streamlines service delivery regarding the management of membership in security groups by making it easier for users to submit clear and appropriate change requests and automatically routing those requests to the right authorizers. This makes the request process painless and the approvals process fast. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 3
  • 6. Self-Service Active Directory Group Management 4 Group Manager Technology Hitachi ID Group Manager is currently designed to target a single platform – Active Directory. Its user interface exposes resources that are typically made accessible by user membership in AD groups: • Shares on file servers. • Folders on shares, including the full depth of folder hierarchy. • Printers and print server queues published in AD. • Mail distribution lists, for example as used by MS Exchange. Group Manager uses plugins to connect to target platforms. The Windows/AD resource discovery plugin is able to drill down into Windows-based network resources, find out which groups have rights to which resources, and lookup group owners on Active Directory. The Hitachi ID Management Suite Active Directory connector, included with Group Manager, can enumerate AD users and groups, authenticate AD passwords and update AD group memberships. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 4
5 User Interface Workflow

Hitachi ID Group Manager can be used to manage many different types of resources. A plug-in program binds Group Manager to a specific type of resource, such as Windows shares, whose access is mediated by membership in an Active Directory group. Other resources include network printers and mail distribution lists.

The description is best clarified with a concrete example. The steps below show what the user, Group Manager, the resource-type plug-in and the target system each do during a request for access to a folder on a share:

1. User: Sign in using a network login ID and password. Target system: Validate credentials.
2. User: Initiate a new resource-access request.
3. Group Manager: Display a list of descriptive names for configured Windows file servers and shares.
4. User: Select a share.
5. Group Manager: Display a tree view of folders in the selected share.
6. User: Browse for and select a folder where access is desired. Group Manager: Interactive tree view display. Plug-in: Iteratively provide a list of sub-directories from the selected share.
7. User: Select a set of privileges and an authorizer to request. Group Manager: Display and collect user input. Plug-in: Provide a list of groups that have privileges on the share and the security privileges each one has been assigned (read-only? read-write? etc.); one or more owners (authorizers) are provided for each group.
8. Group Manager: Workflow to track change authorization.
9. Group Manager (change approved): Run agent to update the user's group membership; send a confirmation e-mail to the user and to all owner/authorizers. Target system: Updated privileges. User can now access the folder.
6 Windows Shell and SharePoint integrations

A shell extension is included with Hitachi ID Group Manager which can be deployed on Windows XP and Windows Vista/7/8 PCs. If installed, this component can intercept Windows "access denied" error messages and present an expanded message which allows users to open a web browser to the Group Manager application, where they can request membership in the appropriate AD group.

Figure 1: Windows Shell Extension: Replacing the Native Access Denied Dialog

An analogous integration with SharePoint is provided, which works by extending the "access denied" error page on each SharePoint server.
7 Robust approvals workflow

The built-in workflow engine is designed to get quick and reliable feedback from groups of business users, who may be individually unreliable. It supports:

• Concurrent invitations to multiple users to review a request.
• Approval by N of M authorizers (N is fewer than M).
• Automatic reminders to non-responsive authorizers.
• Escalation from non-responsive authorizers to their alternates.
• Scheduled delegation of approval responsibility from unavailable to alternate approvers.
8 Installing, Configuring and Managing Group Manager

Hitachi ID Group Manager is very simple to configure and manage. For example, to configure it to manage group membership in Active Directory, to enable users to gain access to group-controlled file folders, one need only:

• Set up Active Directory as a Group Manager target system.
• Enter the base UNC for each share in which Group Manager will manage access.
• Ensure that the owner field is correctly populated on each AD user group.

Group Manager deployment is typically very quick:

• Install the product.
• Configure the primary target system: a Windows / Active Directory domain.
• Install the resource location plugin (currently a Windows resource plugin is available, supporting shares, folders, printers and Exchange mail distribution lists).
• Configure root nodes for resource browsing, such as share UNCs.
• Verify that group owners are correctly defined in AD, as these people will be used as authorizers.
• Test and debug the installation as appropriate.

The entire process typically requires just 2-3 days of technical configuration work.

9 Logging and Reporting

Hitachi ID Group Manager logs all attempted and completed requests for group membership. Group Manager workflow-related reports include:

• Authorizer activity: Approvals, rejections and failure to respond by authorizers.
• Request status by authorizer: Lists request-status information for each authorizer to whom a request is assigned. It also includes the actions taken by each authorizer for each request item.
• Request status by implementer: Lists request-status information for each implementer to whom a request is assigned.
• Pre-defined requests: Shows the configuration of pre-defined requests.
• Request event log: Details and change history of matching requests.
• Search requests: Advanced search of and statistics about current and archived requests.
• Request volume trend: Trend analysis of request volume per time interval.
• Participant response time: Analysis of the responsiveness of participants in workflow processes.
• Inactive requests: Analysis of requests which have had no activity in N days.
• Stuck requests: Analysis of requests which cannot be completed.
• Escalated / delegated requests: Analysis of escalation and delegation of requests.
• Request popularity: Analysis of the popularity of pre-defined request types, managed resources, operations and workflow participants.

All workflow requests are retained in the Group Manager database indefinitely, for reporting at any future date.
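Section 8 makes the AD group owner the default authorizer ("ensure that the owner field is correctly populated" and "verify that group owners are correctly defined"). The PowerShell below is an added example of that pre-deployment check, not Hitachi ID's own tooling: it walks the groups in scope and reports any whose managedBy attribute is empty, points at an object that no longer exists, is not a user, or is a disabled user account. It assumes the RSAT ActiveDirectory module; the OU distinguished name in the usage line is a placeholder.

```powershell
# Added example, not Hitachi ID's code: audit the "owner field" (managedBy)
# on AD groups, since that owner becomes the approval authorizer. Assumes the
# RSAT ActiveDirectory module; the OU in the usage line is a placeholder.

function Test-GroupOwners {
    [CmdletBinding()]
    param(
        [string]$SearchBase,          # optional OU distinguished name to scope the audit
        [switch]$SecurityGroupsOnly   # skip distribution groups
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    $query = @{ Filter = '*'; Properties = 'managedBy', 'GroupCategory' }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    foreach ($group in Get-ADGroup @query) {
        if ($SecurityGroupsOnly -and $group.GroupCategory -ne 'Security') { continue }

        $status    = 'OK'
        $ownerName = $null

        if (-not $group.managedBy) {
            $status = 'NoOwner'
        } else {
            # managedBy holds a distinguished name; resolve it and see what it points at.
            $owner = Get-ADObject -Identity $group.managedBy -Properties displayName -ErrorAction SilentlyContinue
            if (-not $owner) {
                $status = 'OwnerNotFound'          # DN of a deleted or moved object
            } elseif ($owner.ObjectClass -eq 'user') {
                $ownerName = $owner.displayName
                $user = Get-ADUser -Identity $owner.DistinguishedName
                if (-not $user.Enabled) { $status = 'OwnerDisabled' }
            } else {
                $ownerName = $owner.Name            # e.g. owner is itself a group
                $status = 'OwnerNotUser'
            }
        }

        [pscustomobject]@{
            Group    = $group.SamAccountName
            Category = $group.GroupCategory
            Status   = $status
            Owner    = $ownerName
        }
    }
}

# Usage: list every security group whose owner could not act as an authorizer.
Test-GroupOwners -SearchBase 'OU=Resource Groups,DC=example,DC=com' -SecurityGroupsOnly |
    Where-Object Status -ne 'OK' | Sort-Object Status | Format-Table -AutoSize
```

A group whose owner is itself a group is flagged rather than treated as an error, since whether that is acceptable depends on how the authorizer list is extracted; the other three statuses are the cases that would leave a request with nobody to approve it.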
10 Network Architecture

The Hitachi ID Group Manager network architecture is illustrated in Figure 2.

Figure 2: Group Manager Network Architecture Diagram (diagram not reproduced). Components shown: the requester's user workstation (any client OS; web browser, Windows filesystem client and mail client); the Hitachi ID Group Manager web server (ID-Access application on a Windows Server OS); a file server (Windows 2003; share or folder); a domain controller (Windows Server OS; AD users and groups); an e-mail system (typically Exchange; mailboxes); and the authorizer's user workstation (any client OS; web browser). Labelled flows: browse resources and request access; discover resources and ACLs; discover users, groups and group owners; invite authorization; review request: approve or deny; update group memberships; access resource.

In the diagram:

1. A requester signs into Group Manager and locates a network resource of interest, using some combination of searching and browsing.
2. The requester asks for access to the resource.
3. Group Manager looks up the ACLs on the resource, and determines which group membership would be appropriate.
4. Group Manager looks up the group's owners, and sends them an e-mail on behalf of the requester, asking that the requester be attached to their group, in order to enable the requester to access the resource of interest.
5. At some later time, the group owners receive the e-mail, sign into Group Manager, and either approve or deny the request.
6. If the request is approved, Group Manager updates the user and group objects in AD, to create a new group membership.

Access by the requester and authorizer to Group Manager is typically HTML over HTTPS. Access by both the requester and Group Manager to the network resources in question may be SMB, DFS or LDAP.
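Section 4 and steps 3 and 4 above describe the same discovery mechanism: read the ACL on the requested resource, find which groups hold rights to it, and look up each group's owner in AD so the request can be routed for approval. The PowerShell below is an added example of that mechanism, not Hitachi ID's plugin code. It assumes the RSAT ActiveDirectory module, a reachable UNC path, that the groups on the ACL belong to the current user's domain, and folder-level NTFS ACLs only; the share path and domain name are placeholders.

```powershell
# Added example, not Hitachi ID's code: map a folder's NTFS ACL to the AD
# groups that grant access, classify each grant as read-only or read-write,
# and look up each group's owner (managedBy). Assumes the RSAT
# ActiveDirectory module; the UNC path in the usage line is a placeholder.

function Get-AccessLevel {
    # Collapse the FileSystemRights flags into the coarse levels a requester chooses
    # between (read-only vs. read-write). Takes an int so that generic-rights masks
    # outside the named enum values are handled too.
    param([int]$Rights)
    $writeBits = [int][System.Security.AccessControl.FileSystemRights]::Write -bor
                 [int][System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [int][System.Security.AccessControl.FileSystemRights]::FullControl
    if (($Rights -band $writeBits) -ne 0) { 'read-write' } else { 'read-only' }
}

function Get-FolderAccessGroups {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$Path,   # UNC path of the folder being requested
        [string]$Domain = $env:USERDOMAIN       # NetBIOS domain name as it appears in ACE identities
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # Only Allow entries for principals in our domain can become a membership request;
        # Deny entries and BUILTIN / NT AUTHORITY principals are skipped.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $identity = $ace.IdentityReference.Value
        if ($identity -notlike "$Domain\*") { continue }
        $sam = $identity.Split('\')[1]

        $group = Get-ADGroup -Filter "SamAccountName -eq '$sam'" -Properties managedBy
        if (-not $group) { continue }           # the ACE names a user, not a group

        # Resolve the owner DN; this is who would be invited to approve the request.
        $ownerName = '(no managedBy set)'
        $ownerMail = $null
        if ($group.managedBy) {
            $owner = Get-ADObject -Identity $group.managedBy -Properties displayName, mail
            $ownerName = $owner.displayName
            $ownerMail = $owner.mail
        }

        [pscustomobject]@{
            Folder    = $Path
            Group     = $group.SamAccountName
            Access    = Get-AccessLevel -Rights ([int]$ace.FileSystemRights)
            Inherited = $ace.IsInherited
            Owner     = $ownerName
            OwnerMail = $ownerMail
        }
    }
}

# Usage: list the candidate groups for a folder together with who would approve a request.
Get-FolderAccessGroups -Path '\\fileserver\projects\alpha' | Format-Table -AutoSize
```

Two limits worth knowing before relying on output like this: the example reads only the NTFS ACL of the folder, not the share-level ACL that section 11 lists separately, and it does not expand nested groups, so a group that appears on the ACL may itself contain the group a user should actually be added to.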
11 Platform Support

Hitachi ID Group Manager currently supports Active Directory group membership management, where AD runs on Windows 2000, 2003, 2008 or 2012 servers. It also supports management of:

1. SMB and DFS based filesystems.
2. Nested groups. Users and/or policy plugins choose the group for which membership will be requested.
3. Access to shares (i.e., share-level ACLs).
4. Access to folders (i.e., NTFS folder-level ACLs).
5. Access to printers (i.e., ACLs on AD-published print queues).
6. Access to mail distribution lists (i.e., membership in AD mail DLs).

www.Hitachi-ID.com
500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3
Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: sales@Hitachi-ID.com
File: /pub/wp/documents/id-access/id-access-white-paper-1.tex Date: 2013-01-21