Self-Service Active Directory Group Management  © 2011 Hitachi ID Systems, Inc. All rights reserved.


Page 1: Self Service Ad Group Management

8/3/2019 Self Service Ad Group Management

http://slidepdf.com/reader/full/self-service-ad-group-management 1/13

Self-Service Active Directory Group Management


Hitachi ID Group Manager is a self-service group management solution. It allows users to request access to resources such as shares and folders, rather than requesting access to groups. Group Manager automatically maps requests to the appropriate security groups and invites group owners to approve or reject the proposed change.

Group Manager is available both as a stand-alone solution and as a no-cost module included with Hitachi ID Identity Manager.

Contents

1 Challenges in Large-Scale Active Directory Group Management
2 Addressing Complexity Using Self-Service
3 Introducing Group Manager
4 Group Manager Technology
5 User Interface Workflow
6 Requests Workflow: Parallel Authorization by Multiple Approvers
7 Requests Workflow: Escalation and Delegation
8 Installing, Configuring and Managing Group Manager
9 Logging and Reporting
10 Network Architecture
11 Platform Support
12 Group Manager Development Roadmap



1 Challenges in Large-Scale Active Directory Group Management

Many organizations have deployed Windows servers and Active Directory, and leveraged the powerful access control infrastructure in this platform to manage user access to data. This infrastructure uses security groups to control user access to resources:

• Groups are defined in Active Directory to reflect business functions or organizational structure.

• Groups are assigned rights to network resources, such as shares, folders and printers.

• Users are attached to groups based on their job requirements.

• Groups may be nested, to simplify management.

Over time, the number of groups grows and in some organizations may surpass the number of users.

Moreover, in dynamic organizations users frequently change responsibilities and are assigned new projects. This churn creates complexity:

• User requirements must be reflected by changes to user membership in groups.

• A user support group must be created to respond to user access problems by attaching users to appropriate groups.

• Users are frequently unaware of the security infrastructure, so their calls to the help desk typically begin with: "I got an ‘access denied’ error..."

• Problem resolution is time consuming: first map the user’s problem description to a network UNC, then find the groups with rights to that resource, then find owners for the groups, then call them to get permission to attach the user and finally attach the user to the group.

Complexity in managing large numbers of changes in security group membership leads to real business problems:

• Staffing cost in the user access management group, due to high call volumes.

• Long turnaround and lost productivity when users wait hours or days to get required access rights.

• Users with inappropriate access rights, as a result of failures in the change authorization process.



2 Addressing Complexity Using Self-Service

The complexity of group membership management can be greatly reduced by implementing a self-service solution in place of the security administration group. Users should then be able to:

• Sign into an Intranet web application.

• Search or browse for the resource they would like to access.

• Request access rights directly.

• Automatically route requests to the appropriate authorizers, namely the owners of the appropriate AD security group.

• Use e-mail and web-based workflow to enable authorizers to approve requests directly.

• Automatically attach users to requested groups, upon approval.

Deploying self-service to reduce the complexity of group membership management eliminates:

• The need for users to understand the security infrastructure.

• The cost of operating a security administration group.

• Security exposures due to unauthorized group memberships.

• Lost productivity due to long delays in change authorization.



3 Introducing Group Manager

Hitachi ID Group Manager is a self-service group management solution. It allows users to request access to resources such as shares and folders, rather than requesting access to groups. Group Manager automatically maps requests to the appropriate security groups and invites group owners to approve or reject the proposed change.

Group Manager is available both as a stand-alone solution and as a no-cost module included with Hitachi ID Identity Manager.

Group Manager is a component of the Hitachi ID Management Suite designed to streamline user requests to network resources.

Using Group Manager, users sign into a secure web application and request new access to a network resource, such as a share, folder, printer or mail distribution list. From the Group Manager web form, users first select a resource container (examples: share; directory OU) and then use a tree view to browse for a specific resource (examples: folder, mail DL). Once they have selected a resource, users simply submit the request.

Once the user has selected a resource, Group Manager:

• Dynamically maps the user resource selection to a specific managed target system and to a security group on that system.

• Determines whether the security group is already under Group Manager access control and if not automatically adds the group to its workflow system.

• Checks whether at least one authorizer is already available for the group and if not automatically extracts a new authorizer list from the target system itself (e.g., identifies the group’s owners).

• Initiates a workflow request, asking the appropriate authorizer(s) whether the user should be allowed to join the group in question.

The Group Manager workflow system automatically tracks change authorization and adds the user to the requested group if and when the proposed change is approved.

Group Manager produces real, concrete business value:

Group Manager improves security by ensuring that changes to membership in security groups are properly authorized before being implemented.

Group Manager reduces the cost of IT support by moving requests and authorization for changes to group membership out of IT, to the community of business users.

Group Manager streamlines service delivery regarding the management of membership in security groups by making it easier for users to submit clear and appropriate change requests and automatically routing those requests to the right authorizers. This makes the request process painless and the approvals process fast.



4 Group Manager Technology

Hitachi ID Group Manager is currently designed to target a single platform – Active Directory. Its user interface exposes resources that are typically made accessible by user membership in AD groups:

• Shares on file servers.

• Folders on shares, including the full depth of folder hierarchy.

• Printers and print server queues published in AD.

• Mail distribution lists, for example as used by MS Exchange.

Group Manager uses plugins to connect to target platforms. The Windows/AD resource discovery plugin is able to drill down into Windows-based network resources, find out which groups have rights to which resources, and look up group owners in Active Directory. The Hitachi ID Management Suite Active Directory connector, included with Group Manager, can enumerate AD users and groups, authenticate AD passwords and update AD group memberships.



5 User Interface Workflow

Hitachi ID Group Manager can be used to manage many different types of resources. A plug-in program binds Group Manager to a specific type of resource, such as Windows shares, whose access is mediated by membership in an Active Directory group. Other resources include network printers and mail distribution lists.

The description is best clarified with a concrete example:



The steps below show what each party does: the User, Group Manager, the Resource-Type Plug-in and the Target System.

1. User: Sign in using a network login ID and password. Target System: Validate credentials.

2. User: Initiate a new resource-access request.

3. Group Manager: Display a list of descriptive names for configured Windows file servers and shares.

4. User: Select a share.

5. Group Manager: Display a tree view of folders in the selected share.

6. User: Browse for and select a folder where access is desired. Group Manager: Interactive tree view display. Resource-Type Plug-in: Iteratively provide a list of sub-directories from the selected share.

7. User: Select a set of privileges and an authorizer to request. Group Manager: Display and user input. Resource-Type Plug-in: Provide a list of groups that have privileges on the share and the security privileges each one has been assigned (read-only? read-write? etc.). One or more owners (authorizers) are provided for each group.

8. Group Manager: Workflow to track change authorization.

9. Group Manager: (Change approved) Run agent to update the user’s group membership. Send a confirmation e-mail to the user and to all owner/authorizers. Target System: Updated privileges. User can now access the folder.



6 Requests Workflow: Parallel Authorization by Multiple Approvers

Starting with Windows 2003 SP1, it became possible to attach a group of users as the owner of another group. This effectively means that an AD group can have multiple owner/authorizers.

Hitachi ID Group Manager supports approval by multiple owners, and/or by a specified subset of them (e.g., 1 out of 2 or 3 out of 5 authorizers).

Group Manager supports both parallel and serial change authorization, but Hitachi ID Systems encourages all of its customers to use parallel authorization.

With either parallel or serial authorization, every authorizer must approve a change before it is implemented. As a result, there is no security implication to choosing one method over the other.

The difference between parallel and serial authorization is that parallel authorization favors efficient SLA (Service Level Agreement) performance, while serial authorization shields subsequent authorizers from the occasional, spurious request that an earlier authorizer would reject. In Hitachi ID Systems’ experience, users are aware that their requests will be highly visible and almost never make requests that are unlikely to be approved. Consequently, the number of spurious requests is close to zero in practice and there is no real business advantage to shielding later authorizers from spurious requests. As a consequence, the advantages of parallel authorization – improved SLA and reduced process complexity – are the deciding factor.

7 Requests Workflow: Escalation and Delegation

Once a user has requested access to a network resource, a workflow process takes over, prompting the appropriate authorizer(s) (AD group owner(s)) to review the request.

Sometimes, authorizers will not respond promptly. To meet IT service level agreements (SLAs), requests must be supported by automatic reminders, automatic escalation and manual delegation of authority.

Workflow is used in Hitachi ID Group Manager to approve change requests, to implement approved requests, to certify user access and more. A participant in the workflow process is a person who is being asked to complete a task, most commonly change authorization.

The Group Manager workflow engine has built-in support for automatic reminders, escalation and delegation, so as to elicit reliable responses from individually-unreliable users:

• When participants are first chosen, their out-of-office status on their primary e-mail system may be checked, to trigger early escalation to an alternate participant.

• Non-responsive participants that have been asked to review a request receive automatic reminders. The reminder interval is configurable.

• Participants who remain non-responsive (too many reminders) are automatically replaced with alternate participants, identified using escalation business logic. Escalation is most often based on OrgChart data – i.e., the original authorizer’s direct manager is often the escalated authorizer.

• Participants can pro-actively delegate their authority, temporarily or permanently. Delegation may trigger its own approval – asking the new participant to accept a new responsibility.

• A workflow manager can reassign participants attached to open requests, for instance when they are terminated or when a request is urgent and already-assigned participants are not available.
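The parallel m-of-n authorization of Section 6 together with the reminder, escalation and manual-reassignment rules of Section 7, as an added Python example; it is not part of the original paper or of Group Manager itself. The org chart, the user names, the rule that any single rejection closes a request, and modelling one reminder interval as one call to tick() are all assumptions.

```python
from dataclasses import dataclass, field

# Constructed org-chart data standing in for the escalation business logic
# (the original authorizer's direct manager becomes the escalated authorizer).
MANAGER = {"jsmith": "pdirector", "akhan": "pdirector", "hr-ops": "cfo"}

@dataclass
class Request:
    requester: str
    group: str
    authorizers: list            # all invited at once: parallel authorization
    quorum: int                  # len(authorizers) for "all", 1 for "1 of 2", 3 for "3 of 5"
    max_reminders: int = 3       # reminders sent before escalation (interval is configurable)
    approvals: set = field(default_factory=set)
    reminders: dict = field(default_factory=dict)   # authorizer -> reminders sent so far
    status: str = "pending"      # pending | approved | rejected
    needs_manual_reassignment: list = field(default_factory=list)
    log: list = field(default_factory=list)

def decide(req, who, approve):
    """Record one authorizer's decision. Assumption: any rejection closes the
    request even under an m-of-n quorum; decisions from non-participants are ignored."""
    if req.status != "pending" or who not in req.authorizers:
        req.log.append(f"ignored decision from {who}")
        return req.status
    req.log.append(f"{who} {'approved' if approve else 'rejected'} {req.group}")
    if not approve:
        req.status = "rejected"
    else:
        req.approvals.add(who)
        if len(req.approvals) >= req.quorum:
            req.status = "approved"   # only now may the membership change be implemented
    return req.status

def tick(req):
    """One reminder interval has elapsed: remind every non-responder, and replace
    anyone who has exhausted the reminders with their manager (escalation)."""
    if req.status != "pending":
        return req.status
    for i, who in enumerate(list(req.authorizers)):
        if who in req.approvals:
            continue
        count = req.reminders.get(who, 0) + 1
        if count <= req.max_reminders:
            req.reminders[who] = count
            req.log.append(f"reminder {count} sent to {who}")
            continue
        alt = MANAGER.get(who)
        if alt is None or alt in req.authorizers:
            # no usable escalation target: a workflow manager must reassign by hand
            if who not in req.needs_manual_reassignment:
                req.needs_manual_reassignment.append(who)
            req.log.append(f"escalation for {who} needs manual reassignment")
            continue
        req.authorizers[i] = alt           # one-for-one replacement keeps the quorum valid
        req.reminders.pop(who, None)
        req.log.append(f"escalated {who} -> {alt}")
    return req.status
```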



8 Installing, Configuring and Managing Group Manager

Hitachi ID Group Manager is very simple to configure and manage. For example, to configure it to manage group membership in Active Directory, to enable users to gain access to group-controlled file folders, one need only:

• Set up Active Directory as a Group Manager target system.

• Enter the base UNC for each share in which Group Manager will manage access.

• Ensure that the owner field is correctly populated on each AD user group.

Group Manager deployment is typically very quick:

• Install the product.

• Configure the primary target system – a Windows / Active Directory domain.

• Install the resource location plugin (currently a Windows resource plugin is available, supporting shares, folders, printers and Exchange mail distribution lists).

• Configure root nodes for resource browsing, such as share UNCs.

• Verify that group owners are correctly defined in AD, as these people will be used as authorizers.

• Test and debug the installation as appropriate.

The entire process typically requires just 2-3 days of technical configuration work.

9 Logging and Reporting

Hitachi ID Group Manager logs all attempted and completed requests for group membership. Group Manager workflow-related reports include:

1. Request summary.
2. Request lifecycle.
3. Request statistics.
4. Request details.
5. Implementers summary.
6. Current delegations.
7. Historical delegations.
8. Requests that were escalated.

All workflow requests are retained in the Group Manager database indefinitely, for reporting at any future date.



10 Network Architecture

The Hitachi ID Group Manager network architecture is illustrated in Figure 1.

[Figure 1, recovered from the diagram labels only. Components: Requester on a user workstation (any client OS) with a web browser and Windows filesystem client; Hitachi ID Group Manager on Windows Server OS (web server, ID-Access application); File Server on Windows Server OS (share or folder); Domain Controller (AD: users, groups); E-mail System, typically Exchange (mailboxes); Authorizer on a user workstation (any client OS) with a web browser and mail client. Flows: browse resources, request access; discover resources and ACLs; discover users, groups, group owners; invite authorization; review request: approve or deny; update group memberships; access resource.]

Figure 1: Group Manager Network Architecture Diagram

In the diagram:

1. A requester signs into Group Manager and locates a network resource of interest, using some combination of searching and browsing.

2. The requester asks for access to the resource.

3. Group Manager looks up the ACLs on the resource, and determines which group membership would be appropriate.

4. Group Manager looks up the group’s owners, and sends them an e-mail on behalf of the requester, asking that the requester be attached to their group, in order to enable the requester to access the resource of interest.

5. At some later time, the group owners receive the e-mail, sign into Group Manager, and either approve or deny the request.

6. If the request is approved, Group Manager updates the user and group objects in AD, to create a new group membership.

Access by the requester and authorizer to Group Manager is typically HTML over HTTPS.

Access by both the requester and Group Manager to the network resources in question may be SMB, DFS or LDAP.
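The resource-to-group-to-owner mapping of steps 3 and 4 above (the same mapping the Section 3 bullets describe), as an added Python example that is not part of the original paper or of Hitachi ID's product code. A constructed folder ACL stands in for what the file server would return for the UNC path, and a constructed owner table stands in for each AD group's managedBy attribute; the path, group names, right names and owner IDs are all assumed.

```python
from dataclasses import dataclass

# Constructed sample data: in a real deployment the ACL comes from the file
# server (e.g. the NTFS DACL on the folder) and owners from AD managedBy.
@dataclass(frozen=True)
class Ace:
    identity: str        # "DOMAIN\\name" as it appears on the ACL
    rights: frozenset    # rights granted or denied, e.g. {"read", "write"}
    allow: bool = True   # False for an explicit deny ACE

@dataclass(frozen=True)
class Candidate:
    group: str
    owners: tuple        # authorizers resolved from managedBy, sorted
    rights: frozenset    # what membership in this group would confer

# Principals that grant access but are never offered as a requestable group.
BUILTIN = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators", "CREATOR OWNER"}

FOLDER_ACL = {
    "\\\\fs01\\projects\\apollo": [
        Ace("CORP\\apollo-rw", frozenset({"read", "write"})),
        Ace("CORP\\apollo-ro", frozenset({"read"})),
        Ace("CORP\\legacy-share", frozenset({"read", "write"})),
        Ace("CORP\\contractors", frozenset({"write"}), allow=False),
        Ace("BUILTIN\\Administrators", frozenset({"read", "write"})),
        Ace("CORP\\jdoe", frozenset({"read"})),          # a direct user ACE
    ],
}
# group -> owners (sAMAccountNames); an empty tuple means managedBy is unset.
GROUP_OWNERS = {
    "CORP\\apollo-rw": ("jsmith", "akhan"),
    "CORP\\apollo-ro": ("jsmith",),
    "CORP\\legacy-share": (),
    "CORP\\contractors": ("hr-ops",),
}

def map_request(path, wanted):
    """Map 'access to <path> with <wanted> rights' onto requestable groups.
    Returns (candidates, unrouteable): groups granting every wanted right that
    have an owner to approve, least-privileged first; and groups that would
    grant the access but have nobody to authorize it (fix managedBy in AD)."""
    wanted = frozenset(wanted)
    acl = FOLDER_ACL.get(path, [])
    denied = {a.identity for a in acl if not a.allow}   # conservative: skip entirely
    candidates, unrouteable = [], []
    for ace in acl:
        if not ace.allow or ace.identity in BUILTIN or ace.identity in denied:
            continue      # deny ACEs and built-in principals are never requestable
        if ace.identity not in GROUP_OWNERS or not wanted <= ace.rights:
            continue      # not a managed group (e.g. a user ACE), or insufficient rights
        owners = GROUP_OWNERS[ace.identity]
        if owners:
            candidates.append(Candidate(ace.identity, tuple(sorted(owners)), ace.rights))
        else:
            unrouteable.append(ace.identity)
    candidates.sort(key=lambda c: (len(c.rights), c.group))
    return candidates, unrouteable
```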



11 Platform Support

Hitachi ID Group Manager currently supports Active Directory group membership management, where AD runs on Windows 2000 and Windows 2003 servers.

It also supports management of:

1. SMB and DFS based filesystems.

2. Nested groups. Users and/or policy plugins choose the group for which membership will be requested.

3. Access to shares (i.e., share-level ACLs).

4. Access to folders (i.e., NTFS folder-level ACLs).

5. Access to printers (i.e., ACLs on AD-published print queues).

6. Access to mail distribution lists (i.e., membership in AD mail DLs).

12 Group Manager Development Roadmap

Support for other platforms, such as NetWare/NDS/eDirectory, will be forthcoming, with timing based on customer demand.

The plugin architecture makes Hitachi ID Group Manager suitable for enabling users to browse for and request access to any type of resource, including any type of LDAP-published group, any network-enabled filesystem, and any complex application ACLs.

0, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: [email protected]