Delegate with Active Directory Self Service

Posted by Edward Killeen on Wed, Oct 23, 2013

There is a saying in Identity Management: "What you can't automate, delegate."  It may be something that only I say, but it should be said more often.  Because following that credo improves security, productivity and the bottom line.

active directory self serviceThe project list of things to automate is a mile long, starting with user provisioning and permissions, group and role memberships, identity synchronization, and so on.  For delegation, the list is equally as long -- password reset, group membership, single sign-on, cloud accounts, and the lowest hanging fruit: Active Directory self-service.

Active Directory is a tricky beast, there are parts of it you need to completely cordon off.  You can't let anyone mess with the OU structure or change their own title or delete user accounts.  But you do want them to update their own mobile phone number, change the title of the user reporting to them, join a distribution group, or update their password.  Within ADUC, it's all or nothing, there isn't a way to manage it granularly like this.

The key to any AD self service solution is to have controls in place; an RBAC policy that defines who can do what without undue amounts of configuration.  You need to be able to define who can do what action (change a password, update phone numbers, create a group), who needs to approve it, and what is even shown to each user.  Having a dynamically maintained role structure and Rights-based approval routing (RBAR) allows you to have this level of granularity.

EmpowerID's HTML5 user interface means that updates can be made from any device, its unique combination of RBAC and ABAC allows for very fine grained permissions, and RBAR means that you don't have to define every single permission for approvals, it is all handled within the system.

With all of this delegation power available from the self service interface, native access can be shut down to ADUC.  You can have admin roles, help desk roles, manager roles, user roles, and all of it managed dynamically.  No more accidental deletion of an OU because you had to give an intern access to ADUC to change a user's telephone number (true story).

What separates a full IAM solution from a point solution is what it does with this Active Directory information.  An IAM solution can take these changes to AD and flow them to other identity stores and applications.  For example, the phone number change can update the emergency contact list, a title change can update HRIS once an approval workflow is satisfied, a change in a security group can update a user's role in a cloud application.

I'm not sure if you noticed in this post, but this is all delegated or automated.  IT just configures it using EmpowerID's visual workflow studio and users and computers do the rest.  Delegate out this lowest hanging of all fruit, AD self service, and improve security, productivity and the bottom line!

Download whitepaper Active Directory Management

Tags: Active Directory