Gartner: Cloud breaks legacy IAM approaches

Posted by Edward Killeen on Fri, Feb 01, 2013

Listening to a Gartner webinar on Identity & Access Management this morning, this line struck me: "Cloud breaks legacy IAM approaches".  It is true: most legacy IAM vendors are stuck with old codebases, old products, and components that have been cobbled together to form "frankenproducts".  They have no more chance of seamlessly managing cloud identities than they do of installing and configuring on time and on budget.

Cloud identity management is hindered by these old legacy approaches to IAM.  The industry is, in many ways, in exactly the same position it was in ten years ago with on-premise applications.  The solution to each cloud problem (SSO, provisioning, access governance) comes from a different vendor, or a different product within the legacy vendor's "suite".

In the webinar, Gregg Kreizman says that the larger vendors "have been able to provide functionally across the IAM function set through acquisition, through some development.  They have slowly and somewhat shortly have been incorporating these things into suites, some of them very loosely integrated some of them better than others."

The problem, though, isn't the legacy IAM vendors.  The problem is that it's easier to justify a legacy IAM vendor to your CFO, despite the higher cost and lengthy deployment.  Gregg also says, "I hope no one would base selection or implementation decisions based on identifying the largest vendors only."  For exactly the reasons above.

Because there are approaches to the cloud that aren't burdened with tons of legacy baggage.  To a newer, more modern IAM platform, that cloud application is just another identity store.  In some ways it is even easier to work with, because a cloud application has to expose SDKs and APIs.

Having a platform that integrates easily between cloud and on-premise brings you up to date in Identity & Access Management.  EmpowerID has connectors to most major cloud applications and a flexible connector platform to build new ones for others.  Provisioning, deprovisioning, updates are all seamless and fit into your IAM workflows the same as an on premise application.

But that isn't what breaks most legacy IAM products; it's the integration of IAM functionality.  Provision a cloud user AND provide cloud single sign-on.  Role-based provisioning for cloud applications that integrates with role-based adaptive authentication for those same applications.  These are the things that test your ability to manage identities in the cloud.

Chances are the legacy IAM "frankenproduct" cannot do that for on-premise applications, much less the cloud.  The only way to make this sort of modern IAM functionality happen is to have a purpose-built, single-codebase IAM platform.  One in which the roles engine can easily speak to the workflow engine, which in turn speaks to the metadirectory.  One that can insert a second-factor authentication shape into an access authorization workflow.  One that can provision any number of cloud or on-premise applications within a single visual workflow.  In short, EmpowerID: the modern IAM approach.

[Image: cloud breaks legacy IAM]

That is a list of the capabilities of EmpowerID.  The same platform manages all of this functionality.  What changes is the workflow shapes (think of them like identity management actions) that are exposed by module.  For example, if you have the User Manager and Group Manager modules, you can insert a dynamic group membership provisioning shape into your user provisioning workflow, allowing provisioning to extend to groups.  If you have User Manager and SSO Manager, you can check a user's role and demand additional authentication before passing them along to the cloud application if the role and application mix is identified as highly secure.

The cloud doesn't have to break your IAM.  In fact, IAM is too important to let it.  What you need is an approach that is modern, flexible and built to manage change in both identities and your business process.  Seeing is believing, we can demonstrate IAM that extends seamlessly to the cloud with EmpowerID.  Schedule a demo and you will never think about going back to those legacy IAM approaches.


Tags: Identity and Access Management (IAM)

Identity and Access Management in Health Care

Posted by Dustin Eubanks on Wed, Jan 09, 2013

Prior to The Dot Net Factory, I spent over six years helping healthcare organizations implement software solutions.  During that time I helped doctors, frontline care workers, financial staff, even maintenance staff to replace paper documentation systems with electronic documentation solutions.  Now my time in Identity & Access Management (IAM) has helped me to bridge the gap between healthcare and IAM.  Here is a list of common complaints that I heard in the healthcare world:

  • Why do I need another system to log into or remember a password?
  • Who will setup the permissions for the solution – with HIPAA requirements they must be accurate and up to date?
  • What if I am locked out and I need access now?

Another Password or Another Sign in!

As a healthcare professional, your job first and foremost is to care for your patients, individuals, and residents.  This means that making sure Sally gets her medications is your first priority, but unfortunately if it doesn't get documented then it didn't happen, which can set you up for a costly error that can mean legal or survey problems in the future.  Then what if you need to check her blood pressure before giving the medications, and that needs to be entered into a vitals system?  Now we have two systems that need to be accessed to record one interaction with a patient.

Enter SSO (single sign-on): now staff can log into Windows, an EHR, or any other trusted app once, and EmpowerID handles the heavy lifting of making sure everyone gets access to all of the apps they need without logging in again.

Providing the Right Access

You are a complicated healthcare entity.  You may have a doctor's office, skilled nursing homes, a hospital, or you provide home healthcare.  You could also be one entity with several wings or units.  Your staff needs access to only what they need and nothing more in every system to avoid HIPAA concerns.

EmpowerID's Role Based Access Control (RBAC) engine can pull from your HR system to assign the right access to the right people because we know that Sally is a Nurse Supervisor on the Alzheimer’s unit.  Those two things tell us who she manages, what she controls, and what she needs access to.  Your healthcare apps already filter by service location or healthcare unit.  Wouldn’t it be nice to have EmpowerID put them into the correct place at the correct time? 

Access Now!

Your patient is complaining of extreme pain and we must move him from outpatient service to the emergency room, now!  You are ready to take him but you know his daughter was in just earlier today and she needs to be contacted. You need to access your patient’s emergency contact information to see his daughter’s contact information and right as you go to access it you realize that you ignored your email that said your password would expire about 10 minutes ago (of all the moments). 

This particular app doesn't support self-service password reset, so you have to submit a ticket or call the help desk to get access.  Or even worse, you know a friend's password, or you have your friend access the information for you (even though it is your patient and not his!).  With EmpowerID's Password Manager we can give you the tools to reset the password on the fly.  And if you reset your password once, it will push the change to all of your apps.  You will answer a series of questions that only you know the answer to; the best part is that EmpowerID can force you to enroll in the password reset system.  This ensures that when you are in this bind you are set up to take care of it quickly.

These are only a few scenarios but Healthcare systems require so much complicated access and are used so frequently and with so much urgency that access has to be easy on your workers.  Anything from clocking in through one app to giving patients access to their health record from another app or accessing a client’s medication allergies makes things more of a challenge.  That is why our full IAM suite allows you to address one issue or all of them through one platform.


Tags: Identity and Access Management (IAM)

OATH tokens for two factor authentication

Posted by Edward Killeen on Fri, Jan 04, 2013

Security is not easy.  IT's goal is to find a way to increase security without adding complexity to the point where it reduces productivity.  It is a fine line and one that needs constant balancing.

Authentication is a key point on this security balance beam.  Password complexity, multi-factor authentication, adaptive authentication, federation and single sign-on are all considerations in how to deliver security without hindering productivity.

Starting on one end of the spectrum (no security but easy for users) is a simple eight character password synchronized to all of your applications....that is not good.  On the other end of the spectrum you can have each application having a separate complex 16 character password with biometrics and identity proofing and an OATH token....your users will kill you.

I believe that targeted two factor authentication with single sign on is the answer.  Adaptive authentication is what makes this work.  Because EmpowerID is built on a visual, business-process-oriented workflow platform, you can insert additional authentication options into any workflow based on either the role of the user authenticating or the application that the user is trying to access.

Examples of these two options are:

  • Adaptive authentication based on the user's role: All users should be able to authenticate into the network with a password but more highly privileged users (domain admins or VPs of finance) should have a higher level of security.  These users will be placed into a role or group that requires a second authentication factor such as an OATH token.  (note: I find it very interesting that those with the highest level of access tend to be those who can control their authentication level such as CxOs or domain admins)
  • Adaptive authentication based on application:  This option will result in much less resistance and one could argue is actually more secure.  When a user tries to access a more highly sensitive application or resource, the EmpowerID workflow will recognize the resource as security level X and apply a more stringent authentication method such as knowledge based questions or an OATH token.

The key to all of this is that the IAM platform must have workflows that can increase authentication levels based on either the user's role or the resource's security level.  EmpowerID's visual workflow can even make a hybrid model of this where certain roles accessing certain resources can trigger the advanced authentication.

It is also crucial to use the correct second factor.  As you know, the first factor is something you know, the second factor is something you have, and the third factor is something you are.  Remember that balancing act between security and productivity?  The productivity side also incorporates how hard it is to get the second factor into your users' hands.

How hard is it to get iris scans or fingerprints for every user?  How hard is it to deploy smart cards for remote users when you have a 5% turnover per year?  How difficult is it to manage physical assets to manage the "what your users have" factor?

This is what makes smart phones so darned valuable.  Everyone has one.  The flip side to the BYOD revolution is the first three letters: users bring their own!  You can take advantage of this by having users register their devices as part of the authentication (yes, EmpowerID can do that for you).  Then either text a code or demand an OATH token as the second factor.

There are plenty of open source apps available (for example, this one for the iPhone) for the OATH client so you don't even have to deploy hardware.  EmpowerID has its own OATH server, creating a simple seamless way to incorporate an open standard such as OATH and the widely available smart phone from your users to create a very flexible adaptive authentication method using two factor authentication.
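Since the post leans on OATH tokens as the second factor, here is what one of those tokens actually computes.  This is an added example, not EmpowerID's OATH server or any code from the post: it implements HOTP (RFC 4226) and TOTP (RFC 6238) with the Python standard library, and adds the server-side checks a verifier needs, namely a small drift window, constant-time comparison, and a record of the last accepted step so a code cannot be replayed.  The shared secret and timestamps are the constructed test values published in the two RFCs, so the block runs offline and its output can be checked against them.

```python
"""OATH one-time passwords (HOTP, RFC 4226; TOTP, RFC 6238).
Added example for this post, not EmpowerID code.  The secret and the
timestamps are the constructed test values from the RFC appendices."""
import hashlib
import hmac
import struct

# RFC 4226 Appendix D / RFC 6238 Appendix B shared secret (20 ASCII bytes).
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)) mod 10^digits (RFC 4226 section 5.3)."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                             # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)          # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP = HOTP(K, floor(T / X)): the counter is the number of `step`-second
    intervals since the Unix epoch (RFC 6238 section 4.2)."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side verifier for one user's token.  Accepts the current step or
    +/- `window` steps of clock drift, compares in constant time, and remembers
    the highest accepted step so a captured code cannot be replayed inside the
    same window (RFC 6238 section 5.2)."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1, digits: int = 6):
        self.secret = secret
        self.step = step
        self.window = window
        self.digits = digits
        self.last_step = -1            # highest step already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // self.step
        for candidate in range(now - self.window, now + self.window + 1):
            if candidate <= self.last_step:
                continue               # already used once: treat as a replay
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_step = candidate
                return True
        return False


if __name__ == "__main__":
    # RFC 4226 counter 0 and RFC 6238 T=59 (which is counter 1) test vectors.
    print(hotp(TEST_SECRET, 0), totp(TEST_SECRET, 59))   # 755224 287082
```

The enrolment step the post mentions (registering the device) is where the shared secret is exchanged; everything after that is the arithmetic above, which is why a phone app and a hardware token are interchangeable as the "what you have" factor.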

And you get to balance productivity and security by selectively applying this second factor to highly secure and confidential resources and highly privileged users.  Additional security without sacrificing productivity.  Schedule a demonstration of EmpowerID and see how we can make that a reality for you.


Tags: Single Sign-on (SSO), Identity and Access Management (IAM)

Future proofing in Identity & Access Management

Posted by Edward Killeen on Thu, Jan 03, 2013

Identity and access management (IAM) is a big concept.  Google Analytics tells me that there are 18,100 searches for this term each and every month.  Gartner's definition is that "IAM ensures the right people have the right access to the right resources at the right time, enabling the right business outcomes."  That is a big concept.

However, it is rare that an organization is trying to solve every single aspect of IAM in a single project.  Some do and EmpowerID can do it.  But most don't and they need a modular approach to solving the IAM problem. 

To break down Gartner's definition:

  • The right people: user provisioning into the metadirectory and all applications
  • The right access: attribute and role based access control
  • The right resources: inventorying of protected resources whether they be applications or files or anything
  • The right time: workflow that ensures that all actors (people, roles, resources) are updated at all times
  • The right business outcome: a workflow model that corresponds to your actual business process

The best and easiest example is a client who comes to us looking to solve its user provisioning problem (the right people).  EmpowerID does this in its sleep (just kidding, EmpowerID doesn't sleep).  The EmpowerID metadirectory constantly inventories all connected applications and identity stores, updating information and flowing it between any directory or database that needs the information. 

A user is provisioned in HR and gets an EmpowerID person account, which then creates application accounts based on the user's role.  As soon as that user is changed in any connected application, that identity information flows throughout the identity stores associated with that user.  As their role changes, their permissions change and their access changes.  Once the user leaves the organization, the user is de-provisioned.

As you can see, this quickly leaks beyond the right people to the right access.  And the right resources.  Yet not all products can accomplish this from a single platform, much less one with a single code base.  EmpowerID can.  And we haven't even gotten into what comes next.

User provisioning is a very common use case.  Very common.  What happens next is also common, we ask, "what about single sign on?"  Invariably, the client says something along the lines that they are looking to solve that next fiscal year.  Then we say, "what about your extranet, do you want to manage external identities?"  Just as often the answer is something along the lines of another team has a concurrent project for that.

And this is where having an actual identity management platform comes into play.  EmpowerID can solve the current project's business dilemma and future proof for the additional business problems.  The integrated metadirectory, roles engine and visual workflow platform allow all of the modules to work independently or in conjunction to solve additional problems.

In the first SSO example, once the users are provisioned and synchronized and you know your identities are accurate, it is simple to base the applications that they can access on the role of these users (remember, you already have that in place).  Just adding a few single sign on workflows opens up the possibility for adaptive authentication based on resource or role.

You can easily incorporate partners and customers into the fold for the second example.  EmpowerID is designed for multi-tenancy so you can even have different customers have different levels of access.  Your roles are in place for your end users so it's easy to give permissions to employees to manage the customer's access and identities.

All of it works together without the need to buy everything at the time of the original project.  One of our more recent customers, a large publishing house, took this exact approach.  Their initial aim was user provisioning and access governance.  Basically, get their own house in order.  The next step is the customer portal, giving end users and book stores role based access to online ordering and account management.  The third phase is getting internal users' access to this customer portal and all of the legacy systems.

Basically, they future proofed their Identity & Access Management on top of their initial project's requirements.  This is an important ability to check when deciding on something as big as your IAM vendor, it's a lot more than just synchronizing some attributes back and forth; it's matching your business processes (now and in the future) to your IAM workflows. 

Schedule a demonstration and see how we can map what you need to what we do and be prepared to think in the future when we ask you what's next.


Tags: User provisioning, Identity and Access Management (IAM)

Automated user provisioning: the first step

Posted by Edward Killeen on Wed, Nov 28, 2012

To paraphrase Gartner, Identity and Access Management is the act of getting the right people the right access to the right resources at the right time.  Central to that concept is the right people.

Think of the people that you have: employees, contractors, customers, and prospects.  Each of those users needs access to certain resources on your network and you certainly don't want to treat them all the same.  You need role based provisioning to ensure that each user gets provisioned to the appropriate applications.

As an example, your employees will need user accounts in Exchange, SharePoint, CRM, ERP, Google Apps, etc.  Contractors will need a subset of that with more limited roles.  Customers will need accounts in the supply chain software, ticket management, and maybe SharePoint.  For prospects, you just want to make sure that they are in CRM and have access to general sites within SharePoint.

So how do you automate this?

For each type of user you will need an authoritative source, the Identity Store of Truth.  For employees and contractors, it most likely will be your HRIS.  For customers, it can be the billing system or CRM.  For prospects, you might want to have a self-registration page.  Each of these Identity Stores of Truth will connect to the empowerID metadirectory, creating a person object that defines roles based on what data store they come from and attributes that we know about them (department, total annual billing, location, etc).  These roles are handled dynamically and change as a user's status changes.

Based on these roles, empowerID will provision user accounts into each of the connected systems listed above.  The metadirectory will then have a joined record of each user's accounts and can synchronize any changes from authoritative sources over to the connected system.

This pertains to the ongoing lifecycle of each of these users.  As you know, users are not static, they change jobs, they move from contractor to employee, prospect to customer and their needs change.  So, provisioning has to keep going to keep up with these users' lifecycles.  This is a key part of the concept of the right person having the right access at the right time.

EmpowerID's metadirectory is constantly inventorying each of these connected systems, if it sees a change to a contractor in the HRIS, it flows that to each application, possibly provisioning or deprovisioning accounts, and most likely changing their roles in all of these systems.
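The three paragraphs above describe one loop: read the authoritative source, derive roles from where the person came from and what is known about them, work out which connected systems those roles entitle them to, and compare that with the accounts that actually exist.  The following is an added example of that reconciliation, not EmpowerID code; the role rules, the role-to-application entitlements and the sample people are constructed to mirror the employee/contractor/customer/prospect examples in the post, and the store names ("hris", "crm", "self_registration") are placeholders.

```python
"""Role-based provisioning reconciliation.  Added example for this post, not
EmpowerID code.  Role rules, entitlements and sample people are constructed."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass
class Person:
    person_id: str
    source: str                 # authoritative store: "hris", "crm" or "self_registration"
    status: str                 # "active" or "terminated"
    attrs: Dict[str, object] = field(default_factory=dict)


def derive_roles(p: Person) -> FrozenSet[str]:
    """Dynamic roles from the authoritative source and the attributes it holds."""
    if p.status != "active":
        return frozenset()                      # a leaver holds no roles at all
    roles: Set[str] = set()
    if p.source == "hris":
        roles.add("employee" if p.attrs.get("worker_type") == "employee" else "contractor")
        if p.attrs.get("department") == "Sales":
            roles.add("sales")
    elif p.source == "crm":
        roles.add("customer" if p.attrs.get("annual_billing", 0) > 0 else "prospect")
    elif p.source == "self_registration":
        roles.add("prospect")
    return frozenset(roles)


# Which connected systems each role entitles a person to (the post's examples).
ENTITLEMENTS: Dict[str, Set[str]] = {
    "employee":   {"exchange", "sharepoint", "crm", "erp", "google_apps"},
    "contractor": {"exchange", "sharepoint"},
    "sales":      {"salesforce"},
    "customer":   {"supply_chain", "ticketing", "sharepoint"},
    "prospect":   {"crm", "sharepoint"},
}


def target_accounts(roles: FrozenSet[str]) -> Set[str]:
    """Union of the entitlements of every role the person currently holds."""
    wanted: Set[str] = set()
    for role in roles:
        wanted |= ENTITLEMENTS[role]
    return wanted


def reconcile(p: Person, current: Set[str]) -> List[Tuple[str, str]]:
    """Compare the accounts the person should have with the accounts the
    metadirectory has inventoried and emit provisioning actions.  Running this
    on every detected change is what turns one-off provisioning into lifecycle
    management: a role gained provisions, a role lost (or a termination) deprovisions."""
    wanted = target_accounts(derive_roles(p))
    actions = [("provision", s) for s in sorted(wanted - current)]
    actions += [("deprovision", s) for s in sorted(current - wanted)]
    return actions


if __name__ == "__main__":
    bob = Person("bob", "hris", "active", {"worker_type": "contractor", "department": "Engineering"})
    print(reconcile(bob, set()))
    bob.attrs["worker_type"] = "employee"                 # contractor converts to employee
    print(reconcile(bob, {"exchange", "sharepoint"}))
```

Note that deprovisioning falls out of the same diff as provisioning; nothing special has to be written for leavers beyond making sure a terminated person derives no roles.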

And it is all handled by a visual IAM workflow.  You have probably designed this process on a whiteboard or in Visio.  EmpowerID's workflow emulates this look and feel, allowing you to map the process to your IAM process.  And, the beauty of it?  It is true automated provisioning.  Not just once but every time a change happens.

Once you have your user provisioning automated, empowerID opens up the world of RBAC and federation and password management and governance and auditing.  But start with the "right people" through automated user provisioning and you've won the first and most important battle. 

Schedule a demo now and see how it works!


Tags: User provisioning, Identity and Access Management (IAM)

Adaptive authentication within reach

Posted by Edward Killeen on Wed, Nov 14, 2012

Adaptive authentication conjures up images of complexity.  Turning over your identities to HAL 9000 or something equally scary.  But, in reality, it can be simpler than that.  Remember the goal of identity and access management per Gartner is to ensure that "the right people get the right access to the right resources at the right time, enabling the right business outcomes."

Part of compliance to that principle is knowing who the right people are and what the right resources are.  So, let's break out the actors in this adaptive authentication scenario into 2 people and 2 resources.  Then it's simple to determine what the right access is.

People (or roles):  1) marketing manager and 2) finance director.

Resources: 1) salesforce.com, 2) folder containing 10K documents, and 3) internal SharePoint portal.

Each user will dynamically belong to a role based on their title, department and location for example.  In this case, we will consider these users as roles.

Both roles need access to Salesforce.com.  It is considered a security level 2 application when being accessed by any role outside of sales and requires a second factor authentication when accessing.

Only the finance director needs access to the 10K documents, but since these are highly secure level 3 resources, not only is second factor authentication needed, but a notification needs to be sent to the CFO every time someone accesses the documents.

And both roles need access to SharePoint; no adaptive authentication needed.

[Image: adaptive authentication]

This is what makes adaptive authentication possible.  The empowerID directory is actually an identity provider and users authenticate against it.  Since it supports federation, it will use your Windows authentication, but still be managing all of your application and resource access.

So, in the first scenario, when the two users try to access salesforce.com, empowerID will see that their roles are not in sales and force a second factor authentication before authenticating them to salesforce.com.

The same thing happens when each user tries to access the financial documents in the 10K folder.  empowerID stops the marketing manager dead in his tracks since he doesn't have access to that resource.  When the finance director accesses the folder, empowerID enforces the second factor authentication and sends a notification to the CFO.  In this instance, you could also do identity proofing, have a workflow approval, or even grant only temporary access.

The same two users go to SharePoint and both are already authenticated.  Of course, once in SharePoint, the users have different experiences based on their roles in empowerID, but we aren't forcing any extra authentication here.

Adaptive authentication is a fairly straightforward concept that doesn't have to be any more complicated than what we described above.  You set security levels on your resources (as granular as you would like) and you create roles for your users.  Certain roles have more stringent authentication requirements for certain security level resources.

You are able to improve security without forcing these more strict security measures on every single role and resource.
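The scenario above reduces to a small decision function: deny if the role has no access to the resource, otherwise work out the resource's effective security level for that role and demand whatever factors the session does not yet hold, notifying an owner at level 3.  Here it is as an added example, written for this post and not taken from EmpowerID; the role and resource names follow the post, while the "sales rep" role, the factor names and the CFO address are constructed placeholders.  The exempt-roles field is what gives the hybrid role-times-resource model mentioned in the OATH post above (a sales role sees Salesforce at level 1, everyone else at level 2).

```python
"""Adaptive authentication decision for the post's roles and resources.
Added example, not EmpowerID code.  Role names, resource names, levels and
the CFO address are constructed to match the scenario."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Security level -> factors a session must hold before the resource is released.
FACTORS_BY_LEVEL = {
    1: ("password",),
    2: ("password", "oath_totp"),
    3: ("password", "oath_totp"),   # level 3 additionally notifies an owner
}


@dataclass(frozen=True)
class Resource:
    name: str
    level: int                                  # 1..3 as described in the post
    allowed_roles: FrozenSet[str]               # roles that may access at all
    exempt_roles: FrozenSet[str] = frozenset()  # roles for which the level drops to 1
    notify: Optional[str] = None                # owner alerted on every level-3 access


@dataclass(frozen=True)
class Decision:
    allowed: bool
    step_up: Tuple[str, ...]                    # factors still to be collected, in order
    notify: Optional[str] = None


def decide(role: str, resource: Resource,
           held: Tuple[str, ...] = ("password",)) -> Decision:
    """Hybrid role x resource policy.  Deny outright when the role has no access;
    otherwise compute the effective level for this role, return the factors the
    user has not yet presented, and the notification (if any) to send."""
    if role not in resource.allowed_roles:
        return Decision(allowed=False, step_up=())
    level = 1 if role in resource.exempt_roles else resource.level
    outstanding = tuple(f for f in FACTORS_BY_LEVEL[level] if f not in held)
    notify = resource.notify if level >= 3 else None
    return Decision(allowed=True, step_up=outstanding, notify=notify)


# Constructed resources following the post's scenario.
ALL_ROLES = frozenset({"marketing manager", "finance director", "sales rep"})
SALESFORCE = Resource("salesforce.com", level=2, allowed_roles=ALL_ROLES,
                      exempt_roles=frozenset({"sales rep"}))
TENK_FOLDER = Resource("10K documents", level=3,
                       allowed_roles=frozenset({"finance director"}),
                       notify="cfo@example.com")          # constructed address
SHAREPOINT = Resource("internal SharePoint", level=1, allowed_roles=ALL_ROLES)


if __name__ == "__main__":
    for role in ("marketing manager", "finance director"):
        for res in (SALESFORCE, TENK_FOLDER, SHAREPOINT):
            print(role, "->", res.name, decide(role, res))
```

Because the decision takes the factors already held as input, a user who has just completed the second factor for Salesforce is not asked for it again a minute later for the 10K folder; the notification, however, is still sent, since it is tied to the resource's level rather than to the factor.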


Tags: Identity and Access Management (IAM)

Access governance for data and applications

Posted by Edward Killeen on Fri, Nov 09, 2012

Reading an article by Earl Perkins titled Data Meets Applications in Identity and Access Governance, I was struck by the distinction he makes between application and data access governance.  From an IAM professional's point of view, they should be one and the same thing: access to resources for their users.

But, apparently, our competitors haven't always thought that way.  He talks about how IAM suite vendors (we are one) are squeezing out point solutions by buying companies and product lines to integrate data access governance into traditional IAM.  EmpowerID is one step ahead of that curve (at least one step!).

EmpowerID's platform incorporates role based access control (RBAC) into all aspects of IAM: provisioning, authentication, synchronization, and, yes, access governance.  This ability to manage any IAM workflow based on roles or even attributes (ABAC) and integrate them into any IAM process is what makes our access governance abilities unique.

We don't have to distinguish between data and application access when granting privileges.  Either are simply resources to empowerID.  The same role structure, the same access request workflows, the same user interfaces apply whether asking for access to Salesforce.com or that folder in the Windows file system, or the shared Exchange mailbox. 

If your role has access, you have access.  If you want to request access, it is the same UI and a resource-appropriate approval process.

For data access governance, we have taken it one step further.  Most solutions offer you one of two ways to request access: 1) request access to a file or folder, or 2) request access to the group that is granting access.  EmpowerID adds the option of requesting access to a role.

No two users think of this process in the same way.  Those who prefer option 1 think of it as, "I need access to that data", those who prefer option 2 think, "what do I need to get access to data", and the third think, "who gets access to that data."

An access governance solution should be able to provide all three options (within limits of course) to satisfy the left brain, the right brain and the all brain thinkers.  Not just for data but application access as well. 

I dislike square peg round hole situations.  If you consider your access governance and IAM solution to be a peg, make it malleable to fit your own business situations, processes and policies.  Let us show you a personalized demonstration to see how empowerID can fit into your business and improve access governance.


Tags: Role Based Access Control (RBAC), Identity and Access Management (IAM)

Cloud Identity Management: lessons learned

Posted by Edward Killeen on Fri, Nov 02, 2012

In many ways, identity management in enterprises is back where it was in 2001.  We've spent the last decade cleaning up users and roles and provisioning and single sign-on but then the cloud happened.  Half of the access your users need is outside the enterprise in the cloud (I made up that stat, please don't quote it).  And the cloud isn't quite as easy to control.

The first part that is out of control is that individual business units can go out and contract with a cloud application; they don't necessarily need to rely on IT to install it and configure it.  They usually get a web-based management console and take to doing the provisioning & deprovisioning manually despite there being a much smarter way to handle it.

So your first and biggest challenge is just knowing what applications there are.  Finance is usually the only place that can even help you with that.  Then you need to know who should and shouldn't have access to this application.  Basically, what roles in your organization should have what role in that application.

Then you have to speak to that application.  Thankfully, most cloud applications have APIs but you have to learn all of their APIs and find a way to code the basics of provision, deprovision and roles.  You need to find a way to manage changes in roles and make sure that you aren't paying for users that aren't using the application any more.

And, lastly, the age old password issue.  The most insane downside to the business setting up their own cloud apps is that they will still blame IT for them having to remember another password.

All of the above sounds familiar.  It is exactly the same discussion that was had around whiteboards at the turn of the century, just with the added cloudy complication that IT doesn't control all of the applications.

Rest assured though, some identity and access management vendors have kept up.  EmpowerID's metadirectory connects to cloud or on-premise applications equally.  Managing user provisioning, authentication and role based access control are as simple as mapping our workflow shapes to cloud application APIs. 

Your provisioning and deprovisioning can be handled based on your role within the organization.  Only sales gets an account in Salesforce, marketing in Hubspot, support in Zendesk, everybody in Office 365.  By managing roles dynamically, if someone moves from sales to marketing, you can deprovision the Salesforce account, improving security and your monthly bill.

And each of these applications has roles within it so not all Sales department roles get the same level of access in Salesforce.  An account executive has a certain level of access, while a sales director has a more robust role.  By incorporating a simple drag and drop visual role mapping capability, EmpowerID allows you to manage application roles in the same way you manage your corporate roles.

But connectors and APIs don't help with the password problem.  Thankfully, SAML, OAuth, OpenID, WS-Trust and WS-Federation do.  Most cloud applications are SAML-enabled, meaning that you can federate with the cloud applications and offer a single sign on experience.  Users authenticate into your network, click on a link to their cloud application, empowerID's secure token service sends a SAML claim over to the federated application and, boom, single sign on!

EmpowerID's claim to fame in this equation is that it is one single platform handling the provisioning, deprovisioning, RBAC, and federated single sign on.  They can be decoupled, but having a single purpose-built platform handling all of the heavy lifting for on premise and cloud identity management is much more 2013 than 2001.

We learned a lot of lessons in Identity and Access Management (IAM) over the last decade, let's not let the cloud make us forget them.  I've included a few links to whitepapers below, please click on them to see how empowerID embraces the best practices of IAM in the cloud.  And, most importantly, schedule a demo to see how it might fit into your environment.


Tags: Identity and Access Management (IAM)

Governance, risk and compliance in Identity Management

Posted by Edward Killeen on Wed, Oct 17, 2012

Security and auditing are two of the main driving forces in Identity & Access Management (IAM).  Remember the definition of identity management: giving the right people access to the right resources at the right time.  But it's like Schrödinger's cat, both alive and dead until you observe and measure it.

Until you observe and measure your IAM practices and policies, you don't know if the right people have the right access.  And you don't know if the wrong people got the wrong access.  That is where auditing actually helps your business, rather than just satisfying a regulatory requirement.

Auditing and security are a mix of proactive design and reactive reporting.  You design your workflows in a way that ensures the right people have access, set up alerts for exceptions to these rights, and have a helpful reporting interface for your quarterly or yearly audits.  In our view, if you do the proactive part right, the reactive part becomes a rubber stamp.

We look at a few main categories for your proactive access control design:

  • RBAC & ABAC access control
  • Native system permissions inventory
  • Separation of Duties (SOD) policy
  • Attestation and access recertification
  • EmpowerID Operations audit log

By allowing a hybrid of role based access control (RBAC) and attribute based access control (ABAC), you can achieve a finer level of granularity around your access without role bloat.  Basically, any time a role needs finer-grained control, you add an attribute check from any connected system, and access is only granted if the user is in the right role and has the right attribute.

Native tools are a problem in IAM.  If you can circumvent your identity management platform to change attributes, roles or access, what's the point?  EmpowerID continuously inventories native systems, detects changes and reports on changes made with the native tool.  It can be configured to alert someone, roll the change back or just report on it.

Separation of Duties is an oft-overlooked aspect of IAM.  Basically, some roles are mutually exclusive.  If you are allowed to sign a check, you should not be able to issue a PO.  If you are in the research department of a bank, you should not have access to the retail banking systems.  Again, you can report on it, set alerts or just plain not allow these conflicting roles, group memberships or access rights.
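As an added example that is not EmpowerID's own code, here is a small Python policy evaluator that combines the role check with an attribute check (the hybrid RBAC/ABAC described above) and either refuses or reports the mutually exclusive role pairs from the check-signing and research/retail-banking examples.  The role names, permissions, signing-limit and region attributes, and users are constructed sample data.

```python
"""Hybrid RBAC/ABAC authorization with Separation of Duties checks (added
illustration, not EmpowerID code; all roles, rules and pairs are constructed)."""
from dataclasses import dataclass, field

# Role -> permissions it grants (constructed sample data)
ROLE_PERMISSIONS = {
    "AP-Clerk": {"po:issue"},
    "Controller": {"check:sign"},
    "Research-Analyst": {"research:read"},
    "Retail-Banker": {"retail:access"},
}

# ABAC refinement: the role holder must also satisfy the attribute check
ATTRIBUTE_RULES = {
    "check:sign": lambda a: a.get("signing_limit", 0) >= 10_000,
    "retail:access": lambda a: a.get("region") == "EMEA",
}

# Mutually exclusive role pairs named in the post
SOD_CONFLICTS = {
    frozenset({"AP-Clerk", "Controller"}),
    frozenset({"Research-Analyst", "Retail-Banker"}),
}

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    attributes: dict = field(default_factory=dict)

def is_authorized(user, permission):
    """RBAC gate first, then the attribute check for that permission."""
    if not any(permission in ROLE_PERMISSIONS.get(r, ()) for r in user.roles):
        return False
    rule = ATTRIBUTE_RULES.get(permission)
    return rule(user.attributes) if rule else True

def sod_violations(user):
    """Conflicting role pairs the user currently holds (for the audit report)."""
    return sorted(tuple(sorted(p)) for p in SOD_CONFLICTS if p <= user.roles)

def assign_role(user, role, enforce=True):
    """Refuse a conflicting assignment (enforce) or apply it and return the conflicts."""
    conflicts = sorted(tuple(sorted(p)) for p in SOD_CONFLICTS
                       if role in p and (p - {role}) <= user.roles)
    if conflicts and enforce:
        return False, conflicts
    user.roles.add(role)
    return True, conflicts
```

With `enforce=False` the conflicting role is granted and the returned pairs are what you would feed to an alert or the periodic report.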

There are also many cases where users have the right access but should not have this access forever.  Attestation and access re-certification solve this.  You can have resource owners (role owner, group owner, app owner, compliance officer) periodically attest that this access is correct.  Even if this access is managed dynamically, you should still have periodic attestation.

All of these GRC factors are stored in an audit log.  But that doesn't do you any good unless there is a strong vehicle to present these actions and access to the appropriate business owner and/or auditor.  Having an online view, a powerful report generator, and most importantly, a method to take action on any red flags is key.

You want to know who made a change, when it was made, what tool was used, and who approved it.  These changes can be in multiple applications and a centralized metadirectory helps keep it all in one place.

Some of the largest, most regulated corporations in the world use EmpowerID to solve these access problems; let us demonstrate how EmpowerID can work in your environment.

Tags: Identity and Access Management (IAM)

Replacing Active Directory Users & Computers

Posted by Edward Killeen on Mon, Oct 15, 2012

Delegate and Automate.  The first two words of IT.  It is especially true with respect to managing Active Directory.  There are a lot of authoritative sources of identity information that Active Directory needs, and not one of them is your help desk employees.

And that's one of the main issues with managing AD: it often falls into the help desk's hands.  They get an email from HR saying to create some users.  They get requests to add users to AD security groups.  They might get an email that Jane Doe got promoted to a new job in Operations.  And for all of these changes, they have to have access to Active Directory Users & Computers (ADUC).

Once you have access to ADUC, you have access to ADUC.  By that I mean that the help desk user can not only create a new user but also delete an OU.  Not only can they add a member to a security group, but they can also make themselves a domain admin or a member of the executive security group.  It just isn't that safe or secure.

So you want to be able to delegate and automate your Active Directory management.  Give end users only the access they need to make changes.  Give them a self-service portal that follows strong workflow rules, with field-level security for changes to their profile or their users.  Give them the ability to request membership in some groups and not others.  Allow them to manage the membership of a group that they own.

By using rights-based approval routing, anything that user is allowed to do is done instantly.  Anything that needs approval from another user is routed for that approval.  Anything that they shouldn't even see (the distribution group of users on steps of discipline, for example) never appears to them.
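As an added example, not EmpowerID's own code, here is a small Python router that applies the three outcomes just described (apply instantly, route for approval, never show) to profile changes and group membership requests, with field-level security on the profile side.  The field lists, manager mapping, groups and users are constructed sample data.

```python
"""Rights-based approval routing for delegated AD changes (added illustration,
not EmpowerID code; fields, groups, users and the manager map are constructed)."""
from dataclasses import dataclass, field

SELF_SERVICE_FIELDS = {"mobile", "officeLocation"}    # changed instantly
APPROVAL_FIELDS = {"title": "HR", "department": "HR"}  # routed to an approver
MANAGER_OF = {"alice": "bob"}                          # user -> manager

@dataclass
class Group:
    name: str
    owner: str
    requestable: bool = True   # listed in the self-service catalogue
    hidden: bool = False       # never listed, e.g. a disciplinary DL
    members: set = field(default_factory=set)

def visible_groups(actor, groups):
    """Names the actor may see: hidden groups only appear to their owner."""
    return [g.name for g in groups if not g.hidden or g.owner == actor]

def route_attribute_change(actor, target, attribute):
    """Field-level security on own profile or a direct report's profile:
    'applied', 'approval:<who>' or 'denied' (no blanket ADUC write access)."""
    if actor != target and MANAGER_OF.get(target) != actor:
        return "denied"
    if attribute in SELF_SERVICE_FIELDS:
        return "applied"
    if attribute in APPROVAL_FIELDS:
        return f"approval:{APPROVAL_FIELDS[attribute]}"
    return "denied"   # attribute not exposed through the portal at all

def route_membership_request(actor, group, member):
    """Owners change their group instantly; others may only request their own
    membership in requestable groups, and hidden groups are never offered."""
    if group.hidden and group.owner != actor:
        return "not-visible"
    if group.owner == actor:
        group.members.add(member)
        return "applied"
    if group.requestable and actor == member:
        return f"approval:{group.owner}"
    return "denied"
```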

EmpowerID allows this self-service management with a level of granularity, security and role-based access control that makes ADUC completely irrelevant.  Access is granted only to make the changes in AD that the user is allowed to make.

But that doesn't cover everything.  Automation is your other big step.  Creating a user still shouldn't be done manually.  You probably have an authoritative source like HR that can be inventoried to see if a new employee exists or if an existing employee has changed.  Once the new user is inventoried, EmpowerID will provision the user into Active Directory, or apply changes to their job title or any other attribute.

These new or changed users will have a specific dynamic role and will be provisioned into the correct systems, given access to the right resources and be a productive member of the corporation immediately.

With the right combination of delegation and automation, you don't need to have ADUC access for any user.  You can manage all of the AD objects and attributes without the "everything" access that comes with native tools like ADUC.

Take a look at our whitepaper on replacing ADUC and schedule a demonstration of how we can help you delegate and automate.

Tags: Active Directory, Group Management, User provisioning, Identity and Access Management (IAM)