dell active roles

Intelligent User Administration (Jan Spangsberg, Sr. Systems Consultant, Dell Software)

Upload: kenneth-de-brucq

Post on 15-Jan-2017


TRANSCRIPT


2

Agenda

• Challenges in today's AD administration

• The Dell Software solution

• GUI examples

• Architecture

3

The challenges

Security

• Internal & external threats

• Orphaned accounts mean security loopholes

• Users have more access than they need

• Too many separate user stores

• Managing user access rights is resource-intensive, error prone and time consuming

Complexity

• New requirements add more administrative tasks

• Proving compliance is labor-intensive

• Reviewing activity logs only during audits is often too late

Compliance

Fact: 48% of respondents rated the odds of experiencing a compliance risk within the next 18 months as "high" or "very high."

Source: State of Compliance 2011, PwC

7

Account Lifecycle

New user is created (Hire)
• Account creation in AD and other systems
• Mailbox and home folder creation
• Group and distribution list memberships
• Access to applications granted
• E-mail notifications

Administration
• Information updates
• Group / role membership
• Distribution list membership
• User profile editor

Change in account (Promotion)
• Promotions or transfers
• Project assignments
• Information updates

Deletion (Retire)
• Employment status changes
• Disable accounts
• Disable access to resources
• Assign entitlements to others

Stakeholders around the lifecycle (from the diagram): AD Architect, HR, Application Owner, Administrators, Help Desk, Managers, Auditors. The diagram connects them through Entitlements, Policy and Visibility.
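The Retire step above turned into a check, as an added PowerShell example that is not ActiveRoles or Dell code. It joins a constructed HR feed with constructed user objects shaped like Get-ADUser output and flags every enabled account that has no owner of record, whose owner HR lists as terminated, or that has not logged on for 90 days; those are the orphaned accounts the Challenges slide calls security loopholes. The 90-day threshold, the Disabled OU and the sample data are assumptions; the real ActiveDirectory-module cmdlets only run behind -Apply and are issued with -WhatIf.

```powershell
# Added example (not ActiveRoles code): detect orphaned / stale accounts and build a retire plan.
$StaleDays  = 90                                          # assumption: inactivity threshold
$DisabledOu = 'OU=Disabled,DC=example,DC=com'             # assumption: where retired accounts go
$Now        = Get-Date '2017-01-15'                       # pinned so the sample is reproducible

# Constructed HR feed: employee id -> employment status
$HrFeed = @{ 'E1001' = 'Active'; 'E1002' = 'Terminated'; 'E1003' = 'Active' }

# Constructed AD users, shaped like Get-ADUser -Properties EmployeeID,LastLogonDate,MemberOf output
$AdUsers = @(
    [pscustomobject]@{ SamAccountName = 'ajensen';     EmployeeID = 'E1001'; Enabled = $true
                       LastLogonDate = $Now.AddDays(-3);   MemberOf = @('GG-IT-Users') }
    [pscustomobject]@{ SamAccountName = 'bolsen';      EmployeeID = 'E1002'; Enabled = $true
                       LastLogonDate = $Now.AddDays(-10);  MemberOf = @('GG-Finance-Users', 'DL-Finance') }
    [pscustomobject]@{ SamAccountName = 'contractor7'; EmployeeID = 'E1003'; Enabled = $true
                       LastLogonDate = $Now.AddDays(-200); MemberOf = @('GG-Project-X') }
    [pscustomobject]@{ SamAccountName = 'svc-backup';  EmployeeID = $null;   Enabled = $true
                       LastLogonDate = $null;              MemberOf = @() }
    [pscustomobject]@{ SamAccountName = 'old-user';    EmployeeID = 'E0999'; Enabled = $false
                       LastLogonDate = $Now.AddDays(-400); MemberOf = @() }
)

# Returns one object per enabled account that should be retired, with the reason.
function Get-OrphanedAccount {
    param([object[]]$Users, [hashtable]$Hr, [datetime]$AsOf, [int]$StaleAfterDays)
    foreach ($u in $Users) {
        if (-not $u.Enabled) { continue }                   # already retired, nothing to do
        $reason = $null
        if (-not $u.EmployeeID) {
            $reason = 'no EmployeeID: nobody owns this account'
        } elseif (-not $Hr.ContainsKey($u.EmployeeID)) {
            $reason = "EmployeeID $($u.EmployeeID) is not in the HR feed"
        } elseif ($Hr[$u.EmployeeID] -eq 'Terminated') {
            $reason = 'HR status is Terminated'
        } elseif ($u.LastLogonDate -and ($AsOf - $u.LastLogonDate).Days -gt $StaleAfterDays) {
            $reason = "no logon for $(($AsOf - $u.LastLogonDate).Days) days"
        }
        if ($reason) {
            [pscustomobject]@{ SamAccountName = $u.SamAccountName; Reason = $reason; Groups = $u.MemberOf }
        }
    }
}

# Disable, strip group memberships (so entitlements do not linger), move to the Disabled OU.
function Invoke-AccountRetirement {
    param([object[]]$Orphans, [switch]$Apply)
    foreach ($o in $Orphans) {
        Write-Host "$($o.SamAccountName): $($o.Reason)"
        if (-not $Apply) { continue }                       # report only unless -Apply is given
        Disable-ADAccount -Identity $o.SamAccountName -WhatIf
        foreach ($g in $o.Groups) {
            Remove-ADGroupMember -Identity $g -Members $o.SamAccountName -Confirm:$false -WhatIf
        }
        $dn = (Get-ADUser -Identity $o.SamAccountName).DistinguishedName
        Move-ADObject -Identity $dn -TargetPath $DisabledOu -WhatIf
    }
}

$orphans = Get-OrphanedAccount -Users $AdUsers -Hr $HrFeed -AsOf $Now -StaleAfterDays $StaleDays
Invoke-AccountRetirement -Orphans $orphans
```

Run without -Apply it needs no domain at all, which makes it usable as a nightly report; the order of checks matters, because an account with no owner is orphaned regardless of how recently someone logged on with it.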

8

Spend your time wisely

Step                                                                          Without rules    With rules
Create
  Add employee to HR system                                                   5 minutes (HR)   5 minutes (HR)
  Create user account in Active Directory
    (location, unique name, strong password generation)                       10 minutes       Automatic
  Create Exchange mailbox (controlled store selection, alias generation)      5 minutes        Automatic
  Create home directory (location, NTFS permissions, share permissions)       5 minutes        Automatic
Configure
  Add user to security and distribution groups                                10 minutes       Automatic
  Assign administrative permissions                                           10 minutes       Automatic
  Create user accounts on connected systems
    (send to metadirectory, Unix/Linux, etc.)                                 10 minutes       Automatic
Inform
  Inform the business (e-mail to IT, service desk, management,
    facilities, etc.)                                                         10 minutes       Automatic

Effort                                                                        65 minutes       5 minutes
Elapsed time                                                                  Hours / days     5 minutes

Typical ActiveRoles deployment time: less than two weeks!!!

9

Consistency

Business Rule Examples

• Description cannot be left blank

• Phone number must contain 1-###-###-####

• E-mail address = first letter of first name + last name @ company mail domain

• http://www.dell.com/people/

• Generate Display Name
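The Create and Configure steps from the "Spend your time wisely" table and the business rules above, as an added PowerShell example that is not ActiveRoles or Dell code. It assumes the Microsoft ActiveDirectory module; the domain, OU paths, group names, file server and mail domain are hypothetical, and every directory change is issued with -WhatIf so the script only reports what it would do. Without -Apply it runs anywhere PowerShell runs, because the rule checks, unique-name generation and password generation need no directory.

```powershell
# Added example (not ActiveRoles or Dell code): rule-driven hire provisioning.
$MailDomain = 'example.com'                                          # assumption
$HomeShare  = '\\fs01\home$'                                         # assumption
$OuByLocation = @{                                                   # assumption: location -> OU
    'Copenhagen' = 'OU=Users,OU=CPH,DC=example,DC=com'
    'Austin'     = 'OU=Users,OU=AUS,DC=example,DC=com'
}
$GroupsByDepartment = @{                                             # assumption: department -> groups
    'IT'      = @('GG-IT-Users', 'DL-IT')
    'Finance' = @('GG-Finance-Users', 'DL-Finance')
}

# Business rules from the slide: description required, phone must be 1-###-###-####,
# plus the lookups the later steps depend on, so a bad record fails before anything is created.
function Test-HireRecord {
    param([Parameter(Mandatory)][hashtable]$Hire)
    $v = @()
    if ([string]::IsNullOrWhiteSpace($Hire.GivenName) -or [string]::IsNullOrWhiteSpace($Hire.Surname)) { $v += 'Given name and surname are required' }
    if ([string]::IsNullOrWhiteSpace($Hire.Description)) { $v += 'Description cannot be left blank' }
    if ($Hire.Phone -notmatch '^1-\d{3}-\d{3}-\d{4}$') { $v += "Phone '$($Hire.Phone)' must match 1-###-###-####" }
    if (-not $OuByLocation.ContainsKey($Hire.Location)) { $v += "No OU mapped for location '$($Hire.Location)'" }
    if (-not $GroupsByDepartment.ContainsKey($Hire.Department)) { $v += "No groups mapped for department '$($Hire.Department)'" }
    return $v
}

# Generated attributes: e-mail = first initial + last name, display name, and a logon name made
# unique against names already in the directory (ajensen, ajensen2, ajensen3, ...).
function New-NamingAttributes {
    param([Parameter(Mandatory)][hashtable]$Hire, [string[]]$ExistingSamAccountNames = @())
    $first = ($Hire.GivenName -replace '[^A-Za-z]', '').ToLower()
    $last  = ($Hire.Surname   -replace '[^A-Za-z]', '').ToLower()
    $base  = $first.Substring(0, 1) + $last
    $sam = $base; $n = 1
    while ($ExistingSamAccountNames -contains $sam) { $n++; $sam = "$base$n" }
    return @{
        SamAccountName = $sam
        Mail           = "$sam@$MailDomain"            # follows the unique name so mail is unique too
        DisplayName    = "$($Hire.GivenName) $($Hire.Surname)"
    }
}

# Strong initial password from the OS CSPRNG; rejection sampling avoids modulo bias over the alphabet.
function New-StrongPassword {
    param([int]$Length = 20)
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#$%&*+-=?@'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 4
    $limit = [uint32]([math]::Floor(4294967296.0 / $alphabet.Length) * $alphabet.Length)
    $sb = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        $r = [System.BitConverter]::ToUInt32($buf, 0)
        if ($r -lt $limit) { [void]$sb.Append($alphabet[$r % $alphabet.Length]) }
    }
    return $sb.ToString()
}

function Invoke-HireProvisioning {
    param([Parameter(Mandatory)][hashtable]$Hire, [string[]]$ExistingSamAccountNames = @(), [switch]$Apply)
    $violations = Test-HireRecord -Hire $Hire
    if ($violations) { throw ('Rule violations: ' + ($violations -join '; ')) }  # fail closed
    $names = New-NamingAttributes -Hire $Hire -ExistingSamAccountNames $ExistingSamAccountNames
    if (-not $Apply) { return $names }                                            # dry run: show what the rules produced
    $secure = ConvertTo-SecureString (New-StrongPassword) -AsPlainText -Force
    New-ADUser -Name $names.DisplayName -SamAccountName $names.SamAccountName `
        -GivenName $Hire.GivenName -Surname $Hire.Surname -DisplayName $names.DisplayName `
        -EmailAddress $names.Mail -Description $Hire.Description -OfficePhone $Hire.Phone `
        -Path $OuByLocation[$Hire.Location] -AccountPassword $secure `
        -ChangePasswordAtLogon $true -Enabled $true -WhatIf
    foreach ($g in $GroupsByDepartment[$Hire.Department]) {
        Add-ADGroupMember -Identity $g -Members $names.SamAccountName -WhatIf
    }
    $home = Join-Path $HomeShare $names.SamAccountName
    New-Item -ItemType Directory -Path $home -WhatIf
    # Home folder ACE: the user gets Modify; inheritance flags carry it to everything below.
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "EXAMPLE\$($names.SamAccountName)", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    Write-Host "Would grant $($ace.FileSystemRights) to $($ace.IdentityReference) on $home"
    return $names
}

# Constructed HR record; 'ajensen' is already taken, so the uniqueness rule yields ajensen2.
$hire = @{ GivenName = 'Anna'; Surname = 'Jensen'; Department = 'IT'; Location = 'Copenhagen'
           Description = 'Sr. Systems Consultant'; Phone = '1-555-010-0199' }
Invoke-HireProvisioning -Hire $hire -ExistingSamAccountNames @('ajensen')
```

The shape matters more than the cmdlet names: validation runs first and throws on any violation, names are derived rather than typed, and the password never exists as a typed string outside the SecureString; that is what the table's "Automatic" column is claiming, and it is also why a provisioning rule that silently skips a failed check would recreate the inconsistencies the slide is trying to remove.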

11

GUI examples

12

Tree Structure

13

Edit Exchange Properties

14

Change History

15

Architecture


19

4 layer model (component groups from the diagram)

Presentation Components: MMC UI, Web UI, ADSI provider, PowerShell, SPML, Reporting

Service Components: Access Check, Policy Enforcement, Workflow

Database Components: Audit Trail, Configuration, Virtual Attributes

Synchronization, Connectivity and Extensibility: ADFS, SAML, Quick Connect, Q1IM, SDK, Add-On Manager

Identity Data, Applications and Resources: Active Directory, AD-LDS, Exchange, OCS/Lync, Windows Servers, SharePoint, AD-Integrated Systems

20

ActiveRoles Server for the cloud

• Utilize out-of-the-box connectors to synchronize your on-premises AD accounts and attributes to off-premises AD and/or to cloud-based services such as Salesforce, Google Apps, Office 365, Lync Online and SharePoint Online.

• Delegate security access controls to specific administrators to manage portions of your cloud integrations using a least-privilege model

• Automate and co-manage accounts with on-premises Exchange and/or Office 365 mailboxes

• Perform two-way sync between Active Directory and the cloud

Functionality via the Cloud

21

Summary

Create
• Add employee to HR system
• Create user account in AD
• Generate location, unique name, strong password
• Create Exchange mailbox
• Create home folders, NTFS and share permissions

Configure
• Add user to groups and distribution lists
• Grant access to applications
• Assign group memberships and role
• Assign admin permissions
• Create user accounts on connected systems

Modify
• Modify user and group status
• Disable access to accounts and resources

Audit and Inform
• E-mail to IT, service desk and management facilities
• Grant visibility
• Track change history and user activity

22

A foundation for full IAM

Identity Administration
• Synchronize identity data
• Directory consolidation
• AD administration
• Virtual directory services
• Single sign-on
• Strong authentication
• Password management

Access Governance
• Automated provisioning
• Access request and certification
• Fine-grained application security
• Data access management
• Role engineering

Privileged Account Management
• Granular delegation
• Enforce separation of duties
• Enterprise privilege safe
• Session management
• Keystroke logging
• Enhancing Sudo

User Activity Monitoring
• Granular AD auditing
• Permissions reporting
• Log management
• Event alerting
• Crisis resolution


24

Resources

• ActiveRoles Server user community – http://communities.quest.com/community/activeroles

• ActiveRoles Server Quest Drive (virtual testware) – https://www.quest.com/common/registration.aspx?requestdefid=28524

• ActiveRoles Server main product page – http://www.quest.com/activeroles-server/

• OnDemand webcasts – http://www.quest.com/events/list.aspx?contenttypeid=16&prod=183

• Whitepapers, tech briefs and datasheets

Easier accountability throughout your business

We simplify identity & access management

25