Dell ActiveRoles
TRANSCRIPT
2
Agenda
• Challenges in today's AD administration
• The Dell Software solution
• GUI examples
• Architecture
3
The challenges
Security
• Internal & external threats
• Orphaned accounts mean security loopholes
• Users have more access than they need
• Too many separate user stores
• Managing user access rights is resource-intensive, error prone and time consuming
Complexity
• New requirements add more administrative tasks
• Proving compliance is labor-intensive
• Reviewing activity logs only during audits is often too late
Compliance
Fact: 48% of respondents rated the odds of experiencing a compliance risk within the next 18 months as “high” or “very high.”
Source – State of Compliance 2011, PWC
7
Account Lifecycle
New user is created (Hire)
• Account creation in AD and other systems
• Mailbox and home folder creation
• Group and distribution list memberships
• Access to applications granted
• E-mail notifications

Administration
• Information updates
• Group / role membership
• Distribution list membership
• User profile editor

Change in account (Promotion)
• Promotions or transfers
• Project assignments
• Information updates

Deletion (Retire)
• Employment status changes
• Disable accounts
• Disable access to resources
• Assign entitlements to others

Stakeholders around the lifecycle (diagram labels): AD Architect, HR, Application Owner, Administrators, Help Desk, Managers, Auditors; the diagram also labels Entitlements, Policy and Visibility.
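The Retire step above written out as a script. This is an added example, not ActiveRoles code or anything shipped by Dell/Quest; it assumes the RSAT ActiveDirectory PowerShell module on a domain-joined host with rights over the user, and the Disabled Accounts OU, the example.com domain and the report path are assumptions. Run it with -WhatIf first.

```powershell
#Requires -Modules ActiveDirectory

function Invoke-UserRetire {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$DisabledOU = 'OU=Disabled Accounts,DC=example,DC=com',   # assumption
        [string]$ReportPath = ".\retire-$SamAccountName.csv"             # hand-off record for the manager
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf, Manager, Description
    # MemberOf excludes the primary group (Domain Users), which cannot be removed anyway
    $groups = @($user.MemberOf | ForEach-Object { Get-ADGroup -Identity $_ })

    # 1. Record the entitlements before removing them, so they can be reviewed and reassigned
    $groups |
        Select-Object @{n = 'User'; e = { $SamAccountName }}, Name, GroupCategory, GroupScope,
                      @{n = 'Manager'; e = { $user.Manager }} |
        Export-Csv -Path $ReportPath -NoTypeInformation

    # 2. Disable the account: logons stop immediately, the SID and history stay for audit
    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Disable account')) {
        Disable-ADAccount -Identity $user
    }

    # 3. Disable access to resources: strip every group membership
    foreach ($g in $groups) {
        if ($PSCmdlet.ShouldProcess($g.Name, "Remove $SamAccountName from group")) {
            Remove-ADGroupMember -Identity $g -Members $user -Confirm:$false
        }
    }

    # 4. Mark and move the object so a later review finds it instead of it becoming an orphan
    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Move to $DisabledOU")) {
        $note = 'Retired {0:yyyy-MM-dd} by {1}. {2}' -f (Get-Date), $env:USERNAME, $user.Description
        Set-ADUser -Identity $user -Description $note
        Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOU
    }
    Write-Verbose "Entitlement record written to $ReportPath"
}

# Dry run first; drop -WhatIf to apply
Invoke-UserRetire -SamAccountName jobrien -WhatIf -Verbose
```

Disabling rather than deleting keeps the SID, so file ownership and audit history still resolve; but a disabled object that nobody revisits is exactly the orphaned account the Challenges slide warns about, which is why the script writes the membership record for the manager and parks the object in a dedicated OU that can be reviewed on a schedule.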
8
Spend your time wisely

Step                                                      Without Rules   With Rules
Create
  Add employee to HR system                                5 minutes       5 minutes (HR)
  Create user account in Active Directory                  10 minutes      Automatic
    (location, unique name, strong password generation)
  Create Exchange mailbox                                  5 minutes       Automatic
    (controlled store selection, alias generation)
  Create home directory                                    5 minutes       Automatic
    (location, NTFS permissions, share permissions)
Configure
  Add user to security and distribution groups             10 minutes      Automatic
  Assign administrative permissions                        10 minutes      Automatic
  Create user accounts on connected systems                10 minutes      Automatic
    (send to metadirectory, Unix/Linux, etc.)
Inform
  Inform the business                                      10 minutes      Automatic
    (e-mail to IT, service desk, management, facilities, etc.)

Effort:         65 minutes      5 minutes
Elapsed time:   Hours / Days    5 minutes

Typical ActiveRoles deployment time: less than two weeks!!!
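The "With Rules" column of the table as plain PowerShell, added here as an illustration of what the automation has to do; it is not the product's own rule engine or workflow. It assumes the RSAT ActiveDirectory module on a domain-joined host with rights to create users, and the OU, the two group names, the home share and the example.com domain are assumptions. The Exchange mailbox step needs the Exchange Management Shell (Enable-Mailbox) and is only noted in a comment.

```powershell
#Requires -Modules ActiveDirectory

function New-StrongPassword {
    param([int]$Length = 20)
    # CSPRNG with rejection sampling; Get-Random in Windows PowerShell 5.1 is not cryptographically strong
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*-_=+'
    $limit    = 256 - (256 % $alphabet.Length)   # bytes at or above this would bias the modulo
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf      = [byte[]]::new(1)
    $sb       = [System.Text.StringBuilder]::new()
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length]) }
    }
    $rng.Dispose()
    $sb.ToString()
}

function New-ProvisionedUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        [Parameter(Mandatory)][string]$Mail,
        [string]$OU       = 'OU=Staff,DC=example,DC=com',    # assumption
        [string[]]$Groups = @('All-Staff', 'DL-Everyone'),   # assumption: one security, one distribution group
        [string]$HomeRoot = '\\fs01\home$'                    # assumption: existing share, share permissions set once
    )
    $domain      = Get-ADDomain
    $displayName = "$Surname, $GivenName"                     # assumption: display-name rule
    $password    = ConvertTo-SecureString -String (New-StrongPassword) -AsPlainText -Force

    # Create: location (OU), unique name, strong password; the user must change it at first logon
    if ($PSCmdlet.ShouldProcess("$SamAccountName in $OU", 'Create AD user')) {
        New-ADUser -Name $displayName -SamAccountName $SamAccountName -GivenName $GivenName -Surname $Surname `
            -DisplayName $displayName -EmailAddress $Mail -UserPrincipalName "$SamAccountName@$($domain.DNSRoot)" `
            -Path $OU -AccountPassword $password -ChangePasswordAtLogon $true -Enabled $true
    }
    # Exchange mailbox: Enable-Mailbox from the Exchange Management Shell (not shown)

    # Configure: security and distribution group membership
    foreach ($g in $Groups) {
        if ($PSCmdlet.ShouldProcess($g, "Add $SamAccountName to group")) {
            Add-ADGroupMember -Identity $g -Members $SamAccountName
        }
    }

    # Create home directory; NTFS grant to this user only, everything else comes from inheritance on the root
    $homePath = Join-Path $HomeRoot $SamAccountName
    if ($PSCmdlet.ShouldProcess($homePath, 'Create home directory and set NTFS permissions')) {
        New-Item -ItemType Directory -Path $homePath -Force | Out-Null
        $acl  = Get-Acl -Path $homePath
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            "$($domain.NetBIOSName)\$SamAccountName", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $homePath -AclObject $acl
        Set-ADUser -Identity $SamAccountName -HomeDirectory $homePath -HomeDrive 'H:'
    }
    # Inform: notify IT, service desk, management and facilities (ticketing or mail; not shown)
}

# Dry run first; drop -WhatIf to apply
New-ProvisionedUser -SamAccountName jobrien -GivenName John -Surname "O'Brien" -Mail jobrien@example.com -WhatIf
```

Two points matter more than the cmdlet names: the password comes from a CSPRNG with rejection sampling rather than Get-Random, and every write is gated by ShouldProcess so the whole sequence can be rehearsed with -WhatIf before it touches the directory.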
9
Consistency
Business Rule Examples
Description cannot be left blank
Phone number must match the pattern 1-###-###-####
E-mail address = first letter of first name + last name, followed by the company e-mail domain
http://www.dell.com/people/
Generate Display Name
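The rule examples above as a check that runs before provisioning, added here as an illustration and not ActiveRoles policy code. The example.com mail domain, the "Surname, GivenName" display-name format, the list of already-taken addresses and the sample request are all constructed assumptions.

```powershell
function Test-NewUserRequest {
    param([Parameter(Mandatory)][hashtable]$Request)
    $violations = [System.Collections.Generic.List[string]]::new()

    # Rule: Description cannot be left blank
    if ([string]::IsNullOrWhiteSpace($Request.Description)) {
        $violations.Add('Description cannot be left blank')
    }
    # Rule: Phone number must match 1-###-###-####
    if ($Request.TelephoneNumber -notmatch '^1-\d{3}-\d{3}-\d{4}$') {
        $violations.Add("Phone number '$($Request.TelephoneNumber)' must be in the form 1-###-###-####")
    }
    [pscustomobject]@{ IsValid = ($violations.Count -eq 0); Violations = $violations.ToArray() }
}

function New-GeneratedAttributes {
    param(
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        [string]$MailDomain = 'example.com',     # assumption: company mail domain
        [string[]]$TakenAddresses = @()          # constructed stand-in for a directory lookup
    )
    # Rule: e-mail = first letter of first name + last name @ domain.
    # Lower-cased, non-alphanumerics stripped, and cut to the 20-character sAMAccountName limit
    # so the same value can serve as the logon name.
    $base = (($GivenName.Substring(0, 1) + $Surname) -replace '[^A-Za-z0-9]', '').ToLowerInvariant()
    if ($base.Length -gt 20) { $base = $base.Substring(0, 20) }
    # Uniqueness (goes beyond the slide): append a counter while the address is already taken
    $local = $base
    $n = 1
    while ($TakenAddresses -contains "$local@$MailDomain") { $n++; $local = "$base$n" }
    # Rule: Generate display name (the format is an assumption)
    [pscustomobject]@{
        SamAccountName = $local
        Mail           = "$local@$MailDomain"
        DisplayName    = "$Surname, $GivenName"
    }
}

# Constructed sample request: violates both rules, and the generated address collides with an existing one
$request = @{ GivenName = 'John'; Surname = "O'Brien"; Description = ''; TelephoneNumber = '555-0100' }
$check = Test-NewUserRequest -Request $request
if (-not $check.IsValid) { $check.Violations | ForEach-Object { Write-Warning $_ } }
New-GeneratedAttributes -GivenName $request.GivenName -Surname $request.Surname -TakenAddresses 'jobrien@example.com'
```

The sample request is rejected on both rules, and because jobrien@example.com is already taken the generator moves on to jobrien2. Stripping the apostrophe from O'Brien is deliberate: the local part of an address and a sAMAccountName should be generated from a restricted character set rather than copied from free-text HR fields.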
19
4 layer model

Presentation Components: MMC UI, Web UI, ADSI provider, PowerShell, SPML, Reporting
Service Components: Access Check, Policy Enforcement, Workflow
Database Components: Audit Trail, Configuration, Virtual Attributes
Identity Data, Applications and Resources: Active Directory, AD-LDS, Exchange, OCS/Lync, Windows Servers, SharePoint
Synchronization, Connectivity and Extensibility: ADFS, SAML, Quick Connect, Q1IM, AD-Integrated Systems, SDK, Add-On Manager
20
ActiveRoles Server for the cloud
• Use the out-of-the-box connectors to synchronize on-premises AD accounts and attributes to an off-premises AD and/or to cloud services such as Salesforce, Google Apps, Office 365, Lync Online and SharePoint Online
• Delegate security access controls to specific administrators so that each manages only a portion of the cloud integrations, on a least-privilege model
• Automate and co-manage accounts with on-premises Exchange and/or Office 365 mailboxes
• Perform two-way sync between Active Directory and the cloud
Functionality via the Cloud
21
Summary

Create
• Add employee to HR system
• Create user account in AD
• Generate location, unique name, strong password
• Create Exchange mailbox
• Create home folders, NTFS and share permissions

Configure
• Add user to groups and distribution lists
• Grant access to applications
• Assign group memberships and role
• Assign admin permissions
• Create user accounts on connected systems

Modify
• Modify user and group status
• Disable access to accounts and resources

Audit and Inform
• E-mail to IT, service desk and management facilities
• Grant visibility
• Track change history and user activity
22
A foundation for full IAM

Identity Administration
• Synchronize identity data
• Directory consolidation
• AD administration
• Virtual directory services
• Single sign-on
• Strong authentication
• Password management

Access Governance
• Automated provisioning
• Access request and certification
• Fine-grained application security
• Data access management
• Role engineering

Privileged Account Management
• Granular delegation
• Enforce separation of duties
• Enterprise privilege safe
• Session management
• Keystroke logging
• Enhancing Sudo

User Activity Monitoring
• Granular AD auditing
• Permissions reporting
• Log management
• Event alerting
• Crisis resolution
24
Resources
• ActiveRoles Server user community – http://communities.quest.com/community/activeroles
• ActiveRoles Server Quest Drive (virtual testware) – https://www.quest.com/common/registration.aspx?requestdefid=28524
• ActiveRoles Server main product page – http://www.quest.com/activeroles-server/
• OnDemand webcasts – http://www.quest.com/events/list.aspx?contenttypeid=16&prod=183
• Whitepapers, tech briefs and datasheet