Caution When Using Groups
Using groups to manage users can be successful. For example, Microsoft demonstrates how a network structure in Active Directory, including all connected devices, can be modeled using groups and roles. This best-practice approach is referred to as the AGDLP principle.
The main problem is that the AGDLP principle must be followed meticulously and consistently wherever it applies. Otherwise, it does not work.
Let’s use NTFS permissions as an example. NTFS permissions control access to folders in Microsoft environments. To grant someone access to a certain resource, the admin makes that person a member of Group X. If everything goes smoothly, the privilege will appear in the person’s user account in Active Directory.
But what if the admin, for whatever reason, decides to set the permission directly on the folder instead of granting it through Group X? In this case, the privilege will not appear in the user’s AD account. As you can see, mistakes happen easily. Sometimes the reason is lack of time, sometimes it comes down to pure negligence. Other common mistakes include the use of organizational groups as permission groups or reusing permission groups.
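One way to catch the mistakes just described, as an added example that is not from the article or from tenfold: a PowerShell audit that walks a share and reports explicit NTFS entries granted to a user account (a direct assignment) or to a global or universal group (an organizational group used as a permission group) rather than to a domain local permission group, which is what the AGDLP pattern (Accounts go into Global groups, which go into Domain Local groups, which carry the Permissions) expects. The share path, the recursion depth and the list of local principals to ignore are assumptions; the script needs the ActiveDirectory module and read access to the ACLs.

```powershell
# Added example, not from the article or tenfold. Reports explicit NTFS ACEs under $Root
# that bypass AGDLP: entries for a user (direct assignment) or for a global/universal
# group (organizational group used as a permission group) instead of a domain local group.
# Assumptions: ActiveDirectory module available; the running account can read ACLs under $Root.
param(
    [string]$Root  = "\\FILESERVER\Share",   # placeholder, adjust to your environment
    [int]   $Depth = 3
)
Import-Module ActiveDirectory

# Well-known local principals that legitimately appear on ACLs without being AGDLP groups.
$KnownLocal = @("NT AUTHORITY\SYSTEM", "BUILTIN\Administrators", "CREATOR OWNER")
$cache = @{}   # identity -> classification, so each principal is resolved only once

function Get-PrincipalClass {
    param([string]$Identity)   # e.g. CONTOSO\jdoe or CONTOSO\FS_Finance_RW (constructed names)
    if ($cache.ContainsKey($Identity)) { return $cache[$Identity] }
    $sam = ($Identity -split '\\')[-1]
    $grp = Get-ADGroup -Filter "SamAccountName -eq '$sam'" -ErrorAction SilentlyContinue
    if ($grp) { $class = "group:$($grp.GroupScope)" }
    elseif (Get-ADUser -Filter "SamAccountName -eq '$sam'" -ErrorAction SilentlyContinue) { $class = "user" }
    else { $class = "unresolved" }   # deleted account or non-domain SID: worth a look as well
    $cache[$Identity] = $class
    return $class
}

$findings = foreach ($dir in Get-ChildItem -Path $Root -Directory -Recurse -Depth $Depth) {
    $acl = Get-Acl -Path $dir.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { continue }   # access denied on this folder; nothing to evaluate
    # Only explicit ACEs: inherited ones were set on a parent and are reported there.
    foreach ($ace in ($acl.Access | Where-Object { -not $_.IsInherited })) {
        $id = $ace.IdentityReference.Value
        if ($KnownLocal -contains $id) { continue }
        $class = Get-PrincipalClass -Identity $id
        if ($class -eq "group:DomainLocal") { continue }   # this is what AGDLP expects
        [pscustomobject]@{
            Path      = $dir.FullName
            Principal = $id
            Class     = $class   # "user" = direct assignment; "group:Global" = org group on ACL
            Rights    = $ace.FileSystemRights
            Type      = $ace.AccessControlType
        }
    }
}
$findings | Sort-Object Path | Format-Table -AutoSize
```

Every row in the output is a place where a user's effective access is invisible from their AD account, which is exactly the blind spot the text warns about.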
Manual User Management Jeopardizes Data Protection
Without the appropriate software, user management poses a great challenge even to the most disciplined of admins. Questions any corporation must be able to answer include:
Who has or had access to what data and when?
What happens to a user’s rights when they switch departments or leave the company entirely?
Who is responsible for assigning roles and access rights?
Are changes to user status communicated in good time to maintain data security?
Leaving such questions unanswered presents a security risk that leaves your company vulnerable to everything from insider threats to malware and ransomware attacks. Furthermore, achieving compliance with the principle of least privilege and any regulations that require it (such as HIPAA or the NIST Cybersecurity Framework) will consume disproportionate amounts of time and effort.
Automation of User Management
For admins, user management consists of numerous repetitive actions and processes. As we have discussed, these actions must be performed in precisely the same way each time to ensure processes work correctly. Precision and repetition are what make user management so challenging, but are simultaneously the key elements to solving these challenges.
Since user management procedures can be easily standardized, they can also be automated. And that is precisely where identity and access management (IAM), in the form of an automated IAM solution, comes in.
Automation of User Management With tenfold
tenfold Access Management provides a central platform for user and access management across all systems. Our IAM solution comes with built-in plugins that support the seamless integration of local Microsoft infrastructure, such as your Active Directory and file server, as well as Azure Active Directory and Microsoft 365. It even supports third-party systems such as SAP ERP, HCL Notes or ServiceDesk Plus.
Thanks to its automated user lifecycle management, tenfold can model user lifecycles from their first to last day at the company, including department changes and breaks. tenfold’s profile wizard analyzes which privileges are included in a department’s standard set, then assigns these privileges to users automatically and for all connected systems (including Active Directory and SAP).
If a user’s status changes (e.g. due to change of department), the software adjusts the permissions of that user automatically. If a person resigns or leaves the company for other reasons, tenfold deletes all of their accounts and privileges. This is possible thanks to an approach known as role-based access control.
All user management processes in tenfold are fully documented, with tamper-proof records ready for your next compliance audit. This applies both to the automatic assignment of default permissions and to any processes initiated by the software’s self-service platform. This intuitive interface allows users to request additional privileges or password resets, reducing the workload for the IT department even further.
Permission requests are processed through customizable approval workflows that allow the relevant data owner to grant or reject access with a single click. User access reviews ensure that data owners regularly go over the privileges they are in charge of and either reconfirm or revoke them.