User management

There are two key questions that IT admins must be able to answer: Who is part of the company network and what resources can they access? Administrators are at the core of access and user management. They are the ones holding it all together. They are responsible for setting up user accounts and user identifiers (UIDs). Furthermore, administrators ensure that all users have the appropriate access to the files, systems and applications they need.

In this article, we are going to explore what exactly user management entails, examine the challenges of manual user management and discuss the advantages of automated user management.


What Is User Management?

The term user management refers to the tasks involved in managing users for different systems and applications within an organization. The administrator (or administrators) is usually the person responsible for carrying out and/or coordinating these tasks. An efficient user management strategy will include the following features and capabilities:

  • Protection of IT systems and data against unauthorized access (both internal and external)

  • User authentication (e.g. username and password)

  • Password-reset function

  • Assign user privileges for systems, services and applications

  • Lock and delete accounts and privileges that are no longer required (e.g. when a user leaves the company)

Local vs. External User Management

There are two ways to manage users: either locally (internally) or externally. When done locally, the admin will set up the required user accounts directly within each system. External user management means that the different systems and applications are connected to an external server where users and their privileges can be managed centrally.

Internal User Management

Local or internal user management means that access data (such as usernames and passwords) is stored in encrypted form in the internal database of the system or app in question and is only valid for this specific app.

In companies where users are managed internally, admins must create separate users for each system, e.g. one for the Active Directory, one for Exchange and one for SAP ERP. In this example, all three accounts represent the same person within the organization, and it’s likely this employee would need even more accounts than these. If there is a change to that person’s master data (like a change of surname), the information must be updated individually in all accounts.


Tricky Reporting

Because internal user management offers no options for centralized reporting, it requires extra work, time, effort and precision and is more challenging to steer in terms of compliance policies. For instance, privilege reporting in Microsoft Exchange can only be done via an additional portal, the Exchange admin center or PowerShell.

Not only is the reporting process using these onboard tools complicated and time-consuming, it is also not thorough. To learn more about these limitations, read our blog post on managing Exchange Mailbox Permissions.

External User Management

With external user management, admins do not have to go into each individual system to update user accounts. Instead, they make these changes centrally in an external directory server that is connected to each system. The connection is usually made via the Lightweight Directory Access Protocol (LDAP), a network protocol for accessing and maintaining distributed directory information services. Another mode of connection is via an API (Application Programming Interface).
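How an application consults the central directory instead of its own user table, as an added example (not code from the article or from tenfold): the app binds to LDAP with the user's own credentials, so the directory performs the authentication, and then reads the user's group memberships to decide authorization. The server name, base DN and group DN are placeholders, and the logon name is assumed to be a UPN.

```powershell
# Added example, not from the article: LDAP-backed login and group check.
# Assumptions (placeholders): directory ldap.example.com, base DN DC=example,DC=com,
# and authorization via membership in the DL-App-Portal-User group.
Add-Type -AssemblyName System.DirectoryServices

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping so a user-supplied name cannot change the filter's meaning
    param([string]$Value)
    $sb = [System.Text.StringBuilder]::new()
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'     { [void]$sb.Append('\5c') }
            '*'     { [void]$sb.Append('\2a') }
            '('     { [void]$sb.Append('\28') }
            ')'     { [void]$sb.Append('\29') }
            "`0"    { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

function Test-DirectoryLogin {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,   # e.g. jdoe@example.com
        [Parameter(Mandatory)][securestring]$Password,
        [string]$Server        = 'ldap.example.com',                                  # placeholder
        [string]$BaseDn        = 'DC=example,DC=com',                                 # placeholder
        [string]$RequiredGroup = 'CN=DL-App-Portal-User,OU=Groups,DC=example,DC=com'  # placeholder
    )
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    $auth  = [System.DirectoryServices.AuthenticationTypes]::Secure -bor
             [System.DirectoryServices.AuthenticationTypes]::Sealing
    # Bind as the user: the directory verifies the password, the app stores none of its own
    $entry = [System.DirectoryServices.DirectoryEntry]::new("LDAP://$Server/$BaseDn", $UserPrincipalName, $plain, $auth)
    try { $null = $entry.NativeObject }   # forces the bind; a bad password throws here
    catch { return [pscustomobject]@{ Authenticated = $false; Authorized = $false; Groups = @() } }

    # Authorization: read memberOf over the same bound connection
    $searcher = [System.DirectoryServices.DirectorySearcher]::new($entry)
    $searcher.Filter = "(&(objectClass=user)(userPrincipalName=$(ConvertTo-LdapFilterValue $UserPrincipalName)))"
    [void]$searcher.PropertiesToLoad.Add('memberOf')
    $result = $searcher.FindOne()
    $groups = @()
    if ($result) { $groups = @($result.Properties['memberof'] | ForEach-Object { [string]$_ }) }

    [pscustomobject]@{
        Authenticated = $true
        Authorized    = ($groups -contains $RequiredGroup)
        Groups        = $groups
    }
}

# Usage: the password is read interactively so it never sits in the script
# $login = Test-DirectoryLogin -UserPrincipalName 'jdoe@example.com' -Password (Read-Host -AsSecureString 'Password')
```

The point of the design is that a surname change, a department move or a leaver's disabled account takes effect for this application the moment it is changed in the directory, because the application keeps no copy of the user at all; the filter escaping is there because the logon name comes from the user and would otherwise be an LDAP injection vector.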

User Management via Groups

One of the key elements of user management is managing access privileges. A successful user management strategy is based on the principle of least privilege (POLP), which stipulates that any user should only have the bare minimum of privileges required to perform their job. The principle prohibits unnecessary or outdated privileges as well as abandoned or orphaned accounts.

Instead of assigning each privilege to a new user individually (which is time-consuming), admins prefer to use groups for support. Each group has different privileges associated with it and users are added to the groups depending on what privileges they need. Though this approach saves time, it can also quickly result in a chaotic access landscape.

[FREE WHITE PAPER] Best Practices for Access Management in Microsoft® Environments

Read our white paper to learn how best to treat access rights in Microsoft® environments.

Go to download


Caution When Using Groups

Using groups to manage users can be successful. For example, in Active Directory, Microsoft demonstrates how a network structure, including all connected devices, can be modeled using groups and roles. This best practice approach is referred to as the AGDLP principle.

The main problem is that the AGDLP principle must be followed meticulously and consistently wherever it applies. Otherwise, it does not work.

Let’s use NTFS permissions as an example. NTFS permissions control access to folders in Microsoft environments. In order to grant someone access to a certain resource, the admin will make that person a member of Group X. If everything goes smoothly, the privilege will appear in the person’s user account in the Active Directory.

But what if the admin, for whatever reason, decides to set the permission directly on the folder instead of granting it through Group X? In this case, the privilege will not appear in the user’s AD account. As you can see, mistakes happen easily. Sometimes the reason is lack of time, sometimes it comes down to pure negligence. Other common mistakes include the use of organizational groups as permission groups or reusing permission groups.
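A check for exactly the mistakes described above, as an added example (not code from the article or from tenfold): it walks a share, looks only at explicit (non-inherited) ACEs and reports any that are granted directly to a user account or to a global group rather than a domain local group, which is what AGDLP (accounts, global groups, domain local groups, permissions) expects on the resource. It assumes the ActiveDirectory module and a reachable domain; the share path is a placeholder.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the article: audit NTFS ACLs for permissions that bypass AGDLP.
param([string]$Root = '\\fileserver\share')   # placeholder share

function Get-PrincipalKind {
    # Classify the principal behind an ACE: user, group (with scope), well-known or other
    param([System.Security.Principal.IdentityReference]$Identity)
    try { $sid = $Identity.Translate([System.Security.Principal.SecurityIdentifier]) }
    catch { return 'Unresolved' }                         # deleted account: only a SID remains
    if (-not $sid.IsAccountSid()) { return 'WellKnown' }  # BUILTIN\..., NT AUTHORITY\..., CREATOR OWNER
    $group = Get-ADGroup -Identity $sid.Value -ErrorAction SilentlyContinue
    if ($group) { return "Group-$($group.GroupScope)" }   # Group-DomainLocal / Group-Global / Group-Universal
    $user = Get-ADUser -Identity $sid.Value -ErrorAction SilentlyContinue
    if ($user) { return 'User' }
    return 'Other'                                        # computer, service account, foreign principal
}

$folders  = @(Get-Item -Path $Root) + @(Get-ChildItem -Path $Root -Directory -Recurse -ErrorAction SilentlyContinue)
$findings = foreach ($dir in $folders) {
    $acl = Get-Acl -Path $dir.FullName
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }   # inherited ACEs repeat a decision made higher up
        $kind    = Get-PrincipalKind -Identity $ace.IdentityReference
        $problem = switch ($kind) {
            'User'         { 'permission set directly on a user account (will not show up via group membership)' }
            'Group-Global' { 'permission set on a global group (AGDLP expects a domain local group here)' }
            'Unresolved'   { 'orphaned SID, the account no longer exists' }
            default        { $null }
        }
        if ($problem) {
            [pscustomobject]@{
                Path     = $dir.FullName
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
                Type     = $ace.AccessControlType
                Problem  = $problem
            }
        }
    }
}
$findings | Sort-Object Path | Format-Table -AutoSize
```

Run it against one share first: a clean AGDLP setup produces an empty table, and every row it does print is a permission that a review of group memberships in Active Directory would never reveal.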

Manual User Management Jeopardizes Data Protection

Without the appropriate software, user management poses a great challenge even to the most disciplined of admins. Questions any corporation must be able to answer include:

  • Who has or had access to what data and when?

  • What happens to a user’s rights when they switch departments or leave the company entirely?

  • Who is responsible for assigning roles and access rights?

  • Are changes to user status communicated in good time to maintain data security?

Leaving such questions unanswered presents a security risk that leaves your company vulnerable to everything from insider threats to malware and ransomware attacks. Furthermore, achieving compliance with the principle of least privilege and any regulations that require it (such as HIPAA or the NIST Cybersecurity Framework) will consume disproportionate amounts of time and effort.

Automation of User Management

For admins, user management consists of numerous repetitive actions and processes. As we have discussed, these actions must be performed in precisely the same way each time to ensure processes work correctly. Precision and repetition are what make user management so challenging, but are simultaneously the key elements to solving these challenges.

Since user management procedures can be easily standardized, they can also be automated. And that is precisely where identity and access management (IAM) in the form of an automated solution comes in.

Automation of User Management With tenfold

tenfold Access Management provides a central platform for user and access management across all systems. Our IAM solution comes with built-in plugins that support the seamless integration of local Microsoft infrastructure, such as your Active Directory and file server, as well as Azure Active Directory and Microsoft 365. It even supports third-party systems such as SAP ERP, HCL Notes or ServiceDesk Plus.

Thanks to its automated user lifecycle management, tenfold can model user lifecycles from their first to last day at the company, including department changes and breaks. tenfold’s profile wizard analyzes which privileges are included in a department’s standard set, then assigns these privileges to users automatically and for all connected systems (including Active Directory and SAP).

If a user’s status changes (e.g. due to change of department), the software adjusts the permissions of that user automatically. If a person resigns or leaves the company for other reasons, tenfold deletes all of their accounts and privileges. This is possible thanks to an approach known as role-based access control.
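The role-based lifecycle automation described in the last three paragraphs, as an added example (not tenfold's code): a department profile defines the standard set of groups, an HR feed is the source of truth for department and status, and the script brings each user's membership in the managed groups into line with it, stripping a leaver's privileges and disabling the account. The HR feed is constructed inline, the group names are placeholders, and it assumes AD users carry the same EmployeeID as the feed; disabling rather than deleting the leaver's account is this example's own choice.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not tenfold's code: reconcile AD group membership with an HR feed.
param([switch]$DryRun)   # with -DryRun the script only reports what it would change

# Constructed HR feed; in practice this would be Import-Csv on an export from the HR system
$HrFeed = @'
EmployeeID,Department,Status
1001,Sales,active
1002,Finance,active
1003,IT,left
'@ | ConvertFrom-Csv

# Department -> standard set of security groups (placeholder names)
$DepartmentProfiles = @{
    'Sales'   = @('DL-Share-Sales-RW', 'DL-App-CRM-User')
    'Finance' = @('DL-Share-Finance-RW', 'DL-App-ERP-User')
    'IT'      = @('DL-Share-IT-RW', 'DL-App-Helpdesk-Agent')
}
# Groups whose membership is owned by this process; anything else is left untouched
$ManagedGroups = @($DepartmentProfiles.Values | ForEach-Object { $_ } | Sort-Object -Unique)

function Invoke-Change {
    param([string]$Description, [scriptblock]$Action)
    if ($DryRun) { Write-Host "[DRY RUN] $Description" } else { Write-Host $Description; & $Action }
}

foreach ($record in $HrFeed) {
    $user = Get-ADUser -Filter "EmployeeID -eq '$($record.EmployeeID)'" -Properties MemberOf
    if (-not $user) { Write-Warning "No AD account for employee $($record.EmployeeID)"; continue }

    # Managed groups the user is in today (group DNs resolved to names)
    $current = @($user.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name } |
                Where-Object { $ManagedGroups -contains $_ })

    if ($record.Status -eq 'left') {
        # Leaver: remove every managed privilege, then disable the account
        foreach ($g in $current) {
            Invoke-Change "Remove $($user.SamAccountName) from $g (leaver)" {
                Remove-ADGroupMember -Identity $g -Members $user -Confirm:$false }
        }
        if ($user.Enabled) {
            Invoke-Change "Disable $($user.SamAccountName) (leaver)" { Disable-ADAccount -Identity $user }
        }
        continue
    }

    if (-not $DepartmentProfiles.ContainsKey($record.Department)) {
        Write-Warning "No profile for department '$($record.Department)'"; continue
    }
    # Joiner or mover: the department profile is the desired state
    $desired = @($DepartmentProfiles[$record.Department])
    foreach ($g in ($desired | Where-Object { $current -notcontains $_ })) {
        Invoke-Change "Add $($user.SamAccountName) to $g" { Add-ADGroupMember -Identity $g -Members $user }
    }
    foreach ($g in ($current | Where-Object { $desired -notcontains $_ })) {
        Invoke-Change "Remove $($user.SamAccountName) from $g (no longer in profile)" {
            Remove-ADGroupMember -Identity $g -Members $user -Confirm:$false }
    }
}
```

Because the desired state is computed from the profile every run, a department change is handled by the same code path as a new joiner: groups from the old department drop out of `$desired` and are removed, groups from the new one are added. Keeping the script to the managed groups only means ad-hoc memberships granted outside the profile are neither silently revoked nor silently blessed; they show up in the difference and have to be handled deliberately.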

Automatic Reporting

All processes involved in user management in tenfold are fully documented, with tamper-proof records ready for your next compliance audit. This applies both to the automatic assignment of default permissions and to any processes initiated through the software’s self-service platform. This intuitive interface allows users to request additional privileges or password resets, reducing the workload for the IT department even further.

Permission requests are processed through customizable approval workflows that allow the relevant data owner to grant or reject access with a single click. User access reviews ensure that data owners regularly go over the privileges they are in charge of and either reconfirm or revoke them.

While you’re here, why don’t you sign up for our webinar?

“Top 5 Access Management Risks” –
held by Helmut Semmelmayer, tenfold Software

Register for free
