The ABCs of User Management for Admins: How to Streamline User and Permission Management

The term user management refers to the tasks involved in managing user accounts for different systems and applications within an organization. Managing users and other digital assets is the responsibility of IT admins, though they may delegate or automate some of the tasks and steps involved. As part of their user management strategy, organizations must cover the following areas:

There are two ways to manage users: either locally (internally) or externally. When done locally, the admin will set up the required user accounts directly within each system. External user management means that the different systems and applications are connected to an external service where users and their privileges can be managed centrally.

Local or internal user management means that access data (such as usernames and passwords) is stored in encrypted form in the internal database of the system or app in question and is only valid for this specific app.

In companies where users are managed internally, admins must create separate users for each system, e.g. one for the Active Directory, one for Exchange and one for SAP ERP. In this example, these three separate accounts actually belong to the same person within the organization, and it’s likely this employee would need a lot more accounts than just these. If the personal data of this user changes (like choosing a new last name after getting married), the information must be updated individually in all accounts.

Because internal user management offers no options for centralized reporting, it requires extra work, time, effort and precision and presents additional challenges in terms of ensuring compliance with data security standards like PCI DSS or ISO 27001. For instance, reporting on Microsoft Exchange can only be done via an additional portal, the Exchange admin center or PowerShell.

Not only is the reporting process using these onboard tools complicated and time-consuming, it is also not thorough. To learn more about these limitations, read our blogpost on managing Exchange Mailbox Permissions.

With external user management, admins do not have to go into each individual system to update user accounts. Instead, they can make these changes centrally in an external directory server that is connected to each system. The connection is usually made via a Lightweight Directory Access Protocol (LDAP). This is a network protocol used for accessing and maintaining distributed directory information services. Another mode of connection is via an API (Application Programming Interface).

One of the key elements of user management is managing access privileges. A successful user management strategy is based on the principle of least privilege (POLP), which stipulates that any user should only have the bare minimum of privileges required to perform their job. The principle prohibits unnecessary or outdated privileges as well as abandoned or orphaned accounts.

Instead of assigning each privilege to a new user individually (which is time-consuming), admins can use groups to bundle permissions together. Each group has different privileges associated with it and users are added to the groups depending on what privileges they need. Though this approach saves time, implementing it manually can result in a chaotic access landscape.

Using groups to manage users is preferable to assigning permissions on a per-user basis, but manually creating all the groups required for a clear and transparent access structure still poses a significant challenge. For example, Microsoft’s recommended approach for implementing role-based access control in Windows environments, the AGDLP principle, is based around nested Active Directory groups for users and individual permissions.

Let’s use NTFS permissions as an example. NTFS permissions control access to folders in Microsoft environments. In order to grant someone access to a certain resource, the admin will make that person a member of Group X. If everything goes smoothly, the privilege will appear in the person’s user account in the Active Directory.

But what if the admin, for whatever reason, decides to set the permission directly on the folder instead of granting it through Group X? In this case, the privilege will not appear in the user’s AD account. As you can see, mistakes happen easily. Sometimes the reason is lack of time, sometimes it comes down to pure negligence.

Other common mistakes include the use of organizational groups as permission groups or reusing permission groups. These kinds of errors not only have a negative impact on transparency, but also threaten Active Directory security.

Without the appropriate software, user management poses a great challenge even to the most disciplined of admins. Questions any corporation must be able to answer include:

Leaving such questions unanswered presents a security risk that leaves your company vulnerable to everything from insider threats to malware and ransomware attacks. Furthermore, achieving compliance with the principle of least privilege and any regulations that require it (such as HIPAA or the NIST Cybersecurity Framework) will consume disproportionate amounts of time and effort.

For admins, user management consists of numerous repetitive actions and processes that nonetheless must be carried out consistently and accurately every time. Precision and repetition are what make user management so challenging, but are simultaneously the key factors for solving this problem: Since user management procedures can be easily standardized, they can also be automated.

It’s important to understand that automatic user management does not mean it’s entirely hands-off for admins. Short of hypothetical AI systems, there is simply no way for an automated platform to determine which users require which accounts with which permissions. Admins are still responsible for defining appropriate permissions for different groups of users. However, the time-consuming tasks involved in enforcing user and access policies will be carried out automatically. These are steps such as:

By using an identity and access management platform to centralize and automate user management in your organization, admins are freed from these repetitive, menial and error-prone tasks and can instead focus on the big picture: providing new users with the resources they need, using reporting tools to spot and remove outdated permissions and ensuring that critical data remains protected.

Automatic user management requires you to offload certain admin tasks onto a dedicated piece of software. The good news is: There are a wide variety of IAM solutions that can help you manage users and permissions. The bad news is: they cannot take care of everything for you. If you are just starting your journey towards user management automation, you first need to tell your tool exactly what you would like it to do.

Before your user management tool can get to work, it needs to be set up and configured. Aside from the technical implementation, such as setting up interfaces to your various target systems, this mainly requires you to establish rules and policies for accounts in your organization. A lot of these will be obvious requirements (such as “every user needs an Outlook account”), but ones that have never been formally written down.

Luckily, your IAM software can help you identify necessary resources for different user groups by examining the current permissions held by various members of your organization. This process, also known as role-mining, helps you quickly establish default permissions for different roles in your company (such as various positions and departments). In turn, these roles act as the blueprint your IAM solution follows when provisioning new users with the same access requirements. This approach is also known as role-based access control.

tenfold Access Management provides a central platform for user and access management across all systems. Our IAM solution comes with built-in plugins that support the seamless integration of local Microsoft infrastructure, such as your Active Directory and file server, as well as Azure Active Directory and Microsoft 365. It even supports third-party systems such as SAP ERP, HCL Notes or ServiceDesk Plus.

Thanks to its automated user lifecycle management, tenfold can model user lifecycles from their first to last day at the company, including department changes and breaks. tenfold’s profile wizard analyzes which privileges are included in a department’s standard set, then assigns these privileges to users automatically and for all connected systems (including Active Directory and SAP).

If a user’s status changes (e.g. due to change of department), the software adjusts the permissions of that user automatically. If a person resigns or leaves the company for other reasons, tenfold deletes all of their accounts and privileges.

All processes involved in tenfold‘s user management are fully documented, with tamper-proof records ready for your next compliance audit. This applies both to the automatic assignment of default permissions as well as any processes initiated by the software’s self-service platform. This intuitive interface allows users to request additional privileges or password resets, reducing the workload for the IT department even further.

Permission requests are processed through customizable approval workflows that allow the relevant data owner to grant or reject access with a single click. User access reviews ensure that data owners regularly go over the privileges they are in charge of and either reconfirm or revoke them.