Benefits of Automating Active Directory Group Changes

Most organizations manage access control to resources based on Active Directory group membership. That is, they establish AD groups that correspond to a job function or set of related tasks (e.g. Finance, DB Admins, Recruiting). Then they point as many resources as possible, such as applications and infrastructure, to AD for access authorization: “If member of ‘DB Admins’ then permit access to the Oracle database admin console” or “If member of ‘HR’ then permit access to the Workday HR application admin interface”.

This is a much more scalable approach than trying to define access “locally” on each resource. It’s also far easier to audit.

The downside of this approach is that AD group membership accuracy becomes critical, because everything depends on it. Put a person in the wrong group, or forget to remove them when they leave, and you have real security risk as well as serious audit findings if the mistakes are exposed.

Most companies still handle AD membership changes manually. A ticket is opened to add or remove someone from AD group(s), and then Security or AD Operations makes the changes in AD and closes the ticket. This creates two problems: delays waiting for the manual process, and the possibility of the admins making a mistake (or possibly never even doing the update at all).

One organization recently experienced these problems twice, and the second time it led to an audit finding – all because a person was put into the wrong AD group, granting them access they should not have had. The problem was actually discovered during an audit that included a random check of AD group membership accuracy.

Automation can clearly help with this problem. If you automate the translation of the ticket to actual AD changes, not only do you speed things up, but you also avoid costly mistakes. You’ll also maintain a solid audit trail of changes independent of AD administration.
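As an added illustration (not code from the original post), here is a PowerShell sketch of that ticket-to-AD translation: it refuses groups outside an approved list, applies the change, re-reads the user's membership to verify the result, and appends a JSON audit record to a log kept outside AD. The ticket object, the approved-group list, the log path and the function names are constructed placeholders; it assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example, not from the original post. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Hypothetical allow-list: the only groups this automation may touch.
$ApprovedGroups = @('DB Admins', 'HR', 'Finance')
# Audit trail kept outside AD so it survives and is independent of AD administration.
$AuditLog = 'C:\AuditLogs\ad-group-changes.jsonl'

# Constructed ticket record, shaped like what a ticketing system might export.
$Ticket = [pscustomobject]@{
    Id = 'TCK-0001'; Action = 'Add'; User = 'jdoe'; Group = 'DB Admins'; Approver = 'mgr1'
}

# Direct membership check via the user's memberOf attribute (cheap, no group enumeration).
function Test-DirectMembership([string]$UserSam, [string]$GroupDn) {
    $u = Get-ADUser -Identity $UserSam -Properties MemberOf -ErrorAction Stop
    return [bool]($u.MemberOf -contains $GroupDn)
}

function Invoke-TicketedGroupChange {
    param([Parameter(Mandatory)]$Ticket, [switch]$DryRun)

    # Guard against the "wrong group" failure mode described above.
    if ($ApprovedGroups -notcontains $Ticket.Group) {
        throw "Ticket $($Ticket.Id): group '$($Ticket.Group)' is not on the approved list"
    }
    $user  = Get-ADUser  -Identity $Ticket.User  -ErrorAction Stop
    $group = Get-ADGroup -Identity $Ticket.Group -ErrorAction Stop
    $before = Test-DirectMembership $user.SamAccountName $group.DistinguishedName

    switch ($Ticket.Action) {
        'Add'    { Add-ADGroupMember    -Identity $group -Members $user -Confirm:$false -WhatIf:$DryRun }
        'Remove' { Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false -WhatIf:$DryRun }
        default  { throw "Ticket $($Ticket.Id): unsupported action '$($Ticket.Action)'" }
    }

    # Verify against AD itself rather than trusting that the cmdlet succeeded.
    $after = Test-DirectMembership $user.SamAccountName $group.DistinguishedName
    if (-not $DryRun -and $after -ne ($Ticket.Action -eq 'Add')) {
        throw "Ticket $($Ticket.Id): verification failed after '$($Ticket.Action)' (member=$after)"
    }

    # One JSON line per change: who asked, who approved, who ran it, and before/after state.
    [pscustomobject]@{
        Timestamp = (Get-Date).ToUniversalTime().ToString('o'); TicketId = $Ticket.Id
        Action = $Ticket.Action; Approver = $Ticket.Approver; Operator = $env:USERNAME
        User = $user.DistinguishedName; Group = $group.DistinguishedName
        MemberBefore = $before; MemberAfter = $after; DryRun = [bool]$DryRun
    } | ConvertTo-Json -Compress | Add-Content -Path $AuditLog
}

Invoke-TicketedGroupChange -Ticket $Ticket -DryRun   # drop -DryRun to apply the change
```

Pointing the ticketing system's webhook at this function (and diffing the audit log against AD periodically) catches both the never-actioned ticket and the mis-targeted group before an auditor does.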

