User Provisioning, Comparison of Common Methodologies, Cloud Provisioning

Published on 12-Jun-2015

DESCRIPTION

Get details about user provisioning & 3 common access control approaches described by Ensim Corporation. For more details call 408-496-3700 or visit http://www.ensim.com

Transcript

Organizational User Provisioning: Comparison of Common Methodologies

Executive Summary

This document is intended to summarize and compare the common approaches to user provisioning and access control within medium-sized organizations of roughly 1,000 to 5,000 employees. For the purpose of this document, user provisioning is defined as the process of creating an account that authorizes an individual to access specific application services, including email and the associated mobile devices supporting push email. The three common approaches are:

  1. Use of native tools (manual provisioning)
  2. Shell scripts (semi-automated provisioning)
  3. A complete provisioning platform (fully automated provisioning)

In summarizing the common approaches, this document provides detailed, screen-by-screen snapshots describing each step in the provisioning process while keeping track of the length of time necessary for each step. We also describe the general requirements and summarize the advantages and disadvantages of each approach.

This document covers the provisioning process on the assumption that users need to be given support for:

  • Microsoft Active Directory, including appropriate security group and distribution list membership (and thus also access to any systems that use AD's schema for access control or identification);
  • Exchange 2007 (including desktop and Blackberry support); and
  • Blackberry Enterprise Server 4.1.4.

The approaches documented are:

  • Use of native tools, including the Microsoft MMC console for Active Directory, the Exchange Management Console (EMC) for Exchange 2007, and Blackberry Manager. This example demonstrates the variety of account attributes that must be managed during the provisioning process using the separate interfaces provided by each of these tools.
  • Use of shell scripts, provided by third parties or created and managed by the organization itself, to facilitate provisioning across these platforms.

ORGANIZATIONAL USER PROVISIONING: COMPARISON OF COMMON METHODOLOGIES, 20 FEBRUARY 2008

  • Use of Ensim Unify Enterprise as the user provisioning and access control solution.

It is important to keep in mind that procedures can vary between environments even when similar tools are used. Also note that workflow and process ownership can be distributed by geography or functional area. For that reason, a common example of the required information and steps is used throughout. Our goal is to provide an understanding of:

  • the information required to complete the provisioning process;
  • the steps required for approval and workflow;
  • the range of IT skill sets required;
  • the systems access and infrastructure required for each approach; and
  • an overview of the relative strengths and weaknesses of each approach.

Process Flow

The user provisioning process usually involves a number of functional areas to which expertise and process ownership are allocated. These include human resources (HR), IT, facilities, those responsible for allocating mobile devices, and the team responsible for the corporate messaging infrastructure. For the purpose of these examples, it is assumed that:

  • The HR organization works with employees to identify a start date, complete salary and tax paperwork, and perform other tasks related to the employment process, from both a new-hire and a termination perspective.
  • Facilities provides a location for the new employee and related items.
  • IT provides a computer, a Blackberry and the account definition (the list of approved service components, security group and distribution list assignments, and recommended service configurations). The account definition prescribes the access level and capabilities of the account to be provisioned (for example: Employee, Contractor, Executive Management, etc.).
  • The examples begin with a request to generate a new account for the user so that, on their start date, they have access to the organization's network and resources, email, and Blackberry.
The provisioning administrator (whether help desk staff or the IT administrator for the enterprise) is assumed to be tasked with processing the request consistently, per the documented methodologies and policies defined by the IT department.

Summary of Findings

Automated provisioning using a complete provisioning platform such as Ensim Unify provides:

  • an 8X efficiency improvement over manual provisioning and de-provisioning;
  • a 4X efficiency improvement over the use of shell scripts for the provisioning process;
  • easy support by IT for the full range of mobile devices (smart phones); and
  • a standardized yet extensible architecture that meets compliance and security audit requirements.

Traditional Approach Using Native Tools

The use of native tools is common in smaller environments and in those where entrusted, knowledgeable administrators either insist on, or are required to retain, control of these tools.

Phase 1: Creating an Active Directory Account

1. Accessing the Active Directory Users and Computers console (approximately 1 minute from start)

The screen at left illustrates the launch of the Active Directory Users and Computers console, which is generally located on a domain controller and accessed using a domain administrator account. An administrator needs to obtain access to, and log in to, the machine where this tool resides, using an account privileged to create AD accounts. For larger inter-site environments, a specific domain controller in the appropriate site may have to be accessed for the following steps. The administrator then needs to select the appropriate Organizational Unit for the account, so that the environment's group policies assigned to each Organizational Unit apply.
This must be documented and consistently performed with each provisioning to locate the account correctly within the Organizational Unit hierarchy, which can be complex in larger and more sophisticated AD deployments. (Organizational Units are commonly used to separate users, computers and other Active Directory objects by functional area, geography, business line, etc.) After selecting the appropriate Organizational Unit, the administrator selects the New User function via the menu or the toolbar button.

2. Creating the Active Directory account (approximately 3 minutes from start)

The administrator then provides the name and login ID for the account. There is generally an established approach to generating login IDs that is well documented and understood by the Active Directory provisioning staff. The login ID must be unique within the Active Directory domain, so the administrator should search for a pre-existing account with the login name dictated by the naming convention. Where the intended login name is already in use, the procedure for generating unique login IDs needs to address the exception and define a common method of extending the ID until it is unique. Common approaches are to append numbers or include middle initials (example: John.Doe becomes John.J.Doe or John.Doe01).

3. Creating the password and password policies for the AD account (approximately 6 minutes from start)

The administrator then provides a password (with verification) for the account. There are also options regarding password change and expiration that should be selected consistently according to the organization's policies. These policies generally vary by role or account type within the organization.
Exceptions to the password policies may exist for certain accounts, and both the strategy for creating a password and the options and exceptions for password policies need to be understood across the Active Directory team for consistent enforcement.

4. Creation of the Active Directory account (approximately 7 minutes from start)

The initial task of creating the Active Directory account is completed by selecting Finish in the last confirmation dialog, which summarizes the account logon name and the password policy selections.

5. Assigning extended Active Directory information (approximately 9 minutes from start)

Once the account is created, it is located and opened so that additional AD information not required in the initial account setup can be provided (such as address, office location, telephone, mobile telephone, fax, title, department, etc.). A manager can also be designated from the existing accounts under the Organization tab. In many cases, organizations leave the entry of this information to another functional area, or to the account owner (which requires notifying and involving that participant). There may also be extended Active Directory attributes required internally for other applications or processes, and this is the ideal phase for those to be entered.

6. Assigning account restrictions, logon hours, systems available for logon, etc. (approximately 14 minutes from start)

The organization may require restrictions on logon hours and on the specific systems available for logon for the functional role or account type to which the user is assigned. An account expiration date may be set for temporary accounts (contractors, interns, consultants, etc.).
Again, this depends on the policies in place for certain roles and on the common methodology that has been documented and trained for account creation.

7. Designating the user profile location, login script and home directory for the account (approximately 15 minutes from start)

The administrator can then configure the user profile to be stored on a network resource, as is common for ensuring backup and availability of the profile across the organization. Additionally, a login script can be designated so that specific actions take place for the specified role upon login (mapping of drives, system configuration, etc.). The account's home directory can also be mapped to a network resource (a common practice in larger organizations) to ensure backup and availability of the home directory.

8. Assigning security groups, distribution lists and other Active Directory attributes (approximately 17 minutes from start)

A critical part of adding an account to the environment is designating the security groups and distribution lists appropriate to the employee's role. This allocates permissions (in addition to the policies enforced at the Organizational Unit level) to resources throughout the enterprise. This is another critical piece of documentation for the provisioning of different roles within the organization, and any exceptions to the standard methodology need to be provided to the provisioning staff.
A failure to allocate the proper distribution lists and security groups results in unreceived correspondence, inability to access critical resources, or a security hole created by making improper resources available.

9. Selecting the appropriate security groups and distribution lists for the AD account (approximately 18 minutes from start)

10. Selecting the Dial-in, Remote Control and Terminal Services options for the account (approximately 22 minutes from start)

It should then be determined whether to allow Terminal Services sessions to the account, and whether the user is required to accept these requests. Remote assistance sessions can also be enabled with view-only or full interactivity during Terminal Services sessions for the account. Alternate profile and home directories can be specified on the Terminal Services Profile tab to redirect profiles and home directories during Terminal Services sessions.
Additionally, using the Dial-in tab, permission can be granted and configured for remote access to the environment (including VPN), along with whether a callback number is required (for dial-up access).

11. Setting appropriate permissions on the account and completing the AD configuration (approximately 25 minutes from start)

Finally, the permissions of the new account with respect to other security groups and specific accounts need to be configured according to the methodology for the intended account role. Again, this must be documented and consistently applied to accounts according to their intended capabilities, and exceptions must be authorized, outlined and recorded according to the provisioning methodology. These permissions can be complex in larger organizations and more sophisticated AD architectures, and improper configuration can lead to complex problems in administering and supporting the account once it becomes active. Any accompanying documentation or required notifications need to be generated so that the appropriate stakeholders and subsequent process participants are given the relevant information per their requirements.

This effectively creates the account within Active Directory, and replication across Active Directory sites eventually populates the Global Catalog servers throughout the domain with the account information. The time required for the account to propagate fully throughout the domain(s) is determined by the inter-site replication strategy, which can be anywhere from one hour to several days depending on the number of sites, WAN links and speeds, and Active Directory site complexity.

Phase 2: Creating an Exchange Mailbox for the User

The next phase is to create an account within Exchange for the user.
This may be a process owned by another functional area within the organization (particularly in larger environments where Active Directory and Messaging Services are divided), so there may be required documentation, notification and handoff before t...
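The Phase 1 steps above, carried out with the Active Directory PowerShell module instead of the MMC console, as an added example that is not from the Ensim paper or any Ensim product. The domain corp.example, the OU paths, the group names, the file server fs01 and the two role definitions are hypothetical placeholders for an organization's own account definitions; the example goes slightly beyond the text by driving OU placement, account expiry and group membership from a per-role account definition, so that the documented methodology is enforced by data rather than by the administrator's memory.

```powershell
#Requires -Modules ActiveDirectory
# Hypothetical per-role "account definitions": target OU, security groups /
# distribution lists, and an expiry for temporary accounts (contractors etc.).
$AccountDefinitions = @{
    Employee   = @{ OU = 'OU=Staff,OU=Users,DC=corp,DC=example'
                    Groups = @('GG-AllStaff', 'DL-Company-Announcements'); ExpiresInDays = 0 }
    Contractor = @{ OU = 'OU=Contractors,OU=Users,DC=corp,DC=example'
                    Groups = @('GG-Contractors'); ExpiresInDays = 90 }
}

function New-UniqueSamAccountName {
    # Step 2: try First.Last, then First.M.Last, then First.Last01..99 until one is unused.
    param([string]$First, [string]$Middle, [string]$Last)
    $candidates = @("$First.$Last")
    if ($Middle) { $candidates += "$First.$($Middle.Substring(0, 1)).$Last" }
    $candidates += 1..99 | ForEach-Object { '{0}.{1}{2:D2}' -f $First, $Last, $_ }
    foreach ($c in $candidates) {
        if (-not (Get-ADUser -Filter "sAMAccountName -eq '$c'")) { return $c }
    }
    throw "No unique login ID could be derived for $First $Last"
}

function New-ProvisionedUser {
    param([string]$First, [string]$Middle, [string]$Last, [string]$Role,
          [string]$Title, [string]$Department, [string]$ManagerSam)
    $def = $AccountDefinitions[$Role]
    if (-not $def) { throw "No account definition for role '$Role'" }
    $sam = New-UniqueSamAccountName -First $First -Middle $Middle -Last $Last
    # Step 3: random initial password from a CSPRNG; the user must change it at first logon.
    $bytes = [byte[]]::new(18)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $initial = [Convert]::ToBase64String($bytes)
    $params = @{                                   # steps 1-7 in a single call
        Name = "$First $Last"; GivenName = $First; Surname = $Last
        SamAccountName = $sam; UserPrincipalName = "$sam@corp.example"
        Path = $def.OU; Enabled = $true; ChangePasswordAtLogon = $true
        AccountPassword = (ConvertTo-SecureString $initial -AsPlainText -Force)
        Title = $Title; Department = $Department
        HomeDirectory = "\\fs01\home\$sam"; HomeDrive = 'H:'
        ProfilePath = "\\fs01\profiles\$sam"; ScriptPath = 'logon.cmd'
    }
    if ($ManagerSam) { $params.Manager = $ManagerSam }
    if ($def.ExpiresInDays -gt 0) { $params.AccountExpirationDate = (Get-Date).AddDays($def.ExpiresInDays) }
    New-ADUser @params
    # Steps 8-9: role-based security groups and distribution lists.
    foreach ($g in $def.Groups) { Add-ADGroupMember -Identity $g -Members $sam }
    [pscustomobject]@{ SamAccountName = $sam; InitialPassword = $initial }  # hand over out of band
}

New-ProvisionedUser -First 'John' -Middle 'James' -Last 'Doe' -Role 'Contractor' -Title 'Analyst' -Department 'Finance'
```

Logon-hour and workstation restrictions (step 6) and the Terminal Services and Dial-in options (step 10) have no New-ADUser parameters and would be set afterwards with Set-ADUser on the corresponding attributes.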
