How can users be managed in different environments based on the type of work they do?
When it comes to provisioning and deprovisioning user accounts, IT departments often don’t know who’s who in the organisation, or who should have access to what. They rely on being fed data by human resources (HR), the custodians of employee data. But how is this managed?
The move from traditional on-premises IT solutions to cloud services has seen a dramatic change in the way that systems are managed and controlled. The access to services from any location and using any device means that a lot of the traditional management methods are not feasible.
Free use of multiple mobile devices, from remote locations as well as on-premises, means that the only thing that really remains under an organisation’s control is the identity used by an individual to access the services.
This is what we mean when we say that “identity is the new control plane“. We can associate applications and services with individual users based on their job within an organisation. By controlling the user, there is less concern over the device being used.
As a result, the identity of the user is key. What is their role within an organisation? What does that mean they should be able to do within the applications and services they have access to?
The job and its associated information (job title, manager, position, etc.) are all things that are stored in the human resources system. This means that they are in a location that can be looked up to make sure that the job title is spelt correctly and is consistent. If your position is as important as ‘Chief Cook and Bottle Washer (1st Grade)’, the last thing you want is to see your job title in Active Directory (AD) referenced as ‘C. Cook & BW’.
Quite often, when things are put through a manual process, they get misaligned. What started out as a request to create a new account in AD for ‘Dave Guest’, the new starter in the ‘Information Technology – Service Desk’ department, can come out the other end as an account named ‘DaveGest’ in ‘IT’. Simply because of the way that the information is re-typed.
A better way to do things would be to feed the new starter information directly into the AD from the HR system. That way, the name is spelt the same way it is in HR; the job title is the same, and so is the department.
There is a problem with this picture though. There are not many HR systems that can talk to AD, and – even if they could – would anybody want all of the employee records to be added to AD? AD accounts cost money for Client Access Licenses, so having accounts for people who do not need access to IT can be expensive.
There is a solution to this.
Microsoft Identity Manager (MIM) allows us to take information from almost any HR system and process it intelligently – adding users to AD where it is appropriate. If we can identify that all staff in certain departments get an AD account, then MIM can take the relevant details and provision the accounts directly to AD.
This is a much better model which ensures that user accounts are created in AD, matching the business requirements. Better than that, it’s also able to de-provision accounts as people leave. This closes a common security flaw within many organisations.
Recently, there’s been a move towards increased use of cloud services, and the publishing of company data on an intranet. This means that more and more people actually need IT accounts.
The same issues around provision of AD CALs exist so it may be that an organisation only wants to have a definitive set of users who can access the on-premises services through AD, but all of the remaining employees need to access services like a protected intranet using a cloud account.
This means creating accounts in the cloud directory separately to those in the AD. Microsoft provides a synchronisation utility called AD Connect which automatically takes the accounts from AD and makes them available in the cloud. We can add these to our diagram very simply.
Obviously, there’s a problem with this. Only the employees who have an AD account are included. What about the remaining employees? What we really need is a way to link the HR system to the cloud directory so that these employees can also have an account.
This is something else that MIM can do. By creating a link directly between MIM and the Azure directory these other employee accounts can be automatically provisioned into Azure ready for use.
This means that the employees can access the intranet, or other cloud-based services, without the need for an AD account. As these accounts are managed completely in the cloud, they are available to the user from anywhere at any time.
These accounts are provisioned, and deprovisioned, following the chosen business rules. Now, all of the employees can access the relevant services using a known ID and password, with all of their personal information remaining consistent and correct.
Security is maintained at all times, and the users can access the services they need when they need them, from wherever they are.
Linking an HR system to provide the automatic provisioning of accounts – both to internal, on-premises systems and to the cloud – provides a user population with better-controlled access, maintaining security around the accounts and keeping data secure and consistent.
The deployment of an identity management system to provide this automation – including provisioning to cloud services – can save time and money, while enabling the user population to work more effectively.
Next, watch the Microsoft identity stack demos to see how Microsoft’s key identity management technologies enable seamless user creation journeys.
Or download ‘The business case for IAM’ e-Guide and become the driving force behind modernisation, cyber security and operational efficiency in your organisation.
Automate the management of users, control corporate access and achieve business security. Book your free half-day Identity and Access Management Envisioning Workshop today.Apply for a free workshop
Eight-time winner of the Microsoft Partner of the Year Award for Identity Management, Enterprise Mobility, Security and Compliance.
Oxford Computer Group UK officially rebranded as ThirdSpace in the UK on 16 October. This rebrand reflects our broadening identity and security solutions, as working practices extend from the office and home into working flexibly and collaboratively from anywhere – Your "ThirdSpace".Continue to ThirdSpace
You are seeing this because you are using a browser that is not supported. The ThirdSpace website is built using modern technology and standards. We recommend upgrading your browser with one of the following to properly view our website:Windows
Please note that this is not an exhaustive list of browsers. We also do not intend to recommend a particular manufacturer's browser over another's; only to suggest upgrading to a browser version that is compliant with current standards to give you the best and most secure browsing experience.