Solutions for Managing Active Directory
Problem
Many organizations use Active Directory (AD) because it provides a centralized way to secure and administer user and computer access across the enterprise. AD is also the authentication and authorization source for many COTS applications.
- For new hires, organizations need to create users with the correct OU placement, group memberships, and shared folder access; the same applies to transfers, leaves of absence and terminations. Failing to terminate access consistently leads to a growing number of orphaned accounts. Organizations that have not implemented an IAM solution often rely on a home-grown collection of scripts that becomes unmaintainable over time.
- In addition to the joiner, mover, leaver processes, organizations also need to perform periodic access reviews. Without an IAM solution, these reviews are often done in spreadsheets, a manual and tedious process.
Solution Overview
OpenIAM’s Workforce Identity and Access Governance solution includes a mature and flexible Active Directory connector that leverages PowerShell. The connector in conjunction with the rest of OpenIAM’s capabilities provides the functionality described below.
Active Directory authentication
OpenIAM can be configured to support AD authentication. This allows users to log in to
OpenIAM using their AD credentials.
User onboarding and offboarding
OpenIAM can manage the joiner, mover, leaver (JML) process so that accounts are created and
terminated on time. The access that users have is determined by business rules which define
birthright access or through the service catalog in the self-service portal.
Group management
OpenIAM supports the creation and removal of AD groups. Users can also use the self-service portal to request new groups. If the request is approved, then the system will automatically create the group.
Admin accounts
Some workers, such as those in IT, may have a second "Admin" account whose privileged access is separate from their normal account. OpenIAM allows you to create both types of account and define a relationship between the two, so the user's overall access is visible as a whole rather than as two unrelated identities.
Orphan management
Using the orphan management feature in OpenIAM, customers can compare the accounts in Active Directory with the active users known to OpenIAM. AD accounts that do not match a real, active user are flagged as orphans. Orphans can then be cleaned up in either OpenIAM or the source system.
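The reconciliation described above, shown as an added PowerShell example (this is not OpenIAM's connector code). It assumes the AD side is a list of accounts such as Get-ADUser returns, the IAM side is an export of workers with an employeeID, login and status, and that a reviewed exclusion list covers service and built-in accounts that legitimately have no owner. Both inputs are constructed inline so the script runs without a domain. Matching on employeeID first (falling back to login name) also ties a secondary "Admin" account to its owner, as described under Admin accounts, so it is not flagged just because its name differs from the worker's login.

```powershell
# Added example, not OpenIAM code. In production the AD side would come from
# something like:
#   Get-ADUser -Filter * -Properties employeeID, LastLogonDate
# and the IAM side from an export of active identities. Both are constructed
# sample data here.
$adAccounts = @(
    [pscustomobject]@{ SamAccountName = 'jsmith';      EmployeeID = '10001'; Enabled = $true;  LastLogonDate = (Get-Date).AddDays(-3) }
    [pscustomobject]@{ SamAccountName = 'jsmith-adm';  EmployeeID = '10001'; Enabled = $true;  LastLogonDate = (Get-Date).AddDays(-1) }
    [pscustomobject]@{ SamAccountName = 'mlee';        EmployeeID = '10002'; Enabled = $true;  LastLogonDate = (Get-Date).AddDays(-40) }
    [pscustomobject]@{ SamAccountName = 'contractor7'; EmployeeID = $null;   Enabled = $true;  LastLogonDate = (Get-Date).AddDays(-200) }
    [pscustomobject]@{ SamAccountName = 'svc-backup';  EmployeeID = $null;   Enabled = $true;  LastLogonDate = (Get-Date).AddDays(-2) }
    [pscustomobject]@{ SamAccountName = 'old-hire';    EmployeeID = '10009'; Enabled = $false; LastLogonDate = (Get-Date).AddDays(-400) }
)

# Constructed sample: workers as the IAM system knows them (any status).
$iamWorkers = @(
    [pscustomobject]@{ EmployeeID = '10001'; Login = 'jsmith';   Status = 'ACTIVE' }
    [pscustomobject]@{ EmployeeID = '10002'; Login = 'mlee';     Status = 'ACTIVE' }
    [pscustomobject]@{ EmployeeID = '10009'; Login = 'old-hire'; Status = 'TERMINATED' }
)

# Assumed exclusion list: accounts with no human owner by design. Review it
# separately; an unreviewed exclusion list is where orphans go to hide.
$exclusions = @('svc-backup', 'krbtgt', 'Guest')

function Find-OrphanAccounts {
    param(
        [Parameter(Mandatory)] $AdAccounts,
        [Parameter(Mandatory)] $IamWorkers,
        [string[]] $Exclude = @(),
        [int] $StaleDays = 90
    )
    # Index the IAM side: every known employeeID, plus the active ones and
    # active login names for the fallback match.
    $knownIds = @{}; $activeIds = @{}; $activeLogins = @{}
    foreach ($w in $IamWorkers) {
        if ($w.EmployeeID) { $knownIds[$w.EmployeeID] = $true }
        if ($w.Status -eq 'ACTIVE') {
            if ($w.EmployeeID) { $activeIds[$w.EmployeeID] = $true }
            if ($w.Login)      { $activeLogins[$w.Login.ToLower()] = $true }
        }
    }

    foreach ($acct in $AdAccounts) {
        $sam = $acct.SamAccountName
        if ($Exclude -contains $sam) { continue }

        # Owned if its employeeID belongs to an active worker, or (fallback)
        # its login name is an active worker's login.
        $owned = ($acct.EmployeeID -and $activeIds.ContainsKey($acct.EmployeeID)) -or
                 $activeLogins.ContainsKey($sam.ToLower())
        if ($owned) { continue }

        if (-not $acct.EmployeeID) { $reason = 'no employeeID and login not an active worker' }
        elseif ($knownIds.ContainsKey($acct.EmployeeID)) { $reason = 'owner no longer active in IAM; AD account remains' }
        else { $reason = 'employeeID unknown to IAM' }

        # Never-logged-on accounts count as stale.
        $stale = (-not $acct.LastLogonDate) -or ($acct.LastLogonDate -lt (Get-Date).AddDays(-$StaleDays))

        [pscustomobject]@{
            SamAccountName = $sam
            Enabled        = $acct.Enabled
            Reason         = $reason
            StaleLogon     = $stale
        }
    }
}

Find-OrphanAccounts -AdAccounts $adAccounts -IamWorkers $iamWorkers -Exclude $exclusions |
    Format-Table -AutoSize
```

With the sample data, jsmith, jsmith-adm and mlee are owned, svc-backup is excluded, and two rows come back: contractor7 (no employeeID, stale) and old-hire (employeeID belongs to a terminated worker, disabled but still present). A disabled-but-present account is still worth reporting: it keeps group memberships and can be re-enabled, so the cleanup step, whether run from OpenIAM or directly in AD, should remove or quarantine it rather than leave it as is.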
Access certification
OpenIAM can be configured to regularly import groups, shared folders, and the access that users have. In this way, OpenIAM is always current with the data needed to initiate the access certification campaign.
Multiple domains
A single instance of OpenIAM can manage multiple AD domains.
Let’s Connect
Managing identity can be complex. Let OpenIAM simplify how you manage all of your identities from a converged modern platform hosted on-premises or in the cloud.
For 15 years, OpenIAM has been helping mid to large enterprises globally improve security and end user satisfaction while lowering operational costs.