In the past, the importance of access rights management had to wait in line behind trending topics like hybrid infrastructures, digitalization, cloud, and the latest new tools the C-level wants to have and implement. As a result, access rights management in companies often lacks transparency, is organically grown, and doesn’t follow best practices like the principle of least privilege.
Even though managing user access rights is an essential part of every administrator’s work, there are different ways of doing it. However, looking at all the systems, tools, and scripts out there, most admins share the same big pain points.
Earlier this year, we asked our THWACK® community about their biggest pain points when it comes to access rights management and auditing. It turns out the biggest factors are:
- Moving, adding, or changing permissions
- Running an audit/proving compliance
- Understanding recursive group memberships
1. Moving, Adding, or Changing Permissions
The flexibility of today’s working world requires a well thought-out user provisioning process. Whether for a new user, a short-term assignment, department changes, or temporary projects, the expectations of an IT group are to accurately and quickly provision users while helping to maintain data security.
IT departments are typically responsible for securing a network, managing access to resources, and keeping an overview of permissions and access rights policies. Therefore, they should use a provisioning framework. SolarWinds® Access Rights Manager (ARM) is designed to help address the user provisioning process across three phases—joiners, movers, and leavers.
SolarWinds Access Rights Manager not only helps automate the joiner or initial provisioning phase, it also allows admins to quickly perform changes and remediate access rights while enabling data owners.
Creating and Moving User Access Permissions
With ARM, you can control the creation of new user accounts, rights management, and account details editing.
Its user provisioning tool allows you to set up new users typically within seconds. Users are generated in a standardized manner and in conformity with the roles in your company. The access rights to file servers, SharePoint sites, and Exchange as defined in the AD groups are issued at the same time. ARM generates a suitable email account so the new colleague can start work immediately. You can schedule the activation to prepare for the event in the future or to limit the access period for project work. Whether help desk or data owner, participants work with a reduced, simple interface in both cases.
All access rights are set up in a few steps.
On the start screen under “User Provisioning,” you can choose from the most important quick links for:
- Creating a user or a group
- Editing group memberships
- Editing access rights for resources
By choosing “Create new user or group,” ARM allows you to create a user or group based on preset templates. These user and group templates have to be created individually one time after installing ARM.
For further information please download our whitepaper: Joiner, Mover, Leaver: User Provisioning With SolarWinds Access Rights Manager
2. Running an Audit/Proving Compliance
With ARM, you can either create reports on users/groups or resources along with further filters.
Just looking at reports for Active Directory, you could create views for:
- Where user and groups have access
- Employees of manager
- Display user account details
- Find inactive accounts
- OU members and group memberships
- User and group report
- Identify local accounts
- And many more
While creating a report, you can set different selections such as the users or groups you’d like to report on and the resources you would like details about.
Additionally, you can set up scheduled reports, which can be sent by email directly to yourself, your auditor, or your line manager if needed.
To gain more insight on the reporting capabilities of ARM, please see our whitepaper: Top 7 Audit-Prep Reports
3. Understanding Recursive Group Memberships
Groups can be members of other groups. Active Directory allows "children" to become "parents" within their own family tree, so nothing stops a nesting chain from looping back on itself. Once group A contains B, B contains C, and C contains A again, each group in the loop transitively contains every member of every other group in it: every user who is a direct member of any one of the circular groups is granted the access rights of all of them, and the nesting no longer expresses any real hierarchy. The consequence is a confusing mess of excessive access rights.
ARM automatically identifies all recursions in your system. We highly recommend removing each recursion by breaking the chain of circular group memberships: remove the single nesting that closes the loop, then check that the users who relied on it still hold the rights they actually need.
ARM not only allows you to see circular or recursive groups, but directly correct group memberships and dissolve recursions.
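How a circular nesting is found, and why every group in the loop ends up with the same effective members, as an added example that is not ARM code and not part of the original post: the PowerShell below runs offline on a constructed group map (group and user names are invented). The commented lines show how the same map could be filled from a real domain with the RSAT ActiveDirectory module; that module is an assumption and is not needed to run the example.

```powershell
# Added example, not code from SolarWinds ARM or from this post.
# Constructed nested-group map: group -> groups that are its direct members.
# Finance-All -> Finance-Analysts -> Finance-Contractors -> Finance-All closes a loop.
$Nesting = @{
    'Finance-All'         = @('Finance-Analysts', 'Finance-Managers')
    'Finance-Analysts'    = @('Finance-Contractors')
    'Finance-Contractors' = @('Finance-All')     # the nesting that closes the circle
    'Finance-Managers'    = @()
    'HR-All'              = @('HR-Payroll')
    'HR-Payroll'          = @()
}
# Constructed direct user members of each group (user names are invented).
$DirectUsers = @{
    'Finance-All'         = @('alice')
    'Finance-Analysts'    = @('bob')
    'Finance-Contractors' = @('carol')
    'Finance-Managers'    = @('dave')
    'HR-All'              = @()
    'HR-Payroll'          = @('erin')
}
# Assumption: in a real domain with the RSAT ActiveDirectory module you could fill
# $Nesting from the 'member' attribute instead of the constructed data above:
#   $groups  = Get-ADGroup -Filter * -Properties member
#   $isGroup = @{}; foreach ($g in $groups) { $isGroup[$g.DistinguishedName] = $true }
#   $Nesting = @{}; foreach ($g in $groups) {
#       $Nesting[$g.DistinguishedName] = @($g.member | Where-Object { $isGroup[$_] }) }

function Find-CircularGroups {
    # Depth-first search over the nesting graph; an edge back to a group that is still
    # on the current path is a circular nesting. Iterative, so deep chains cannot overflow.
    param([hashtable]$Nesting)
    $state  = @{}                                        # group -> 'visiting' | 'done'
    $cycles = New-Object System.Collections.Generic.List[string]
    foreach ($root in $Nesting.Keys) {
        if ($state[$root] -eq 'done') { continue }
        $path   = New-Object System.Collections.Generic.List[string]   # groups on the current path
        $cursor = New-Object System.Collections.Generic.List[int]      # next child index per path entry
        $path.Add($root); $cursor.Add(0); $state[$root] = 'visiting'
        while ($path.Count -gt 0) {
            $g        = $path[$path.Count - 1]
            $children = @($Nesting[$g] | Where-Object { $_ })          # tolerate $null / empty
            $i        = $cursor[$cursor.Count - 1]
            if ($i -lt $children.Count) {
                $cursor[$cursor.Count - 1] = $i + 1
                $child = $children[$i]
                if ($state[$child] -eq 'visiting') {
                    # Back edge: report the loop from the first occurrence of $child to here
                    $start = $path.IndexOf($child)
                    $loop  = ($path.GetRange($start, $path.Count - $start) -join ' -> ') + ' -> ' + $child
                    $cycles.Add($loop)
                }
                elseif ($state[$child] -ne 'done') {
                    $state[$child] = 'visiting'
                    $path.Add($child); $cursor.Add(0)
                }
            }
            else {
                $state[$g] = 'done'
                $path.RemoveAt($path.Count - 1); $cursor.RemoveAt($cursor.Count - 1)
            }
        }
    }
    return ,$cycles
}

function Get-EffectiveMembers {
    # Users a group effectively contains: its direct users plus those of every group
    # reachable through nesting. The visited set keeps a circular nesting from looping forever.
    param([hashtable]$Nesting, [hashtable]$DirectUsers, [string]$Group)
    $users = New-Object System.Collections.Generic.HashSet[string]
    $seen  = @{}
    $queue = New-Object System.Collections.Generic.Queue[string]
    $queue.Enqueue($Group)
    while ($queue.Count -gt 0) {
        $g = $queue.Dequeue()
        if ($seen[$g]) { continue }
        $seen[$g] = $true
        foreach ($u in @($DirectUsers[$g] | Where-Object { $_ })) { [void]$users.Add($u) }
        foreach ($c in @($Nesting[$g]     | Where-Object { $_ })) { $queue.Enqueue($c) }
    }
    return ,@($users | Sort-Object)
}

$cycles = Find-CircularGroups -Nesting $Nesting
"Circular nestings found: $($cycles.Count)"
$cycles | ForEach-Object { "  $_" }
"Effective members per group:"
foreach ($g in ($Nesting.Keys | Sort-Object)) {
    $m = Get-EffectiveMembers -Nesting $Nesting -DirectUsers $DirectUsers -Group $g
    "  {0,-20} {1}" -f $g, ($m -join ', ')
}
```

Run as-is in Windows PowerShell 5.1 or pwsh. It reports the single loop among the Finance groups and shows that the three groups in that loop all resolve to the same four effective members, while HR-All and HR-Payroll are unaffected. Dissolving the recursion means deleting exactly one nesting edge of the loop, typically the one added last, and then re-running the effective-membership report to confirm that nobody lost a right they legitimately need.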
To keep an eye on the most common access-based risk levels, ARM provides a risk assessment dashboard with the eight biggest risk factors and lets you correct your individual risk levels right away.