In any organization, managing user permissions is a necessity driven by compliance requirements: an important but too often unappreciated manual task that most administrators or IT staff still have to perform today.
If it has worked so far, why change it at all? The workload of today’s administrators has changed. Hybrid infrastructures, digitalization, IT consumerization, and IT security, among many other daily tasks, leave administrators little time. Depending on the organization, the user access monitoring and management process can be complex, lengthy, and resource-blocking for the IT staff.
By introducing a data owner concept, that is, a concept that defines individuals responsible for access-related tasks such as password resets, account detail changes (name or address changes, etc.), and recertification/entitlement of access rights, administrators not only share responsibilities but also save time while keeping processes compliant and trackable.
Why and how can a data owner concept help?
In general, “divide and conquer” has proven to be a good strategy for solving complex problems, so how can we adapt it to the world of permission management?
The idea is simple: involve business users in the permission management process directly, since some of them often know better than IT who should have access to their resources.
Wait a minute, isn’t this a bit too much power in novice hands? Sure, they certainly know their business, but usually they aren’t technical users, so how would they know what to do and how to do it?
Let’s see how Access Rights Manager (ARM) can help overcome this obstacle.
Identify resources and owners
First, you need to create a list of resources that are good candidates to be owned by data owners. You might already have a good idea of which AD groups and folders these would be: I’m talking about those groups/folders whose tickets for permission/membership changes keep you busy. On top of these, you can also add folders on file servers that are protected from inheritance, since there’s usually a good reason for doing this.
ARM can help you identify these folders with the “Report on paths with different access rights” function available in the Resources view.
Report execution and filtering
(1) Navigate to the Resources view in the ARM thick client by clicking on Resources in the navigation bar.
(2) Click on Report at the upper-right side of the window and (3) select Report on paths with different access rights.
(4) In the report configuration window that opens, add all file server objects you want to investigate. Click Start in the lower-right corner of the window to execute the report.
(5) After report execution has finished, open the report by clicking Show report.
In the XLSX report that opens, switch to the sheet holding the information for your file server and filter the column Inheritance activated for “off” entries. The filtered list now shows all relevant folders.
It’s a good idea to review this list and remove folders that shouldn’t be protected from inheritance in the first place. Together with the list of resources already known, you now have a good list to support your discussions with the departments to find the correct data owner contact for each resource.
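If you want to cross-check the ARM report, or build the same candidate list for a share that is not scanned yet, the following PowerShell script is an added example (not ARM’s own code) that walks a share and lists every folder whose NTFS DACL is protected from inheritance, together with the principals granted directly on it. The share path `\\FS01\Marketing` and the output file name are constructed placeholders.

```powershell
# Added example, not part of ARM: find folders with inheritance disabled,
# the same folders ARM reports with "Inheritance activated" = off.
# $RootPath and $OutCsv are constructed placeholder values; adjust them.
param(
    [string]$RootPath = '\\FS01\Marketing',
    [string]$OutCsv   = '.\protected-folders.csv'
)

function Get-ProtectedFolder {
    param([string]$Path)

    Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $dir = $_
        try {
            $acl = Get-Acl -LiteralPath $dir.FullName
        } catch {
            # Folders the scanning account cannot read are reported, not dropped silently.
            [pscustomobject]@{
                Path                 = $dir.FullName
                InheritanceActivated = 'unknown'
                ExplicitAces         = 0
                Principals           = ''
                Note                 = $_.Exception.Message
            }
            return
        }
        # AreAccessRulesProtected is $true when inheritance is disabled on the DACL.
        if ($acl.AreAccessRulesProtected) {
            # Only ACEs set directly on this folder are relevant for the data owner review.
            $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
            [pscustomobject]@{
                Path                 = $dir.FullName
                InheritanceActivated = 'off'
                ExplicitAces         = $explicit.Count
                Principals           = (($explicit | ForEach-Object { $_.IdentityReference.Value } |
                                         Sort-Object -Unique) -join ';')
                Note                 = ''
            }
        }
    }
}

$protected = Get-ProtectedFolder -Path $RootPath
$protected | Sort-Object Path | Export-Csv -LiteralPath $OutCsv -NoTypeInformation
$protected | Format-Table Path, ExplicitAces, Principals -AutoSize
```

Run it with an account that has at least read permission on the share’s ACLs; rows marked “unknown” are folders that account could not read and should be checked separately.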
Define how to handle permission management on file servers
If you don’t want to involve data owners in change or approval processes on file servers, you can skip this part and continue reading at “Giving it a structure.”
As discussed at the beginning, data owners usually don’t have deep technical knowledge, and involving them in your permission management process should be as easy as possible for them while still being effective. To achieve this, ARM’s group wizard needs to be activated and configured by answering a few questions about your permission management process so that it adapts to your environment. This allows ARM to take care of the background tasks required when a user is added to a folder. The task for the data owner is then as easy as dragging and dropping a user from one list to another.
Please note that the next steps are just an introduction to the topic. An advanced configuration is possible and recommended.
(6) First, check that the AD scan is configured with credentials that allow changes in your AD. You find the view below in the ARM configuration client under Scans.
(8) Click on File Server in the technology-specific change configurations section.
(9) In Basic Settings, activate the Enable Group Wizard checkbox and choose the group type for the resource groups to be created. Please note that the group type can only be selected once; it can’t be changed after the configuration has been saved.
More information regarding the use of AD groups can be found on pages 293 to 299 in the ARM Administrator Guide and in the article Understanding Groups (Microsoft, 2020, https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd861330(v=ws.11), retrieved January 30, 2020).
(10) In Access Categories, select all access rights you want to be managed via ARM by administrators and data owners (everyone else). Modify the tag/suffix for resource groups if needed.
(11) Adjust the naming convention for your resource groups (ARM groups) in the Naming Conventions for ARM Groups section.
(12) Select each file server, configure change credentials (these will be used by ARM for the actual change operation on the file server), and activate the automatic management of list groups by checking the Manage list rights option in the List Rights Configuration section.
Note: you can find more information on how to set up the file server change configuration starting at page 286 in the ARM Administrator Guide.
Giving it a structure
Once you have a list of data owners and resources, the next step is to put these into a logical structure; best practice is to align it with your existing organizational structure.
Setting up such a structure makes administration easier and is a key requirement for advanced features in ARM. In addition, it allows reporting based on resources grouped in the organizational structure without having to select each resource individually.
Let’s assume the following situation in your organization: the marketing department is managed by an AD group named Marketing and uses three shares named Outbox, Events, and Archive on your file server.
(13) To start your configuration, navigate to the Data Owner view in the ARM configuration client by clicking on Data Owner, the top item in the last column.
(14) Now add a new organizational category by clicking Create on the upper-left side of the window. Note that I already created the root category Your Organization.
(15) In the window that opens, enter the name Marketing and an optional description to be displayed, and click Apply.
(16) Select Marketing, (17) switch the User & Group selection to Filter, and filter the list for your data owner. (18) Drag and drop the data owner to the list of Data Owners.
(19) Search and select the resources in the Resource selection pane and drag and drop these into the Resources list.
(20) Configure the data owner access permissions to each of the resources as required.
For now, it’s sufficient to grant the “read” option if you just want your data owner to see who has access, and the “write” option to allow your data owner to change memberships or permissions on resources.
If you want to make these resources available in the self-service portal via requests and approval workflows, there are some more steps required, which will be covered in another blog.
I hope this overview gives you a good understanding of some of ARM’s delegation capabilities and how you can use ARM to introduce a data owner concept in your organization.
With the configuration described above, a data owner can start to work with ARM and perform permission management tasks on the assigned resources via the thick client and the web client.
In the next part, I’ll explain how to add self-services like permission requests and approval workflows.
Need more details on the topic? Please refer to the ARM Administrator Guide starting at page 348.