In the past, the importance of access rights management had to wait in line behind trending topics like hybrid infrastructures, digitalization, cloud, and the latest new tools the C-level wants to have and implement. As a result, access rights management in companies often lacks transparency, is organically grown, and doesn’t follow best practices like the principle of least privilege.
Even though managing user access rights is an essential part of every administrator’s work, there are different ways of doing it. However, looking at all the systems, tools, and scripts out there, most admins share the same big pain points.
Earlier this year, we asked our THWACK® community about their biggest pain points when it comes to access rights management and auditing. It turns out the biggest factors are:
1. Moving, adding, or changing permissions
2. Running an audit/proving compliance
3. Understanding recursive group memberships
1. Moving, Adding, or Changing Permissions
The flexibility of today’s working world requires a well thought-out user provisioning process. Whether for a new user, a short-term assignment, department changes, or temporary projects, the expectations of an IT group are to accurately and quickly provision users while helping to maintain data security.
IT departments are typically responsible for securing a network, managing access to resources, and keeping an overview of permissions and access rights policies. Therefore, they should use a provisioning framework. SolarWinds® Access Rights Manager (ARM) is designed to help address the user provisioning process across three phases—joiners, movers, and leavers.
SolarWinds Access Rights Manager not only helps automate the joiner or initial provisioning phase, it also allows admins to quickly perform changes and remediate access rights while enabling data owners.
Creating and Moving User Access Permissions
With ARM, you can control the creation of new user accounts, rights management, and account details editing.
Its user provisioning tool allows you to set up new users typically within seconds. Users are generated in a standardized manner and in conformity with the roles in your company. The access rights to file servers, SharePoint sites, and Exchange as defined in the AD groups are issued at the same time. ARM generates a suitable email account so the new colleague can start work immediately. You can schedule the activation to prepare for the event in the future or to limit the access period for project work. Whether help desk or data owner, participants work with a reduced, simple interface in both cases.
All access rights are set up in a few steps.
On the start screen under “User Provisioning,” you can choose from the most important quick links for:
Creating a user or a group
Editing group memberships
Editing access rights for resources
By choosing “Create new user or group,” ARM allows you to create a user or group based on preset templates. These user and group templates have to be created individually one time after installing ARM.
Groups can be members of other groups. Active Directory allows "children" to become "parents" within their own family tree. If the nested group structure loops in a circular way, group membership assignments become ineffective and nonsensical. Through these recursions or circular nested groups, every user who is a member of any of the recursive groups is granted all the access rights of all the groups. The consequence is a confusing mess of excessive access rights.
ARM automatically identifies all recursions in your system. We highly recommend removing the recursion by breaking the chain of circular group memberships.
ARM not only allows you to see circular or recursive groups, but also lets you directly correct group memberships and dissolve recursions.
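To make the circular nesting problem concrete, the following added example (not ARM's code, and not from SolarWinds) finds circular chains in a group nesting map and shows that every group in the loop ends up with the same effective memberships. The group names and the `MEMBER_OF` map are constructed sample data standing in for an export of direct group memberships.

```python
# Constructed sample: group -> groups it is a direct member of.
# All group names are hypothetical.
MEMBER_OF = {
    "Sales-EU": ["Sales-All"],
    "Sales-All": ["FS-Sales-Read"],
    "FS-Sales-Read": ["Sales-EU"],   # closes the loop
    "HR-Staff": ["FS-HR-Read"],
    "FS-HR-Read": [],
    "Interns": ["Sales-EU"],
}

def find_cycles(member_of):
    """Return circular nesting chains found by depth-first search."""
    cycles, seen, state = [], set(), {}   # state: 1 = on current path, 2 = done

    def visit(group, path):
        state[group] = 1
        path.append(group)
        for parent in member_of.get(group, []):
            if state.get(parent) == 1:            # edge back into the current path
                chain = path[path.index(parent):]
                if frozenset(chain) not in seen:  # report each group set once
                    seen.add(frozenset(chain))
                    cycles.append(chain)
            elif parent not in state:
                visit(parent, path)
        path.pop()
        state[group] = 2

    for group in sorted(member_of):
        if group not in state:
            visit(group, [])
    return cycles

def effective_groups(member_of, start):
    """All groups reached from `start` through nesting; the set stops endless loops."""
    reached, todo = set(), list(member_of.get(start, []))
    while todo:
        group = todo.pop()
        if group not in reached:
            reached.add(group)
            todo.extend(member_of.get(group, []))
    return reached

if __name__ == "__main__":
    for chain in find_cycles(MEMBER_OF):
        print("circular nesting:", " -> ".join(chain + chain[:1]))
    print("Interns effectively in:", sorted(effective_groups(MEMBER_OF, "Interns")))
```

Breaking the chain means removing one of the memberships in a reported loop; rerunning the check on the updated map should then return no chains.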
To keep an eye on the most common access-based risk levels, ARM provides a risk assessment dashboard with the eight biggest risk factors and lets you correct your individual risk levels right away.
Get your free ARM trial and do your risk assessment here.