Monday, March 28, 2011

Education and Free Email Services

One of the recent trends in the Education market over the last couple of years is the free email offerings from Google and Microsoft. While Gmail and MSlive@edu offer a number of tangible benefits to schools and universities, including a permanent account for alumni, creating and managing the accounts can be a challenge. Adding to this issue, passwords from Active Directory are no longer automatically synchronized and, especially if you were using Exchange, an additional burden can be placed on the helpdesk to reset email passwords.

Tools4ever offers solutions to both of these common issues when moving to Gmail or MS Live. Our User Management Resource Administrator can take a feed from your Student Information System and use data from there to automatically create user accounts in the hosted email solution. Further, when students graduate, their AD accounts can programmatically be moved to an Alumni OU and the appropriate indication made in either Gmail or MS Live.

Our PSM (Password Synch Manager) and SSRPM (Self Service Reset Password Manager) also have links into both of these email applications. If a user forgets a password in AD or the email solution, they can visit a web page, answer a series of challenge questions, and reset both passwords simultaneously. Although not as common for students, faculty and staff typically will have expiration dates on passwords and will need to reset them on a regular basis. PSM captures the new AD password and can send it to the email application to ensure the passwords remain in sync.
To learn how Tools4ever can help prevent your free mail system from costing a fortune in maintenance and help desk time, please visit our website: Tools4ever, Inc.

Tuesday, March 22, 2011

Your Identity Management Strategy: What’s on the Menu?

Identity Management projects have a reputation for being long, costly and technically complex. What if the benefits of an Identity Management strategy could be yours without the hassle and overhead that go with technically complex projects, and within the limits of your budget?

Thanks to hundreds of Identity Management projects managed by our technical consultants, Tools4ever has been able to create a number of Identity Management best practices, aimed at achieving the maximum result with minimal effort.
One best practice is establishing a real Identity Management maturity model. Another result is the Tools4ever Identity Management à la carte menu, demonstrating Tools4ever's capacity to deliver point solutions as well as an integrated Identity Management approach.

Here are some examples of the Identity Management à la carte menu of solutions that have been implemented. (The estimated implementation time refers to average size organizations of about 2000 users.)

• Delegation and tracing of the management of all user accounts and their resources (2 days);
• Synchronization with HR system (2 days);
• Identity Management Self Service Portal and Workflow Management (5 days);
• RBAC - Role Based Access Control level 1 (3-5 days);
• Web portal for auditing and managing NTFS rights or Group Management (2 days);
• Single Sign-On for your 10 main applications (3 days);
• Self Service Password Management (1-3 days);
• Password Synchronization (1 day).

Interested? Please visit our website, Tools4ever, Inc., to learn more about our solutions and how they will help you achieve your Identity Management goals.

Doing More with Less

In Identity Management, balancing efficiency and security can be a tough and expensive proposition. IdM projects are complex, require broad support and can very easily fail, so it's understandable that many organizations have resisted these changes in favor of business as usual. Although this is changing due to countless regulatory standards and industry trends, many businesses still rely on antiquated and painfully manual processes for performing simple tasks such as updating phone numbers or removing access for an employee on leave.

Just last week, a colleague met with a hospital whose onboarding process for a new employee involved at least 3-5 different people, two sheets of paper, several emails and a response time of two days. On top of this, it was expected that the parties involved would provide accurate information and do their own error checking. With over 1400 employees, you don't need to do much calculating to realize how much time is involved in this one process and the risk that is created. The good news is that the hospital is beginning the one year process of assessing and evaluating identity management options; however, it is still unclear what role workflow automation will play in their eventual solution.

Any organization, like the hospital visited, can easily implement a project that provides a series of web forms and automatic notifications, giving a means to request, verify and approve facilities and implement network changes independently. Using a provisioning package such as Tools4ever's UMRA, these changes can be executed across the network according to predefined rule sets. The graphic below outlines such a process.

A solution like this is easy to implement and can be an inexpensive way to manage security risks and improve the speed in which user management functions can be accomplished.

For more information, visit our workflow page: Tools4ever, Inc.

Friday, March 18, 2011

We want to automate everything, but …

With an increasing frequency, we hear from our prospects the desire to automate every aspect of their Identity Management process. Inevitably, during the discovery phase, specific items are uncovered that are exceptions to the rule and difficult, or in some cases, impossible to address programmatically. It is conceivable that the vast majority of new user accounts will be handled systematically and only a rare exception will need special treatment.

To this end, Tools4ever can offer a hybrid solution for automating account lifecycle management. As new users are entered into the Human Resource (HR) system, an automated process generates the new user account based on the predefined criteria, but instead of actually committing the account in Active Directory, a "request" is queued for further review.

An email is delivered to a group stating there are pending items to be reviewed. At that point, a Systems Administrator or Help Desk person accesses a web portal and reviews the request. If all appears correct, simply clicking a submit button will execute the account creation in AD, email (Exchange, Google, Lotus) and numerous other systems. If further details are necessary – possibly specific group memberships, larger mailbox store or distribution list access to name a few – the Sys Admin or Help Desk person can add the required resources and then click submit to complete the processing.

Extending this concept further, particularly to schools, colleges and universities, the account creation for students is often straightforward and can be automated entirely, without the queued request, while account creations for faculty and staff are often more complex and lower in frequency, and can be handled using the queued process.
By utilizing this hybrid methodology, it is extremely easy to handle both simple and complex account creation scenarios.
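The hybrid flow described above, as an added example in Python that is not Tools4ever's or UMRA's own code: every HR row becomes a generated request, students are committed directly, everyone else lands in a review queue where the helpdesk can add resources before submitting. The HR field names, the population rule, the username convention and the in-memory dictionary standing in for Active Directory are all assumptions made for this illustration.

```python
"""Hybrid account-lifecycle processing: auto-commit simple populations,
queue the rest for helpdesk review.

Added illustration, not Tools4ever/UMRA code. The HR record fields, the
population rule (students auto-commit, everyone else is queued) and the
in-memory 'directory' standing in for Active Directory are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum


class Status(Enum):
    PENDING = "pending"      # queued for review in the web portal
    COMMITTED = "committed"  # written to the directory


@dataclass
class AccountRequest:
    hr_id: str
    first: str
    last: str
    population: str              # "student", "faculty" or "staff" (assumed values)
    groups: set[str] = field(default_factory=set)
    mailbox_mb: int = 500
    status: Status = Status.PENDING

    @property
    def username(self) -> str:
        # Assumed naming convention: first initial + last name, lowercase.
        return (self.first[0] + self.last).lower()


def build_request(hr: dict) -> AccountRequest:
    """Generate the account request from predefined criteria on the HR row."""
    req = AccountRequest(hr["id"], hr["first"], hr["last"], hr["population"])
    req.groups.add(f"All-{req.population.capitalize()}")   # assumed default group
    return req


def requires_review(req: AccountRequest) -> bool:
    """Students are committed straight away; other populations are queued."""
    return req.population != "student"


def commit(req: AccountRequest, directory: dict[str, AccountRequest]) -> str:
    """Create the account in the (simulated) directory; refuse duplicates."""
    if req.username in directory:
        raise ValueError(f"account {req.username} already exists")
    req.status = Status.COMMITTED
    directory[req.username] = req
    return req.username


def process_hr_feed(rows, directory, queue: list[AccountRequest]) -> None:
    """One pass over new HR rows: auto-commit or queue, per population."""
    for row in rows:
        req = build_request(row)
        if requires_review(req):
            queue.append(req)      # the review group is emailed in the real flow
        else:
            commit(req, directory)


def review_and_commit(req, directory, extra_groups=(), mailbox_mb=None) -> str:
    """Helpdesk adds resources in the portal, then clicks submit."""
    req.groups.update(extra_groups)
    if mailbox_mb is not None:
        req.mailbox_mb = mailbox_mb
    return commit(req, directory)


if __name__ == "__main__":
    rows = [  # constructed sample HR rows
        {"id": "S100", "first": "Ada", "last": "Lovelace", "population": "student"},
        {"id": "F200", "first": "Alan", "last": "Turing", "population": "faculty"},
    ]
    directory, queue = {}, []
    process_hr_feed(rows, directory, queue)
    print(sorted(directory), [q.username for q in queue])
```

The point of keeping `commit` as the single write path is that the auto-committed and the reviewed requests go through exactly the same checks (here only a duplicate-username check), so the review step can only add resources, never bypass the rule set.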

To learn more about this application of Identity Management and many others, please visit our website; Tools4ever, Inc.

Thursday, March 17, 2011

Active Directory: Dealing with Reorganizations

The health care sector is undergoing various reorganizations. These require a change in the organizational hierarchy as well as the merging or separation of organizational units. A properly configured Active Directory structure is a precondition for dealing with organizational changes in a flexible way. If the organization has opted for a branched OU structure that is closely aligned with the organizational model, a major effort may be required to modify this structure in case of changes.

The structure depicted below provides an idea of how you can set up Active Directory in such a way that IT can conveniently implement organizational changes, while sufficient room is left for security mechanisms. This structure is based on the assumption that it is possible to retrieve cost centers, functional codes, departments and locations from the HR system (e.g. Meditech or Lawson).

- Administration
-|- Service accounts
-|- Administration accounts
- Organization
-|- Computers
-|- Users (1 OU for all user accounts)
-|- Groups
-|-|- Cost centers (HR interface)
-|-|- Functions (HR interface)
-|-|- Departments (HR interface)
-|-|- Locations (HR interface)
-|-|- Data (nested in the above groups)
-|-|- Mail (nested in the above groups)
-|-|- Applications (nested in the above groups)

In this way, the user accounts can be made a member of one or more functions, departments, cost centers and/or locations. Resources such as data, mail and applications are linked to these user accounts in turn. In case of organizational changes, it will suffice to create additional HR groups. It is up to IT to link the right resources to these groups. Using Tools4ever's UMRA solution to set up a link with the HR system allows you to link any user to the right HR group(s). Added to which, IT will be in control of the assigned resources.

It is possible to create each HR group in its own OU, for example using UMRA, in the event more GPO capabilities are required because all users are now accommodated in a single OU. In that case it will be possible to roll out a GPO for each HR object. If you use, say, RES PowerFuse, comprehensive GPO settings are usually not required: you will be able to accommodate all HR objects in a single OU and to distinguish them, e.g. through their naming.
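The HR-driven group model above, worked through as an added Python example (not Tools4ever's or UMRA's code): a user's HR groups are derived from the cost center, function, department and location fields, a reorganization becomes an add/remove delta on those groups only, and the data, mail and application resources reach the user through nesting. The `CC-`/`FN-`/`DEPT-`/`LOC-` naming convention, the HR field names and the nesting table are assumptions for this illustration.

```python
"""Derive HR-based group memberships from HR attributes and resolve the
resources nested under them.

Added example, not Tools4ever/UMRA code. The group naming convention
(CC-, FN-, DEPT-, LOC- prefixes), the HR fields and the nesting table
are assumptions; the layout follows the Groups OU described above.
"""
from __future__ import annotations
from dataclasses import dataclass

HR_PREFIXES = ("CC-", "FN-", "DEPT-", "LOC-")   # groups owned by the HR interface


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    cost_center: str
    function: str
    department: str
    location: str


def hr_groups(rec: HrRecord) -> set[str]:
    """The HR groups a user should hold: one per HR attribute."""
    return {f"CC-{rec.cost_center}", f"FN-{rec.function}",
            f"DEPT-{rec.department}", f"LOC-{rec.location}"}


def membership_delta(current: set[str], rec: HrRecord) -> tuple[set[str], set[str]]:
    """(to_add, to_remove) for HR-managed groups only.

    Groups without an HR prefix (Data-, Mail-, App-, legacy groups) are IT's
    responsibility and are never touched here; they reach the user via nesting.
    """
    desired = hr_groups(rec)
    managed = {g for g in current if g.startswith(HR_PREFIXES)}
    return desired - managed, managed - desired


def effective_resources(user_groups: set[str], nesting: dict[str, set[str]]) -> set[str]:
    """Resolve resource groups nested (transitively) under the user's groups."""
    seen, stack = set(), list(user_groups)
    while stack:
        g = stack.pop()
        for child in nesting.get(g, ()):
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen


def reorganize(current: set[str], rec: HrRecord, nesting: dict[str, set[str]]):
    """Apply an HR change and report the user's new groups and resources."""
    add, remove = membership_delta(current, rec)
    new_groups = (current - remove) | add
    return new_groups, effective_resources(new_groups, nesting)


if __name__ == "__main__":
    # Constructed sample: a nurse moves from Radiology to Oncology.
    current = {"CC-4711", "FN-Nurse", "DEPT-Radiology", "LOC-North", "Legacy-App"}
    rec = HrRecord("E1", "4711", "Nurse", "Oncology", "North")
    nesting = {"DEPT-Radiology": {"Data-Radiology", "Mail-Radiology"},
               "DEPT-Oncology": {"Data-Oncology"},
               "Data-Oncology": {"App-Chemo"}}
    print(membership_delta(current, rec))
    print(reorganize(current, rec, nesting))
```

Because only prefixed HR groups are ever removed, the department move drops `Data-Radiology` and `Mail-Radiology` automatically through the nesting, while a group IT assigned by hand (`Legacy-App`) survives the change.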

To learn more about this application of Identity Management and many others, please visit our website; Tools4ever, Inc.

Two-factor Password Authentication

Tools4ever’s Self Service Password Management has always been available with a web interface, in order to allow users to reset their Active Directory passwords from an intranet or via the web. On the basis of a number of simple, predefined questions end-users can reset their password. Although this has been widely adopted in mostly educational establishments, some form of two factor authentication has been requested by many of our corporate customers.
On the 18th of February we released the SSRPM Security Module, which adds two-factor authentication via email. Two-factor authentication (TFA or 2FA) means using two independent means of evidence to assert an entity's identity to another entity.

When a user logs onto the Active Directory domain for the first time following an SSRPM deployment, as well as answering a question set configured by the administrator, they will also be asked to supply a private email address. If an end user should subsequently forget their password, they can answer the challenge questions in the standard way. However, before they can reach the final stage and submit a new password, they must first enter the PIN emailed to their private address. This scenario illustrates the basic parts of most two-factor authentication systems; the "something you have" + "something you know" concept.
Two-factor authentication already secures the web interface. But we intend to extend this even further by enabling the forwarding of PINs to mobile phones by SMS. Watch this space for further information!
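The emailed-PIN step described above, as an added Python example that is not SSRPM code: a random PIN is generated, handed to a delivery callback (email today, SMS later), and only a salted hash is kept server side; verification is time-limited, attempt-limited, single-use and uses a constant-time comparison. The PIN length, ten-minute lifetime, three-attempt budget and the `deliver` callback are assumptions for this illustration.

```python
"""Emailed one-time PIN as the second factor of a self-service password reset.

Added example, not SSRPM code. The PIN length, lifetime, attempt limit and
the delivery callback are assumptions; delivery itself (email or SMS) is
left to the caller.
"""
from __future__ import annotations
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

PIN_DIGITS = 6
PIN_TTL_SECONDS = 10 * 60
MAX_ATTEMPTS = 3
_PBKDF2_ROUNDS = 50_000


@dataclass
class PinChallenge:
    user: str
    salt: bytes
    pin_hash: bytes
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # Only the hash is stored, so a leaked challenge table does not reveal live PINs.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, _PBKDF2_ROUNDS)


def issue_pin(user: str, deliver, now: float | None = None) -> PinChallenge:
    """Generate a random PIN, hand it to deliver(user, pin), keep only the hash."""
    now = time.time() if now is None else now
    pin = f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"
    salt = secrets.token_bytes(16)
    deliver(user, pin)  # e.g. send to the private address registered at first logon
    return PinChallenge(user, salt, _hash_pin(pin, salt), now + PIN_TTL_SECONDS)


def verify_pin(ch: PinChallenge, candidate: str, now: float | None = None) -> bool:
    """True exactly once for the right PIN within its lifetime and attempt budget."""
    now = time.time() if now is None else now
    if ch.attempts_left <= 0 or now > ch.expires_at:
        return False
    ch.attempts_left -= 1
    ok = hmac.compare_digest(_hash_pin(candidate, ch.salt), ch.pin_hash)
    if ok:
        ch.attempts_left = 0   # single use: the challenge is spent on success
    return ok


if __name__ == "__main__":
    outbox = {}   # constructed stand-in for the mail system
    challenge = issue_pin("jdoe", lambda user, pin: outbox.__setitem__(user, pin))
    print("delivered PIN accepted:", verify_pin(challenge, outbox["jdoe"]))
    print("replay accepted:", verify_pin(challenge, outbox["jdoe"]))
```

The PIN only completes the reset after the challenge questions have been answered, so the two factors stay independent: the questions are "something you know", and the mailbox (or phone) that receives the PIN is "something you have".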

To learn more about our solution, visit: Tools4ever, Inc.

Wednesday, March 16, 2011

Automatic handling of helpdesk tickets related to users and access rights

Many organizations today already have web forms in place to handle requests for user accounts, access rights or other resources. Typically a manager can use such web forms from their intranet to announce the arrival or departure of an employee. They can request an account, mailbox, shares, groups or application rights. At the end of the form or workflow, a ticket arrives at the helpdesk, which will then create the account and resources or request that this be done by the system administrators.

This time-consuming and error-prone work means entering the data directly into Active Directory or other systems and, what's more, it is the same data that already exists in the help desk ticket.
Although UMRA has its own workflow management system and the option to create web forms, we recently found a way to deploy UMRA in an existing situation. In the example of a financial institution, we configured UMRA to automatically process all the new tickets related to users, and their rights and resources.

The advantages:
• A short implementation time of 2 days to automatically process all tickets related to users and access rights;
• Saves a lot of time for the system administrators;
• Guarantees that all the standards are respected;
• Eliminates manually keying in the same information twice with possible errors;
• Possible to process the request in different systems (Active Directory, Mail system, databases and applications).

Using this methodology, all the available information from the request is utilized in the optimal way.

A potential disadvantage of this situation lies in the fact that web forms managed within the company's intranet are often not dynamic, creating a 'static' ticket. The configuration data, such as departments, OUs or groups in the Active Directory and the relationship between an employee and his manager, have to be managed separately and often manually. By utilizing UMRA forms, which are fully dynamic and able to retrieve information in real time from the Active Directory or the HR system, the data can be used to create the appropriate drop-down lists, eliminating another potential source of errors and manual entry.

To learn more about this application of Identity Management and many others, please visit our website; Tools4ever, Inc.

Friday, March 11, 2011

Keeping Active Directory Clean

One of the issues that frequently arises, especially in larger organizations, is the need to provide contractors, consultants and temporary employees with access to network resources and email. The concept of automating the lifecycle by integrating with a Human Resource system breaks down because these types of employees are rarely entered there.
We have solved this dilemma numerous times for companies by implementing a web-based workflow. The hiring manager accesses an internal web page and completes the relevant information - name, department, type of employee, expected length of service, etc. Once the form is submitted, IT or the helpdesk can review the information and process it automatically. An email is delivered back to the hiring manager with the username, email address and initial password.
The key element here to keep AD clean is the expected length of service date. As that date approaches, a notification can be delivered to the manager asking if the date should be extended. If yes, the manager clicks on a link in the email and can enter a new end date. If no, the process automatically disables the user on the last day of service. A manager can also be given an option to disable or terminate immediately if the person has already left.
After sitting in a disabled status for a period of 60 to 90 days, the record can automatically be purged from AD. Implementing a process like this saves time, potential licensing costs and increases security all while making life easier for the OIT department.
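The end-date lifecycle described above, as an added Python example (not Tools4ever's or UMRA's code): a daily job looks at each temporary account and decides whether to notify the manager ahead of the end date, disable on the last day of service, or purge once the account has sat disabled long enough; an extension from the manager resets the notice. The 14-day notice period and the 60-day purge window are assumptions (the text gives 60 to 90 days), and the account record is an in-memory stand-in for the AD object.

```python
"""Daily lifecycle check for contractor/temporary accounts that have no HR record.

Added example, not Tools4ever/UMRA code. The 14-day manager notice and the
60-day purge window are assumptions (the text says 60 to 90 days); the
account record is an in-memory stand-in for the AD user object.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum

NOTIFY_DAYS_BEFORE_END = 14
PURGE_AFTER_DISABLED_DAYS = 60


class Action(Enum):
    NONE = "none"
    NOTIFY_MANAGER = "notify-manager"   # ask whether the end date should be extended
    DISABLE = "disable"                 # last day of service reached
    PURGE = "purge"                     # disabled long enough to be deleted


@dataclass
class TempAccount:
    username: str
    manager: str
    end_date: date
    disabled_on: date | None = None
    manager_notified: bool = False


def next_action(acct: TempAccount, today: date) -> Action:
    """Decide what the daily job should do with this account today."""
    if acct.disabled_on is not None:
        if today >= acct.disabled_on + timedelta(days=PURGE_AFTER_DISABLED_DAYS):
            return Action.PURGE
        return Action.NONE
    if today >= acct.end_date:
        return Action.DISABLE
    notice_day = acct.end_date - timedelta(days=NOTIFY_DAYS_BEFORE_END)
    if not acct.manager_notified and today >= notice_day:
        return Action.NOTIFY_MANAGER
    return Action.NONE


def extend(acct: TempAccount, new_end: date) -> None:
    """The manager clicked the link in the email and entered a new end date."""
    if new_end <= acct.end_date:
        raise ValueError("new end date must be later than the current one")
    acct.end_date = new_end
    acct.manager_notified = False   # a fresh notice goes out before the new date


def run_daily(accounts: list[TempAccount], today: date) -> list[tuple[str, Action]]:
    """Apply today's action to every account; return what was done, in order."""
    log = []
    for acct in list(accounts):
        action = next_action(acct, today)
        if action is Action.NOTIFY_MANAGER:
            acct.manager_notified = True   # email to acct.manager in the real flow
        elif action is Action.DISABLE:
            acct.disabled_on = today
        elif action is Action.PURGE:
            accounts.remove(acct)           # delete the AD object in the real flow
        if action is not Action.NONE:
            log.append((acct.username, action))
    return log


if __name__ == "__main__":
    # Constructed sample: one contractor whose engagement ends on 30 April.
    pool = [TempAccount("contractor1", "manager@example.org", date(2011, 4, 30))]
    for day in (date(2011, 4, 16), date(2011, 4, 30), date(2011, 6, 29)):
        print(day, run_daily(pool, day))
```

Disable and purge are deliberately separate steps: a disabled account can still be re-enabled if the manager's "no" turns out to be wrong, while the purge after the waiting period is what actually keeps the directory (and any per-account licensing) clean.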
To learn more about this application of Identity Management and many others, please visit our website; Tools4ever, Inc.

Can an identity management solution save lives?

Managing double entries in hospital information / medical systems

In the field of Identity Management we are usually concerned with the management of employees and their user accounts, access rights and authorizations. Sometimes the same principles and tools that we use in Identity and Access Management projects can be applied to a wider range of situations not usually associated with identity management. Here's a recent example:

A hospital has to be very careful about the management of access rights for its employees, but also about the patient data within its applications. Recently, when meeting with the IT management of a big hospital, we were asked whether we could also prevent double entries of 'patients' in Hospital Information Systems (HIS) like Meditech, McKesson, Epic, CPSI, Sage Health, EClinical Works, Allscripts and Eclipsys.

Imagine a patient existing two times in the hospital information system due to a typo or other mistake. That means the patient has two files containing different information. The doctors may then miss important information if they don’t access the right patient file. Imagine a patient that is allergic to penicillin being given a penicillin treatment just because of a typo in the HIS.

Using the same mechanisms and tooling used by identity management solutions, in this case Tools4ever's UMRA, and applying UMRA's capacity to detect doubles or possible double entries in various systems, can save lives. With the different kinds of matching mechanisms in UMRA this is quite easy to do: a possible double can be detected very early and a notification sent to the person managing that particular data, who validates whether or not it is really the same patient. UMRA can of course also manage all the tracking and tracing required regarding the alerts and the way they have been dealt with.
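The kind of double detection described above, as an added Python example that is not UMRA's own matching logic: patient rows are normalized (accents, case and punctuation folded), and a pair is flagged either when the date of birth matches and the names are identical or similar (a name typo), or when the names are identical but the date of birth differs (a date typo). The record layout, the 0.85 similarity threshold and the sample rows are constructed for this illustration; the flagged pairs are what would be sent to the data owner for validation.

```python
"""Detect possible double patient entries in an HIS extract.

Added example, not Tools4ever/UMRA code. The record layout, the 0.85
similarity threshold and the sample rows are constructed; matching uses
name normalization plus difflib's sequence ratio.
"""
from __future__ import annotations
import re
import unicodedata
from difflib import SequenceMatcher
from itertools import combinations

NAME_THRESHOLD = 0.85


def normalize_name(s: str) -> str:
    """Fold accents, case and punctuation so 'Müller, Jörg' becomes 'mullerjorg'."""
    s = unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", s.lower())


def name_key(rec: dict) -> str:
    """Comparison key: normalized last name followed by normalized first name."""
    return normalize_name(rec["last"]) + normalize_name(rec["first"])


def name_similarity(a: str, b: str) -> float:
    """0.0 .. 1.0 similarity of two normalized name keys."""
    return SequenceMatcher(None, a, b).ratio()


def find_possible_doubles(records: list[dict], threshold: float = NAME_THRESHOLD):
    """Return (id_a, id_b, score, reason) for pairs that may be the same patient.

    Candidates share a date of birth (catches name typos) or share an exact
    normalized name (catches date-of-birth typos); every other pair is skipped,
    which keeps the comparison cheap on a large extract.
    """
    hits = []
    for a, b in combinations(records, 2):
        ka, kb = name_key(a), name_key(b)
        score = round(name_similarity(ka, kb), 3)
        if a["dob"] == b["dob"]:
            if ka == kb:
                hits.append((a["id"], b["id"], 1.0, "same name and date of birth"))
            elif score >= threshold:
                hits.append((a["id"], b["id"], score, "same date of birth, similar name"))
        elif ka == kb:
            hits.append((a["id"], b["id"], 1.0, "same name, date of birth differs"))
    return hits


if __name__ == "__main__":
    # Constructed sample rows; P1/P2 and P3/P4 are the kind of typo doubles the text describes.
    sample = [
        {"id": "P1", "last": "Smith", "first": "John", "dob": "1970-01-02"},
        {"id": "P2", "last": "Smith", "first": "Jon", "dob": "1970-01-02"},
        {"id": "P3", "last": "Müller", "first": "Jörg", "dob": "1965-05-05"},
        {"id": "P4", "last": "Mueller", "first": "Jorg", "dob": "1965-05-05"},
        {"id": "P5", "last": "Smith", "first": "Jane", "dob": "1980-03-03"},
        {"id": "P6", "last": "Smith", "first": "John", "dob": "1970-01-20"},
    ]
    for hit in find_possible_doubles(sample):
        print(hit)
```

The output of such a check is a worklist, not an automatic merge: a flagged pair with its score and reason goes to the person responsible for the data, and whether the two files are merged is their decision, which is also what makes the alert trail worth keeping.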

To learn more about Tools4ever solutions, please visit our website, Tools4ever, Inc.