<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-5171385112236341268</id><updated>2012-01-02T20:59:51.974-08:00</updated><category term='health care'/><category term='compliance'/><category term='role based access control'/><category term='password management'/><category term='sarbannes oxley'/><category term='idenityt management'/><category term='hippa'/><category term='SSO'/><category term='identity management'/><category term='Active Directory'/><category term='group management'/><title type='text'>Identity Management Solutions</title><subtitle type='html'>Brief Case studies on resolving Identity and Access Management for schools, colleges and enterprises of all sizes. 
Learn how organizations have tackled Account Life cycle management, audit reporting and Access control with real life examples.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://identitymanagementsolutions.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://identitymanagementsolutions.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Dean Wiech</name><uri>http://www.blogger.com/profile/17585484352458496050</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' src='http://4.bp.blogspot.com/_GcN_-EU49xc/TSTOw85yloI/AAAAAAAAAAM/Whq3QH_Zdl8/S220/Dean%2BWiech%2B%2528US-East%2529.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>31</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-5171385112236341268.post-8064108442693371680</id><published>2011-11-09T09:46:00.001-08:00</published><updated>2011-11-09T09:47:37.299-08:00</updated><title type='text'>Single Sign On and Password Synchronization - A powerful combination.</title><content type='html'>Password synchronization solutions can prove extremely useful for increasing efficiency and reducing costs. As with Tools4ever’s Password Synchronization Manager, they allow end-users to use a single password for logging into their network, and all other applications they require access to. After end-users have changed their password, PSM ensures that they can log in directly to all the required systems and applications with a single set of log-on credentials. 
This can improve end-user productivity and minimize the number of password-related helpdesk calls. But is it possible to enhance efficiency and workforce productivity further still? &lt;br /&gt;&lt;br /&gt;Password Synchronization solutions alone still require the end-user to manually log in to each application and system they use, which can be extremely time-consuming. A recent survey has shown that an alarming 28% of us have to remember over 12 different username and password combinations in order to do our work on a daily basis, with the majority of us having to key in up to seven. In addition, 85% of us think that we would be able to work more efficiently if the time it took to log in to systems was reduced.&lt;br /&gt;&lt;br /&gt;Single Sign On (SSO) solutions, such as Tools4ever’s E-SSOM, offer effective solutions to these issues. Once a user has logged into the network, and logged on to their required applications, E-SSOM will remember the login credentials required for each application/system and automatically log the user in thereafter, whenever the applications/systems are launched. &lt;br /&gt;&lt;br /&gt;However, in combination with PSM, there is no need for this process, as PSM communicates directly with E-SSOM. When a password is changed in Active Directory, PSM will immediately ensure that all applications/systems receive and apply the new credentials, and will communicate the current password credentials to E-SSOM, which will then launch all applications and systems automatically. &lt;br /&gt;&lt;br /&gt;The combination of these two solutions makes login procedures significantly more efficient. It optimizes user convenience and simplifies the process for system administrators when access to new applications has to be added to user accounts, and when applications/systems require users to change their login credentials frequently. 
&lt;br /&gt;With the combination of the two solutions, time-consuming log-in procedures can become a thing of the past. End-user convenience can be at an optimum level, with increased workforce productivity. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;More information on Single Sign On and Two-factor Authentication on our &lt;a href="http://www.tools4ever.com"&gt;website&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5171385112236341268-8064108442693371680?l=identitymanagementsolutions.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitymanagementsolutions.blogspot.com/feeds/8064108442693371680/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2011/11/single-sign-on-and-password.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/8064108442693371680'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/8064108442693371680'/><link rel='alternate' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2011/11/single-sign-on-and-password.html' title='Single Sign On and Password Synchronization - A powerful combination.'/><author><name>Dean Wiech</name><uri>http://www.blogger.com/profile/17585484352458496050</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' src='http://4.bp.blogspot.com/_GcN_-EU49xc/TSTOw85yloI/AAAAAAAAAAM/Whq3QH_Zdl8/S220/Dean%2BWiech%2B%2528US-East%2529.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5171385112236341268.post-418368002064390655</id><published>2011-10-18T00:43:00.000-07:00</published><updated>2011-10-18T00:45:51.963-07:00</updated><title 
type='text'>Single Sign On not enough?</title><content type='html'>A major concern for hospitals is the security and accessibility of their computers, applications and data.  Clinicians often share a common user name and password with several of their peers in an area of the hospital in order to make it easy for them to sign on to the computer and not have to waste time switching users. With several users logged in together, it is impossible for the hospital to track what each individual user is doing in the system to construct an audit trail. Recently, HIPAA reviewed these practices and recommended changes to reduce the security risks. They no longer want user names and passwords to be shared and instead want each user to be identified in the system.&lt;br /&gt; &lt;br /&gt;The most practical solution to this problem is the use of a Single Sign On product. Single Sign On would allow each user to sign into the system once and thereafter be automatically logged into each of their applications on the computer without having to enter additional credentials. Results from a Single Sign On pilot in the healthcare market revealed some concerns, though, with Single Sign On. Their concern was that the e-mail applications of the users might be available to others. The users voiced concerns that they felt very protective over their e-mail and wanted to make sure that no one is viewing their personal information. &lt;br /&gt;&lt;br /&gt;This concern could be easily alleviated, though, with Two-factor Authentication. Two-factor Authentication would ask users to present two forms of identification (pass card, pin code, USB token, etc.) in order to access the workstation, which would ensure security of their e-mail accounts. The conjunction of Single Sign On and Two-factor identification solves the HIPAA problem of security while also addressing the users' concerns about the privacy of their email accounts. 
The Two-factor Authentication also allows for fast user switching thereby reducing time spent by clinicians waiting on their profile to load. &lt;br /&gt;&lt;br /&gt;More information on Single Sign On and Two-factor Authentication on our &lt;a href="http://www.tools4ever.com"&gt;website&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5171385112236341268-418368002064390655?l=identitymanagementsolutions.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitymanagementsolutions.blogspot.com/feeds/418368002064390655/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2011/10/single-sign-on-not-enough.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/418368002064390655'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/418368002064390655'/><link rel='alternate' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2011/10/single-sign-on-not-enough.html' title='Single Sign On not enough?'/><author><name>Dean Wiech</name><uri>http://www.blogger.com/profile/17585484352458496050</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' src='http://4.bp.blogspot.com/_GcN_-EU49xc/TSTOw85yloI/AAAAAAAAAAM/Whq3QH_Zdl8/S220/Dean%2BWiech%2B%2528US-East%2529.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5171385112236341268.post-6304820092929541071</id><published>2011-10-05T11:34:00.000-07:00</published><updated>2011-10-05T11:50:48.426-07:00</updated><title type='text'>Identity Management Metrics</title><content type='html'>A recent article in &lt;a 
href="http://www.pcworld.com/businesscenter/article/240874/10_identity_management_metrics_that_matter.html/"&gt;PC WORLD&lt;/a&gt; identified ten important metrics that are critical to the success of any IDM project. I would like to take a look at a few of these items and expound upon how Tools4ever can provide software and services to provide a clear and concise implementation that will lead to a quick ROI. &lt;br /&gt;&lt;br /&gt;&lt;b&gt;Monthly Password Reset Volume&lt;/b&gt; – The article points to this as an indicator of password policy effectiveness. Too few reset requests might mean users are using simple passwords or writing them down on sticky notes. Too many requests could indicate the complexity standards are very stringent and users are having difficulty remembering their passwords.&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;b&gt;Solution&lt;/b&gt; – Self Service Reset Password Manager &lt;a href="http://www.tools4ever.com/products/self-service-reset-password-management/"&gt;(SSRPM)&lt;/a&gt; – allows companies to enforce complex passwords without inundating the help desk with user reset or unlock requests.  The product can be deployed in an average organization in less than one day and the ROI is typically a few months.&lt;/ul&gt; &lt;br /&gt;&lt;b&gt;Number of Credentials per User&lt;/b&gt; – A recent Tools4ever survey uncovered that the average user has 10-12 separate, distinct sets of credentials, and the article reiterated this fact. Once again, the large number of credentials can lead to a large number of calls to the help desk and sticky notes with user names and passwords on the monitor. &lt;ul&gt;&lt;b&gt;Solution&lt;/b&gt; – Enterprise Single Sign On Manager &lt;a href="http://www.tools4ever.com/products/enterprise-single-sign-on-manager/"&gt;(E-SSOM)&lt;/a&gt; from Tools4ever provides a cost-efficient method to reduce the number of credentials to one – the AD username and password. 
This product is easily deployed by Tools4ever consultants in a few hours to a few days – depending on the number of applications.  Two-factor or strong authentication via biometrics or smart cards eliminates the normal security concerns with SSO implementations.&lt;/ul&gt; &lt;br /&gt;&lt;br /&gt;&lt;b&gt;Average time to provision or de-provision a User&lt;/b&gt; - No one wants a new employee to sit idly for days waiting on network and email access. Even worse, a terminated employee should not have access to anything once they have left the building. Too often the information flow from HR to IT is slow or non-existent in both of these scenarios, leading to a loss of productivity or a potential security breach.&lt;ul&gt;&lt;b&gt;Solution&lt;/b&gt; – User Management Resource Administrator &lt;a href="http://www.tools4ever.com/products/user-management-resource-administrator/"&gt;(UMRA)&lt;/a&gt; allows companies to implement a closed loop process that encompasses creation, modification and deletion of user accounts.  A common scenario is to synchronize Active Directory with the authoritative data source, typically the HR system, to ensure the correct account status and security rights are always present. Web forms are easily deployed to handle non-employees such as consultants, volunteers and contractors.&lt;/ul&gt;&lt;br /&gt;&lt;br /&gt;The article has many other great discussion topics and is a quick, informative read. 
&lt;br /&gt;&lt;br /&gt;To learn more about Tools4ever solutions for Identity and Password Management, please visit our &lt;a href="http://www.tools4ever.com"&gt;website&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5171385112236341268-6304820092929541071?l=identitymanagementsolutions.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitymanagementsolutions.blogspot.com/feeds/6304820092929541071/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2011/10/identity-management-metrics.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/6304820092929541071'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/6304820092929541071'/><link rel='alternate' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2011/10/identity-management-metrics.html' title='Identity Management Metrics'/><author><name>Dean Wiech</name><uri>http://www.blogger.com/profile/17585484352458496050</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' src='http://4.bp.blogspot.com/_GcN_-EU49xc/TSTOw85yloI/AAAAAAAAAAM/Whq3QH_Zdl8/S220/Dean%2BWiech%2B%2528US-East%2529.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5171385112236341268.post-2849450612973870720</id><published>2011-09-21T11:58:00.000-07:00</published><updated>2011-09-21T12:01:26.401-07:00</updated><title type='text'>Getting Started with IDM</title><content type='html'>One of the questions often encountered when an organization decides to start an Identity Management project is “where do we start?”  Undoubtedly, when looked at as a whole, 
the task can be daunting if not completely overwhelming. What is the source of data? How do we define roles? There are dozens of applications to interface with, and the list goes on. &lt;br /&gt;&lt;br /&gt;The approach we recommend is to start small – replace the manual, paper-intensive process that is currently in place with a more automated, web-based solution. Most organizations have a new hire form that has basic information – department, location, title, etc. – and this is frequently coupled with another form that outlines what the new employee will need – network account, email, computer, phone, access to certain applications and group memberships, to name a few.&lt;br /&gt;&lt;br /&gt;A portal, such as the one in UMRA, can easily replace the paper request forms with web forms. The HR department or hiring manager completes the form online in lieu of the paper. Workflow processes automatically take over and distribute the information to the appropriate parties for approval or action. Active Directory and email accounts can quickly and securely be created, while emails can be delivered to the system owners to ensure provisioning occurs and hardware requirements are fulfilled. As items are completed, the owners indicate such in the portal, allowing for ease of tracking. &lt;br /&gt;&lt;br /&gt;A similar process can easily be set up for termination. Instead of HR sending the help desk an email, a quick entry into a web form can kick off the entire account disable and delete process. This allows for a much better level of security and reduces the risk that a terminated employee will continue to have access to systems for days, weeks or even longer!&lt;br /&gt;&lt;br /&gt;Once the “electronic” forms are in place, more time can be spent defining further requirements such as Role Based Access Control, electronic interfaces to other systems and even employee self-service. 
The net result, however, is a quick win for the entire organization – reduced paper work, better accuracy, timely account creation and, just as important, account deletion.&lt;br /&gt;&lt;br /&gt;For more information, please visit our website to learn more about our phased approach &lt;a href="http://www.tools4ever.com/products/user-management-resource-administrator/features/"&gt;Tools4ever.com&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5171385112236341268-2849450612973870720?l=identitymanagementsolutions.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitymanagementsolutions.blogspot.com/feeds/2849450612973870720/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2011/09/getting-started-with-idm.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/2849450612973870720'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/2849450612973870720'/><link rel='alternate' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2011/09/getting-started-with-idm.html' title='Getting Started with IDM'/><author><name>Dean Wiech</name><uri>http://www.blogger.com/profile/17585484352458496050</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' src='http://4.bp.blogspot.com/_GcN_-EU49xc/TSTOw85yloI/AAAAAAAAAAM/Whq3QH_Zdl8/S220/Dean%2BWiech%2B%2528US-East%2529.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5171385112236341268.post-4371109010225533762</id><published>2011-08-15T08:29:00.000-07:00</published><updated>2011-08-15T08:31:55.621-07:00</updated><title 
type='text'>Combining migration with implementation?</title><content type='html'>Many companies are apprehensive about implementing UMRA when they are in the middle of a migration process to an Active Directory (AD) environment. This may be due to the misconception that the migration must first be completed before UMRA will work properly, or that starting another project while they are in the process of migration might overcomplicate the project, thus delaying the project deadline. The fact is that UMRA assists with migration both pre and post project and streamlines the process. Tools4ever's expertise in this area provides a valuable project management asset and speeds up the migration process.&lt;br /&gt;&lt;br /&gt;There are two common migration scenarios. The first of these is domain consolidation, in which multiple AD domains are being collapsed into a single domain. In this scenario UMRA is able to recreate the user account and, more often than not, retain the username in the new domain. Organizations also have the choice to implement new naming conventions. This occurs in circumstances where the migration results in several duplications of names. UMRA will then create a new user name and alert end users, via email, to what their new username will be, along with the date that name will be made effective. &lt;br /&gt;&lt;br /&gt;Not only is the user migration process streamlined, but the migration of those users' resources is as well. This includes items like group memberships and home directory data. As users are migrated, UMRA will retain their group memberships, and if one of the groups in question doesn’t reside in the new domain, UMRA creates it automatically. Home directory data can either be copied to a new server in the new domain or re-permissioned on the existing server with the SID of the newly migrated account.
&lt;br /&gt;&lt;br /&gt;UMRA also assists and eases the migration process by:&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Eliminating Pollution&lt;/B&gt;-Most migration tools will copy 1:1 which will includes erroneous and/or stale accounts. UMRA migrates users by reconciling them against a HR/SIS system so that pollution is not included. Activity reports on which groups are not being used are generated so that unused objects are not migrated.&lt;br /&gt;&lt;br /&gt;&lt;B&gt;Fill Attributes&lt;/B&gt;-When migration takes place there might be some missing information such as “title” or “Department”. UMRA automatically populates this information as needed.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;To learn more about UMRA please visit our &lt;a href="http://www.tools4ever.com/"&gt;website&lt;/a&gt;.&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5171385112236341268-4371109010225533762?l=identitymanagementsolutions.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitymanagementsolutions.blogspot.com/feeds/4371109010225533762/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2011/08/combining-migration-with-implementation.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/4371109010225533762'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/4371109010225533762'/><link rel='alternate' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2011/08/combining-migration-with-implementation.html' title='Combining migration with implementation?'/><author><name>Dean Wiech</name><uri>http://www.blogger.com/profile/17585484352458496050</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' src='http://4.bp.blogspot.com/_GcN_-EU49xc/TSTOw85yloI/AAAAAAAAAAM/Whq3QH_Zdl8/S220/Dean%2BWiech%2B%2528US-East%2529.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5171385112236341268.post-8756533100648546240</id><published>2011-08-08T06:41:00.000-07:00</published><updated>2011-08-08T06:44:56.294-07:00</updated><title type='text'>What’s in a Password?</title><content type='html'>Find out how a recent study uncovered alarming news about the security risks in employee passwords&lt;br /&gt;&lt;br /&gt;Would you believe it if I told you that fewer than 1% of the passwords in use today are truly random? Well, the unfortunate reality is that it’s true. A recent report* shows that less than 1% of passwords used today are random in nature. In fact, the report breaks down how some people derive their passwords; for example:&lt;br /&gt;• 14% of passwords are derived from a person’s name (JohnSmith)&lt;br /&gt;• 8% of passwords are derived from a place name – most likely the place where the person lives or was born (SeattleWA)&lt;br /&gt;• 14% of passwords are purely numeric and in some situations are consecutive numbers (12345)&lt;br /&gt;• 25% of passwords are random dictionary words (computer)&lt;br /&gt;• Another 8% or so are made up of keyboard patterns, short phrases, words within the email address, and repeating words (asdf, myblackcat, @apple, redred – respectively)&lt;br /&gt;• While the remaining 31% could not be verified during the study&lt;br /&gt;&lt;br /&gt;This information is alarming to network and security administrators in any field. While most system administrators will set password complexity rules, not all do; and those that do may still find that employees use passwords that are easy to replicate. So to help prevent network breaches, organizations should consider adding identity management solutions to protect themselves. 
There are several easy solutions an organization can implement to help reduce the risk of a password security breach. &lt;br /&gt;&lt;br /&gt;One I’d like to focus a little on is implementing a solution that requires two-factor authentication. This practice requires securing the primary login using a pass-card or biometrics. Instead of entering a username and password, users can log in by presenting a pass-card/biometric to a reader and entering a PIN code. Combining a pass-card/biometrics and a PIN code ensures strong authentication, because this two-factor authentication is based on something users own (the pass-card/biometrics) and something they know (the PIN code).&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.tools4ever.com/products/enterprise-single-sign-on-manager/"&gt;Tools4ever’s Enterprise Single Sign On Manager&lt;/a&gt; (E-SSOM) offers full integration with all common two-factor authentication readers, such as HID, Mifare, Biometrie, Gridtoken, proximity-based devices and RFID readers. E-SSOM offers native integration with the driver software of the (card) reader and links the pass-card ID to the user credentials (username/password) in Active Directory. No additional software is required to create this link. This feature guarantees a user-friendly and secure login for all users. &lt;br /&gt;&lt;br /&gt;Stay tuned for my next blog, where I explain how implementing a self-service password reset option can also help ensure your employees are using secure and complex passwords.
&lt;br /&gt;&lt;br /&gt;*Source: The science of password selection by Troy Hunt&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5171385112236341268-8756533100648546240?l=identitymanagementsolutions.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitymanagementsolutions.blogspot.com/feeds/8756533100648546240/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2011/08/whats-in-password.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/8756533100648546240'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/8756533100648546240'/><link rel='alternate' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2011/08/whats-in-password.html' title='What’s in a Password?'/><author><name>Dean Wiech</name><uri>http://www.blogger.com/profile/17585484352458496050</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' src='http://4.bp.blogspot.com/_GcN_-EU49xc/TSTOw85yloI/AAAAAAAAAAM/Whq3QH_Zdl8/S220/Dean%2BWiech%2B%2528US-East%2529.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5171385112236341268.post-155882285090094125</id><published>2011-07-13T09:56:00.001-07:00</published><updated>2011-07-13T10:03:36.952-07:00</updated><title type='text'>Two-Factor Authentication for Password Resets</title><content type='html'>In order to increase security of websites, applications and networks, many organizations are increasingly turning to two-factor authentication. Recently I tried to log into my online banking from a new laptop. 
The website returned a message that it did not recognize the computer and I would need a PIN to log in.  The PIN could be delivered via email or SMS to my mobile phone. Further, the PIN could only be delivered to an email or cell number the bank already had on record – no ability to enter new information. &lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.tools4ever.com/"&gt;Tools4ever&lt;/a&gt; has recently made enhancements to our Self Service Reset Password Manager (SSRPM) software to take full advantage of two-factor authentication by several methodologies. The first enhancement, released earlier this year, delivered a PIN via an email account. The email address had to be previously entered by the end user to ensure no spoofing can occur. Once a user initiates the “Forgot My Password” wizard and completes the challenge questions, they are prompted for the PIN to complete the password reset. &lt;br /&gt;&lt;br /&gt;The most recent version of SSRPM, released on June 24th, takes two-factor authentication to the next level and provides the ability to deliver an SMS message containing the PIN. The cell phone number needs to be entered during enrollment by the end user, once again to prevent spoofing when a reset is actually performed.  In a similar fashion to the email functionality, once an end user initiates the reset wizard and completes the challenge questions successfully, they are prompted to enter the PIN delivered to their cell via SMS. &lt;br /&gt;&lt;br /&gt;To learn more about two-factor authentication, this &lt;a href="http://en.wikipedia.org/wiki/Two-factor_authentication"&gt;Wiki article&lt;/a&gt; has excellent information. 
To learn more about Tools4ever and SSRPM, please visit our &lt;a href="http://www.tools4ever.com/products/self-service-reset-password-management/"&gt;website&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5171385112236341268-155882285090094125?l=identitymanagementsolutions.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitymanagementsolutions.blogspot.com/feeds/155882285090094125/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2011/07/two-factor-authentication-for-password.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/155882285090094125'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/155882285090094125'/><link rel='alternate' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2011/07/two-factor-authentication-for-password.html' title='Two-Factor Authentication for Password Resets'/><author><name>Dean Wiech</name><uri>http://www.blogger.com/profile/17585484352458496050</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' src='http://4.bp.blogspot.com/_GcN_-EU49xc/TSTOw85yloI/AAAAAAAAAAM/Whq3QH_Zdl8/S220/Dean%2BWiech%2B%2528US-East%2529.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5171385112236341268.post-8986473839878881978</id><published>2011-06-15T13:11:00.000-07:00</published><updated>2011-06-15T13:17:20.855-07:00</updated><title type='text'>Complete an SSO Survey for a chance at an IPAD2!</title><content type='html'>Tools4ever is busy finalizing the next release of its &lt;a 
href="http://www.tools4ever.com/products/enterprise-single-sign-on-manager/"&gt;Enterprise Single Sign On Manager&lt;/a&gt;. The release, currently slated for June 17, 2011, will incorporate many new features and enhancements to existing supported application types. &lt;br /&gt;&lt;br /&gt;We would like to learn more about your interest and requirements for SSO. Please take a minute to complete a brief survey and we will enter you for a chance to win an iPad 2. This survey is limited to 500 participants so don’t delay! Click &lt;a href="https://www.surveymonkey.com/s/singlesignonsurvey/"&gt;HERE&lt;/a&gt; to take the survey and good luck!</content><link rel='replies' type='application/atom+xml' href='http://identitymanagementsolutions.blogspot.com/feeds/8986473839878881978/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2011/06/complete-sso-survey-for-chance-at-ipad2.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/8986473839878881978'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/8986473839878881978'/><link rel='alternate' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2011/06/complete-sso-survey-for-chance-at-ipad2.html' title='Complete an SSO Survey for a chance at an IPAD2!'/><author><name>Dean Wiech</name><uri>http://www.blogger.com/profile/17585484352458496050</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' 
src='http://4.bp.blogspot.com/_GcN_-EU49xc/TSTOw85yloI/AAAAAAAAAAM/Whq3QH_Zdl8/S220/Dean%2BWiech%2B%2528US-East%2529.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5171385112236341268.post-4556808381765029761</id><published>2011-06-01T11:34:00.000-07:00</published><updated>2011-06-01T11:36:56.869-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='password management'/><category scheme='http://www.blogger.com/atom/ns#' term='identity management'/><category scheme='http://www.blogger.com/atom/ns#' term='SSO'/><title type='text'>Enterprise Single Sign On for Automotive Dealerships</title><content type='html'>A recent implementation of the Tools4ever &lt;a href="http://www.tools4ever.com/products/enterprise-single-sign-on-manager/"&gt;Enterprise Single Sign On Manager&lt;/a&gt; (E-SSOM) for a group of automotive dealers in Louisiana presented a unique opportunity.  This group has a total of 15 dealerships and all were running the same HR, CRM, inventory and dealer management applications, along with a number of web-based tools. They had been utilizing an SSO application from their CRM/dealer management vendor that automatically logged personnel into the appropriate applications based on their Active Directory credentials.  &lt;br /&gt;&lt;br /&gt;The major problem occurred when the supplier made a decision to stop supporting the SSO application in a few months. &lt;br /&gt;&lt;br /&gt;The dealership started an immediate search for a replacement product. They knew all too well that the calls to the help desk for password assistance would skyrocket once the old SSO application was removed. 
Tools4ever was selected as a potential vendor and, after a thorough Proof of Concept and a few tweaks to E-SSOM, we were able to demonstrate the basic functionality of our solution in the client’s production environment by automating the logon process for 8 unique applications, including the most crucial CRM and dealer management systems. &lt;br /&gt;&lt;br /&gt;After the roll out to all current employees was completed, a decision was made to pre-enroll new users. Basically, the only credentials anyone will ever receive going forward are their AD username and password.  Access to all other applications will be handled via E-SSOM and the end users will never actually know the passwords to the eight applications they need to access.  The benefit is that by disabling a terminated employee’s AD account, or removing their E-SSOM profile, their access to every other application is automatically revoked, thus eliminating a potential security concern. &lt;br /&gt;&lt;br /&gt;To learn more about Tools4ever solutions for Identity and Password Management, please visit our &lt;a href="http://www.tools4ever.com/"&gt;website&lt;/a&gt;.</content><link rel='replies' type='application/atom+xml' href='http://identitymanagementsolutions.blogspot.com/feeds/4556808381765029761/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2011/06/enterprise-single-sign-on-for.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/4556808381765029761'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/4556808381765029761'/><link 
rel='alternate' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2011/06/enterprise-single-sign-on-for.html' title='Enterprise Single Sign On for Automotive Dealerships'/><author><name>Dean Wiech</name><uri>http://www.blogger.com/profile/17585484352458496050</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' src='http://4.bp.blogspot.com/_GcN_-EU49xc/TSTOw85yloI/AAAAAAAAAAM/Whq3QH_Zdl8/S220/Dean%2BWiech%2B%2528US-East%2529.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5171385112236341268.post-2683992444948282912</id><published>2011-05-20T13:29:00.000-07:00</published><updated>2011-05-20T13:33:18.634-07:00</updated><title type='text'>Enterprise Single Sign On</title><content type='html'>I recently attended the Interop Las Vegas trade show and one of the most asked about products we offer was our &lt;a href="http://www.tools4ever.com/products/enterprise-single-sign-on-manager/"&gt;Enterprise Single Sign On Manager&lt;/a&gt;.  One of the things I noticed was that there seem to be a lot of different takes on what companies are looking for in this arena. &lt;br /&gt;&lt;br /&gt;The &lt;a href="http://www.tools4ever.com/"&gt;Tools4ever&lt;/a&gt; solution has been on the market for a couple of years now and, as of late, has been gaining a lot of traction in the market. Some of our recent deployments include a City Government in Florida, an automobile dealer, an insurance company, a division of the Federal Courts, a charter school and a bank – quite a representation of the types of organizations looking to deploy SSO functionality. &lt;br /&gt;&lt;br /&gt;The Tools4ever implementation of SSO utilizes Active Directory as the authoritative source for Password Management.  An end user will log into AD and provide their credentials one time for every other application they are authorized to use.  
It does not matter if it is a web page, standard Windows app, mainframe session or Citrix desktop. After that, our E-SSOM solution remembers the credentials and securely provides them as required. No more sticky notes with dozens of user names and passwords on the side of the monitor. No more calls to the help desk to reset a password for a specific application.  One secure, complex password will, in essence, provide access to any authorized application. &lt;br /&gt;&lt;br /&gt;The issue of security often arises with SSO implementations as well.  What if someone hacks that one password? They now have access to everything! The common item we see here is the use of simple passwords to make them easier to remember, not enforcing regular password changes and the inevitable sticky notes! With SSO, you can make the one password more complex and enforce a regular change, making this aspect even more secure. Further, our SSO solution can randomly reset passwords to applications, so by disabling the SSO profile, you revoke access to everything!&lt;br /&gt;&lt;br /&gt;To learn more about Tools4ever and our Identity and Password management solutions, please visit our &lt;a href="http://www.tools4ever.com/"&gt;website&lt;/a&gt;.</content><link rel='replies' type='application/atom+xml' href='http://identitymanagementsolutions.blogspot.com/feeds/2683992444948282912/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2011/05/enterprise-single-sign-on.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/2683992444948282912'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/5171385112236341268/posts/default/2683992444948282912'/><link rel='alternate' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2011/05/enterprise-single-sign-on.html' title='Enterprise Single Sign On'/><author><name>Dean Wiech</name><uri>http://www.blogger.com/profile/17585484352458496050</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' src='http://4.bp.blogspot.com/_GcN_-EU49xc/TSTOw85yloI/AAAAAAAAAAM/Whq3QH_Zdl8/S220/Dean%2BWiech%2B%2528US-East%2529.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5171385112236341268.post-8012865065331158786</id><published>2011-04-27T12:42:00.000-07:00</published><updated>2011-04-27T12:47:58.845-07:00</updated><title type='text'>Password Management - Self Service and Single Sign On</title><content type='html'>According to a number of recent studies, calls to the help desk for password reset assistance make up 10 to 30% of the total call volume.  Further research asserts that the costs associated with each call range from $51 to $147 in labor costs, not to mention loss of productivity while the employee attempts to login, gives up, waits in the help desk queue and, eventually, resets the password.  One further complication: the average employee is required to maintain 8 unique combinations of user IDs and passwords, usually with varying complexity and expiration rules. &lt;br /&gt;&lt;br /&gt;So, how can the typical organization reduce the costs associated with password management and maintain the highest level of security?  
The answer lies in the Password Management solutions from Tools4ever and includes  &lt;a href="http://www.tools4ever.com/products/self-service-reset-password-management/"&gt;Self Service Password Reset Manager&lt;/a&gt; (SSRPM) and &lt;a href="http://www.tools4ever.com/products/enterprise-single-sign-on-manager/"&gt;Enterprise Single Sign On Manager&lt;/a&gt;  (E-SSOM). &lt;br /&gt;&lt;br /&gt;The first application, SSRPM, is an enrollment based application that allows users to register by answering a series of challenge questions – much like they would do for an on-line banking site.  Once enrolled, they can reset their own password directly from the Windows login screen by clicking on a “Forgot My Password” link. Alternate methods of service can be found from either a website or via Outlook Web Access integration.  To ensure high adoption rates, some organizations elect to pre-enroll employees by pulling personal information from the HR system.  This software is extremely secure and is in use by organizations ranging from 25 to 350,000 employees worldwide. &lt;br /&gt;&lt;br /&gt;The second application, E-SSOM, reduces the number of user name password combinations from the average of 8, to exactly one – the AD credentials.  By securely capturing and storing a user’s credentials for all applications they are authorized to access, E-SSOM eliminates the need for a user to write passwords on a sticky note or attempt to remember them. E-SSOM can automatically handle password changes at required time intervals and allow users to delegate credentials to a specific app for a period of time – such as a vacation.&lt;br /&gt;&lt;br /&gt;When both SSRPM and E-SSOM are used in combination, the number of calls to the help desk drops to nearly zero. 
The result is a tremendous savings of time and money and an overall increase in security.&lt;br /&gt;&lt;br /&gt;For more information on the complete Tools4ever Identity and Access Management suite, please visit our &lt;a href="http://www.tools4ever.com/"&gt;website&lt;/a&gt;.</content><link rel='replies' type='application/atom+xml' href='http://identitymanagementsolutions.blogspot.com/feeds/8012865065331158786/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2011/04/password-management-self-service-and.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/8012865065331158786'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/8012865065331158786'/><link rel='alternate' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2011/04/password-management-self-service-and.html' title='Password Management - Self Service and Single Sign On'/><author><name>Dean Wiech</name><uri>http://www.blogger.com/profile/17585484352458496050</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' src='http://4.bp.blogspot.com/_GcN_-EU49xc/TSTOw85yloI/AAAAAAAAAAM/Whq3QH_Zdl8/S220/Dean%2BWiech%2B%2528US-East%2529.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5171385112236341268.post-4041311624551012072</id><published>2011-04-26T07:51:00.000-07:00</published><updated>2011-04-26T07:59:57.880-07:00</updated><title type='text'>School Districts save time and resources by embracing network 
automation</title><content type='html'>I have been getting more questions about streamlining IT department operations and finding ways to be more efficient with fewer resources.   We have many implementations across the country for automated network account provisioning by synchronizing authoritative data sources to different directory services.  Utilizing Tools4ever’s &lt;a href="http://www.tools4ever.com/products/user-management-resource-administrator/"&gt;User Management Resource Administrator&lt;/a&gt; (UMRA), our consultants bridge the gap between student information systems like Skyward and Active Directory.&lt;br /&gt;&lt;br /&gt;School districts often struggle to create and manage user accounts in a timely manner due to lack of resources, data integrity or out-dated scripts.  Additionally, when districts rely on third party scripts, they become vulnerable when the author of those scripts departs the district.  Suddenly the scripts are unsupported and, when the infrastructure changes, the scripts break, leaving the district in a bind.  &lt;br /&gt;&lt;br /&gt;UMRA protects the integrity of the district network data by providing easily supported project files rather than scripts or code. UMRA’s enhanced development environment allows for rapid deployment of identity management systems at a very competitive price point.  As school districts look for additional ways to save money they tend to stop hiring and incorporate more automated processes.    &lt;br /&gt;&lt;br /&gt;Benefits of UMRA for Education:&lt;br /&gt;  •Manual IT procedures are automated via student information system connectors;&lt;br /&gt;  •Connecting the student information system with various teaching applications, such as Destiny, library system, access system, Live@edu, Google Apps, etc. 
;&lt;br /&gt;  •User account uniformity;&lt;br /&gt;  •Reduced input time by system and application managers through the automation of tasks;&lt;br /&gt;  •100 percent logging of all activities in the domain;&lt;br /&gt;  •Enhanced data integrity:  the domain is always fully up-to-date and pollution free;&lt;br /&gt;  •Complete implementation within a few days for immediate ROI.&lt;br /&gt;&lt;br /&gt;Common UMRA Connected Student Information Systems&lt;br /&gt;  •Banner&lt;br /&gt;  •Infinite Campus&lt;br /&gt;  •PowerSchool&lt;br /&gt;  •Aeries&lt;br /&gt;  •Jenzabar&lt;br /&gt;  •Pentamation&lt;br /&gt;  •DataTel&lt;br /&gt;  •Campus Management&lt;br /&gt;  •Teams&lt;br /&gt;&lt;br /&gt;To learn more about UMRA please visit our &lt;a href="http://www.tools4ever.com/"&gt;website&lt;/a&gt;. To read about how one school district implemented UMRA, read our &lt;a href="http://www.tools4ever.com/files/cases/lewisville.pdf"&gt;Lewisville Independent School District&lt;/a&gt; case study.</content><link rel='replies' type='application/atom+xml' href='http://identitymanagementsolutions.blogspot.com/feeds/4041311624551012072/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2011/04/school-districts-save-time-and.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/4041311624551012072'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/4041311624551012072'/><link rel='alternate' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2011/04/school-districts-save-time-and.html' title='School 
Districts save time and resources by embracing network automation'/><author><name>Dean Wiech</name><uri>http://www.blogger.com/profile/17585484352458496050</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' src='http://4.bp.blogspot.com/_GcN_-EU49xc/TSTOw85yloI/AAAAAAAAAAM/Whq3QH_Zdl8/S220/Dean%2BWiech%2B%2528US-East%2529.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5171385112236341268.post-5631172792588233578</id><published>2011-04-01T11:39:00.001-07:00</published><updated>2011-04-01T11:42:24.890-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='health care'/><category scheme='http://www.blogger.com/atom/ns#' term='hippa'/><category scheme='http://www.blogger.com/atom/ns#' term='idenityt management'/><title type='text'>Identity and Password Management in Healthcare</title><content type='html'>As of late, Tools4ever has been implementing more solutions in the healthcare market and I wanted to take a look at our clients and ascertain if there are common issues that this market sector needs to address.  Not surprisingly, there were a number of common themes in these accounts.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Shared User Accounts&lt;/span&gt;&lt;br /&gt;One of the top reasons for implementing Identity Management in healthcare is the need to eliminate the “shared” accounts.  Quite frequently, all the nurses on a floor will have one or more shared computers. Everyone uses the machine with a common, generic account.  The issue becomes security and privacy.  It is impossible to restrict access or determine who is doing what and when. &lt;br /&gt;Identity management solves this issue typically by linking an HR application to the Active Directory and creating individual logon accounts. Fast user switching, available in Vista and 7, makes this a quick process for busy healthcare professionals.  
Further, the Tools4ever Single Sign On product allows for credentials of users to be provided automatically for authorized applications when utilizing fast user switching. &lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;br /&gt;Downstream Provisioning &lt;/span&gt;&lt;br /&gt;Active Directory and email systems are just one of the many applications that require user accounts.  Pharmacy, medical records, radiology and IP phone systems are just the surface of what users need to have access accounts set up and managed.  By setting simple templates based on department and titles, it is possible to configure accounts in a majority of the applications and assign appropriate group and distribution lists as well.  In more complex environments, the use of web-based workflow utilizing single or multi-level approval can be the first step in completing an advanced Role Based Access Control (RBAC) matrix. &lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Stale Accounts&lt;/span&gt;&lt;br /&gt;By far one of the most common issues, and the one with the most potential for security breaches, is the potential for stale accounts – accounts still active when an employee, consultant or temporary employee leaves. Tools4ever provides several options for dealing with this issue. The first is to detect a termination date or flag in the HR system during a daily synch and immediately disable the account. Another option is to scan the Active Directory daily for unused accounts. If an account has not been used in, for example, 60 days, automatically send an email to the user’s manager notifying that the account will be disabled the next day if no action is taken. 
Finally, by implementing a strict policy of requiring a “disable on” date when creating accounts for consultants or temporary employees, automated email notification can take place warning of the impending disable at 5, 3 and day prior, allowing time for an extension to be entered.&lt;br /&gt;&lt;br /&gt;For further information please visit our website &lt;a href="http://www.tools4ever.com/"&gt;Tools4ever, Inc.&lt;/a&gt;, or  &lt;a href="http://www.tools4ever.com/usny/information/"&gt;Click Here&lt;/a&gt; to download a health care case study or brochure.</content><link rel='replies' type='application/atom+xml' href='http://identitymanagementsolutions.blogspot.com/feeds/5631172792588233578/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2011/04/identity-and-password-management-in.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/5631172792588233578'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/5631172792588233578'/><link rel='alternate' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2011/04/identity-and-password-management-in.html' title='Identity and Password Management in Healthcare'/><author><name>Dean Wiech</name><uri>http://www.blogger.com/profile/17585484352458496050</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' 
src='http://4.bp.blogspot.com/_GcN_-EU49xc/TSTOw85yloI/AAAAAAAAAAM/Whq3QH_Zdl8/S220/Dean%2BWiech%2B%2528US-East%2529.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5171385112236341268.post-4063800518444351568</id><published>2011-03-28T12:55:00.000-07:00</published><updated>2011-03-28T12:58:23.485-07:00</updated><title type='text'>Education and Free Email Services</title><content type='html'>One of the recent trends in the Education market over the last couple of years is the free email offerings from Google and Microsoft.  While Gmail and MSlive@edu offer a number of tangible benefits to schools and universities, including a permanent account for alumni, creating and managing the accounts can be a challenge. Adding to this issue, passwords from Active Directory are no longer automatically synchronized and, especially if you were using Exchange, an additional burden can be placed on the helpdesk to reset email passwords.&lt;br /&gt; &lt;br /&gt;Tools4ever offers solutions to both of these common issues when moving to Gmail or MS Live.  Our User Management Resource Administrator can take a feed from your Student Information System and use data from there to automatically create user accounts in the hosted email solution.  Further, when students graduate, their AD accounts can programmatically be moved to an Alumni OU and the appropriate indication made in either Gmail or MS Live. &lt;br /&gt;&lt;br /&gt;Our PSM (Password Synch Manager) and SSRPM (Self Service Reset Password Manager) also have links in both of these email applications. If a user forgets a password in AD or the email solution they can visit a web page, answer a series of challenge questions, and reset both passwords simultaneously. Although not as common for students, faculty and staff typically will have expiration dates on passwords and will need to reset them on a regular basis. 
PSM allows the capturing of this new AD password and can send it off to the email application to ensure the passwords remain in synch.  &lt;br /&gt;To learn how Tools4ever can help prevent your free mail system from costing a fortune in maintenance and help desk time, please visit our website: &lt;a href="http://www.tools4ever.com/"&gt;Tools4ever, Inc.&lt;/a&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitymanagementsolutions.blogspot.com/feeds/4063800518444351568/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2011/03/education-and-free-email-services.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/4063800518444351568'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/4063800518444351568'/><link rel='alternate' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2011/03/education-and-free-email-services.html' title='Education and Free Email Services'/><author><name>Dean Wiech</name><uri>http://www.blogger.com/profile/17585484352458496050</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' src='http://4.bp.blogspot.com/_GcN_-EU49xc/TSTOw85yloI/AAAAAAAAAAM/Whq3QH_Zdl8/S220/Dean%2BWiech%2B%2528US-East%2529.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5171385112236341268.post-3676006925542737060</id><published>2011-03-22T13:36:00.000-07:00</published><updated>2011-03-28T12:57:03.782-07:00</updated><title type='text'>Your Identity 
Management Strategy: What’s on the Menu?</title><content type='html'>Identity Management projects have a reputation for being long, costly and technically complex. What if the benefits of an Identity Management strategy could be yours without the hassle, including the overhead that goes with technically complex projects, and within the limits of your budget?&lt;br /&gt;&lt;br /&gt;Thanks to hundreds of Identity Management projects managed by our technical consultants, Tools4ever has been able to create a number of Identity Management best practices, aiming at achieving the maximum result with minimal effort. &lt;br /&gt;One best practice is establishing a real Identity Management maturity model. Another result is the Tools4ever Identity Management à la carte menu, demonstrating Tools4ever’s capacity to deliver point solutions as well as an integrated Identity Management approach.&lt;br /&gt;&lt;br /&gt;Here are some examples of the Identity Management à la carte menu of solutions that have been implemented. (The estimated implementation time refers to average size organizations of about 2000 users.)&lt;br /&gt;&lt;br /&gt;• Delegation and tracing of the management of all user accounts and their resources (2 days);&lt;br /&gt;• Synchronization with HR system (2 days); &lt;br /&gt;• Identity Management Self Service Portal and Workflow Management (5 days);&lt;br /&gt;• RBAC - Role Based Access Control level 1 (3-5 days);&lt;br /&gt;• Web portal for auditing and managing NTFS rights or Group Management (2 days);&lt;br /&gt;• Single Sign-On for your 10 main applications (3 days);&lt;br /&gt;• Self Service Password Management (1-3 days);&lt;br /&gt;• Password Synchronization (1 day).&lt;br /&gt;&lt;br /&gt;Interested? 
Please visit our website, &lt;a href="http://www.tools4ever.com/"&gt;Tools4ever, Inc.&lt;/a&gt;, to learn more about our solutions and how they will help you achieve your Identity Management goals.</content><link rel='replies' type='application/atom+xml' href='http://identitymanagementsolutions.blogspot.com/feeds/3676006925542737060/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2011/03/your-identity-management-strategy-whats.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/3676006925542737060'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/3676006925542737060'/><link rel='alternate' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2011/03/your-identity-management-strategy-whats.html' title='Your Identity Management Strategy: What’s on the Menu?'/><author><name>Dean Wiech</name><uri>http://www.blogger.com/profile/17585484352458496050</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' src='http://4.bp.blogspot.com/_GcN_-EU49xc/TSTOw85yloI/AAAAAAAAAAM/Whq3QH_Zdl8/S220/Dean%2BWiech%2B%2528US-East%2529.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5171385112236341268.post-1119708900957435074</id><published>2011-03-22T08:43:00.001-07:00</published><updated>2011-03-22T08:45:46.572-07:00</updated><title type='text'>Doing More with Less</title><content type='html'>In Identity Management, balancing efficiency and security can be a tough and expensive proposal. 
IdM projects are complex, require broad support and can very easily fail, so it's understandable that many organizations have resisted these changes in favor of business as usual. Although this is changing due to countless regulatory standards and industry trends, many businesses are still relying on antiquated and painfully manual processes for performing simple tasks such as updating phone numbers or removing access for an employee on leave. &lt;br /&gt;&lt;br /&gt;Just last week, a colleague met with a hospital whose onboarding process for a new employee involved at least 3-5 different people, two sheets of paper, several emails and a response time of two days. On top of this, it was expected that parties involved would provide accurate information and do their own error checking. With over 1400 employees, you don't need to do much calculating to realize how much time is involved with this one process and the risk that is created. The good news is that the hospital is beginning the one year process of assessing and evaluating identity management options; however, it is still unclear what role workflow automation will play in their eventual solution.&lt;br /&gt;&lt;br /&gt;Any organization, like the hospital visited, can easily implement a project that provides a series of web forms and automatic notifications that will provide a means to request, verify and approve facilities and implement network changes independently. Using a provisioning package such as Tools4ever's UMRA, these changes can be executed across the network according to predefined rule sets. 
The graphic below outlines such a process.&lt;br /&gt;&lt;br /&gt;A solution like this is easy to implement and can be an inexpensive way to manage security risks and improve the speed in which user management functions can be accomplished.&lt;br /&gt;&lt;br /&gt;For more information, visit our workflow page: &lt;a href="http://www.tools4ever.com/products/user-management-resource-administrator/features/phasefour/"&gt;Tools4ever, Inc.&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5171385112236341268-1119708900957435074?l=identitymanagementsolutions.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitymanagementsolutions.blogspot.com/feeds/1119708900957435074/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2011/03/doing-more-with-less.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/1119708900957435074'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/1119708900957435074'/><link rel='alternate' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2011/03/doing-more-with-less.html' title='Doing More with Less'/><author><name>Dean Wiech</name><uri>http://www.blogger.com/profile/17585484352458496050</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' 
src='http://4.bp.blogspot.com/_GcN_-EU49xc/TSTOw85yloI/AAAAAAAAAAM/Whq3QH_Zdl8/S220/Dean%2BWiech%2B%2528US-East%2529.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5171385112236341268.post-9030660899835752434</id><published>2011-03-18T13:24:00.001-07:00</published><updated>2011-03-18T13:38:53.659-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Active Directory'/><title type='text'>We want to automate everything, but …</title><content type='html'>With increasing frequency, we hear from our prospects a desire to automate every aspect of their Identity Management process. Inevitably, during the discovery phase, specific items are uncovered that are exceptions to the rule and difficult, or in some cases, impossible to address programmatically. It is conceivable that the vast majority of new user accounts will be handled systematically and only a rare exception will need special treatment.&lt;br /&gt;&lt;br /&gt;To this end, Tools4ever can offer a hybrid solution for automating the account lifecycle management.   As new users are entered into the Human Resource (HR) system, an automated process generates the new user account based on the predefined criteria, but instead of actually committing the account in Active Directory, a “request” is queued for further review. &lt;br /&gt;&lt;br /&gt;An email is delivered to a group stating there are pending items to be reviewed. At that point, a Systems Administrator or Help Desk person accesses a web portal and reviews the request. If all appears correct, simply clicking a submit button will execute the account creation in AD, email (Exchange, Google, Lotus) and numerous other systems. If further details are necessary – possibly specific group memberships, larger mailbox store or distribution list access to name a few – the Sys Admin or Help Desk person can add the required resources and then click submit to complete the processing. 
&lt;br /&gt;&lt;br /&gt;Extending this concept further, particularly to schools, colleges and universities, account creation for students is often straightforward and can be automated entirely, without the queued request, while account creations for faculty and staff are often more complex and lower in frequency, and can be handled using the queued process.  &lt;br /&gt;By utilizing this hybrid methodology, it is extremely easy to handle both simple and complex account creation scenarios. &lt;br /&gt;&lt;br /&gt;To learn more about this application of Identity Management and many others, please visit our website; &lt;a href="http://www.tools4ever.com/"&gt;Tools4ever, Inc.&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5171385112236341268-9030660899835752434?l=identitymanagementsolutions.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitymanagementsolutions.blogspot.com/feeds/9030660899835752434/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2011/03/we-want-to-automate-everything-but.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/9030660899835752434'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/9030660899835752434'/><link rel='alternate' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2011/03/we-want-to-automate-everything-but.html' title='We want to automate everything, but …'/><author><name>Dean Wiech</name><uri>http://www.blogger.com/profile/17585484352458496050</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' 
src='http://4.bp.blogspot.com/_GcN_-EU49xc/TSTOw85yloI/AAAAAAAAAAM/Whq3QH_Zdl8/S220/Dean%2BWiech%2B%2528US-East%2529.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5171385112236341268.post-83573532945011148</id><published>2011-03-17T12:57:00.000-07:00</published><updated>2011-03-17T13:01:20.018-07:00</updated><title type='text'>Active Directory: Dealing with Reorganizations</title><content type='html'>The health care sector is undergoing various reorganizations. These require a change in the organizational hierarchy as well as the merging or separation of organizational units. A properly configured Active Directory structure is a precondition for dealing with organizational changes in a flexible way. If the organization has opted for a branched OU structure that is closely aligned with the organizational model, a major effort may be required to modify this structure in case of changes.&lt;br /&gt;&lt;br /&gt;The structure depicted below provides an idea of how you can set up Active Directory in such a way that IT can conveniently implement organizational changes, while sufficient room is left for security mechanisms. This structure is based on the assumption that it is possible to retrieve cost centers, functional codes, departments and locations from the HR system (e.g. 
Meditech or Lawson).&lt;br /&gt;&lt;br /&gt;- Administration&lt;br /&gt;-|- Service accounts&lt;br /&gt;-|- Administration accounts&lt;br /&gt;- Organization&lt;br /&gt;-|- Computers&lt;br /&gt;-|- Users (1 OU for all user accounts)&lt;br /&gt;-|- Groups&lt;br /&gt;-|-|- Cost centers (HR interface)&lt;br /&gt;-|-|- Functions (HR interface)&lt;br /&gt;-|-|- Departments (HR interface)&lt;br /&gt;-|-|- Locations (HR interface)&lt;br /&gt;-|-|- Data (nested in the above groups)&lt;br /&gt;-|-|- Mail (nested in the above groups)&lt;br /&gt;-|-|- Applications (nested in the above groups)&lt;br /&gt;&lt;br /&gt;In this way, the user accounts can be made a member of one or more functions, departments, cost centers and/or locations. Resources such as data, mail and applications are linked to these user accounts in turn. In case of organizational changes, it will suffice to create additional HR groups. It is up to IT to link the right resources to these groups. Using Tools4ever’s UMRA solution to set up a link with the HR system allows you to link any user to the right HR group(s). In addition, IT remains in control of the assigned resources.&lt;br /&gt;&lt;br /&gt;If more GPO capabilities are required because all users are now accommodated in a single OU, it is possible to create each HR group in its own OU, for example by using UMRA. In that case it will be possible to roll out a GPO for each HR object. If you use, say, RES PowerFuse, comprehensive GPO settings are usually not required. You will be able to accommodate all HR objects in a single OU and to distinguish them, e.g. 
through their naming.&lt;br /&gt;&lt;br /&gt;To learn more about this application of Identity Management and many others, please visit our website; &lt;a href="http://www.tools4ever.com/"&gt;Tools4ever, Inc.&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5171385112236341268-83573532945011148?l=identitymanagementsolutions.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitymanagementsolutions.blogspot.com/feeds/83573532945011148/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2011/03/active-directory-dealing-with.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/83573532945011148'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/83573532945011148'/><link rel='alternate' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2011/03/active-directory-dealing-with.html' title='Active Directory: Dealing with Reorganizations'/><author><name>Dean Wiech</name><uri>http://www.blogger.com/profile/17585484352458496050</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' src='http://4.bp.blogspot.com/_GcN_-EU49xc/TSTOw85yloI/AAAAAAAAAAM/Whq3QH_Zdl8/S220/Dean%2BWiech%2B%2528US-East%2529.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5171385112236341268.post-7335682094145080393</id><published>2011-03-17T06:40:00.000-07:00</published><updated>2011-03-17T06:42:45.741-07:00</updated><title type='text'>Two-factor Password Authentication</title><content type='html'>Tools4ever’s Self Service Password Management has always been available with a web interface, in order to 
allow users to reset their Active Directory passwords from an intranet or via the web. On the basis of a number of simple, predefined questions, end-users can reset their password. Although this has been widely adopted, mostly in educational establishments, some form of two-factor authentication has been requested by many of our corporate customers.&lt;br /&gt;On the 18th of February we released SSRPM Security Module, which adds two-factor authentication via email. Two-factor authentication (TFA or 2FA) means using two independent means of evidence to assert an entity's identity to another entity. &lt;br /&gt;&lt;br /&gt;When a user logs onto the Active Directory domain for the first time following an SSRPM deployment, as well as answering a question set configured by the administrator, they will also be asked to supply a private email address. If an end user should subsequently forget their password, they can answer the challenge questions in the standard way. However, before they can reach the final stage and submit a new password, they must first enter the PIN emailed to their private address. This scenario illustrates the basic parts of most two-factor authentication systems: the "something you have" + "something you know" concept.&lt;br /&gt;Two-factor authentication already secures the web interface, but we intend to extend this further by enabling the forwarding of PINs to mobile phones by SMS. 
Watch this space for further information!&lt;br /&gt;&lt;br /&gt;To learn more about our solution, visit:&lt;a href="http://www.tools4ever.com/solutions/password-management/"&gt;Tools4ever, Inc.&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5171385112236341268-7335682094145080393?l=identitymanagementsolutions.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitymanagementsolutions.blogspot.com/feeds/7335682094145080393/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2011/03/two-factor-password-authentication.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/7335682094145080393'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/7335682094145080393'/><link rel='alternate' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2011/03/two-factor-password-authentication.html' title='Two-factor Password Authentication'/><author><name>Dean Wiech</name><uri>http://www.blogger.com/profile/17585484352458496050</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' src='http://4.bp.blogspot.com/_GcN_-EU49xc/TSTOw85yloI/AAAAAAAAAAM/Whq3QH_Zdl8/S220/Dean%2BWiech%2B%2528US-East%2529.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5171385112236341268.post-8318158546801496511</id><published>2011-03-16T07:05:00.001-07:00</published><updated>2011-03-16T07:06:19.288-07:00</updated><title type='text'>Automatic handling of helpdesk tickets related to users and access rights</title><content type='html'>Many organizations today already have web forms in place to handle requests 
for user accounts, access rights or other resources. Typically a manager can use such web forms from their intranet to announce the arrival or departure of an employee. They can request an account, mailbox, shares, groups or application rights. At the end of the form or workflow, a ticket arrives at the helpdesk, who will then create the account and resources or request that this be done by the system administrators.&lt;br /&gt;&lt;br /&gt;This time-consuming and error-prone work is entered directly in Active Directory or on other systems, and what’s more, it involves entering the same data that already exists in the help desk ticket.&lt;br /&gt;Although UMRA has its own workflow management systems and the option to create web forms, we recently found a way to deploy UMRA in an existing situation. In the example of a financial institution, we configured UMRA to automatically process all the new tickets related to users, and their rights and resources.&lt;br /&gt;&lt;br /&gt;The advantages:&lt;br /&gt;• A short implementation time of 2 days to automatically process all tickets related to users and access rights;&lt;br /&gt;• Saves a lot of time for the system administrators;&lt;br /&gt;• Guarantees that all the standards are respected; &lt;br /&gt;• Eliminates manually keying in the same information twice with possible errors;&lt;br /&gt;• Possible to process the request in different systems (Active Directory, Mail system, databases and applications).&lt;br /&gt;&lt;br /&gt;Using this methodology, all the available information from the request is utilized in the optimal way.&lt;br /&gt;&lt;br /&gt;A potential disadvantage of this situation lies in the fact that web forms that are managed within the company’s intranet are often not dynamic, creating a ‘static’ ticket. The configuration data, such as departments, OUs or groups in the Active Directory, and the relationship between an employee and his manager, have to be managed separately and often manually. 
By utilizing UMRA forms, which are fully dynamic and able to retrieve information in real time from the Active Directory or the HR system, the data can be used to create the appropriate drop-down lists, eliminating another potential for errors and manual entry.&lt;br /&gt;&lt;br /&gt;To learn more about this application of Identity Management and many others, please visit our website; &lt;a href="http://www.tools4ever.com/"&gt;Tools4ever, Inc.&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5171385112236341268-8318158546801496511?l=identitymanagementsolutions.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitymanagementsolutions.blogspot.com/feeds/8318158546801496511/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2011/03/automatic-handling-of-helpdesk-tickets.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/8318158546801496511'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/8318158546801496511'/><link rel='alternate' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2011/03/automatic-handling-of-helpdesk-tickets.html' title='Automatic handling of helpdesk tickets related to users and access rights'/><author><name>Dean Wiech</name><uri>http://www.blogger.com/profile/17585484352458496050</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' 
src='http://4.bp.blogspot.com/_GcN_-EU49xc/TSTOw85yloI/AAAAAAAAAAM/Whq3QH_Zdl8/S220/Dean%2BWiech%2B%2528US-East%2529.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5171385112236341268.post-7463714748387675176</id><published>2011-03-11T11:47:00.001-08:00</published><updated>2011-03-11T11:48:03.103-08:00</updated><title type='text'>Keeping Active Directory Clean</title><content type='html'>One of the issues that frequently arises, especially in larger organizations, is the need to provide contractors, consultants and temporary employees with access to network resources and email.  The concept of automating the lifecycle by integrating with a Human Resource system breaks down because these types of employees are rarely entered there.&lt;br /&gt;We have solved this dilemma numerous times for companies by implementing a web-based workflow.  The hiring manager accesses an internal web page and completes the relevant information  - name, department, type of employee, expected length of service, etc. Once the form is submitted, the IT or helpdesk can review the information and process it automatically. An email is delivered back to the hiring manager with the username, email address and initial password. &lt;br /&gt;The key element here to keep AD clean is the expected length of service date.  As that date approaches, a notification can be delivered to the manager asking if the date should be extended. If yes, the manager clicks on a link in the email and can enter a new end date. If no, the process automatically disables the user on the last day of service. A manager can also be given an option to disable or terminate immediately if the person has already left. &lt;br /&gt;After sitting in a disabled status for a period of 60 to 90 days, the record can automatically be purged from AD.  
Implementing a process like this saves time, potential licensing costs and increases security all while making life easier for the OIT department.&lt;br /&gt;To learn more about this application of Identity Management and many others, please visit our website; &lt;a href="http://www.tools4ever.com/"&gt;Tools4ever, Inc.&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5171385112236341268-7463714748387675176?l=identitymanagementsolutions.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitymanagementsolutions.blogspot.com/feeds/7463714748387675176/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2011/03/keeping-active-directory-clean.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/7463714748387675176'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/7463714748387675176'/><link rel='alternate' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2011/03/keeping-active-directory-clean.html' title='Keeping Active Directory Clean'/><author><name>Dean Wiech</name><uri>http://www.blogger.com/profile/17585484352458496050</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' src='http://4.bp.blogspot.com/_GcN_-EU49xc/TSTOw85yloI/AAAAAAAAAAM/Whq3QH_Zdl8/S220/Dean%2BWiech%2B%2528US-East%2529.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5171385112236341268.post-3919617309134082933</id><published>2011-03-11T11:33:00.001-08:00</published><updated>2011-03-11T11:35:47.935-08:00</updated><title type='text'>Can an identity management solution save lives?</title><content 
type='html'>Can an identity management solution save lives?&lt;br /&gt;&lt;br /&gt;Managing double entries in hospital information / medical systems&lt;br /&gt;&lt;br /&gt;In the field of Identity Management we are usually concerned with the management of employees and their user accounts, access rights and authorizations. Sometimes the same principles and tools that we use in identity and access management projects can be applied to a wider range of situations not usually associated with identity management. Here’s a recent example:&lt;br /&gt;&lt;br /&gt;A hospital has to be very secure about the management of access rights for its employees, but also when it comes to the patient data within their applications. Recently, when meeting with IT management of a big hospital, the question was asked whether we could also prevent double entries of ‘patients’ in Hospital Information Systems (HIS) like Meditech, McKesson, Epic, CPSI, Sage Health, EClinical Works, Allscripts and Eclipsys. &lt;br /&gt;&lt;br /&gt;Imagine a patient existing two times in the hospital information system due to a typo or other mistake. That means the patient has two files containing different information. The doctors may then miss important information if they don’t access the right patient file. Imagine a patient that is allergic to penicillin being given a penicillin treatment just because of a typo in the HIS.&lt;br /&gt;&lt;br /&gt;Using the same mechanisms and tooling used by identity management solutions, in this case Tools4ever’s UMRA, and applying UMRA’s capacity to detect doubles or possible double entries in various systems, can save lives.  And with the different kinds of matching mechanisms in UMRA this is quite easy to do - a possible double can then be detected very early and a notification sent to the person managing that particular data to validate whether or not we are really talking about the same patient. 
UMRA can of course also manage all the tracking and tracing required regarding the alerts and the way they have been dealt with.&lt;br /&gt;&lt;br /&gt;To learn more about Tools4ever solutions, please visit our website,&lt;br /&gt;&lt;a href="http://www.tools4ever.com/"&gt;Tools4ever, Inc.&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5171385112236341268-3919617309134082933?l=identitymanagementsolutions.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitymanagementsolutions.blogspot.com/feeds/3919617309134082933/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2011/03/can-identity-management-solution-save.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/3919617309134082933'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/3919617309134082933'/><link rel='alternate' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2011/03/can-identity-management-solution-save.html' title='Can an identity management solution save lives?'/><author><name>Dean Wiech</name><uri>http://www.blogger.com/profile/17585484352458496050</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' src='http://4.bp.blogspot.com/_GcN_-EU49xc/TSTOw85yloI/AAAAAAAAAAM/Whq3QH_Zdl8/S220/Dean%2BWiech%2B%2528US-East%2529.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5171385112236341268.post-513567874466612621</id><published>2011-02-22T13:39:00.000-08:00</published><updated>2011-02-22T13:42:32.290-08:00</updated><title type='text'>Manage Outlook Office Assistant without direct access to the 
mailbox</title><content type='html'>A common situation in organizations: an employee is ill and/or absent for a long period of time and his/her Outlook Assistant is not activated. Result: e-mails are not answered, poor service and angry customers.&lt;br /&gt;&lt;br /&gt;Because of data protection, it is not possible to turn on the Outlook Office Assistant without direct access to the mailbox. Another employee must be aware of the login credentials of the absent worker to read e-mails, forward e-mails and turn on the Outlook Office Assistant. &lt;br /&gt;&lt;br /&gt;This can create an insecure situation. However, this situation can be easily resolved with Out of Office Manager Tool (OOMT) by Tools4ever, &lt;a href="http://www.tools4ever.com/products/out-of-office-manager/"&gt;&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;With OOMT, administrators or helpdesk personnel can turn on Outlook Office assistant wizard without logging into the mailbox of the user. This task can also be delegated to departments, even without additional admin rights.&lt;br /&gt;&lt;br /&gt;It is also possible to integrate OOMT in Tools4ever’s User Management Resource Administrator (UMRA) in order to make a connection with the HR system of the company. The HR system keeps up with employees that are sick, on vacation or on business trip, and when an employee leaves the organization. 
Thanks to this integration, UMRA can automatically install the Out of Office Assistant and forward e-mails so they can be answered promptly.&lt;br /&gt;&lt;br /&gt;Professional handling of email traffic in your organization is guaranteed.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5171385112236341268-513567874466612621?l=identitymanagementsolutions.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitymanagementsolutions.blogspot.com/feeds/513567874466612621/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2011/02/manage-outlook-office-assistant-without.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/513567874466612621'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/513567874466612621'/><link rel='alternate' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2011/02/manage-outlook-office-assistant-without.html' title='Manage Outlook Office Assistant without direct access to the mailbox'/><author><name>Dean Wiech</name><uri>http://www.blogger.com/profile/17585484352458496050</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' src='http://4.bp.blogspot.com/_GcN_-EU49xc/TSTOw85yloI/AAAAAAAAAAM/Whq3QH_Zdl8/S220/Dean%2BWiech%2B%2528US-East%2529.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5171385112236341268.post-808316528741465703</id><published>2011-01-31T11:01:00.000-08:00</published><updated>2011-01-31T11:21:22.542-08:00</updated><title type='text'>A school system registers parents...</title><content type='html'>As part of this blog, I strive to present 
unique cases where clients have requirements that are “outside” the box of normal Identity Management solutions and I think this one definitely fits the bill.&lt;br /&gt;&lt;br /&gt;One of the top 10 school districts in the State of Florida, and top 25 in the country, had an Identity Management issue that did not involve students or faculty/ staff but rather the parents. Legislation had been passed that required any parent wanting access to their child's online learning environment to present themselves in person with identification and request an account.  With over 125 physical locations and 500 + users that would be handling the process, a paper system was out of the question.&lt;br /&gt;The solution that was settled on was a combination of standard Tools4ever products and just a little bit of custom web work.&lt;br /&gt;&lt;br /&gt;Tools4ever worked very closely with the technical staff of the district to ensure the requirements were very detailed to avoid any missed components.  In the end, a solution was delivered utilizing User Management Resource Administrator (&lt;a href="http://www.tools4ever.com/products/user-management-resource-administrator/"&gt;UMRA &lt;/a&gt;), in about 30 hours of consulting that fully met their needs.&lt;br /&gt;&lt;br /&gt;Here is a brief overview of the solution:&lt;ul&gt;&lt;br /&gt;&lt;li&gt;A parent shows up at a school and requests an account to access their child(s) information.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;A secretary or administrator verifies their ID and enters relevant information into a web page including:&lt;/li&gt;&lt;/ul&gt;&lt;ol&gt;&lt;ul type="circle"&gt;&lt;br /&gt;&lt;li&gt;Name&lt;/li&gt;&lt;br /&gt;&lt;li&gt;ID type, number and expiration date&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Phone number(s)&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Address&lt;/li&gt;&lt;br /&gt;&lt;li&gt;E-mail&lt;/li&gt;&lt;/ul&gt;&lt;ul&gt;&lt;/ul&gt;&lt;/ol&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;The secretary then searches for the student(s) using name 
or student ID criteria and verifies with the parent that the correct name is displayed.&lt;/li&gt; &lt;br /&gt;&lt;li&gt;The individual then hits a “Create Parent Record” button and, if no duplicate entries are found, the record is created in Active Directory and the student information system and a link between the parent and child is created.&lt;/li&gt; &lt;br /&gt;&lt;li&gt;A temporary password is returned and the secretary records the information, along with the user name, and delivers it to the parent. &lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;br /&gt;As part of the project, Self Service Reset Password Manager (&lt;a href="http://www.tools4ever.com/products/self-service-reset-password-management/"&gt;SSRPM &lt;/a&gt;) was also deployed for the parents to allow them to enroll and reset their passwords via challenge questions and avoid an unnecessary burden on the help desk staff.&lt;br /&gt;&lt;br /&gt;Additional web forms were delivered to allow administrative staff to reset passwords for parents’ accounts, check their SSRPM enrollment status, run last logon reports, disable accounts, update accounts and report on SSRPM enrollment.&lt;br /&gt;&lt;br /&gt;Since deploying the system, over 100,000 parents have been successfully enrolled and can access their child’s records with ease.  
Paperwork that had previously been utilized for the process has been eliminated and, through SSRPM, the additional burden on the help desk has been non-existent.&lt;br /&gt;&lt;br /&gt;To learn more about Tools4ever solutions, please visit our website,&lt;br /&gt;&lt;a href="http://www.tools4ever.com/"&gt;Tools4ever, Inc.&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5171385112236341268-808316528741465703?l=identitymanagementsolutions.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitymanagementsolutions.blogspot.com/feeds/808316528741465703/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2011/01/school-system-registers-parents.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/808316528741465703'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/808316528741465703'/><link rel='alternate' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2011/01/school-system-registers-parents.html' title='A school system registers parents...'/><author><name>Dean Wiech</name><uri>http://www.blogger.com/profile/17585484352458496050</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' src='http://4.bp.blogspot.com/_GcN_-EU49xc/TSTOw85yloI/AAAAAAAAAAM/Whq3QH_Zdl8/S220/Dean%2BWiech%2B%2528US-East%2529.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5171385112236341268.post-2422386374979279166</id><published>2011-01-26T08:31:00.000-08:00</published><updated>2011-03-18T13:33:31.715-07:00</updated><title type='text'>UMRA &amp; Controlled Assessment</title><content 
type='html'>UMRA &amp; Controlled Assessment &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Traditionally, the part of the &lt;a href="http://www.tools4ever.com/"&gt;Tools4ever&lt;/a&gt; Identity Management Suite that schools and colleges use is UMRA Forms, a secure interface to quickly and accurately manage the life cycle of a user. However, when a school links Active Directory to their student information system, all student account changes are automated, with no need for manual intervention. This negates the requirement for UMRA Forms.&lt;br /&gt;&lt;br /&gt;However, a couple of months ago we were approached by a school with an interesting problem regarding controlled assessment. The school’s IT Manager creates exam accounts for pupils, with home directories shared in the normal way to each user. In the home directory he creates a series of "Exam" folders, which the pupil should only access during a Controlled Assessment session. As this is a boarding school, pupils may need to use their exam accounts outside of a controlled assessment period, so enabling and disabling the account as required is not a suitable solution.&lt;br /&gt;&lt;br /&gt;What the IT Manager really required was a way to control NTFS permissions on the exam folders within the home directory for each account. So, Tools4ever built a simple interface, delegated to teaching staff, that switches access to the exam folders on and off at the click of a button.&lt;br /&gt;&lt;br /&gt;Now he has shifted the tedious task of controlling exam accounts back to teaching staff. 
More importantly UMRA is logging every action to keep the auditors happy.&lt;br /&gt;&lt;br /&gt; To learn more on Tools4ever solutions, visit our website:&lt;br /&gt;&lt;a href="http://www.tools4ever.com/products/enterprise-single-sign-on-manager/"&gt;Identity Management &lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5171385112236341268-2422386374979279166?l=identitymanagementsolutions.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitymanagementsolutions.blogspot.com/feeds/2422386374979279166/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2011/01/umra-controlled-assessment.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/2422386374979279166'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/2422386374979279166'/><link rel='alternate' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2011/01/umra-controlled-assessment.html' title='UMRA &amp; Controlled Assessment'/><author><name>Dean Wiech</name><uri>http://www.blogger.com/profile/17585484352458496050</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' src='http://4.bp.blogspot.com/_GcN_-EU49xc/TSTOw85yloI/AAAAAAAAAAM/Whq3QH_Zdl8/S220/Dean%2BWiech%2B%2528US-East%2529.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5171385112236341268.post-2434231378588524610</id><published>2011-01-05T11:39:00.000-08:00</published><updated>2011-01-05T12:00:58.738-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='password management'/><category scheme='http://www.blogger.com/atom/ns#' 
term='identity management'/><title type='text'>Password Management Leads to More!</title><content type='html'>A recent pilot project at a large Canadian manufacturing firm, with about 3,500 employees, resulted in a successful implementation and purchase. After evaluating numerous vendors over a 6-month period, this diverse, global manufacturer decided on a pilot implementation of Tools4ever products as a proof of concept. We deployed several of our standard products, along with professional services, to meet the client requirements.  Here is a brief synopsis of their requirements and how we set about providing a total solution.&lt;br /&gt;&lt;br /&gt;The first phase of the project was to provide a standard methodology to allow end users to reset their Active Directory passwords without calling the helpdesk. In addition to modifying the Windows login screen, a web portal was also required to facilitate resets from machines that were not part of the domain.  Further, both components needed to be available in English, French, Spanish, German and Finnish.  Self Service Reset Password Manager (SSRPM) provided the needed functionality out of the box, with the only shortfall being native support for Finnish. However, as all the text for the Enrollment and Reset Wizards is contained in a locale file, the modification for Finnish was accomplished by the client in about 45 minutes.&lt;br /&gt;&lt;br /&gt;The second phase of this project involved the use of User Management Resource Administrator (UMRA) Web for Employee Self Service and Delegation and Password Synchronization Manager.  The desired result of this phase was to be able to reset a user’s SAP password at the same time as, and using the same password as, the AD password. In order to accomplish this, it was necessary to collect the SAP user name from the end users, as there was no relationship established between the AD and SAP credentials.  
A number of other attributes, such as manager’s name and cell phone, were also collected for populating AD.  Once this phase was completed, an end user could perform a normal password reset through CTRL-ALT-DEL or reset a forgotten password through SSRPM, and the password would automatically be reset in both AD and SAP.&lt;br /&gt;&lt;br /&gt;The third and final phase of the project involves the UMRA Delegation and Workflow components. The company has a large number of consultants and temporary employees. When their accounts are created in AD, they will be tagged with an anticipated expiration date in Active Directory. Two weeks prior to this date, the manager will be notified of the pending action and given an opportunity to extend the date.  If no action is taken, a second notice will be generated one week prior, and then again the day prior to expiration.  If no action is taken prior to expiration, the account is automatically disabled and moved to a separate OU.  After 30 days in a disabled state, the account is automatically deleted from AD. This process provides an automated methodology for keeping AD clean.&lt;br /&gt;&lt;br /&gt;Shortly after wrapping up Phase 3, the company will begin to look at other Tools4ever solutions including Enterprise Single Sign On and automated user account provisioning.  
To learn more on Tools4ever solutions, visit our website:&lt;br /&gt;&lt;a href="http://www.tools4ever.com/products/enterprise-single-sign-on-manager/"&gt;Identity Management &lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5171385112236341268-2434231378588524610?l=identitymanagementsolutions.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitymanagementsolutions.blogspot.com/feeds/2434231378588524610/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2011/01/password-management-leads-to-more.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/2434231378588524610'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/2434231378588524610'/><link rel='alternate' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2011/01/password-management-leads-to-more.html' title='Password Management Leads to More!'/><author><name>Dean Wiech</name><uri>http://www.blogger.com/profile/17585484352458496050</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' src='http://4.bp.blogspot.com/_GcN_-EU49xc/TSTOw85yloI/AAAAAAAAAAM/Whq3QH_Zdl8/S220/Dean%2BWiech%2B%2528US-East%2529.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5171385112236341268.post-4912718078555135456</id><published>2010-10-18T08:17:00.000-07:00</published><updated>2010-10-18T08:28:35.079-07:00</updated><title type='text'>Single Sign On in the Healthcare Market</title><content type='html'>Single Sign On access to the electronic health record (EHR)&lt;br /&gt;&lt;br /&gt;Lately, numerous healthcare organizations have 
shown interest in Single Sign-On. With several audits and regulations in mind, the healthcare market is working hard to improve access security. Group accounts are replaced by individual accounts and password complexity requirements are tightened. Passwords must now meet increasing demands, such as a minimum length, inclusion of a special character and sometimes exclusion of known words such as the department name or the name of the institution. In addition, passwords must be changed regularly and simply incrementing a digit is not allowed.&lt;br /&gt;&lt;br /&gt;Privacy and access control&lt;br /&gt;The enhanced access control is a good thing to ensure patient privacy and prevent potential abuse of data. Unfortunately, these measures have a downside. Stronger access control not only makes it more difficult to gain unauthorized access to systems and applications, it also makes access more difficult for the care giver. The care giver is frequently required to access data quickly from multiple applications and multiple workstations. If all of these applications need a complex / strong password and these passwords are all different, it quickly results in frustration among the users! The IT department is quite often blamed and can become overwhelmed with password reset requests. To be able to quickly access the desired applications, users often place a note with the passwords under the keyboard or on the side of the monitor. It goes without saying that from a security perspective this is highly undesirable!&lt;br /&gt;&lt;br /&gt;Access with Single Sign-On&lt;br /&gt;Fortunately, there is a solution to the above problems that combines strong security with a high degree of usability. Enterprise Single Sign-On (SSO) allows care givers to quickly access applications and systems yet guarantees a level of optimal security. Enterprise SSO allows users, after logging in once, to access all applications and systems for which the user is authorized. 
The SSO software then captures the login screen and provides quick access to data. The user now only needs to remember one password or, in the case of a secure card system, only use the card with a code and skip the password altogether.&lt;br /&gt;&lt;br /&gt;Authentication&lt;br /&gt;At first glance, it appears that this solution might weaken security, since all major applications are now behind a single point of access. In practice, access security is greatly improved with SSO. The condition is that the user authentication is very well protected. Think of a strong password that must be changed regularly, or the use of access cards (UZI card, RFID pass, smart cards, tokens or biometrics), possibly combined with a code. If this card can also be used to log on to the computer and to access the EHR and other healthcare systems, the user friendliness for the healthcare market is optimal. Of course, a high level of user friendliness also means a higher price tag. Authentication via a token card or biometrics takes a significantly higher investment than implementing single sign-on through a complex password. With the cuts in the healthcare market and increasingly tight budgets, often the choice is made for single sign-on through a complex password. This still results in very fast access to data and provides significant user friendliness without high investments and long implementation times.&lt;br /&gt;&lt;br /&gt;Technically, both offer a strong access security solution that fully meets the requirements of most auditors and regulations. The purported weakening of access security brought on by implementing Single Sign-On appears unfounded in practice. Because the users only need to remember one password or even just carry a card, the characteristic Post-it style notes under the keyboard or on the monitor disappear and attackers can no longer easily access vital data. 
Also, the IT department can now implement a strict password policy without fearing major resistance from users.&lt;br /&gt;&lt;br /&gt;Fast-user switching&lt;br /&gt;In relation to Single Sign-On, the term fast-user switching is frequently used. Through fast-user switching, users can quickly log on and access information, such as patient data, in the Medical Records systems. The delay caused by logging on and off the Windows operating system is bypassed. In some networks, this log off/on can take several minutes and this is very disruptive, especially in the healthcare market. With Fast User Switching in combination with SSO, changing the user context is handled within the SSO environment and therefore a user can change from one account to another within 10 seconds. This functionality is appealing to doctors who, while performing their rounds, often have to log on to multiple workstations. For many hospitals, a long-standing fear was that the abolition of group accounts would result in long delays while logging on to shared computers. After all, the employees must identify themselves with their own username and password before they can access medical records. With fast user switching, there is no longer the long delay. 
Users can log in quickly on different systems; especially in combination with a card system, the user can access the information in various systems and applications within a few seconds.&lt;br /&gt;&lt;br /&gt;&lt;div&gt;More information on Enterprise Single Sign On can be found at: &lt;a href="http://www.tools4ever.com/products/enterprise-single-sign-on-manager/"&gt;ESSOM Solutions &lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5171385112236341268-4912718078555135456?l=identitymanagementsolutions.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitymanagementsolutions.blogspot.com/feeds/4912718078555135456/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2010/10/single-sign-on-in-healthcare-market.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/4912718078555135456'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/4912718078555135456'/><link rel='alternate' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2010/10/single-sign-on-in-healthcare-market.html' title='Single Sign On in the Healthcare Market'/><author><name>Dean Wiech</name><uri>http://www.blogger.com/profile/17585484352458496050</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' 
src='http://4.bp.blogspot.com/_GcN_-EU49xc/TSTOw85yloI/AAAAAAAAAAM/Whq3QH_Zdl8/S220/Dean%2BWiech%2B%2528US-East%2529.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5171385112236341268.post-8198411194884869495</id><published>2010-10-12T11:43:00.000-07:00</published><updated>2010-10-12T11:47:20.327-07:00</updated><title type='text'>HR link with Lotus Notes Address Book</title><content type='html'>With UMRA we create a lot of links from HRM systems to Active Directory in order to automate user account management. UMRA is capable, with one of its 130+ connectors, of collecting data that is important for creating, updating and disabling user accounts. As an example, we can read from an HR system when new users are employed or when changes occur in titles, transfers to other departments and other associated contact data.&lt;div&gt;&lt;br /&gt;Besides user account management in Active Directory, UMRA can also be applied to update the Lotus Notes address book. We are regularly in contact with clients who have a Lotus Notes address book containing outdated information about staff. Phone numbers are no longer correct or manually completed titles and department names contain spelling errors.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;Through UMRA we can easily and quickly (typically within 1 to 2 days) connect the Lotus Notes address book to the HRM systems, such as SAP or PeopleSoft. These systems include the most up-to-date information for employees, which UMRA can rapidly synchronize to the Lotus Notes Address Book. On the Lotus Notes side, nothing needs to be changed to accomplish this. UMRA can intelligently decide which data needs to be modified and then update only those specific details. For the IT organization, UMRA can provide detailed reporting about what data on what people has been changed and at what time. It is also possible to configure UMRA so that certain data will not be transferred on a one-to-one basis to Lotus Notes. 
UMRA offers full support for Lotus Notes, including complex operation and account management.&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;More information on connectors to HR systems can be found at:&lt;a href="http://www.tools4ever.com/products/user-management-resource-administrator/features/phasethree/"&gt;How to connect with an HR system.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5171385112236341268-8198411194884869495?l=identitymanagementsolutions.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitymanagementsolutions.blogspot.com/feeds/8198411194884869495/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2010/10/hr-link-with-lotus-notes-address-book.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/8198411194884869495'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/8198411194884869495'/><link rel='alternate' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2010/10/hr-link-with-lotus-notes-address-book.html' title='HR link with Lotus Notes Address Book'/><author><name>Dean Wiech</name><uri>http://www.blogger.com/profile/17585484352458496050</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' 
src='http://4.bp.blogspot.com/_GcN_-EU49xc/TSTOw85yloI/AAAAAAAAAAM/Whq3QH_Zdl8/S220/Dean%2BWiech%2B%2528US-East%2529.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5171385112236341268.post-3754304723968917119</id><published>2010-08-23T08:35:00.000-07:00</published><updated>2010-08-23T10:23:29.911-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='role based access control'/><category scheme='http://www.blogger.com/atom/ns#' term='identity management'/><title type='text'>A flying start with Role Based Access Control (RBAC)</title><content type='html'>RBAC or Role Based Access Control is hot! With increasing frequency, organizations that I meet see the importance of a structured way of managing and granting authorizations in the network. Often, when granting authorizations, a copy is made of a colleague who has "about" the same function. This results in many new employees gaining access to systems and applications that they do not need. Attention is rarely paid to the withdrawal of authorizations after copying a user, and that has consequences for licensing costs and information security. &lt;br /&gt;&lt;br /&gt;RBAC is one of the possible ways to solve this problem. RBAC consists of a matrix of roles, functions and specific access rights. For example, when a new employee joins the organization, the RBAC matrix determines what the new employee will be allowed to do in the network. That's the theory. In practice, populating such a matrix brings many problems. Because people often feel their needs are one of a kind, this often leads to as many roles as there are employees. Ultimately, that results in an infinite and unworkable matrix. Companies are therefore afraid to implement RBAC within their organization. However, there are organizations that get started and strive to get 100 percent of the employees in the RBAC matrix. 
I think this is improbable and may take years of both management’s and the Security Officer’s time to implement. &lt;br /&gt;&lt;br /&gt;Want a quick start with RBAC? It is quite feasible if you do not target 100 percent in the first instance. Based on information from the HR system, it is possible to explore the 50 most common combinations of departments and functions within the organization. This allows the completion of up to 80 percent of the RBAC matrix immediately, all within a few days! Then, a workflow application can be used to fill in the remaining 20 percent, manually entered by the manager of an employee. &lt;br /&gt;&lt;br /&gt;It may be years before the RBAC matrix is 100 percent complete, but by incorporating existing systems and sources, such as the HR system, and the focus of the manager, the population of the RBAC matrix is a manageable process with direct results. The result is a positive ROI with respect to the feasibility of RBAC and the amount of effort required to enforce positive IT auditing standards. 
An indirect benefit is often a reduction of licensing costs, storage requirements and security incidents.&lt;br /&gt;&lt;a href="http://www.tools4ever.com/products/user-management-resource-administrator/features/phasefive/"&gt;How to deal with Role Based Access Control (RBAC) in relation to Identity Management&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5171385112236341268-3754304723968917119?l=identitymanagementsolutions.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitymanagementsolutions.blogspot.com/feeds/3754304723968917119/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2010/08/flying-start-with-role-based-access.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/3754304723968917119'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/3754304723968917119'/><link rel='alternate' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2010/08/flying-start-with-role-based-access.html' title='A flying start with Role Based Access Control (RBAC)'/><author><name>Dean Wiech</name><uri>http://www.blogger.com/profile/17585484352458496050</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' src='http://4.bp.blogspot.com/_GcN_-EU49xc/TSTOw85yloI/AAAAAAAAAAM/Whq3QH_Zdl8/S220/Dean%2BWiech%2B%2528US-East%2529.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5171385112236341268.post-6352279446145412160</id><published>2009-06-01T13:05:00.000-07:00</published><updated>2009-06-01T13:08:08.526-07:00</updated><title type='text'>Second of a series</title><content 
type='html'>&lt;!--[if gte mso 9]&gt;&lt;xml&gt;  &lt;w:latentstyles deflockedstate="false" defunhidewhenused="true" defsemihidden="true" defqformat="false" defpriority="99" latentstylecount="267"&gt;   &lt;w:lsdexception 
locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3 Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" name="Light Shading Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="61" semihidden="false" unhidewhenused="false" name="Light List Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="62" semihidden="false" unhidewhenused="false" name="Light Grid Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="63" semihidden="false" unhidewhenused="false" name="Medium Shading 1 Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="64" semihidden="false" unhidewhenused="false" name="Medium Shading 2 Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="65" semihidden="false" unhidewhenused="false" name="Medium List 1 Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="66" semihidden="false" unhidewhenused="false" name="Medium List 2 Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1 Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2 Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3 Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List Accent 3"&gt;   
&lt;w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" name="Light Shading Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="61" semihidden="false" unhidewhenused="false" name="Light List Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="62" semihidden="false" unhidewhenused="false" name="Light Grid Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="63" semihidden="false" unhidewhenused="false" name="Medium Shading 1 Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="64" semihidden="false" unhidewhenused="false" name="Medium Shading 2 Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="65" semihidden="false" unhidewhenused="false" name="Medium List 1 Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="66" semihidden="false" unhidewhenused="false" name="Medium List 2 Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1 Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2 Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3 Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful 
List Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" name="Light Shading Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="61" semihidden="false" unhidewhenused="false" name="Light List Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="62" semihidden="false" unhidewhenused="false" name="Light Grid Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="63" semihidden="false" unhidewhenused="false" name="Medium Shading 1 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="64" semihidden="false" unhidewhenused="false" name="Medium Shading 2 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="65" semihidden="false" unhidewhenused="false" name="Medium List 1 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="66" semihidden="false" unhidewhenused="false" name="Medium List 2 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" 
name="Light Shading Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="61" semihidden="false" unhidewhenused="false" name="Light List Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="62" semihidden="false" unhidewhenused="false" name="Light Grid Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="63" semihidden="false" unhidewhenused="false" name="Medium Shading 1 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="64" semihidden="false" unhidewhenused="false" name="Medium Shading 2 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="65" semihidden="false" unhidewhenused="false" name="Medium List 1 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="66" semihidden="false" unhidewhenused="false" name="Medium List 2 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="19" semihidden="false" unhidewhenused="false" qformat="true" name="Subtle Emphasis"&gt;   &lt;w:lsdexception locked="false" priority="21" semihidden="false" unhidewhenused="false" qformat="true" name="Intense Emphasis"&gt;   &lt;w:lsdexception locked="false" priority="31" 
semihidden="false" unhidewhenused="false" qformat="true" name="Subtle Reference"&gt;   &lt;w:lsdexception locked="false" priority="32" semihidden="false" unhidewhenused="false" qformat="true" name="Intense Reference"&gt;   &lt;w:lsdexception locked="false" priority="33" semihidden="false" unhidewhenused="false" qformat="true" name="Book Title"&gt;   &lt;w:lsdexception locked="false" priority="37" name="Bibliography"&gt;   &lt;w:lsdexception locked="false" priority="39" qformat="true" name="TOC Heading"&gt;  &lt;/w:LatentStyles&gt; &lt;/xml&gt;&lt;![endif]--&gt;&lt;style&gt; &lt;!--  /* Font Definitions */  @font-face 	{font-family:"Cambria Math"; 	panose-1:2 4 5 3 5 4 6 3 2 4; 	mso-font-charset:1; 	mso-generic-font-family:roman; 	mso-font-format:other; 	mso-font-pitch:variable; 	mso-font-signature:0 0 0 0 0 0;} @font-face 	{font-family:Calibri; 	panose-1:2 15 5 2 2 2 4 3 2 4; 	mso-font-charset:0; 	mso-generic-font-family:swiss; 	mso-font-pitch:variable; 	mso-font-signature:-1610611985 1073750139 0 0 159 0;}  /* Style Definitions */  p.MsoNormal, li.MsoNormal, div.MsoNormal 	{mso-style-unhide:no; 	mso-style-qformat:yes; 	mso-style-parent:""; 	margin-top:0in; 	margin-right:0in; 	margin-bottom:10.0pt; 	margin-left:0in; 	line-height:115%; 	mso-pagination:widow-orphan; 	font-size:11.0pt; 	font-family:"Calibri","sans-serif"; 	mso-ascii-font-family:Calibri; 	mso-ascii-theme-font:minor-latin; 	mso-fareast-font-family:Calibri; 	mso-fareast-theme-font:minor-latin; 	mso-hansi-font-family:Calibri; 	mso-hansi-theme-font:minor-latin; 	mso-bidi-font-family:"Times New Roman"; 	mso-bidi-theme-font:minor-bidi;} .MsoChpDefault 	{mso-style-type:export-only; 	mso-default-props:yes; 	mso-ascii-font-family:Calibri; 	mso-ascii-theme-font:minor-latin; 	mso-fareast-font-family:Calibri; 	mso-fareast-theme-font:minor-latin; 	mso-hansi-font-family:Calibri; 	mso-hansi-theme-font:minor-latin; 	mso-bidi-font-family:"Times New Roman"; 	mso-bidi-theme-font:minor-bidi;} .MsoPapDefault 	
{mso-style-type:export-only; 	margin-bottom:10.0pt; 	line-height:115%;} @page Section1 	{size:8.5in 11.0in; 	margin:1.0in 1.0in 1.0in 1.0in; 	mso-header-margin:.5in; 	mso-footer-margin:.5in; 	mso-paper-source:0;} div.Section1 	{page:Section1;} --&gt; &lt;/style&gt;&lt;!--[if gte mso 10]&gt; &lt;style&gt;  /* Style Definitions */  table.MsoNormalTable 	{mso-style-name:"Table Normal"; 	mso-tstyle-rowband-size:0; 	mso-tstyle-colband-size:0; 	mso-style-noshow:yes; 	mso-style-priority:99; 	mso-style-qformat:yes; 	mso-style-parent:""; 	mso-padding-alt:0in 5.4pt 0in 5.4pt; 	mso-para-margin-top:0in; 	mso-para-margin-right:0in; 	mso-para-margin-bottom:10.0pt; 	mso-para-margin-left:0in; 	line-height:115%; 	mso-pagination:widow-orphan; 	font-size:11.0pt; 	font-family:"Calibri","sans-serif"; 	mso-ascii-font-family:Calibri; 	mso-ascii-theme-font:minor-latin; 	mso-fareast-font-family:"Times New Roman"; 	mso-fareast-theme-font:minor-fareast; 	mso-hansi-font-family:Calibri; 	mso-hansi-theme-font:minor-latin;} &lt;/style&gt; &lt;![endif]--&gt;  &lt;p class="MsoNormal"&gt;A 6,500 employee company that provides professional services and technology solutions in energy and climate change to government and commercial clients had a problem. The scripts that they relied on to manage accounts in Active Directory, based on twice daily PeopleSoft dumps, were becoming tedious to maintain and with the imminent&lt;span style=""&gt;  &lt;/span&gt;departure of the head programmer, an off the shelf solution became imperative. &lt;/p&gt;  &lt;p class="MsoNormal" style=""&gt;The details of the requirements were quickly relayed&lt;span style=""&gt;   &lt;/span&gt;and a proof of concept was established in the client’s environment. 
Basically, the information from PeopleSoft was used to implement account lifecycle management for employees, while web forms were created to manage contractors. Employees needed an Active Directory account, an Exchange 2007 mailbox, a base set of group memberships, and the proper OU container, which were to be based on location codes. Approximately 10 attributes, including office address and phone number, needed to be set as well. &lt;/p&gt;  &lt;p class="MsoNormal" style=""&gt;As information in the file changed, such as location or specific attributes, the AD account needed to be updated and, if necessary, re-provisioned with new groups and moved to a different OU. If the terminate date field was set in PeopleSoft, the account needed to be disabled, hidden from the GAL and moved to a specific OU. Every time an account is created, modified or disabled, an export file is generated by User Management to feed relevant data back to PeopleSoft. &lt;/p&gt;  &lt;p class="MsoNormal" style=""&gt;While the automated process easily handled the direct employees, the company also had a large population of contractors that were never entered into PeopleSoft. To address this, web forms were created and deployed to hiring managers. The form contained the fields necessary to create an AD account and, if required, an Exchange mailbox. All contractor accounts are set to expire after 90 days and the hiring manager is notified 2 weeks before account expiration. A second form is available to allow the manager to easily extend the timeframe. 
If no action is taken, the account is disabled automatically and the hiring manager is again notified.&lt;/p&gt;  &lt;p class="MsoNormal" style=""&gt;All told, the implementation of both the automated process and the web forms required about 3-4 days of work by a &lt;a href="http://www.tools4ever.com"&gt;Tools4ever&lt;/a&gt; consultant. After thorough testing, the product was rolled out company-wide. As an added benefit, the customer was able to implement Tools4ever’s &lt;a href="http://www.tools4ever.com/products/self-service-reset-password-management/"&gt;Self Service Reset Password Manager&lt;/a&gt; to reduce the most common call to the help desk.&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitymanagementsolutions.blogspot.com/feeds/6352279446145412160/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2009/06/second-of-series.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/6352279446145412160'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/6352279446145412160'/><link rel='alternate' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2009/06/second-of-series.html' title='Second of a series'/><author><name>Dean Wiech</name><uri>http://www.blogger.com/profile/17585484352458496050</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' 
src='http://4.bp.blogspot.com/_GcN_-EU49xc/TSTOw85yloI/AAAAAAAAAAM/Whq3QH_Zdl8/S220/Dean%2BWiech%2B%2528US-East%2529.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5171385112236341268.post-1301524210023356222</id><published>2009-05-08T09:21:00.000-07:00</published><updated>2009-05-08T10:49:53.124-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='group management'/><category scheme='http://www.blogger.com/atom/ns#' term='sarbannes oxley'/><category scheme='http://www.blogger.com/atom/ns#' term='Active Directory'/><title type='text'>Group Management and Auditing</title><content type='html'>Welcome to my blog. As the managing director of &lt;a href="http://tools4ever.com/"&gt;Tools4ever Inc.&lt;/a&gt;, I have involvement at some level with virtually every prospect and client that we have in the eastern half of the United States. Over time, I will endeavor to explain some of our clients’ unique situations and how we were able to assist. To protect our clients and confidential information, I will not disclose the companies’ names. Feel free to contact me via this blog to learn more.&lt;br /&gt;The first situation I would like to discuss involves a medium-sized financial institution located in the northeast. When they approached us, they were in need of a web-based system for group management compliance auditing. Every 90 days, they required managers to sign off on a paper report indicating that the members of distribution and security groups they managed were accurate. Obviously, the shortfalls were many. When the paper was returned, IT admins needed to go into Active Directory and make edits as required. 
Other times, managers simply ignored the paperwork, leaving potential security breaches.&lt;br /&gt;After a thorough analysis of the requirements, we presented a solution that delivered what the client was looking for and also provided suggestions on how to expand the use of the product. A decision to move ahead was made by the client and we set about delivering a proof of concept, at no risk, to prove the capabilities.&lt;br /&gt;In the end, the client was satisfied with the proof of concept and purchased the solution. Basically, the end result provided the following:&lt;br /&gt;For Managers&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Automated email notification to managers that a review of their groups was pending.&lt;/li&gt;&lt;li&gt;A website to allow managers to view all of their groups and the members thereof.&lt;/li&gt;&lt;li&gt;The ability to add / remove individuals from each group as appropriate.&lt;/li&gt;&lt;li&gt;The ability to electronically sign off on the accuracy.&lt;/li&gt;&lt;/ol&gt;For IT&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Consolidated reporting on who has / has not verified the groups.&lt;/li&gt;&lt;li&gt;Automatic escalation procedure when a review has not occurred within a defined timeframe (15, 30 and 60 days).&lt;/li&gt;&lt;li&gt;A portal to provide easy modification of group ownership when a manager departed.&lt;/li&gt;&lt;li&gt;Ability to maintain white lists of groups that should never need verification.&lt;/li&gt;&lt;/ol&gt;For all employees&lt;br /&gt;&lt;ol&gt;&lt;li&gt;An easy method to view what groups they belong to.&lt;/li&gt;&lt;li&gt;Ability to request membership in other groups (requires managerial / IT approval).&lt;/li&gt;&lt;/ol&gt;In the end, we were able to implement a web-based solution for this client in approximately 40 hours of remote consulting services. Thorough testing in their environment and modifications to the original scope resulted in another 10 hours of work. 
The client now has a fully automated solution to a time-consuming issue and can generate audit reports on demand. The project was delivered on time and under budget.</content><link rel='replies' type='application/atom+xml' href='http://identitymanagementsolutions.blogspot.com/feeds/1301524210023356222/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2009/05/group-management-and-auditing.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/1301524210023356222'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5171385112236341268/posts/default/1301524210023356222'/><link rel='alternate' type='text/html' href='http://identitymanagementsolutions.blogspot.com/2009/05/group-management-and-auditing.html' title='Group Management and Auditing'/><author><name>Dean Wiech</name><uri>http://www.blogger.com/profile/17585484352458496050</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' src='http://4.bp.blogspot.com/_GcN_-EU49xc/TSTOw85yloI/AAAAAAAAAAM/Whq3QH_Zdl8/S220/Dean%2BWiech%2B%2528US-East%2529.jpg'/></author><thr:total>0</thr:total></entry></feed>
