A recent implementation of the Tools4ever Enterprise Single Sign On Manager (E-SSOM) for a group of automotive dealers in Louisiana presented a unique opportunity. This group has a total of 15 dealerships, and all were running the same HR, CRM, inventory and dealer management applications, along with a number of web-based tools. They had been using an SSO application from their CRM/dealer management vendor that automatically logged personnel into the appropriate applications based on their Active Directory credentials.
The major problem occurred when the supplier made a decision to stop supporting the SSO application in a few months.
The dealership started an immediate search for a replacement product. They knew all too well that the calls to the help desk for password assistance would skyrocket once the old SSO application was removed. Tools4ever was selected as a potential vendor and after a thorough Proof of Concept, and a few tweaks to E-SSOM, we were able to demonstrate the basic functionality of our solution in the client’s production environment by automating the logon process for 8 unique applications, including the most crucial CRM and dealer management systems.
After the rollout to all current employees was completed, a decision was made to pre-enroll new users. Basically, the only credentials anyone will ever receive going forward are their AD username and password. Access to all other applications will be handled via E-SSOM, and the end users will never actually know the passwords to the eight applications they need to access. The benefit is that by disabling a terminated employee's AD account, or removing their E-SSOM profile, their access to every other application is automatically revoked, eliminating a potential security concern.
To learn more about Tools4ever solutions for Identity and Password Management, please visit our website.
Wednesday, June 1, 2011
Wednesday, January 5, 2011
Password Management Leads to More!
A recent pilot project at a large Canadian manufacturing firm, with about 3,500 employees, resulted in successful implementation and purchase. After evaluating numerous vendors over a 6 month period, this diverse, global manufacturer decided on a pilot implementation of Tools4ever products as a proof of concept. We deployed several of our standard products, along with professional services, to meet the client requirements. Here is a brief synopsis of their requirements and how we set about providing a total solution.
The first phase of the project was to provide a standard methodology to allow end users to reset their Active Directory passwords without calling the helpdesk. In addition to modifying the Windows login screen, a web portal was also required to facilitate resets from machines that were not part of the domain. Further, both components needed to be available in English, French, Spanish, German and Finnish. Self Service Reset Password Manager (SSRPM) provided the needed functionality out of the box, with the only shortfall being native support for Finnish. However, as all the text for the Enrollment and Reset Wizards is contained in a locale file, the modification for Finnish was accomplished by the client in about 45 minutes.
The second phase of this project involved the use of User Management Resource Administrator (UMRA) Web for Employee Self Service and Delegation, and Password Synch Manager. The desired result of this phase was to be able to reset a user's SAP password at the same time, and using the same password, as the AD password. In order to accomplish this, it was necessary to collect the SAP user name from the end users, as there was no relationship established between the AD and SAP credentials. A number of other attributes, such as manager's name and cell phone, were also collected for populating AD. Once this phase was completed, an end user could perform a normal password reset through Ctrl-Alt-Del or reset a forgotten password through SSRPM, and the password would automatically be reset in both AD and SAP.
The third and final phase of the project involves the UMRA Delegation and Workflow components. The company has a large number of consultants and temporary employees. When their accounts are created in AD, they will be tagged with an anticipated expiration date in Active Directory. Two weeks prior to this date, the manager will be notified of the pending action and given an opportunity to extend the date. If no action is taken, a second notice will be generated one week prior and then again the day prior to expiration. If no action is taken by then, the account is automatically disabled and moved to a separate OU. After 30 days in a disabled state, the account is automatically deleted from AD. This process provides an automated methodology for keeping AD clean.
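As an added illustration of the expiration workflow just described (this is not UMRA code or anything from the client's environment): a small model of the daily job, with constructed dates, ISO-string dates at the API boundary and placeholder OU names.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed model of the contractor lifecycle described above; not UMRA code.
NOTICE_DAYS = (14, 7, 1)   # manager notices two weeks, one week and one day before expiry
GRACE_DAYS = 30            # days an account stays disabled before it is deleted
DISABLED_OU = "OU=Disabled,DC=example,DC=com"   # placeholder OU names throughout

@dataclass
class TempAccount:
    sam: str
    expires_on: str                 # ISO date tagged on the account when it is created
    enabled: bool = True
    ou: str = "OU=Contractors,DC=example,DC=com"
    disabled_on: Optional[date] = None
    deleted: bool = False

def lifecycle_action(acct: TempAccount, today: date) -> Optional[str]:
    """Return the action the daily job owes this account today, or None."""
    if acct.deleted:
        return None
    if not acct.enabled:   # disabled: delete once the grace period has elapsed
        return "delete" if today >= acct.disabled_on + timedelta(days=GRACE_DAYS) else None
    days_left = (date.fromisoformat(acct.expires_on) - today).days
    if days_left in NOTICE_DAYS:
        return f"notify_manager_{days_left}d"
    return "disable_and_move" if days_left <= 0 else None   # <= 0 survives a missed run

def apply_action(acct: TempAccount, action: str, today: date) -> None:
    """Mutate the record the way the directory job would."""
    if action == "disable_and_move":
        acct.enabled, acct.disabled_on, acct.ou = False, today, DISABLED_OU
    elif action == "delete":
        acct.deleted = True

def simulate(acct: TempAccount, start: str, end: str) -> list:
    """Run the daily job from start to end (ISO dates) and return the (date, action) log.
    A manager extending acct.expires_on between runs simply pushes the schedule out."""
    day, last = date.fromisoformat(start), date.fromisoformat(end)
    log = []
    while day <= last:
        action = lifecycle_action(acct, day)
        if action:
            log.append((day.isoformat(), action))
            apply_action(acct, action, day)
        day += timedelta(days=1)
    return log
```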
Shortly after wrapping up Phase 3, the company will begin to look at other Tools4ever solutions, including Enterprise Single Sign On and automated user account provisioning. To learn more about Tools4ever solutions, visit our website.
Monday, August 23, 2010
A flying start with Role Based Access Control (RBAC)
RBAC or Role Based Access Control is hot! With increasing frequency, organizations that I meet see the importance of a structured way of managing and granting authorizations in the network. In practice, authorizations are often granted by copying the profile of a colleague who has "about" the same function. This results in many new employees gaining access to systems and applications that they do not need. Attention is rarely paid to the withdrawal of authorizations after copying a user, and that has consequences for licensing costs and information security.
RBAC is one of the possible ways to solve this problem. RBAC consists of a matrix of roles, functions and specific access rights. For example, when a new employee joins the organization, the RBAC matrix determines what the new employee will be allowed to do in the network. That's the theory. In practice, populating such a matrix brings many problems. Because people often feel their needs are one of a kind, this frequently leads to as many roles as there are employees. Ultimately, that results in an endless and unworkable matrix. Companies are therefore afraid to implement RBAC within their organization. However, there are organizations that get started and strive to get 100 percent of the employees into the RBAC matrix. I think this is improbable and may take years of both management's and the Security Officer's time to implement.
Want a quick start with RBAC? It is quite feasible if you do not target 100 percent in the first instance. Based on information from the HR system, it is possible to identify the 50 most common combinations of departments and functions within the organization. This allows up to 80 percent of the RBAC matrix to be completed immediately, all within a few days! A workflow application can then be used to fill in the remaining 20 percent, entered manually by the employee's manager.
It may be years before the RBAC matrix is 100 percent complete, but by incorporating existing systems and sources (such as the HR system) together with the involvement of the manager, populating the RBAC matrix becomes a manageable process with direct results. The result is a positive ROI with respect to the feasibility of RBAC and the amount of effort required to meet IT auditing standards. An indirect benefit is often a reduction in licensing costs, storage requirements and security incidents.
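The quick start described above, as an added example rather than anything from Tools4ever: a constructed HR export is grouped by department and function, the most common combinations become the first roles, and the employees not covered are handed to the manager workflow. Seeding each role's rights by majority vote over its members' existing entitlements goes beyond the post and is my assumption about how the matrix cells would be filled.

```python
from collections import Counter, defaultdict

# Constructed HR export: (employee id, department, function). Not real client data.
HR_RECORDS = [
    ("e01", "Sales", "Account Manager"), ("e02", "Sales", "Account Manager"),
    ("e03", "Sales", "Account Manager"), ("e10", "Sales", "Account Manager"),
    ("e04", "Finance", "Controller"),    ("e05", "Finance", "Controller"),
    ("e06", "IT", "Sysadmin"),           ("e07", "IT", "Sysadmin"),
    ("e08", "Legal", "Counsel"),         ("e09", "HR", "Recruiter"),
]
# Constructed current entitlements (e.g. AD groups) per employee, used to propose
# the access rights of each mined role.
CURRENT_ACCESS = {
    "e01": {"CRM", "Mail"}, "e02": {"CRM", "Mail"}, "e03": {"CRM", "Mail", "VPN"},
    "e10": {"CRM", "Mail"}, "e04": {"ERP", "Mail"}, "e05": {"ERP", "Mail"},
    "e06": {"VPN", "Mail", "DomainAdmins"}, "e07": {"VPN", "Mail"},
    "e08": {"Mail"}, "e09": {"HRIS", "Mail"},
}

def bootstrap_rbac(records, access, top_n, majority=0.5):
    """Rank (department, function) combinations by headcount and keep the top_n as roles.
    Each role's rights are the entitlements held by more than `majority` of its members
    (so a one-off right such as DomainAdmins is left for explicit approval). Returns the
    matrix, the share of employees it covers, and the residual employees whose access
    must be entered by their manager through the workflow."""
    members = defaultdict(list)
    for emp, dept, func in records:
        members[(dept, func)].append(emp)
    # Most common combinations first; ties broken by name so the result is deterministic.
    ranked = sorted(members.items(), key=lambda kv: (-len(kv[1]), kv[0]))[:top_n]
    matrix = {}
    for role, emps in ranked:
        tally = Counter(right for emp in emps for right in access.get(emp, ()))
        matrix[role] = {right for right, n in tally.items() if n / len(emps) > majority}
    covered = {emp for _, emps in ranked for emp in emps}
    residual = sorted(emp for emp, _, _ in records if emp not in covered)
    return matrix, len(covered) / len(records), residual
```

With the constructed data, three roles cover 8 of 10 employees; the rights that only a minority of a role's members hold are deliberately not promoted into the role.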
How to deal with Role Based Access Control (RBAC) in relation to Identity Management