ID-Access White Paper
Abstract
ID-Access® is software from Hitachi ID for managing membership in groups, where groups exist on ID-Access target systems -- principally Active Directory. It allows users to initiate security change requests -- principally requests to join or exit network operating system security groups -- in a self-service manner, without the need for users to understand the underlying security infrastructure.
ID-Access can administer user access to folders, printers, distribution lists and other network resources whose access control mechanism leverages user groups.
Challenges in Large-Scale Active Directory Group Management
Many organizations have deployed Windows servers and Active Directory, and leveraged the powerful access control infrastructure in this platform to manage user access to data. This infrastructure uses security groups to control user access to resources:
- Groups are defined in Active Directory to reflect business functions or organizational structure.
- Groups are assigned rights to network resources, such as shares, folders and printers.
- Users are attached to groups based on their job requirements.
- Groups may be nested, to simplify management.
Over time, the number of groups grows and in some organizations may surpass the number of users. Moreover, in dynamic organizations users frequently change responsibilities and are assigned new projects. This churn creates complexity:
- User requirements must be reflected by changes to user membership in groups.
- A user support group must be set up to respond to user access problems by attaching users to appropriate groups.
- Users are frequently unaware of the security infrastructure, so their calls to the help desk typically begin with: "I got an 'access denied' error..."
- Problem resolution is time consuming: first map the user's problem description to a network UNC, then find the groups with rights to that resource, then find the owners of those groups, then call them to get permission to attach the user, and finally attach the user to the group.
Complexity in managing large numbers of changes in security group membership leads to real business problems:
- Staffing cost in the user access management group, due to high call volumes.
- Long turnaround and lost productivity when users wait hours or days to get required access rights.
- Users with inappropriate access rights, as a result of failures in the change authorization process.
Addressing Complexity Using Self Service
The complexity of group membership management can be greatly reduced by implementing a self service solution in place of the security administration group. Users should then be able to:
- Sign into an Intranet web application.
- Search or browse for the resource they would like to access.
- Request access rights directly.
- Have their requests routed automatically to the appropriate authorizers, namely the owners of the relevant AD security group.
- Have authorizers approve requests directly, through e-mail and web-based workflow.
- Be attached automatically to the requested groups upon approval.
Deploying self-service to reduce the complexity of group membership management eliminates:
- The need for users to understand the security infrastructure.
- The cost of operating a security administration group.
- Security exposures due to unauthorized group memberships.
- Lost productivity due to long delays in change authorization.
Introducing ID-Access
ID-Access is software from Hitachi ID for managing membership in groups, where groups exist on ID-Access target systems -- principally Active Directory. It allows users to initiate security change requests -- principally requests to join or exit network operating system security groups -- in a self-service manner, without the need for users to understand the underlying security infrastructure.
ID-Access can administer user access to folders, printers, distribution lists and other network resources whose access control mechanism leverages user groups.
ID-Access is a component of Hitachi ID Management Suite® designed to streamline user requests to network resources.
Using ID-Access, users sign into a secure web application and request new access to a network resource, such as a share, folder, printer or mail distribution list. From the ID-Access web form, users first select a resource container (examples: share; directory OU) and then use a tree view to browse for a specific resource (examples: folder, mail DL). Once they have selected a resource, users simply submit the request.
Once the user has selected a resource, ID-Access:
- Dynamically maps the user's resource selection to a specific managed target system and to a security group on that system.
- Determines whether the security group is already under ID-Access access control and, if not, automatically adds the group to its workflow system.
- Checks whether at least one authorizer is already available for the group and, if not, automatically extracts a new authorizer list from the managed system itself (e.g., identifies the group's owners).
- Initiates a workflow request, asking the appropriate authorizer(s) whether the user should be allowed to join the group in question.
The ID-Access workflow system automatically tracks change authorization and adds the user to the requested group if and when the proposed change is approved.
ID-Access produces concrete business value. It:
- Is ideal for contractors or employees who are given short term assignments and need to be quickly provisioned with security privileges that pertain to their new assignment or project.
- Reduces workload on IT administrators by offloading group membership management to users.
- Improves productivity for all users who need to access network resources to which they did not previously have rights.
ID-Access Technology
ID-Access is currently designed to target a single platform -- Active Directory. Its user interface exposes resources that are typically made accessible by user membership in AD groups:
- Shares on file servers.
- Folders on shares, including the full depth of folder hierarchy.
- Printers and print server queues published in AD.
- Mail distribution lists, for example as used by MS Exchange.
ID-Access uses plugins to connect to target platforms. The Windows/AD resource discovery plugin is able to drill down into Windows-based network resources, find out which groups have rights to which resources, and look up group owners in Active Directory. The Hitachi ID Management Suite Active Directory connector, included with ID-Access, can enumerate AD users and groups, authenticate AD passwords and update AD group memberships.
User Interface Workflow
ID-Access can be used to manage many different types of resources. A plug-in program binds ID-Access to a specific type of resource, such as Windows shares, whose access is mediated by membership in an Active Directory group. Other resources include network printers and mail distribution lists.
The description is best clarified with a concrete example:
| Step | User | ID-Access | Resource-Type Plug-in | Target System |
| 1 | Sign in using a network login ID and password. | Validate credentials. | | |
| 2 | Initiate a new resource-access request. | | | |
| 3 | | Display a list of descriptive names for configured Windows file servers and shares. | | |
| 4 | Select a share. | | | |
| 5 | | Display a tree view of folders in the selected share. | | |
| 6 | Browse for and select a folder where access is desired. | Interactive tree view display. | Iteratively provide a list of sub-directories from the selected share. | |
| 7 | Select a set of privileges and an authorizer to request. | Display and user input. | Provide a list of groups that have privileges on the share and the security privileges each one has been assigned (read-only? read-write? etc.). One or more owners (authorizers) are provided for each group. | |
| 8 | | Workflow to track change authorization. | | |
| 9 | | (Change approved) Run agent to update the user's group membership. Send a confirmation e-mail to the user and to all owner/authorizers. | | Updated privileges. User can now access the folder. |
Requests Workflow: Parallel Authorization by Multiple Approvers
Starting with Windows 2003 SP1, it became possible to attach a group of users as the owner of another group. This effectively means that an AD group can have multiple owner/authorizers.
ID-Access supports approval by multiple owners, and/or by a specified subset of them (e.g., 1 out of 2 or 3 out of 5 authorizers).
ID-Access supports both parallel and serial change authorization, but Hitachi ID encourages all of its customers to use parallel authorization.
With either parallel or serial authorization, every authorizer must approve a change before it is implemented. As a result, there is no security implication to choosing one method over the other.
The difference between parallel and serial authorization is that parallel authorization favors an efficient SLA, while serial authorization shields subsequent authorizers from the occasional spurious request that an earlier authorizer would reject. In Hitachi ID's experience, users are aware that their requests will be highly visible and almost never make requests that are unlikely to be approved. Consequently, the number of spurious requests is close to zero in practice and there is no real business advantage to shielding later authorizers from them. As a consequence, the advantages of parallel authorization -- improved SLA and reduced process complexity -- are the deciding factor.
The bottom line is that parallel authorization offers better SLA to the organization and is simpler to configure and maintain. It is therefore preferable.
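To make the parallel/serial comparison concrete, here is an added Python model of a request routed to a set of group owners with an M-of-N quorum. It is example code written for this page, not ID-Access code; `ApprovalRequest` and `run_script` are names chosen for the illustration, and the owner names are constructed. In both modes a request is implemented only once the quorum is met, so the security outcome is identical; the two modes differ only in who is asked, and when.

```python
"""Approval-routing model: parallel vs. serial authorization with an M-of-N quorum.

Added illustration, not ID-Access code. The policy shapes (all-of-N, 1-of-2,
3-of-5, parallel vs. serial) follow the paper's description; the data types
and function names are this example's own.
"""
from dataclasses import dataclass, field


@dataclass
class ApprovalRequest:
    authorizers: list                 # ordered; the order only matters in serial mode
    required: int                     # M approvals needed out of len(authorizers)
    mode: str = "parallel"            # "parallel" or "serial"
    decisions: dict = field(default_factory=dict)   # authorizer -> "approve" | "deny"
    notified: list = field(default_factory=list)    # who has been asked, in order

    def __post_init__(self):
        if not 1 <= self.required <= len(self.authorizers):
            raise ValueError("quorum must be between 1 and the number of authorizers")
        if self.mode not in ("parallel", "serial"):
            raise ValueError(self.mode)
        self._notify_next()

    def _notify_next(self):
        """Parallel: every authorizer is asked up front. Serial: only the next one
        in line is asked, and only while the request is still open."""
        if self.status() != "pending":
            return
        waiting = [a for a in self.authorizers if a not in self.notified]
        self.notified.extend(waiting if self.mode == "parallel" else waiting[:1])

    def status(self):
        """Implementation is gated on the quorum in both modes: the group
        membership change happens only once this returns 'approved'."""
        approvals = sum(d == "approve" for d in self.decisions.values())
        denials = sum(d == "deny" for d in self.decisions.values())
        if approvals >= self.required:
            return "approved"
        if denials > len(self.authorizers) - self.required:
            return "denied"               # the quorum can no longer be reached
        return "pending"

    def record(self, authorizer, decision):
        """Accept a decision only from someone who was actually asked."""
        if self.status() != "pending":
            raise ValueError("request is already closed")
        if authorizer not in self.notified:
            raise PermissionError(f"{authorizer} has not been asked to review this request")
        if authorizer in self.decisions:
            raise ValueError(f"{authorizer} already decided")
        if decision not in ("approve", "deny"):
            raise ValueError(decision)
        self.decisions[authorizer] = decision
        self._notify_next()
        return self.status()


def run_script(mode, authorizers, required, script):
    """Replay a list of (authorizer, decision) events and return the final
    status plus the list of authorizers who were ever contacted. Replay stops
    as soon as the request closes, as a real engine would stop notifying."""
    req = ApprovalRequest(list(authorizers), required, mode)
    for who, decision in script:
        if req.status() != "pending":
            break
        req.record(who, decision)
    return req.status(), list(req.notified)


if __name__ == "__main__":
    owners = ["carol", "erin", "frank"]          # constructed group owners
    events = [("carol", "approve"), ("erin", "deny")]
    # Same outcome either way; serial mode spares frank a request that was going to fail.
    print("parallel:", run_script("parallel", owners, 3, events))
    print("serial:  ", run_script("serial", owners, 3, events))
```

Running the script at the bottom shows the case the text describes: with three owners and all three required, an early denial closes the request in both modes, but in serial mode the third owner is never contacted. With a 1-of-2 policy a single denial leaves the request open, because the quorum can still be met by the other owner.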
Requests Workflow: Escalation and Delegation
Once a user has requested access to a network resource, a workflow process takes over, prompting the appropriate authorizer(s) (AD group owner(s)) to review the request.
Sometimes, authorizers will not respond promptly. To meet IT service level agreements (SLAs), requests must be supported by automatic reminders, automatic escalation and manual delegation of authority.
The ID-Access workflow engine has built-in support for automatic reminders, escalation and delegation:
- Non-responsive authorizers who have been asked to review a change request receive automatic reminders to respond. Reminder intervals are programmable.
- Authorizers who continue to be non-responsive are automatically replaced with alternate authorizers, identified using escalation business logic. Escalation normally involves external data access -- e.g., to a corporate directory to look up the original authorizer's manager or peers.
- Authorizers may elect to delegate their authority, either temporarily (for a scheduled, finite period of time, such as a scheduled holiday) or permanently (for example, when an authorizer changes jobs). Delegation may require that the new authorizer respond and accept responsibility before it takes effect.
- A workflow manager can reassign requests to different authorizers at any time and can administratively set and clear delegation rules.
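The four behaviours above (reminders, escalation, delegation and manager reassignment) can be exercised against a simulated clock. The Python below is an added example, not ID-Access code: the reminder and escalation intervals, the hour-based clock, and the `MANAGER_OF` table standing in for the corporate-directory lookup are all constructed for the illustration.

```python
"""Time-driven handling of one pending approval: programmable reminders,
automatic escalation to the authorizer's manager, temporary or permanent
delegation (optionally requiring acceptance), and manual reassignment.

Added illustration, not ID-Access code. The intervals, the simulated clock
(hours since the request was created) and the manager table are constructed.
"""
from dataclasses import dataclass, field

# Constructed stand-in for the corporate-directory lookup used by escalation.
MANAGER_OF = {"erin": "gina", "gina": "hank"}


@dataclass
class PendingApproval:
    authorizer: str                     # authorizer of record (replaced on escalation)
    asked_at: int                       # hour at which the current authorizer was asked
    remind_every: int = 24              # reminder interval, in hours (programmable)
    escalate_after: int = 72            # replace a silent authorizer after this many hours
    delegations: dict = field(default_factory=dict)   # from -> (to, expires_at or None)
    reminders_sent: int = 0
    answered: bool = False
    log: list = field(default_factory=list)

    def delegate(self, who, to, until=None, accepted=True):
        """Delegate authority until a given hour, or permanently when until is None.
        The rule only takes effect once the delegate has accepted it."""
        if not accepted:
            self.log.append(f"delegation {who}->{to} awaiting acceptance")
            return False
        self.delegations[who] = (to, until)
        span = "further notice" if until is None else f"h{until}"
        self.log.append(f"delegation {who}->{to} until {span}")
        return True

    def current_authorizer(self, now):
        """Whoever holds the authority right now: follow active delegations."""
        who, seen = self.authorizer, set()
        while who in self.delegations and who not in seen:
            seen.add(who)
            to, until = self.delegations[who]
            if until is not None and now > until:
                break                           # temporary delegation has expired
            who = to
        return who

    def reassign(self, to, now):
        """Workflow-manager override: reroute the request immediately."""
        self.log.append(f"reassigned {self.authorizer} -> {to} at h{now}")
        self.authorizer, self.asked_at, self.reminders_sent = to, now, 0

    def tick(self, now):
        """Called by the scheduler; returns the action taken at this hour."""
        if self.answered:
            return "closed"
        waited = now - self.asked_at
        if waited >= self.escalate_after:
            # Escalation looks up the manager of the authorizer of record,
            # not of a delegate, as the text describes.
            old = self.authorizer
            new = MANAGER_OF.get(old)
            if new is None:
                self.log.append(f"cannot escalate from {old}: no manager on record")
                return "needs-manual-reassignment"
            self.log.append(f"escalated {old} -> {new} at h{now}")
            self.authorizer, self.asked_at, self.reminders_sent = new, now, 0
            return "escalated"
        due = waited // self.remind_every       # how many reminders should have gone out
        if due > self.reminders_sent:
            self.reminders_sent = due
            self.log.append(f"reminder {due} to {self.current_authorizer(now)} at h{now}")
            return "reminded"
        return "waiting"

    def answer(self, who, now):
        """Only the person currently holding the authority may close the request."""
        if who != self.current_authorizer(now):
            return False
        self.answered = True
        self.log.append(f"answered by {who} at h{now}")
        return True


if __name__ == "__main__":
    p = PendingApproval("erin", asked_at=0)
    for hour in (24, 48, 72, 96, 144, 216):
        print(f"h{hour}: {p.tick(hour)}")
    print("\n".join(p.log))
```

Running the module prints the life of one request that nobody answers: two reminders, escalation to erin's manager, a fresh reminder cycle for the new authorizer, a second escalation, and finally a flag for manual reassignment when the escalation chain runs out (`hank` has no manager in the table), rather than leaving the request silently stuck.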
Installing, Configuring and Managing ID-Access
ID-Access is very simple to set up and administer. For example, to configure it to manage group membership in Active Directory, to enable users to gain access to group-controlled file folders, one need only:
- Set up Active Directory as an ID-Access target system.
- Enter the base UNC for each share in which ID-Access will manage access.
- Ensure that the owner field is correctly populated on each AD user group.
ID-Access deployment is typically very quick:
- Install the product.
- Configure the primary target system -- a Windows / Active Directory domain.
- Install the resource location plugin (currently a Windows resource plugin is available, supporting shares, folders, printers and Exchange mail distribution lists).
- Configure root nodes for resource browsing, such as share UNCs.
- Verify that group owners are correctly defined in AD, as these people will be used as authorizers.
- Test and debug the installation as appropriate.
The entire process typically requires just 2-3 days of technical setup effort.
Logging and Reporting
ID-Access logs all attempted and completed requests for group membership. The built-in ID-Access workflow engine is supported by built-in reports, including:
- Request summary.
- Request lifecycle.
- Request statistics.
- Request details.
- Implementers summary.
Network Architecture
The ID-Access network architecture is illustrated in Figure 1, the ID-Access Network Architecture Diagram.
In the diagram:
- A requester signs into ID-Access and locates a network resource of interest, using some combination of searching and browsing.
- The requester asks for access to the resource.
- ID-Access looks up the ACLs on the resource, and determines which group membership would be appropriate.
- ID-Access looks up the group's owners, and sends them an e-mail on behalf of the requester, asking that the requester be attached to their group, in order to enable the requester to access the resource of interest.
- At some later time, the group owners receive the e-mail, sign into ID-Access, and either approve or deny the request.
- If the request is approved, ID-Access updates the user and group objects in AD to create the new group membership.
Access by the requester and authorizer to ID-Access is typically HTML over HTTPS.
Access by both the requester and ID-Access to the network resources in question may be SMB, DFS or LDAP.
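The lookup chain in the diagram walkthrough above, and the four steps listed under "Introducing ID-Access", can be modelled end to end. The following Python is an added example written for this page, not Hitachi ID's code: it uses a constructed ACL inventory and a constructed group directory, and the names `AccessBroker`, `groups_with_rights`, `expand_members` and `authorizers_for` are this example's own. It walks one request through resource-to-group mapping, first-use registration of the group, extraction of authorizers from the group's owner field (expanding a group-valued owner, as allowed since Windows 2003 SP1) and the hand-off to workflow, and it surfaces the two cases an administrator has to plan for: a requester who already holds membership through a nested group, and a group whose owner field was never populated.

```python
"""Model of the ID-Access lookup chain: resource selection -> effective ACL ->
candidate group -> group owners (authorizers) -> workflow request.

Added illustration, not Hitachi ID code. All data below is constructed; a real
deployment reads ACLs from the file server via the resource plugin and group
membership/ownership from Active Directory via the AD connector.
"""

# Constructed ACL inventory as the Windows resource plugin might discover it:
# UNC path -> (group, right) entries set explicitly on that folder.
SAMPLE_ACLS = {
    r"\\fs01\projects": [("Projects-Write", "write"), ("Projects-Read", "read")],
    r"\\fs01\projects\apollo": [("Apollo-Team", "write")],
    r"\\fs01\projects\apollo\finance": [("Apollo-Finance", "write")],
}

# Constructed AD group directory: members may be users or other groups, and the
# owner may itself be a group.
SAMPLE_GROUPS = {
    "Projects-Read": {"members": {"alice", "bob"}, "owner": "carol"},
    "Projects-Write": {"members": {"bob"}, "owner": "carol"},
    "Apollo-Team": {"members": {"dave", "Apollo-Leads"}, "owner": "Apollo-Leads"},
    "Apollo-Leads": {"members": {"erin", "frank"}, "owner": "carol"},
    "Apollo-Finance": {"members": set(), "owner": None},   # owner field left empty
}


def ancestors_and_self(unc):
    """Yield the folder and each parent up to the share root, most specific first."""
    parts = unc.strip("\\").split("\\")            # e.g. ['fs01', 'projects', 'apollo']
    for n in range(len(parts), 1, -1):             # stop at \\server\share
        yield "\\\\" + "\\".join(parts[:n])


def groups_with_rights(unc, acls):
    """Effective (group, right) pairs on unc: its own entries first, then entries
    inherited from parent folders. The model assumes inheritance is not blocked."""
    seen, result = set(), []
    for path in ancestors_and_self(unc):
        for group, right in acls.get(path, []):
            if group not in seen:
                seen.add(group)
                result.append((group, right))
    return result


def expand_members(group, groups, _seen=None):
    """Flatten nested group membership into a set of user IDs."""
    _seen = set() if _seen is None else _seen
    if group in _seen:                             # guard against membership cycles
        return set()
    _seen.add(group)
    users = set()
    for member in groups[group]["members"]:
        if member in groups:
            users |= expand_members(member, groups, _seen)
        else:
            users.add(member)
    return users


def authorizers_for(group, groups):
    """Extract the authorizer list from the managed system: the group owner,
    expanded to its user members when the owner is itself a group."""
    owner = groups[group]["owner"]
    if owner is None:
        return []
    if owner in groups:
        return sorted(expand_members(owner, groups))
    return [owner]


class AccessBroker:
    """Runs the four steps the paper describes for one resource request."""

    def __init__(self, acls, groups):
        self.acls, self.groups = acls, groups
        self.managed = set()            # groups already under workflow control

    def build_request(self, user, unc, wanted_right):
        # 1. Map the selected resource to a group granting the wanted right;
        #    the most specific ACL entry wins.
        candidates = [g for g, r in groups_with_rights(unc, self.acls) if r == wanted_right]
        if not candidates:
            return {"status": "no-group-grants-right", "resource": unc}
        group = candidates[0]
        if user in expand_members(group, self.groups):
            return {"status": "already-member", "group": group}
        # 2. Bring the group under workflow control on its first request.
        newly_managed = group not in self.managed
        self.managed.add(group)
        # 3. Extract authorizers from the owner field.
        authorizers = authorizers_for(group, self.groups)
        if not authorizers:
            # An empty owner field cannot be routed; surface it for the administrator.
            return {"status": "no-authorizer", "group": group}
        # 4. Hand off to the workflow engine.
        return {"status": "pending", "requester": user, "group": group,
                "authorizers": authorizers, "newly_managed": newly_managed}


if __name__ == "__main__":
    broker = AccessBroker(SAMPLE_ACLS, SAMPLE_GROUPS)
    print(broker.build_request("alice", r"\\fs01\projects\apollo", "write"))
    print(broker.build_request("alice", r"\\fs01\projects\apollo\finance", "write"))
```

When a folder and one of its parents both grant the requested right, the entry on the folder itself is chosen, which is what step 7 of the user-interface workflow presents when it lists the groups with privileges on the selected folder. The `no-authorizer` outcome is the reason the installation section insists that the owner field be populated on every managed group.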
Platform Support
ID-Access currently supports Active Directory group membership management, where AD runs on Windows 2000 and Windows 2003 servers.
It also supports management of:
- SMB- and DFS-based filesystems.
- Nested groups. Users and/or policy plugins choose the group for which membership will be requested.
- Access to shares (i.e., share-level ACLs).
- Access to folders (i.e., NTFS folder-level ACLs).
- Access to printers (i.e., ACLs on AD-published print queues).
- Access to mail distribution lists (i.e., membership in AD mail DLs).
ID-Access Development Roadmap
Support for other platforms, such as NetWare/NDS/eDirectory, will be forthcoming, with timing based on customer demand.
The plugin architecture makes ID-Access suitable for enabling users to browse for and request access to any type of resource, including any type of LDAP-published group, any network-enabled filesystem, and any complex application ACLs.