• Article

Identity & Access Management

Automate Active Directory Group Management

Craig Owen

 

At a Glance:

  • Important uses of MIIS
  • Group management in MIIS
  • Features of MIIS

Group management is central to today's businesses. Groups are commonly used to control access to network resources, computers, buildings, and so on. Simultaneously, they need to grant access to

resources that people need to get their work done, while also protecting those resources from intentional or inadvertent harm. E-mail distribution lists, where users, contacts and other groups are logically associated with one another, exemplify the potential difficulties. The implications of controlling these groups range from users getting more information than they want (information overload) to getting more information than they should have (information security).

Groups need to be properly maintained to both minimize security risks and enhance the work environment. But many organizations have more groups than users. Even if yours doesn't, chances are it does have a high group-to-user ratio—and these groups are often being managed manually. That's an administrative nightmare.

Ever wish you could bring some automation to group management? Microsoft® Identity Integration Server (MIIS) 2003, along with a downloadable group management application, can alleviate a lot of the headaches. Automation of group management not only reduces the administrative overhead associated with group management, but it also helps you solve your security concerns.

How MIIS Fits Into Group Management

MIIS 2003 allows companies to perform data synchronization and object provisioning between otherwise disconnected systems. It does this by collecting information from external data sources (such as Active Directory®, SQL Server™, or SAP) and merging that information into a central repository called the metaverse. Once the information has been collected in the metaverse, you choose the information to be shared among the different data sources.

MIIS 2003 can communicate with a large number of external data sources and maintain information about the objects in those systems. Because of this, the metaverse in MIIS is a logical source of information for making decisions about group membership.

A Group Management Solution

A good way to learn about MIIS is to look at the whitepapers in the Identity and Access Management series. You'll find the latest version at microsoft.com/technet/security/topics/identitymanagement/idmanage. One of the scenarios in the Provisioning and Workflow section walks through a group management solution that's the basis of our discussion. We'll start with an overview of the solution, then cover some of the setup details including defining two types of groups, and finally we'll look at the benefits of this solution.

Using MIIS as a basis for group management starts with an MIIS installation. If you already have MIIS deployed, you can use the information that is already there to create groups. Otherwise you'll want to connect MIIS to your HR database, Active Directory, or any other system that you feel has helpful information to formulate groups. Next, you'll create definitions or rules that describe how the groups should be composed. In the solution we're following, this is done by leveraging a Group Management Web application. You input information about how the group should be created, including the most important part—the membership clause. This clause is literally part of a SQL query that will be executed against the information stored in the MIIS metaverse. The clause might tell the query to return all objects that have a state attribute equal to "California" or all objects that have a title that contains the word "Senior." This is how the group's membership gets dynamically maintained.

MIIS originally shipped with a program called Group Populator, which came included in the walkthrough scenarios. The solution was expanded in the Identity and Access Management Series, and is the one I'll discuss here. It uses information entered into the Web application in conjunction with information in the MIIS metaverse to build group membership. It is the engine that runs periodically to calculate and output the group membership. You can decide how often your membership information is regenerated, based on the needs of your company.

Once the group populator generates a group's membership, you turn back to MIIS to synchronize that group information to any connected directory that supports the group concept. This is done with the help of a management agent (part of MIIS that allows it to communicate with different data sources) that works with the group management database to import group and membership information. Figure 1 illustrates how groups are built using MIIS.

Figure 1 Building and Populating Groups

Figure 1** Building and Populating Groups **

Solution Setup

We won't cover installation of the entire solution—that's detailed in the Provisioning and Workflow whitepaper. (In Appendix A you'll find supplemental information specifically about the group management solution.)

The first step involves creating the SQL database that stores the new group information. A script will create the database and tables for you. The database consists of eight relational tables.

Next you need to compile, install, and configure the group management Web application and group populator application. The final step is to configure MIIS with a management agent that will work with the SQL database to inform MIIS of group and membership changes. All steps of installation and configuration are outlined in the whitepaper.

After the solution is installed you will need to define some groups in the Web app. Two types of group definitions can be created. To create a normal group definition, which will result in one group being created (see Figure 2), click the Add Group button on the default page. This will allow you to define the basic attributes: Group Name, Description, and Group Type. There are also more complex choices for setting the mail properties, clause, and exceptions.

Figure 2 Creating a Normal Group Definition

Figure 2** Creating a Normal Group Definition **

The second type of group is an attribute-based definition (see Figure 3), which create families of groups automatically for each distinct value of a specified attribute. An example might be an attribute group definition based on job title. Each distinct title value in the metaverse will then get its own group. You will specify the name of the group and the group populator will plug in the distinct value when it creates the group. For example, you can specify that the group will be called Title of {attributeValue}. Possible names of groups might include Title of Administrator and Title of Consultant, where each distinct title in the metaverse will have a group represented and each object with that title will be a member of that group.

Figure 3 Creating Attribute-Based Group Definitions

Figure 3** Creating Attribute-Based Group Definitions **

Within the settings for attribute-based definitions, you can create a linked definition. This will allow you to create families of groups based on reference attributes in the metaverse. A reference attribute in MIIS is an attribute that points (links) to another object. A good example of this is the manager attribute. After importing the manager attribute into the metaverse as a reference attribute, you can create a linked attribute group definition. The end result would be groups that might look like Direct Reports of Bob Smith and Direct Reports of Fred Brown, where each person with direct reports in the metaverse has a group created.

Top User Benefits

Why should you take advantage of this group management solution? Here are a number of benefits you'll see.

Web Administration App The UI allows for group definitions to be created and managed from the Web. The Web application also helps you create accurate definitions.

Delta Imports Only the groups that have changed since the last synchronization are evaluated by MIIS. This reduces the processing time and allows you to run the synchronization more frequently, which results in groups that are more up to date.

Attribute-Based Families of Groups You can create families of groups for each distinct attribute value. An example might include setting a rule to create a new group for each state where employees reside, resulting in a group being created for each state in the metaverse. Additionally, when your company expands into a new state and there are new employees in the metaverse, a new state group will be created automatically.

Mail Enable Groups and Set Group Type You have the ability in the Web administration console to mail-enable groups and make them security or distribution-only groups. Here's where you can change the mail alias and other properties of the group (see Figure 4).

E-Mail Notification The group management solution can e-mail the members of the group as they are added or removed.

Figure 4 Mail Status Options

Figure 4** Mail Status Options **

Group Clause Builder The original group populator required you to form a SQL statement to define how the group would be populated. The new solution allows you to choose a list of available attributes from a dropdown box and have the Web console build the SQL query for you (see Figure 5). The SQL-savvy can still manually create the SQL statement if they choose.

Figure 5 Clause Builder

Figure 5** Clause Builder **

Preview the Results As you are creating a group definition, you have the ability to preview and check the results of your actions. It will show the number of potential members and a list of each person who will be included in the group.

Manual Exceptions to the Groups This feature allows you to manually include or exclude someone from the group whether or not they fit the clause criteria.

Share the Group Clause Between More than One Group If you need two or more groups with the same basic membership, but different attributes, you can share the clause between them.

Delayed Membership Deletion Often, HR data in the metaverse does not get changed concurrently with an employee's status. Employees who change jobs may get a whole new set of groups from the group management application. If you want to allow them a short period of time to transition their work, you can specify that they will not be removed from their previous groups for a configurable number of days, essentially delaying their removal. This option is set on a per-group basis for all members in the group.

Conclusion

The automation of group management will help ensure that the right objects are in your groups. Group management can improve your organization's security and help ensure that your group owners are spending a minimal amount of time managing groups. The Identity and Access Management Series has the tools to aid you in evaluating, designing, and deploying this solution.

Craig Owen is a Senior Identity Architect at Oxford Computer Group. Oxford specializes in identity and access management consultancy. Services include strategic and functional consulting, system integration, solution development, and skill development. Reach Craig at technet@oxfordcomputergroup.com.

© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited.