Active Directory Role-Based Security made easy
By Neil Burton
Active Directory Management allows you to distribute and delegate the administrative responsibilities that tie up your IT department among multiple users, including Help Desk operators or department managers.
But over the last 20 years of working with large organisations, we’ve found that the native means for Active Directory delegation introduce a number of challenges, are often ineffective and even pose security risks.
That’s partly because the process involves modification and maintenance of multiple Access Control Lists (ACLs) across many objects in Active Directory. This is prone to errors and often results in users either not having the access they need or being given elevated administrative privileges they don't need - or shouldn’t have.
There’s also no central place to store and manage permissions and, as a result, it’s difficult to control who has what privileges and why. In addition, permissions can be applied only at the domain or Organisational Unit level, which significantly complicates the delegation process.
At Armstrong IT, we recommend Adaxes to address all these challenges - and more. By providing Active Directory role-based access control, it offers a very high and granular level of control over the permissions you grant to administrators and end-users within Active Directory. The role-based security model enables you to assign permissions to users based on the job roles they hold and eliminates the need to manually modify ACLs across Active Directory.
What’s more, as delegation of rights using Adaxes doesn't affect the native Active Directory permissions, you can significantly reduce the number of users with administrative access to the security-sensitive resources in AD too.
Role-Based Access Control for Active Directory
Every time you want to assign or revoke privileges, you need to grant or withdraw a set of permissions necessary to perform a certain job function. To simplify the process, Adaxes allows you to consolidate permissions into Security Roles and then assign these roles to users in accordance with their role in the organisation. To grant or revoke access rights to all users performing the same job function, you just need to modify the permissions of the security role associated with that job function. Centrally, easily, and reliably.
Since Adaxes includes built-in security roles for typical responsibilities out of the box, you don't need to undertake an extensive process of defining your own security roles. If necessary, you can modify the built-in roles to meet your own needs or inherit your security roles from already existing ones.
Role-Based Permission Assignments
When you assign an administrative role to users, you are essentially saying these users have the privileges granted by this role within the specified scope of influence. The scope of influence determines where in Active Directory the users of the role can perform the delegated activities. (For example, your Help Desk team can be given permission to perform account management tasks on members of the Manufacturing department.) But this becomes trickier when members of the Manufacturing department are spread across different OUs, domains or forests sharing a global uniform catalogue, or when the Manufacturing department is located in the same OU as members of other departments. Although the native Active Directory delegation model cannot address these issues, Adaxes can. It gives you much more flexibility, enabling a more granular and accurate assignment of rights by allowing you to delegate permissions over, for example, all objects located in one or several AD domains or forests, or over specific AD objects.
Book a demo
Our team of technical experts has been guiding organisations through the complex challenges of a rapidly changing digital world and making IT easier for over 20 years. Active Directory role-based access control provided by our long-term partner Adaxes allows you to greatly reduce the complexity and cost of security administration whilst significantly freeing up your experienced IT team to carry out the more strategically important functions of their roles.