Finding a balance between having control over sensitive operations in Active Directory and not spending too much valuable time on them is very hard. High level authorities can’t afford to perform all simple and time-consuming operations themselves. But at the same time they need to retain full control over them.
Is there a way out of this problem? Yes. With Adaxes there is a solution. It allows to add an approval step to practically any operation performed in Active Directory, Exchange, Office 365, etc. This means that the actual execution of various tasks can be delegated to lower level authorities without sacrificing the control.
How It Works
Let’s have a look at how approval-based workflow can be useful in a real world.
Take a company that has a typical structure. Obviously, it does have an IT department, where Tim is working as an admin.
User Creation Process
Among other duties Tim is responsible for user accounts creation, maintenance and deprovisioning. Fortunately, his managers are wise enough to understand that making a highly skilled admin to perform such routine tasks is equivalent throwing his salary away. That is why they make a right decision and get Adaxes.
With Adaxes Tim can delegate all user creation procedures to the HR department. Previously there was a risk that there would be a mistake and, for example, some users would be created in a wrong OU or several accounts for the same user would be created by accident, etc. But now Tim can be calm about that.
All he needs to do is to create an approval step that would be triggered before user creation. Once somebody from the HR department enters all the personal data of a new employee and clicks the Create button, the operation will be suspended and an email notification with an approval request will be sent to Tim.
After checking that everything is alright, Tim will grant his permission. Only then the user account will be created. If there is something wrong with the new user, Tim can deny the operation. This approach allows him to spend significantly less time on the tedious user creation process but still retain full control over it.
Group Membership Management
Another area where Tim’s managers would like him to spend less of his extremely valuable time is managing users’ group membership for things like printer access, shared folders, etc.
Previously, if users required access to any of the company resources, they needed to email the IT department to request it. Admins then had to check if this user really needs these access rights, sometimes ask their managers, etc.
It’s easy to spot that this was really far from being efficient.
But with Adaxes admins can be excluded from this chain and at the same time still have full control over the process. Users can be enabled to add themselves to groups but only after an approval is granted. For example, it can be requested either from the users’ managers or from group owners.
The great thing is that there are no specific technical skills required from the managers, so no extra training or whatsoever is needed. All they need to do is get an email, check if a particular user really needs new access rights, proceed to the Web UI and either approve or deny the operation. As simple as that!
Managers don’t even need to know that groups (or even Active Directory itself) exists. For them it will be a simple question of either allowing access to some resources or not. No further complications.
To enable all that, Tim creates a rule in Adaxes that would be triggered before a user is added to a group. The operation will then be suspended until an approval is granted.
Adaxes allows Tim to be very flexible when defining the approvers list. He can either choose a specific manager for each case or go for one of the predefined options: manager of the requestor, owner of the requestor’s OU, owner of the target group or owner of the target group’s OU. In that case the approvers list will be formed depending on the actual operation.
If Tim wants to create a more complicated list of approvers that will include, e.g. assistants of managers, or a list that would change depending on certain conditions, he can use his own custom scripts to extend the out-of-the-box functionality of Adaxes.
For some security sensitive operations he can add multi-level approval. This means that after the first permission is granted, e.g. by a manager of the requestor, Tim can add another approval step, putting, e.g. a higher level manager or members of IT staff in the approvers list. Thus the operation won’t proceed unless approved at all levels.
Of course, there might be a situation when a certain approver becomes unavailable, so the operation that are waiting for his permission get stopped. Naturally, nobody wants delays like that, so such situations have to be solved somehow. Luckily, Adaxes has got Tim covered in that case. Being an admin, he can always access all approval requests in the environment from the Adaxes Administration Console and approve/deny/cancel any of them if it is needed.
Controlling Automated Tasks
Approval mechanism of Adaxes allows Tim to delegate more operations to users whilst retaining full control over them. But what about tasks that have nothing to do with users? What about automated operations performed either regularly or triggered by certain events?
For example, Tim has got an AD cleanup process that runs periodically and deprovisions stale user accounts, deletes inactive computers, empty groups, etc. To make sure that nothing goes wrong, he can add an approval step to any of the operations that are performed automatically (e.g. automatically deprovisioning inactive users). Again, this would mean that the only thing he needs to do, is to check requests that are sent to him by email and approve/deny. This takes significantly less time than doing all the same by hand.
Implementing Approval-Based Workflow can significantly increase overall efficiency as it allows to delegate more responsibilities to lower level authorities without any compromises in security. Such approach can reduce the load on more skilled and high valued employees but at the same time keep them in charge of everything.
This leads to a generally healthier environment and gives businesses an opportunity to better allocate their resources and focus on the things that really matter.