Post on 12-Feb-2017
IT Business Delegation Model
Global AD Delegation
March 10th. 2010 Eguibar Information Technology S.L. © 2015 1
Table of Contents
1. What is a Business Delegation Model?
2. How to build a Business Delegation Model?
3. Local Site business IT unit
4. Global business IT units
5. Enterprise business IT units
6. Big Picture
7. GPO Hierarchy
8. Timeline & Milestones
What is a Business Delegation Model?
The goal is to permit each individual IT unit (commonly known as a local
site) to perform all daily Active Directory tasks without holding
elevated privileges.
In other words, grant the corresponding rights to local administrators
so they can manage objects within their scope or defined site, without
making them Domain Administrators.
In summary:
• Get in the house without the master key
• Go shopping without the master card
• Go for dinner without a buffet
• Go Admin without Domain Admins
How to build a Business Delegation Model?
1. Identify what the business needs (if the business requires centralized
   user provisioning, then WHY is the local administrator creating users?).
2. Identify the IT business units (each of the IT groups that, at any given
   level, maintains the directory, e.g. User Provisioning, Monitoring,
   Deployment, Global Architect, Human Resources, etc.).
3. Gather each IT business unit's needs (what each of these units does
   against Active Directory, e.g. join a PC to the domain, create a group,
   modify a GPO, etc. This can be the Santa Claus wish list).
4. Build the standard template of rights granted to each IT unit from the
   combination of the above three points (if you have been a good IT unit,
   Santa Claus will grant the wish list).
Local Site business IT unit
The local administrator should continue with their assigned tasks
(within the corporate standard) on the defined unit.
• What can be created?
• Where can it be created?
• Who can change it?
• How is it delegated/revoked?
• How is the model extended?
Local Site business IT unit
The unit will have a set of predefined containers where only that kind
of object can be created.
• Two groups will have the delegated rights on the corresponding
  containers: Site_Admins and Gal_Admins.
• Site_Admins can create/delete objects in the sub-containers (users in
  the Users OU, laptops in the Laptops OU, ...) and hold some Extended
  Rights (like Reset Password).
• Gal_Admins can change some attributes on the given object.
• Site_Admins is nested in (is a member of) the Gal_Admins group,
  inheriting all of its rights.
Local Site business IT unit
• Who defines the rights?
  • The business, based on
    • feedback provided by the Local Unit
    • Global business requirements
• How are the rights defined?
  • Based on proof and justification of a requested action
• How are the sub-containers defined?
  • Based on the IT object management organization
    • Do the objects in the container require a different
      administration entity?
    • Do the objects in the container require different policies?
    • Do the objects in the container require to be hidden?
  • Any justified positive answer opens the possibility of a new
    container.
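The two-group pattern above (Site_Admins creating and deleting objects in typed sub-containers and holding the Reset Password extended right, Gal_Admins writing a few attributes, Site_Admins nested into Gal_Admins) can be expressed as explicit, object-typed ACEs on the site's OUs. The following PowerShell is an added example, not code from the deck or from Eguibar. It assumes the RSAT ActiveDirectory module, a caller allowed to modify the OU's security descriptor, and placeholder names (OU=Madrid,OU=Sites,DC=example,DC=com, Madrid_Site_Admins, Madrid_Gal_Admins, and the three GAL attributes chosen for Gal_Admins). Schema and extended-right GUIDs are resolved from the forest at run time rather than hard-coded.

```powershell
# Added example (not from the original deck): delegate a Local Site unit's
# Users OU to Site_Admins and Gal_Admins with explicit, object-typed ACEs.
# Assumptions: RSAT ActiveDirectory module present; the caller may modify the
# OU's security descriptor; OU, group and attribute names are placeholders.
Import-Module ActiveDirectory

$SiteOU  = 'OU=Madrid,OU=Sites,DC=example,DC=com'   # placeholder site OU
$UsersOU = "OU=Users,$SiteOU"                        # typed sub-container
$rootDse = Get-ADRootDSE

# Resolve GUIDs from the forest schema / Extended-Rights container so the
# ACEs are never built from hand-typed identifiers.
function Get-SchemaGuid {
    param([string]$LdapDisplayName)
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
function Get-ExtendedRightGuid {
    param([string]$DisplayName)
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$obj.rightsGuid
}

$userClass     = Get-SchemaGuid -LdapDisplayName 'user'
$resetPassword = Get-ExtendedRightGuid -DisplayName 'Reset Password'
# Attributes Gal_Admins may write (placeholder choice for the example).
$galAttributes = 'telephoneNumber', 'title', 'department' |
    ForEach-Object { Get-SchemaGuid -LdapDisplayName $_ }

$siteAdmins = (Get-ADGroup 'Madrid_Site_Admins').SID   # placeholder group names
$galAdmins  = (Get-ADGroup 'Madrid_Gal_Admins').SID

$allow       = [System.Security.AccessControl.AccessControlType]::Allow
$descendents = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$none        = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None

$acl = Get-Acl -Path "AD:\$UsersOU"

# Site_Admins: create/delete *user* objects only, and only directly in this OU
# (no inheritance, so the right does not leak into nested containers).
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
    $siteAdmins, ([System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'),
    $allow, $userClass, $none))

# Site_Admins: Reset Password extended right, scoped to user objects below this OU.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
    $siteAdmins, ([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight),
    $allow, $resetPassword, $descendents, $userClass))

# Gal_Admins: write the listed GAL attributes on user objects, nothing else.
foreach ($attr in $galAttributes) {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
        $galAdmins, ([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty),
        $allow, $attr, $descendents, $userClass))
}

Set-Acl -Path "AD:\$UsersOU" -AclObject $acl

# Site_Admins inherits the Gal_Admins attribute rights through nesting, as the
# model describes, instead of duplicating the ACEs.
Add-ADGroupMember -Identity 'Madrid_Gal_Admins' -Members 'Madrid_Site_Admins'
```

The same three ACE shapes are repeated for each typed sub-container with the matching class GUID (computer for the Laptops OU, group for a Groups OU); keeping CreateChild/DeleteChild non-inherited and typed is what stops a site administrator from creating object kinds the model did not foresee.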
Global business IT units
• Meaning any group (IT based or not) who needs to modify or change
  attributes within the directory. Two good examples are Service Desk as
  an IT unit (an All Sites Admin member) and Human Resources as a non-IT
  transversal unit (a Global GAL Admin member).
• On a technical level, these two groups have no special delegation of
  rights. They get their permissions by being nested into the local
  groups on which the delegation is done. To split these kinds of global
  roles, it is only a matter of creating a new group and nesting it
  accordingly. As an example, create an HHRR Gal group for America and
  nest it into the America sites, and one for Europe and nest it into
  the Europe sites.
Global business IT units
1st Level support
• Who defines the rights?
  • The business, based on
    • service requests on AD objects across more than one local IT
      business unit
    • current local site rights
• How are the rights defined?
  • Based on the requested scope (rights are local-unit based) by
    nesting the corresponding groups.
• How are areas defined?
  • From a grouping perspective
    • Geographical
    • Functional
    • Organizational
Global business IT units
2nd Level support
• Who defines the rights?
  • The IT unit, based on
    • Maintenance tasks
    • Scope of the group
    • Roles
    • Responsibilities
• How are the rights defined?
  • Based on task and role, having semi-elevated rights (e.g. Backup
    Operators / Server Operators)
Servers & Services
• No management done by Local IT business units
• Maintained and supported from the Global and Enterprise levels
Enterprise business IT units
The technical responsible and the “Infrastructure Administrators” of
the overall AD environment. Any major change or AD-wide problem will be
considered an Enterprise topic and will be handled by the Enterprise IT
unit.
The Enterprise group will not use Elevated Privileged groups (e.g.
Domain Admins) to accomplish its tasks. Specific delegation will be done
under their areas of responsibility.
Big Picture
The IT Business Delegation Model is a combination of groups (and nested
groups) with some assigned permissions (silver key) and/or extended
rights delegated (gold key). Additionally, there are groups which have
higher security enforced by a policy.
GPO Hierarchy
The way GPOs are configured will define the management of the AD
objects. Planning GPOs for delegation and standard configuration will
result in an optimized and secured environment.
Timeline & Milestones
1. AD PAM Requirements
   • Identify what the business needs
   • Build the skeleton of the delegation
   • Align with standards
2. Interviews
   • Check with each team who has “Change” access on AD and map it to
     the corresponding template matching its duties.
3. Build Standards
   • Set the Access Templates based on Roles and Responsibilities
4. Test
   • Use the TEST environment to:
     • Review the technical delegation
     • Certify rights and access
     • Meet standard requirements
     • Confirm each party can complete its daily work
5. Rollout
   • Implement the new model on the current environment and migrate
     access from the current to the new secured delegation.
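The Interviews milestone (find out who has “Change” access on AD and map it to a template) and the Test milestone (certify rights and access) both need the delegation as it is actually set on the directory, not as it is documented. The PowerShell below is an added example, not code from the deck or from Eguibar. It walks the OUs under a placeholder Sites OU (OU=Sites,DC=example,DC=com), lists every explicit (non-inherited) ACE with its GUIDs translated to schema and extended-right names, and flags trustees that do not match the <Site>_Site_Admins / <Site>_Gal_Admins naming template; the module, OU layout and naming pattern are assumptions.

```powershell
# Added example (not from the original deck): report explicit ACEs on the site
# OUs and flag trustees outside the <Site>_Site_Admins / <Site>_Gal_Admins template.
# Assumptions: RSAT ActiveDirectory module; OU layout and names are placeholders.
Import-Module ActiveDirectory

$SitesOU = 'OU=Sites,DC=example,DC=com'   # placeholder parent of all site OUs
$rootDse = Get-ADRootDSE

# GUID string -> friendly name for schema classes/attributes and extended rights.
$guidName = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidName[([guid]$_.schemaIDGUID).ToString()] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidName[([guid]$_.rightsGuid).ToString()] = $_.displayName }

function Resolve-AceGuid {
    param([guid]$Guid, [string]$WhenEmpty)
    if ($Guid -eq [guid]::Empty) { return $WhenEmpty }
    $key = $Guid.ToString()
    if ($guidName.ContainsKey($key)) { return $guidName[$key] }
    return $key   # unknown GUID: keep it visible rather than hide it
}

# The trustees the template allows on an OU, derived from the site OU directly
# under the Sites OU (works for the site OU and its typed sub-containers).
function Get-ExpectedTrustees {
    param([string]$OuDn, [string]$ParentDn)
    $relative = $OuDn.Substring(0, $OuDn.Length - $ParentDn.Length - 1)
    $site = ($relative -split ',')[-1] -replace '^OU=', ''
    "${site}_Site_Admins", "${site}_Gal_Admins"
}

function Get-DelegationReport {
    param([string]$OuDn, [string]$ParentDn)
    $expected = Get-ExpectedTrustees -OuDn $OuDn -ParentDn $ParentDn
    $acl = Get-Acl -Path "AD:\$OuDn"
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }   # explicit ACEs only: that is the delegation
        $trustee = $ace.IdentityReference.Value -replace '^[^\\]*\\', ''   # strip DOMAIN\
        [pscustomobject]@{
            OU              = $OuDn
            Trustee         = $trustee
            Type            = $ace.AccessControlType.ToString()
            Rights          = $ace.ActiveDirectoryRights.ToString()
            ObjectType      = Resolve-AceGuid -Guid $ace.ObjectType -WhenEmpty 'All'
            AppliesTo       = Resolve-AceGuid -Guid $ace.InheritedObjectType -WhenEmpty 'This and all child objects'
            MatchesTemplate = ($expected -contains $trustee)
        }
    }
}

# Walk the site OUs and their typed sub-containers...
$report = Get-ADOrganizationalUnit -SearchBase $SitesOU -SearchScope Subtree -Filter * |
    ForEach-Object { Get-DelegationReport -OuDn $_.DistinguishedName -ParentDn $SitesOU }

# ...and give the Interviews milestone its input: who holds rights outside the template?
$report | Where-Object { -not $_.MatchesTemplate } |
    Format-Table OU, Trustee, Type, Rights, ObjectType, AppliesTo -AutoSize
```

Explicit ACEs stamped from the schema's default security descriptor when an OU is created (SYSTEM, Domain Admins, Account Operators and similar) will also appear as non-template entries; they belong in the review as well, since the model's stance is that built-in privileged groups are not the vehicle for day-to-day rights.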