IT Business Delegation Model


Transcript of IT Business Delegation Model

Page 1: IT Business Delegation Model

IT Business Delegation Model

Global AD Delegation

March 10th. 2010 Eguibar Information Technology S.L. © 2015 1

Page 2: IT Business Delegation Model

Table of Contents

1. What is a Business Delegation Model?

2. How to build a Business Delegation Model?

3. Local Site business IT unit

4. Global business IT units

5. Enterprise business IT units

6. Big Picture

7. GPO Hierarchy

8. Timeline & Milestones


Page 3: IT Business Delegation Model

What is a Business Delegation Model?


Page 4: IT Business Delegation Model

What is a Business Delegation Model?

It permits each individual IT unit (commonly known as a local site) to perform all daily tasks regarding Active Directory without holding elevated privileges.

In other words, the corresponding rights are granted to local administrators so they can manage objects within their scope or defined site, without making them Domain Administrators.

In summary:

• Get in the house without the master key

• Go shopping without the master card

• Go for dinner without a buffet

• Go Admin without Domain Admins


Page 5: IT Business Delegation Model

How to build a Business Delegation Model?


Page 6: IT Business Delegation Model

How to build a Business Delegation Model?

1. Identify what the business needs (if the business requires centralized user provisioning, then WHY is the local administrator creating users?)

2. Identify the IT business units (each of the IT groups that, at any given level, maintains the directory, e.g. User Provisioning, Monitoring, Deployment, Global Architect, Human Resources, etc.)

3. Gather the IT business units' needs (what each of these units does against Active Directory, e.g. join a PC to the domain, create a group, modify a GPO, etc. This can be the Santa Claus wish list).

4. Make the standard template of granted rights for each IT unit based on the combination of the above 3 points (if you were a good IT, Santa Claus will grant you the wish list).


Page 7: IT Business Delegation Model

How to build a Business Delegation Model?


Page 8: IT Business Delegation Model

Local Site business IT unit


Page 9: IT Business Delegation Model

Local Site business IT unit

The local administrator should continue with their assigned tasks (within the corporate standard) on the defined unit.

• What can be created?

• Where can it be created?

• Who can change it?

• How is it delegated/revoked?

• How is the model extended?


Page 10: IT Business Delegation Model

Local Site business IT unit

The unit will have a set of predefined containers where only that kind of object can be created.

• 2 groups will have the delegated rights on the corresponding containers: Site_Admins & Gal_Admins

• Site_Admins can create/delete objects in the sub-containers (users in the Users OU, laptops in the Laptops OU…) and hold some Extended Rights (like Reset Password)

• Gal_Admins can change some attributes on the given object.

• Site_Admins is nested in (is a member of) the Gal_Admins group, inheriting all its rights.
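The following PowerShell is an added example, not code from the original deck or from Eguibar. It builds one local-site unit the way this slide describes: one sub-container per object class, a Site_Admins group that can only create/delete that class in its own container plus the Reset Password extended right on users, a Gal_Admins group that can only write GAL-type attribute sets on users, and Site_Admins nested into Gal_Admins. The site OU 'OU=Madrid,OU=Sites,DC=corp,DC=example', the group names '<Site>_Site_Admins' / '<Site>_Gal_Admins', and the choice of the 'Personal Information' and 'Public Information' property sets as "the GAL attributes" are assumptions made for the example; the schema and control-access-right GUIDs are looked up from the forest instead of being hard-coded.

```powershell
# Added example (not from the original deck). Assumes the ActiveDirectory module,
# the hypothetical site OU below, and an account allowed to create OUs/groups and
# edit OU ACLs. Run in a TEST domain first.
Import-Module ActiveDirectory

$SiteName = 'Madrid'                                     # hypothetical site
$SiteOU   = "OU=$SiteName,OU=Sites,DC=corp,DC=example"   # hypothetical DN
$RootDSE  = Get-ADRootDSE

# Resolve schema-class and control-access-right GUIDs from this forest; the
# object-type fields of the ACEs below depend on them.
function Get-SchemaClassGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $RootDSE.schemaNamingContext -Properties schemaIDGUID `
            -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$LdapDisplayName))"
    if (-not $o) { throw "schema class '$LdapDisplayName' not found" }
    [guid]$o.schemaIDGUID
}
function Get-RightsGuid([string]$DisplayName) {
    # Works for extended rights (Reset Password) and property sets (Personal Information)
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($RootDSE.configurationNamingContext)" `
            -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $o) { throw "control access right '$DisplayName' not found" }
    [guid]$o.rightsGuid
}

# Append one Allow ACE to an OU. ObjectType, inheritance and InheritedObjectType
# are what keep the right scoped to one object class inside one container.
function Add-OuAce {
    param(
        [string]$OuDN,
        [System.Security.Principal.IdentityReference]$Identity,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [guid]$ObjectType = [guid]::Empty,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance = 'None',
        [guid]$InheritedObjectType = [guid]::Empty
    )
    $acl = Get-Acl -Path "AD:\$OuDN"
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $Identity, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType, $Inheritance, $InheritedObjectType)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$OuDN" -AclObject $acl
}

# 1. Predefined sub-containers: one object class per container.
$Containers = [ordered]@{ Users = 'user'; Laptops = 'computer'; Groups = 'group' }
foreach ($name in $Containers.Keys) {
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$name)" -SearchBase $SiteOU -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $name -Path $SiteOU -ProtectedFromAccidentalDeletion $true
    }
}

# 2. The two delegation groups, kept inside the site's own Groups OU.
foreach ($g in "${SiteName}_Site_Admins", "${SiteName}_Gal_Admins") {
    if (-not (Get-ADGroup -LDAPFilter "(sAMAccountName=$g)")) {
        New-ADGroup -Name $g -GroupScope DomainLocal -GroupCategory Security -Path "OU=Groups,$SiteOU"
    }
}
$SiteAdmins = (Get-ADGroup "${SiteName}_Site_Admins").SID
$GalAdmins  = (Get-ADGroup "${SiteName}_Gal_Admins").SID

# 3. Site_Admins: create/delete only the class that belongs in each container ...
foreach ($name in $Containers.Keys) {
    Add-OuAce -OuDN "OU=$name,$SiteOU" -Identity $SiteAdmins -Rights 'CreateChild, DeleteChild' `
              -ObjectType (Get-SchemaClassGuid $Containers[$name])
}
# ... plus the Reset Password extended right on user objects below the Users OU.
Add-OuAce -OuDN "OU=Users,$SiteOU" -Identity $SiteAdmins -Rights ExtendedRight `
          -ObjectType (Get-RightsGuid 'Reset Password') -Inheritance Descendents `
          -InheritedObjectType (Get-SchemaClassGuid 'user')

# 4. Gal_Admins: write only the chosen attribute sets on users, nothing else.
foreach ($set in 'Personal Information', 'Public Information') {   # assumption: "GAL attributes"
    Add-OuAce -OuDN "OU=Users,$SiteOU" -Identity $GalAdmins -Rights WriteProperty `
              -ObjectType (Get-RightsGuid $set) -Inheritance Descendents `
              -InheritedObjectType (Get-SchemaClassGuid 'user')
}

# 5. Nest Site_Admins into Gal_Admins so it inherits the attribute rights.
Add-ADGroupMember -Identity "${SiteName}_Gal_Admins" -Members "${SiteName}_Site_Admins"

# Check: show the explicit (non-inherited) ACEs just granted on the Users OU.
(Get-Acl -Path "AD:\OU=Users,$SiteOU").Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference -like '*_Admins' } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType -AutoSize
```

The point to notice is the scoping: every ACE names an object class (or a property set) and, where it must apply to objects rather than the container, is written as an inherit-only ACE for descendant user objects. Granting "CreateChild" without an object type, or "WriteProperty" without a property set, is how a site delegation silently turns into a path to Domain Admins.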


Page 11: IT Business Delegation Model

Local Site business IT unit

• Who defines the rights?

  • The business, based on

    • feedback provided by the Local Unit

    • Global business requirements

• How are the rights defined?

  • Based on proof and justification of a requested action

• How are the sub-containers defined?

  • Based on the IT object management organization

    • Do the objects in the container require a different administration entity?

    • Do the objects in the container require different policies?

    • Do the objects in the container require to be hidden?

  • Any justified positive answer opens the possibility of a new container.


Page 12: IT Business Delegation Model

Global business IT units


Page 13: IT Business Delegation Model

Global business IT units

• Meaning any group (IT based or not) that needs to modify or change attributes within the directory. Two good examples are the Service Desk as an IT unit (member of the All Sites Admin group) and Human Resources as a non-IT traversal unit (member of the Global GAL Admin group).

• On a technical level, these two groups have no special delegation of rights. They get their permissions by being nested into the local groups, where the delegation is done. Splitting these kinds of global roles is only a matter of creating a new group and nesting it accordingly. As an example, create an HR GAL group for America and nest it into the America sites, and one for Europe and nest it into the Europe sites.
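The following PowerShell is an added example, not code from the original deck or from Eguibar. It applies the nesting rule from this slide (a regional HR GAL role per region, a Service Desk role across all sites, neither holding ACEs of its own) and then adds the check a practitioner wants: that none of the global roles appears as a direct ACE on any OU under the sites tree, so that every right they have really comes from nesting. The OU paths, the role and site names, and the per-site group naming '<Site>_Site_Admins' / '<Site>_Gal_Admins' are assumptions made for the example.

```powershell
# Added example (not from the original deck). Assumes the ActiveDirectory module,
# the hypothetical OUs/names below, and per-site groups that already exist.
Import-Module ActiveDirectory

$SitesOU  = 'OU=Sites,DC=corp,DC=example'    # hypothetical
$GlobalOU = 'OU=Global,DC=corp,DC=example'   # hypothetical
$HrRoles  = @{                               # HR GAL role -> sites it serves (hypothetical)
    HR_GAL_Europe  = @('Madrid', 'Berlin')
    HR_GAL_America = @('Boston', 'Bogota')
}
$ServiceDesk = 'ServiceDesk_AllSites'        # hypothetical 1st-level support role
$AllSites    = $HrRoles.Values | ForEach-Object { $_ }

function New-GlobalGroupIfMissing([string]$Name) {
    if (-not (Get-ADGroup -LDAPFilter "(sAMAccountName=$Name)")) {
        New-ADGroup -Name $Name -GroupScope Global -GroupCategory Security -Path $GlobalOU
    }
}

# 1. HR is a non-IT unit: one group per region, nested into that region's Gal_Admins.
foreach ($role in $HrRoles.Keys) {
    New-GlobalGroupIfMissing $role
    foreach ($site in $HrRoles[$role]) {
        Add-ADGroupMember -Identity "${site}_Gal_Admins" -Members $role
    }
}

# 2. Service Desk supports every site: nested into each Site_Admins.
New-GlobalGroupIfMissing $ServiceDesk
foreach ($site in $AllSites) {
    Add-ADGroupMember -Identity "${site}_Site_Admins" -Members $ServiceDesk
}

# 3. Verification: a global role must not appear as a direct (non-inherited) ACE
#    on any OU under the sites tree. Anything reported here is drift from the model.
function Get-DirectAce {
    param([string]$SearchBase, [string[]]$Principals)
    foreach ($ou in Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase) {
        $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited) { continue }
            $who = $ace.IdentityReference.Value.Split('\')[-1]   # strip DOMAIN\
            if ($Principals -contains $who) {
                [pscustomobject]@{
                    OU        = $ou.DistinguishedName
                    Principal = $who
                    Rights    = $ace.ActiveDirectoryRights
                    Type      = $ace.AccessControlType
                }
            }
        }
    }
}

$globalRoles = @($HrRoles.Keys) + $ServiceDesk
$direct = @(Get-DirectAce -SearchBase $SitesOU -Principals $globalRoles)
if ($direct.Count -gt 0) {
    $direct | Format-Table -AutoSize
    Write-Warning "$($direct.Count) direct ACE(s) held by global roles; they should get rights by nesting only."
} else {
    Write-Output "OK: no direct ACEs for $($globalRoles -join ', ') under $SitesOU"
}

# 4. Show the path each global role takes: the local groups it is nested into.
foreach ($role in $globalRoles) {
    $via = (Get-ADPrincipalGroupMembership $role | Select-Object -ExpandProperty Name) -join ', '
    Write-Output "$role -> $via"
}
```

Because the global roles carry no ACEs, revoking HR from a region is a single Remove-ADGroupMember on that region's Gal_Admins groups, and the same Get-DirectAce pass can be re-run after any change (or scheduled) to catch someone "fixing" a ticket by adding a direct ACE to an OU.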


Page 14: IT Business Delegation Model

Global business IT units

1st. Level support

• Who defines the rights?

  • The business, based on

    • Service requests on AD objects in more than one local IT business unit

    • Current local site rights

• How are the rights defined?

  • Based on the requested scope (rights are local unit based) by nesting the corresponding groups.

• How are areas defined?

  • From a grouping perspective

    • Geographical

    • Functional

    • Organizational


Page 15: IT Business Delegation Model

Global business IT units

2nd. Level support

• Who defines the rights?

  • The IT unit, based on

    • Maintenance tasks

    • Scope of the group

    • Roles

    • Responsibilities

• How are the rights defined?

  • Based on task and role, having semi-elevated rights (e.g. Backup Operators / Server Operators)

Servers & Services

• No management done by local IT business units

• Maintained and supported from the Global and Enterprise levels


Page 16: IT Business Delegation Model

Enterprise business IT units


Page 17: IT Business Delegation Model

Enterprise business IT units

The technical owners and "Infrastructure Administrators" of the overall AD environment. Any major change or AD-wide problem will be considered an Enterprise topic and will be handled by the Enterprise IT unit.

The Enterprise group will not use elevated privileged groups (e.g. Domain Admins) to accomplish its tasks. Specific delegation will be done under their responsibility areas.


Page 18: IT Business Delegation Model

Big Picture


Page 19: IT Business Delegation Model

Big Picture

The IT Business Delegation Model is a combination of groups (and nested groups) with some assigned permissions (silver key) and/or extended rights delegated (gold key). Additionally there are groups which have higher security enforced by a policy.


Page 20: IT Business Delegation Model

GPO Hierarchy


Page 21: IT Business Delegation Model

GPO Hierarchy

The way GPOs are configured will define the management of the AD objects. Planning GPOs for delegation and standard configuration will result in an optimized and secured environment.


Page 22: IT Business Delegation Model

Timeline & Milestones


Page 23: IT Business Delegation Model

Timeline & Milestones


AD PAM Requirements

• Identify what the business needs

• Build the skeleton of the delegation

• Align with standards

Interviews

• Check with each team who has "Change" access on AD and map it to the corresponding template matching its duties.

Build Standards

• Set the Access Templates based on Roles and Responsibilities

Test

• Use the TEST environment to

  • Review Technical Delegation

  • Certify Rights and Access

  • Meet Standard Requirements

  • Confirm each party can complete its daily work

Rollout

• Implement the new model on the current environment and migrate access from the current to the new secured delegation.