Making Entitlements in AD Understandable to the Business. Rob de Jong, Program Manager, Microsoft Corporation. Session SIA314.


Agenda

• Overview
• Security Groups and Roles
• Experiences
  • Role Mining
  • Attestation
  • Self Service
• Managing Security Groups with BHOLD

Introduction

• Rob de Jong
• Program Manager in the Active Directory team for BHOLD
• Previously worked for more than 10 years as a Lead Architect with BHOLD Company
• Did more than 25 implementations of Access Control software products with Medium and Large customers

Problem

• Security Groups are the representation of Entitlements, and they’re out of control
• Explosion of SGs – token bloat – why are users in so many groups?
• Lack of control over group lifecycle – when can a group be deleted? Who owns it? What resources rely upon it?
• People call up the helpdesk to ask Admins to put them into groups – but the helpdesk doesn’t know if they should be in the group or not

Context

• FIM and BHOLD
  • History of FIM
    • Add a user to a security group
      • With a workflow
      • With an approval process
      • Or automatically (dynamic groups)
  • What’s added in R2 – historical reporting
    • See which user got a new group membership and who approved
  • What’s added with BHOLD
    • Automatic assignments based on user attributes
    • Requests and approvals for multiple groups rolled up in one Role
    • Attestation process
    • Role Mining

About Roles

Roles – new in FIM2010 R2

• What is a Role?
  • A way to categorize User relationships to Groups
  • Allows for automated provisioning through policies
• Better experiences to Groups
  • Collect multiple Groups to Roles
  • Associate Roles with OUs (projects, departments)
  • Associate Roles with User Attributes (job titles, locations, managers)
  • Can give meaningful names to Roles
  • Can track relationship between SGs

How do Roles work?

• Roles have members
  • Users that are automatically linked through Orgunit memberships or attribute values
  • Manually linked through Self Service Requests
  • Directly linked by the Administrator
• Roles have content
  • Active Directory groups, modeled as Permissions
  • Access rights in other applications, modeled as Permissions
  • Other Roles
• Roles can be inherited throughout the Orgunit structure
• When a User gets a Role, the contents of the Role are linked to the User
  • This triggers provisioning instructions through FIM2010 into the target applications

Recap Roles

• Roles group Access Rights – AD Groups, other apps
• Roles are created…
  • Automatically, based on HR data
  • Manually
• Roles are linked to Users…
  • Automatically, based on HR data
  • Manually, through…
    • Self Service Request and Approval
    • Direct link in BHOLD Portal
• Roles trigger provisioning to targets – AD, other apps

Automatic Provisioning Experience

Automatic Provisioning

• New Employee data coming from HR flows into BHOLD through FIM2010

• BHOLD automatically links the new employee to Roles based on HR information – Department, Job Title,…

• BHOLD calculates group memberships based on roles

• Group memberships are provisioned into AD through FIM2010

• Changes in Employee data automatically trigger recalculation of group memberships in BHOLD
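The role mechanics of the "How do Roles work?" slide and the recalculation described above, as an added example that is not BHOLD's own engine: Membership Roles are inherited down a constructed Orgunit tree, an Attribute Role matches an HR attribute value, Roles may contain AD groups (Permissions) or other Roles, and an HR change is handled by recalculating the target groups and diffing them against current AD state. All OU, role and group names are constructed.

```python
# Constructed Orgunit tree, role attachments and role content (not real BHOLD data).
OU_PARENT = {"Corp": None, "Finance": "Corp", "Payroll": "Finance"}
OU_ROLES = {"Corp": {"AllStaff"}, "Finance": {"FinanceBase"}, "Payroll": {"PayrollOps"}}
ATTR_ROLES = {("title", "Controller"): {"Controller"}}   # (attribute, value) -> roles
ROLE_CONTENT = {   # role -> permissions (AD groups) and nested roles
    "AllStaff":    {"groups": {"VPN-Users"}, "roles": set()},
    "FinanceBase": {"groups": {"FIN-Share-RW"}, "roles": set()},
    "PayrollOps":  {"groups": {"PAYROLL-RW"}, "roles": {"FinanceBase"}},
    "Controller":  {"groups": {"ERP-GL-Admins"}, "roles": set()},
}

def roles_for(user):
    """Membership Roles from the user's OU and every ancestor OU, plus Attribute Roles."""
    roles, ou = set(), user["ou"]
    while ou is not None:
        roles |= OU_ROLES.get(ou, set())
        ou = OU_PARENT[ou]
    for (attr, value), granted in ATTR_ROLES.items():
        if user.get(attr) == value:
            roles |= granted
    return roles

def expand(roles):
    """Resolve nested roles to the flat set of AD groups (cycle-safe)."""
    groups, seen, todo = set(), set(), list(roles)
    while todo:
        role = todo.pop()
        if role in seen:
            continue
        seen.add(role)
        groups |= ROLE_CONTENT[role]["groups"]
        todo.extend(ROLE_CONTENT[role]["roles"])
    return groups

def provisioning_delta(user, current_ad_groups):
    """Adds/removes FIM would push to AD after (re)calculating from HR data."""
    target = expand(roles_for(user))
    return {"add": target - current_ad_groups, "remove": current_ad_groups - target}
```

Running `provisioning_delta` again after the user's OU or title changes yields exactly the removals that a manual process usually forgets.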

[Diagram: Automatic Provisioning Dataflow. Source HR feeds the HR MA into the FIM Sync Svc metaverse (MV), where the BHOLD MV Extn and BHOLD MA pass Employees and HR OU’s to BHOLD RBAC; BHOLD returns Groups and Accounts plus Group Memberships, which the AD MA provisions into Active Directory (Employees, OU’s, Accounts & Groups; Group Memberships). Legend: BHOLD components and data flow; FIM components and data flow.]

Recap Automatic Provisioning

• Takes care of Day 0 provisioning, based on HR data
• Updates user access rights when HR data changes
• Fully automated, no interaction needed
• Will typically take care of 40% – 60% of your provisioning needs

Role Definition and Mining Experience

Role Definition

• Where do roles come from?
  • Automatic Roles
    • Created for each Organizational Unit
    • Created for each Attribute you configure
    • Created for each user
  • Manual Roles
    • Can be freely created
    • Can be assigned manually or used for Self Service

Role Mining

• How can statistics help to create role content?
• What do you need to prepare for role mining?
• How do you get that data?
• What are the minimum Role requirements to drive auto provisioning?

Role Types

• Membership Roles
  • Inherited by the Users in the Organizational Unit
  • Inherited through the Organizational Unit tree
• Attribute Roles
  • Configured for each attribute you want to drive an attribute role
  • Linked to users with a matching attribute value
• Optional Roles
  • Created to group access rights that are optional within an Organizational Unit
  • Linked/unlinked through Self Service
• Personal Roles
  • Created to group access rights that do not fit in any other Role Type
  • Each user has their own Personal Role

Role Mining Statistics

• Will link Permissions to Roles, based on largest common denominator
• Parameters can be set using the Role Generator wizard
• Examples:
  • If more than 95% of the Users in a Job Title share the same Permission, then link the Permission to the Role
  • If all Users in a department share the same Permission, then link the Permission to the Role
  • If more than 30% of the Users in a department share a permission, then create an Optional Role for this permission
• Role Model can be analyzed, modified, or Role Mining can be repeated with other parameters
• Role Model can be created off-line and imported in BHOLD
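The three threshold rules above, carried out over a constructed set of AD accounts with HR attributes, as an added example (not the Role Generator wizard or Model Generator itself): a permission held by more than 95% of the users sharing a job title is linked to that Attribute Role, one held by every user in a department is linked to the department's Membership Role, and one held by more than 30% of a department becomes an Optional Role. User, department, title and group names are constructed; the thresholds are parameters so the mining can be re-run with other values.

```python
from collections import defaultdict

# Constructed sample: AD accounts with HR attributes and current group memberships.
USERS = [
    {"sam": "alice", "dept": "Finance", "title": "Accountant",
     "groups": {"FIN-Share-RW", "ERP-GL-Users", "VPN-Users"}},
    {"sam": "bob", "dept": "Finance", "title": "Accountant",
     "groups": {"FIN-Share-RW", "ERP-GL-Users", "VPN-Users", "PRN-Floor3"}},
    {"sam": "carol", "dept": "Finance", "title": "Controller",
     "groups": {"FIN-Share-RW", "ERP-GL-Admins", "VPN-Users"}},
    {"sam": "dave", "dept": "Finance", "title": "Accountant",
     "groups": {"FIN-Share-RW", "ERP-GL-Users", "PRN-Floor3"}},
    {"sam": "erin", "dept": "Finance", "title": "Analyst",
     "groups": {"FIN-Share-RW", "BI-Readers"}},
]

def permission_ratios(users):
    """Map each group to the fraction of the given population holding it."""
    counts = defaultdict(int)
    for u in users:
        for g in u["groups"]:
            counts[g] += 1
    return {g: n / len(users) for g, n in counts.items()}

def mine_roles(users, title_min=0.95, dept_all=1.0, optional_min=0.30):
    """Return a role model: {role name: {"type": ..., "permissions": set of groups}}."""
    by_title, by_dept = defaultdict(list), defaultdict(list)
    for u in users:
        by_title[u["title"]].append(u)
        by_dept[u["dept"]].append(u)
    model = {}
    for title, members in by_title.items():          # Attribute Roles (job title)
        perms = {g for g, r in permission_ratios(members).items() if r > title_min}
        model[f"Title:{title}"] = {"type": "attribute", "permissions": perms}
    for dept, members in by_dept.items():            # Membership + Optional Roles
        ratios = permission_ratios(members)
        model[f"OU:{dept}"] = {"type": "membership",
                               "permissions": {g for g, r in ratios.items() if r >= dept_all}}
        for g, r in ratios.items():
            if optional_min < r < dept_all:
                model[f"Optional:{dept}:{g}"] = {"type": "optional", "permissions": {g}}
    return model
```

A title held by a single user (Controller here) trivially passes the 95% rule, so a minimum population per role is a parameter worth adding before trusting mined content.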

Role Mining Dataflow

[Diagram: Role Mining Dataflow. Active Directory (AD Accounts, Groups and Group Memberships) and the HR System (Employee, Manager and Orgunit Info) are exported as Excel or .CSV files into the Model Generator; Role Mining produces Membership Roles, Attribute Roles, Optional Roles and Personal Roles, which are loaded into BHOLD.]

Recap Role Mining

• Roles are used to assign Permissions to Users
• Permissions can be Security Groups or access rights in other applications
• Different Role Types can be used
• Most Roles are maintained automatically
• Most Roles are linked automatically to users
• Role content can be generated from existing access rights

Attestation Experience

Attestation

attest (v.) attested, attesting, attests. v.tr. 1. To affirm to be correct, true, or genuine: The date of the painting was attested by the appraiser.

• A periodic process to review existing access rights of employees by their Steward – typically the line manager
• Create an Attestation Campaign
• Have managers fill out Attestation forms
• Collect information, monitor progress, handle exceptions, remove denied access rights

Attestation experience

• What do you need before you can start?
  • Identify stewards – typically from HR
  • Upload existing Group Memberships
• Who does what?
  • Administrator: Define a Campaign
  • Attestation module: Send out Attestation Requests
  • Stewards: Fill out the Attestation Forms
  • Attestation module: Send out Reminders
  • Administrator: Monitor Progress
  • Attestation module: Automatic correction in target
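The campaign mechanics of the "Who does what?" list above, as an added example that is not the BHOLD Attestation module: a campaign turns uploaded group memberships into one form per steward (the line manager from HR data, with an exception bucket for users who have no steward), collects per-membership decisions, reports progress for monitoring, and lists every denied membership as a correction to de-provision and every unanswered item as a reminder target. Names and memberships are constructed.

```python
from collections import defaultdict

# Constructed input: HR steward data (user -> manager) and current AD memberships.
MANAGER_OF = {"alice": "carol", "bob": "carol", "dave": "frank"}   # erin has no steward
MEMBERSHIPS = {
    "alice": {"FIN-Share-RW", "ERP-GL-Users"},
    "bob": {"FIN-Share-RW", "ERP-GL-Admins"},
    "dave": {"VPN-Users"},
    "erin": {"BI-Readers"},
}
EXCEPTION_QUEUE = "ADMIN-EXCEPTIONS"   # constructed name for the administrator's bucket

def create_campaign(manager_of, memberships):
    """One form per steward: a list of (user, group) items awaiting a decision."""
    forms = defaultdict(list)
    for user, groups in memberships.items():
        steward = manager_of.get(user, EXCEPTION_QUEUE)   # handle the no-steward exception
        for g in sorted(groups):
            forms[steward].append((user, g))
    return dict(forms)

def apply_decisions(forms, decisions):
    """decisions: {steward: {(user, group): "approve" | "deny"}}.
    Returns (removals, outstanding): denied items to de-provision from AD, and
    (steward, item) pairs with no answer yet, which get a reminder."""
    removals, outstanding = [], []
    for steward, items in forms.items():
        answered = decisions.get(steward, {})
        for item in items:
            verdict = answered.get(item)
            if verdict == "deny":
                removals.append(item)
            elif verdict is None:
                outstanding.append((steward, item))
    return removals, outstanding

def progress(forms, decisions):
    """Fraction of campaign items that have a decision, for the monitoring view."""
    total = sum(len(items) for items in forms.values())
    _, outstanding = apply_decisions(forms, decisions)
    return 1 - len(outstanding) / total if total else 1.0
```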

How the Attestation data flow works

[Diagram: Attestation data flow. Source HR and Active Directory feed their MAs into the FIM Sync Svc metaverse (MV, object set: Users, OU’s, Accounts, Prov.); the BHOLD MV Extn and BHOLD MA pass that data to BHOLD, which answers "Which Employee is in which department? Who is managing?" and "Which Users are in which AD Groups?". The BHOLD Attestation Service sends e-mail through the Email Server ("Can you please go to the Attestation Website and fill out the form?") and Stewards respond on the BHOLD Attestation Website. Legend: BHOLD components and responsible data flow; FIM components and data flow.

Sequence: 1. Employee data flows into MV. 2. User group memberships flow into MV. 3. User, Groups and Employee data flow into BHOLD. 4. A new Campaign is created. 5. Emails are sent to Stewards. 6. Steward fills out the form. 7. Corrections are sent to BHOLD. 8. Corrections are de-provisioned in AD.]

Recap Attestation

• Attestation ensures that users only have those Groups they should have

• Puts the control back in the hands of the Line Manager

• Role based approach allows for delegation of Attestation tasks

• Automatic removal of unwanted access rights enforces the results of Attestation

• Monitoring tools allow you to follow the progress of the Attestation process

Self Service experience

Self Service experience

• What it does
  • Request user role change
    • By a Line Manager
    • By an Employee
  • Gets an Approval
    • By a Line Manager
    • By a Role owner
    • By a Security Officer
  • User gets put in multiple SGs

BHOLD Self-Service

• Allow
  • a user to request or revoke a role for himself
  • a user to delegate a role to another person
  • a manager to request or revoke a role for users he is responsible for
  • approval workflow integration with FIM2010
• Integrated in FIM2010 portal
• Approval workflow uses FIM Workflows

Self Service Data Flow

[Diagram: Self Service Data Flow. Sequence: 1. Manager opens the Self Service Portal (BHOLD Self Service, integrated in the FIM Portal), which answers "What can this Manager Request?" from the Available Roles and Employees. 2. Manager makes a Request. 3. Request becomes a Workflow. 4. FIM2010 sends out Approval messages ("Can this User get this Role?"). 5. Role Owner approves the request ("Yes, he can!"). 6. Request is Approved. 7. Role is assigned to the User in BHOLD. 8. Groups are linked to Accounts and provisioned into Active Directory through the FIM Sync Svc (MV, BHOLD MV Extn, BHOLD MA, AD MA).]

Recap Self Service

• Allows an end user or manager to request adding or removing a Role
• Allows for temporary Role assignments
• Has an Approval process
  • Line Manager
  • Role Owner
  • Security Officer
• Is automatically provisioned after approval

Managing Security Groups with BHOLD

Managing Security Groups with BHOLD

• Identify owners of existing Groups
• Categorize sensitivity
• Manage lifecycle for groups
  • Who gets to create groups?
  • Make sure they register:
    • Who owns the group?
    • What is the purpose of the group?
    • What is the request and approval process?
• Enforce group membership from your administration
  • Let FIM2010 be authoritative for group memberships
  • Only assign group memberships through BHOLD/FIM2010

Scope your efforts

• Don’t do high business impact groups
  • Probably already some process in place
  • Probably a complex process with high visibility and high risks
• Don’t worry about the “I don’t care groups”:
  • groups with no members or groups that do not give access to any resources
• Focus on medium importance groups:
  • Large volume
  • Many resources
  • Many group members
  • High ROI

Steps to regain control over Groups - 1

1. Get your data
  • Which groups are there?
  • Which members do they have?
  • Which resources do they access?
2. Clean up your data
  • Get rid of ghost accounts – accounts that do not link to an employee
  • Get rid of ghost groups – groups that do not have members or give no access to resources
3. Filter out High Business Impact groups
  • Access to sensitive data
  • Access by “sensitive” employees
4. Upload into a basic role model

Steps to regain control over Groups - 2

5. Run Attestation to clean up your memberships
6. Start managing
  • Maintain Group memberships by:
    • Using Auto Provisioning (60%)
    • Using Self Service (30%)
    • Using Manual assignment (10%)
  • Do regular Attestation campaigns to maintain control

Making AD Entitlements Understandable for the business

• Generate a Role Model that is easy to understand for the business
• Populate the Role Model using Model Generator
• Maintain the Role Model using Attestation
• Use Automatic Provisioning for the majority of AD entitlements
• Use Self Service to allow the business to take responsibility
• Use Personal Roles to manage exceptions

How to learn more

• Download Microsoft BHOLD Suite from MSDN: https://msdn.microsoft.com/us-eng/subscriptions/securedownloads/#FileId=49036

• Available to all FIM 2010 R2 customers (based on FIM Software Assurance and CALs)


Resources

• TechEd North America (Connect. Share. Discuss.): http://northamerica.msteched.com
• Microsoft Certification & Training Resources: www.microsoft.com/learning
• TechNet, resources for IT Professionals: http://microsoft.com/technet
• MSDN, resources for Developers: http://microsoft.com/msdn


© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.