Welcome

Thank you for taking time to visit my blog. My name is Drew Olson and I hope to use this space to share ideas and generate conversation regarding identity and access management.

    Recent Postings

    Entries in NTFS (2)

    Thursday, Apr 28, 2011

    Tell me about this user: Reporting, Auditing, and Compliance

    I haven't posted in a few weeks but after a few recent meetings, I felt it would be a good idea to start a discussion on user auditing.  Most organizations have some form of user directory or white pages where one can find another user's department, contact information and perhaps some other basic information. However, the clients I met with were struggling to display more detailed information regarding an individual's group memberships, access permissions, and folder permissions.

    This type of information may be more detailed than most users would need to see regularly, but it can be very important for auditing, compliance and risk management standards.  How easy is it for you to locate someone's folder permissions or, beyond that, to see how they might have changed over time? Understanding this information will not only give you much better control over your IT security policy, but will also give you an upper hand when it comes to meeting regulations covered under SOX, HIPAA, etc.

    With these changes, and especially in this era of increased network attacks and data breaches, it is crucial for an organization to report and follow up on:

    • a list of requests and changes over the total time period x.
    • an overview of group memberships (overall and per user).
    • an overview of NTFS permissions (overall and per user).
    • an overview of the accounts that have not logged on in more than 30 days.
    • an overview of the disabled or blocked accounts.
    • the number of requests for a particular function or for a particular department.
    • the number of outstanding requests.
    • the average handling period.
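Several of the account and permission reports in this list can be pulled directly with the ActiveDirectory PowerShell module and Get-Acl. The script below is an added example, not part of the original post and not UMRA code; the share path and output folder are assumed values.

```powershell
#Requires -Modules ActiveDirectory
param(
    [string]$ShareRoot = '\\fileserver01\projects',  # assumed share path
    [string]$ReportDir = 'C:\AuditReports',          # assumed output folder
    [int]$StaleDays    = 30
)
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null
$cutoff = (Get-Date).AddDays(-$StaleDays)
$users  = Get-ADUser -Filter * -Properties LastLogonDate, LockedOut, MemberOf

# Enabled accounts with no logon in more than $StaleDays days (or never).
# LastLogonDate comes from lastLogonTimestamp, which AD refreshes lazily,
# so it can trail the real logon by up to about two weeks.
$users |
    Where-Object { $_.Enabled -and (-not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff) } |
    Select-Object SamAccountName, LastLogonDate |
    Export-Csv (Join-Path $ReportDir 'stale-accounts.csv') -NoTypeInformation

# Disabled or locked-out accounts.
$users | Where-Object { -not $_.Enabled -or $_.LockedOut } |
    Select-Object SamAccountName, Enabled, LockedOut |
    Export-Csv (Join-Path $ReportDir 'disabled-or-locked.csv') -NoTypeInformation

# Direct group membership, one row per user/group pair.
# MemberOf omits the primary group and does not expand nested groups.
$users | ForEach-Object {
    $sam = $_.SamAccountName
    foreach ($groupDn in $_.MemberOf) {
        [pscustomobject]@{ User = $sam; Group = $groupDn }
    }
} | Export-Csv (Join-Path $ReportDir 'group-membership.csv') -NoTypeInformation

# Explicit (non-inherited) NTFS entries on each top-level folder.
Get-ChildItem -Path $ShareRoot -Directory | ForEach-Object {
    $folder = $_.FullName
    (Get-Acl -Path $folder).Access |
        Where-Object { -not $_.IsInherited } |
        ForEach-Object {
            [pscustomobject]@{
                Folder   = $folder
                Identity = $_.IdentityReference.Value
                Rights   = $_.FileSystemRights
                Type     = $_.AccessControlType
            }
        }
} | Export-Csv (Join-Path $ReportDir 'ntfs-permissions.csv') -NoTypeInformation
```

Joining the NTFS report to the group-membership report on the group name gives the per-user view of folder permissions; keeping dated copies of the CSV files is what makes changes over time visible.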

    A solution such as Tools4ever's User Management Resource Administrator (UMRA) can easily assist you in these areas. UMRA automatically records management operations and changes to accounts and permissions. This detailed data is then readily available for later audit and reporting purposes. This type of solution can also provide export functionality, so that reports can be generated in a variety of different formats. This means that companies, at any moment, have insight into the processes involved and whether they comply with security policies, governing regulations and law.

     

    For more information, please visit: http://www.tools4ever.com/solutions/audit-compliance/

    Tuesday, Apr 05, 2011

    Delegation to project managers: self-service management for project folders 

    The challenge:

    In mid-sized to large organizations, we often find a need to use dedicated folders for a project that project managers can manage by themselves. Among other things, project managers want to be able to add or remove members or assign or revoke reading and writing privileges. The procedure usually involves the project manager calling IT to request a folder or informing them of changes regarding authorizations and privileges. This results in a call or ticket to which a member of the IT organization must be assigned. The latter will have to perform the task and notify the project manager of the outcome.

    But a different approach is possible:

    By offering project managers self-service capabilities, they will be able to register projects themselves. Using templates, IT administrators can determine what should happen at the NTFS level and in Active Directory. By creating a link with the HRM system, it will be possible, among other things, to check which Active Directory users are the actual project managers. Subsequently, these accounts are authorized to register projects using secure electronic forms (e-forms). These projects are then checked for naming and duplicate records. A project folder can be created on a file server using an intelligent mechanism. This mechanism makes it possible to define a group of file servers and to use the file server with the most available disk space, or to select a random file server from a group. This process would be even simpler with DFS, and in general less intelligence is required in pinpointing an NTFS location. After all, this is handled by DFS for the most part.

    After the project folder has been created, local and global groups can be automatically created in Active Directory on the basis of a user-defined naming convention, e.g. G-LG-NTFS-"project"-R or G-LG-NTFS-"project"-C. The local groups are subsequently linked to the global groups and assigned read and change privileges for the project folder. After completing the electronic form, the project manager will receive notification that the directory has been created, so that he or she can directly continue with the next form and add members to the project folder along with reading and/or writing privileges. In actual fact, a modification of the Active Directory groups created earlier is made in the background. For the project manager however, this is no longer relevant.
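The provisioning steps described above (naming and duplicate checks, folder creation, paired global and local groups, read and change rights) can be sketched with the ActiveDirectory module as follows. This is an added example, not part of the original post and not UMRA code. It assumes a single share instead of a file server pool, an assumed OU, and one reading of the naming convention (G- for global, LG- for domain local).

```powershell
#Requires -Modules ActiveDirectory
param(
    [Parameter(Mandatory)][string]$Project,
    [string]$ShareRoot = '\\fs01\projects',                    # assumed share
    [string]$GroupOu   = 'OU=Project Groups,DC=example,DC=com' # assumed OU
)
$ErrorActionPreference = 'Stop'

# Naming check first: the value is later placed in a path and an AD filter,
# so only a conservative character set is accepted.
if ($Project -notmatch '^[A-Za-z0-9][A-Za-z0-9_-]{2,30}$') {
    throw "Invalid project name '$Project'"
}

# Duplicate checks before anything is created.
$path = Join-Path $ShareRoot $Project
if (Test-Path -Path $path) { throw "Folder already exists: $path" }
# Assumed convention: -R = read, -C = change.
$rightsBySuffix = [ordered]@{ R = 'ReadAndExecute'; C = 'Modify' }
foreach ($suffix in $rightsBySuffix.Keys) {
    foreach ($name in "G-NTFS-$Project-$suffix", "LG-NTFS-$Project-$suffix") {
        if (Get-ADGroup -Filter "Name -eq '$name'") { throw "Group already exists: $name" }
    }
}

$folder = New-Item -ItemType Directory -Path $path
$acl    = Get-Acl -Path $folder.FullName

foreach ($suffix in $rightsBySuffix.Keys) {
    # Members go into the global group; only the domain local group is on the ACL.
    $global = New-ADGroup -Name "G-NTFS-$Project-$suffix" -GroupScope Global `
        -GroupCategory Security -Path $GroupOu -PassThru
    $local = New-ADGroup -Name "LG-NTFS-$Project-$suffix" -GroupScope DomainLocal `
        -GroupCategory Security -Path $GroupOu -PassThru
    Add-ADGroupMember -Identity $local -Members $global

    # Grant by SID so the ACE does not depend on name resolution or replication.
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $local.SID, $rightsBySuffix[$suffix],
        'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $folder.FullName -AclObject $acl
```

The project manager's later "add member" form then only needs rights to change membership of the two global groups, not rights on the folder ACL or the OU.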

    Want to know more? Check out organizational delegation and self-service for UMRA.