Welcome

Thank you for taking time to visit my blog. My name is Drew Olson and I hope to use this space to share ideas and generate conversation regarding identity and access management.


    Wednesday, April 13, 2011

    Expired accounts: ‘Please help, I can no longer log in — what now?’ 

    System administrators and helpdesk agents will be familiar with the problem; temporary hires or external employees are assigned a user account with an expiration date. Meanwhile, their contract is renewed without the IT department being notified, so in the morning you find the users at your desk complaining about being unable to work.

    Solution 1: A link with the HRM system

    A structural solution is to link your Active Directory to the HRM system (e.g. PeopleSoft, SAP HCM, Lawson). A ‘connector’ will automatically detect contracts that are about to expire and determine exactly when an account must be blocked. Any modifications in the HRM system will also be automatically implemented by the connector in Active Directory, enabling employees to continue working as usual. This connector can also operate on the basis of a phased approach. For instance, you can configure a ‘grace period’ that will allow users to log in until 2 days after their contract has expired. After this grace period, the user account will be quarantined for a period of 90 days, after which it will be completely erased, including the data and mailbox.

    Solution 2: Self-service based on e-forms

    If temporary hires or external employees are not registered in the HRM system, this can be solved by having the relevant manager handle requests for user accounts. A ‘web shop’ with electronic forms (e-forms) is made available, so that the manager can request user accounts for these employees. This can be configured so that requests are carried out immediately or must first be approved by the IT department. The web shop features will also allow managers to perform management tasks for the user accounts that they have requested, such as resetting passwords and unlocking, blocking, releasing or renewing accounts. This means temporary employees will no longer have to call in the help of IT if their contract is renewed. Everything can be handled directly by their manager.

    Solution 3: Automatic reporting and notifications

    This third solution can be combined with the two discussed above. UMRA by Tools4Ever makes it easy to convert the expiration date stored in Active Directory into a legible date. With solution 2, managers still run the risk of forgetting to renew contracts for temporary hires or external employees. To prevent this, it is possible to monitor, on a daily basis, accounts that are about to expire in, say, 2 weeks. Notifications will automatically be sent to the account itself and to the person who requested the account. This means the organisation is always kept up-to-date with regard to the accounts that threaten to expire. This can prevent a lot of frustration.
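    To show what solutions 1 and 3 look like as a scheduled daily job, here is an added PowerShell example (my own illustration, not UMRA's implementation). It assumes the ActiveDirectory module, that the requester of each account is stored in the user's `manager` attribute, and placeholder values for the search base, quarantine OU and SMTP relay.

```powershell
# Added example, not UMRA/Tools4Ever code. Assumes: ActiveDirectory module, the
# requester's DN in the 'manager' attribute, and the placeholder OUs/SMTP host below.
Import-Module ActiveDirectory

$GraceDays      = 2      # log-in still allowed for 2 days after the contract ends
$QuarantineDays = 90     # disabled and parked in the quarantine OU for 90 days
$WarnDays       = 14     # daily warning for accounts expiring within 2 weeks
$SearchBase     = 'OU=External,DC=example,DC=com'      # placeholder
$QuarantineOU   = 'OU=Quarantine,DC=example,DC=com'    # placeholder
$SmtpServer     = 'smtp.example.com'                   # placeholder
$Now            = Get-Date

# accountExpires is a Windows FILETIME; 0 and 0x7FFFFFFFFFFFFFFF both mean "never".
function ConvertTo-ExpiryDate([long]$FileTime) {
    if ($FileTime -eq 0 -or $FileTime -eq 0x7FFFFFFFFFFFFFFF) { return $null }
    return [DateTime]::FromFileTime($FileTime)
}

# Solution 1, connector side: contract end date from HRM plus the grace period.
function Set-ContractExpiry([string]$SamAccountName, [DateTime]$ContractEnd) {
    Set-ADAccountExpiration -Identity $SamAccountName -DateTime $ContractEnd.AddDays($GraceDays)
}

# Solution 3: warn the account and its requester about expiry within $WarnDays.
$expiring = Search-ADAccount -AccountExpiring -TimeSpan (New-TimeSpan -Days $WarnDays) `
                             -UsersOnly -SearchBase $SearchBase
foreach ($acct in $expiring) {
    $u = Get-ADUser $acct -Properties accountExpires, mail, manager
    $expires = ConvertTo-ExpiryDate $u.accountExpires
    $to = @($u.mail)
    if ($u.manager) { $to += (Get-ADUser $u.manager -Properties mail).mail }
    Send-MailMessage -SmtpServer $SmtpServer -From 'iam@example.com' -To $to `
        -Subject "Account $($u.SamAccountName) expires on $($expires.ToString('yyyy-MM-dd'))" `
        -Body 'Renew the account via the e-forms portal before this date to avoid a lockout.'
}

# Solution 1, lifecycle side: expired -> quarantine (disabled, moved) -> deletion.
$expired = Search-ADAccount -AccountExpired -UsersOnly -SearchBase $SearchBase
foreach ($acct in $expired) {
    $u = Get-ADUser $acct -Properties accountExpires
    $expires = ConvertTo-ExpiryDate $u.accountExpires
    if ($null -eq $expires) { continue }
    if (($Now - $expires).Days -lt $QuarantineDays) {
        if ($u.Enabled) {                        # first day past expiry: quarantine
            Disable-ADAccount -Identity $u
            Move-ADObject -Identity $u -TargetPath $QuarantineOU
        }
        continue
    }
    Remove-ADUser -Identity $u -Confirm:$false   # mailbox/home data cleanup is a separate step
}
```

    Run it once a day under a service account with rights limited to the external-user OU and the quarantine OU; the warning loop is safe to run on its own first, since it changes nothing.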

    Want to learn more about how UMRA can streamline your identity management process? Visit our website: www.tools4ever.com


    Tuesday, April 5, 2011

    Delegation to project managers: self-service management for project folders 

    The challenge:

    In mid-sized to large organizations, we often find a need to use dedicated folders for a project that project managers can manage by themselves. Among other things, project managers want to be able to add or remove members or assign or revoke reading and writing privileges. The procedure usually involves the project manager calling IT to request a folder or informing them of changes regarding authorizations and privileges. This results in a call or ticket to which a member of the IT organization must be assigned. The latter will have to perform the task and notify the project manager of the outcome.

    But a different approach is possible:

    By offering project managers self-service capabilities, they will be able to register projects themselves. Using templates, IT administrators can determine what should happen at NTFS level and in Active Directory. By creating a link with the HRM system, it will be possible, among other things, to check which Active Directory users are the actual project managers. Subsequently, these accounts are authorized to register projects using secure electronic forms (e-forms). These projects are then checked against the naming convention and for duplicate records. A project folder can be created on a file server using an intelligent mechanism. This mechanism makes it possible to define a group of file servers and to use the file server with the most available disk space, or to select a random file server from a group. This process would be even simpler with DFS, where in general less intelligence is required in pinpointing an NTFS location, because DFS handles most of that.

    After the project folder has been created, local and global groups can be automatically created in Active Directory on the basis of a user-defined naming convention, e.g. G-LG-NTFS-"project"-R or G-LG-NTFS-"project"-C. The local groups are subsequently linked to the global groups and assigned read and change privileges for the project folder. After completing the electronic form, the project manager will receive notification that the directory has been created, so that he or she can directly continue with the next form and add members to the project folder along with reading and/or writing privileges. In actual fact, a modification of the Active Directory groups created earlier is made in the background. For the project manager however, this is no longer relevant.
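    The provisioning steps above, from file server selection through group creation and NTFS rights, as an added PowerShell example (my own illustration, not UMRA's template engine). It assumes the ActiveDirectory module, a `Projects$` share with a D: data volume on each candidate server, placeholder OU and server names, that the project name has already passed the naming and duplicate check, and a `G-GG-NTFS-project-R/C` convention for the global groups that the post does not spell out.

```powershell
# Added example, not UMRA code. Assumes: ActiveDirectory module, a Projects$ share on
# a D: volume on each server, the placeholders below, and G-GG-* names for global groups.
Import-Module ActiveDirectory

$GroupOU     = 'OU=NTFS Groups,DC=example,DC=com'   # placeholder
$Domain      = 'EXAMPLE'                             # placeholder NetBIOS domain name
$FileServers = @('fs01', 'fs02', 'fs03')             # placeholder server group

# Pick the candidate file server whose data volume currently has the most free space.
function Select-FileServer([string[]]$Servers) {
    $best = $Servers | ForEach-Object {
        $disk = Get-CimInstance -ClassName Win32_LogicalDisk -ComputerName $_ -Filter "DeviceID='D:'"
        [pscustomobject]@{ Server = $_; Free = $disk.FreeSpace }
    } | Sort-Object Free -Descending | Select-Object -First 1
    return $best.Server
}

function New-ProjectFolder([string]$Project, [string]$ManagerSam) {
    $path = "\\$(Select-FileServer $FileServers)\Projects$\$Project"
    New-Item -ItemType Directory -Path $path | Out-Null

    # AGDLP: members go into the global group, the domain local group carries the NTFS right.
    $rights = @{ R = 'ReadAndExecute'; C = 'Modify' }
    $acl = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($true, $false)     # stop inheriting from the share root
    foreach ($suffix in $rights.Keys) {
        $global = "G-GG-NTFS-$Project-$suffix"
        $local  = "G-LG-NTFS-$Project-$suffix"
        New-ADGroup -Name $global -GroupScope Global      -GroupCategory Security -Path $GroupOU
        New-ADGroup -Name $local  -GroupScope DomainLocal -GroupCategory Security -Path $GroupOU
        Add-ADGroupMember -Identity $local -Members $global
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            "$Domain\$local", $rights[$suffix], 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
    }
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$Domain\Domain Admins", 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
    Set-Acl -Path $path -AclObject $acl

    Add-ProjectMember -Project $Project -SamAccountName $ManagerSam -Access 'C'
    return $path
}

# The follow-up e-form: adding a member only touches the global groups created above.
function Add-ProjectMember([string]$Project, [string]$SamAccountName, [ValidateSet('R','C')][string]$Access) {
    Add-ADGroupMember -Identity "G-GG-NTFS-$Project-$Access" -Members $SamAccountName
}
```

    If the file server cannot yet resolve a freshly created group's SID when Set-Acl runs, retry after the domain controllers have replicated; the project manager's notification should only be sent once that step has succeeded.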

    Want to know more? Check out organizational delegation and self-service for UMRA.