
With the creation of the EmpowerID Identity Management platform, The Dot Net Factory took a fresh approach to the problem of Active Directory provisioning, self-service and administration. Organizations face three significant challenges that stem from the shortcomings of Active Directory Users and Computers (ADUC): the security exposure created by the need for highly privileged accounts to perform routine user and computer administration; the inability to limit delegated management to only what is appropriate to a specific user's business role; and the automation of highly detailed processes that are both time-consuming and error-prone.
Our goal was to comprehensively address the challenge of creating, managing, and retiring users and groups while providing delegated user access that is specific to an organization's structure and business methods, rather than to impose the limited application-specific roles and the sparse configuration options typical of third party AD administration tools. EmpowerID also extends the control of Users and Groups for their entire lifecycle to systems beyond Active Directory to include: AD/AM, LDAP, Exchange, SharePoint, as well as standard and custom applications. Not only does EmpowerID provide the management tasks of an ADUC replacement but it can also couple any number of those actions into visually designed workflows of almost limitless actions so that detailed provisioning, deprovisioning and modification scenarios can be executed that incorporate any sequence of approvals, as well as detailed activity tracking to meet compliance and audit needs.
Many applications offer pieces of the ADUC replacement and Identity Management puzzle but fall short in providing a complete enterprise solution:
After considering all the demands that would be made of a fully adaptable and robust ADUC replacement, the Dot Net Factory developed EmpowerID, an enterprise Identity Management application, and the secure workflow automation platform on which it runs, Dot Net Workflow. Together they offer the scalability and the breadth of functionality that is absent in other solutions.
EmpowerID and the Dot Net Workflow platform leapfrog past the limitations of legacy tools and applications by leveraging the power of Microsoft's .NET framework, including: Windows Workflow Foundation, Windows Presentation Foundation, Silverlight, Windows Communication Foundation and SQL Server. As a solution integrated on a single platform, EmpowerID is designed for organizations that need a secure and powerful role-based ADUC replacement, while offering them the additional flexibility of being able to extend its robust Identity Management capabilities beyond an AD-only focus.
Key architectural components were required to deliver a robust solution that organizations would not outgrow. They include: an RBAC metadirectory that extends the definition of traditional metadirectory technology to support the replacement of native administration tools; enterprise Role-Based Access Control that can enforce a single RBAC management model across all of an organization's disparate systems; embedded enforcement of delegation policies with Rights-Based Approval Routing (RBAR); a platform design where "the workflow is the application" which adapts easily to organizations' specific business processes; and finally, a visual designer that allows a simpler and faster method for assembling identity management, administration and workflow processes.
As an RBAC metadirectory and entitlement management policy repository, the Dot Net Workflow metadirectory stores information gathered during the inventory of managed systems, including: the resources that exist, the rights assignments for these resources as assigned in the managed systems, and the definitions of these rights (or roles) used by that system. This was a key requirement to support the goal of native administration tools replacement. In addition to storing this managed system RBAC information, the metadirectory stores Dot Net Workflow RBAC information, such as the definition of Dot Net Workflow roles, role assignments for managed system resources, business location structures for delegation, dynamic RBAC policies for provisioning or de-provisioning resources, and all other RBAC policies and settings. Based on native system permissions and RBAC policies, the Dot Net Workflow always knows who has access to specific resources.
Another key requirement was to overcome the security and audit limitations of managing each enterprise system separately using their own proprietary access methods, management tools, and security models.
Keeping up with compliance and audit requirements across the many directories and applications used by today's organizations is a difficult challenge. It requires a centralized solution that unifies visibility, audit control, and enforcement over all enterprise systems within a single security model, and the Dot Net Workflow RBAC model provides that solution. It specifically addresses ADUC's most significant shortcoming in securely managing Active Directory: delegating a wide range of tasks, including self-service, to technical and business users without granting them domain admin privileges, or indeed any native permissions at all.
Whereas typical AD management tools require directed delegation of management operations based on a user's need to perform work, EmpowerID determines and restricts the scope of the work users can do based on their business role. The fixed technical roles found in traditional tools cannot substitute for the adaptive control made possible by EmpowerID's Role-Based Access Control (RBAC). EmpowerID can generate and modify any number of granular business roles based on whatever the enterprise itself defines as important for determining resource access (job title, physical location, cost center or any combination of hierarchies), and it automatically modifies the roles' privileges as conditions change or a user's status changes.
The greatest security challenge for workflow automation is the disconnect between the security-sensitive actions a workflow executes and the actual delegation policies, defined in the security system of record, that determine who may perform those actions and against which specific objects. The Dot Net Workflow platform closes this gap by enforcing delegation policies transparently, through the inherent security of the workflow architecture, without requiring any modification of the workflow to accommodate the security. In fact, a workflow's designer does not need to know the security mechanism in order to design a secure workflow. This permits accelerated secure workflow and application design that has not been possible with workflow products until now.
The Dot Net Workflow platform's default workflow approval routing mechanism, called Rights-Based Approval Routing (RBAR), routes requests based upon delegation of protected actions, called operations. Operations are workflow shapes that represent protected code actions that can be delegated using role assignments. These special operation workflow shapes contain a miniature authorization and approval workflow inside of them, called the operation approval base. This hidden (embedded) workflow is shared by all operations of the same type and provides a real-time authorization check that determines whether a person attempting to execute an action against a resource has a role that allows them to do so. If the current person does not have the required rights, the mini workflow handles any approval routing, creation of task tracking dashboard entries, and email notifications.
RBAR unifies workflow and RBAC security to enforce real-time evaluation and routing of who can approve what based on the actual rights delegated to the current person at that time for the affected resource. Approvals route to approvers with the necessary privileges to perform the intended operation.
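As an added illustration of the two mechanisms described above, business roles derived from a person's attributes and rights-based approval routing, the following Python sketch is example code written for this page; it is not EmpowerID or Dot Net Workflow code, and every name in it (the role policies, the delegation table, the people and the resources) is a constructed assumption. It evaluates a person's roles from their attributes at call time, checks whether they hold the right to perform an operation on a specific resource, and, when they do not, routes the request to whoever currently holds that right rather than to a fixed approver list.

```python
"""Example: attribute-derived business roles plus rights-based approval routing.

Written for this page as an illustration; not EmpowerID or Dot Net Workflow code.
All roles, policies, people and resources below are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Person:
    name: str
    job_title: str
    location: str           # business location path, e.g. "EMEA/Berlin"
    status: str = "active"  # roles are only granted while the person is active


@dataclass(frozen=True)
class Resource:
    name: str
    location: str           # business location that owns the resource


# Dynamic business-role policies (hypothetical): a person holds a role whenever
# the predicate matches their current attributes, so a title or status change
# re-evaluates membership automatically.
ROLE_POLICIES = {
    "HelpDesk": lambda p: p.job_title == "Service Desk Analyst",
    "SiteAdmin": lambda p: p.job_title == "Site IT Lead",
    "GlobalAdmin": lambda p: p.job_title == "Directory Services Engineer",
}

# Delegation table (hypothetical): (role, operation, scope). Scope "own" limits
# the right to resources under the person's own business location; "any" is unscoped.
DELEGATIONS = [
    ("HelpDesk", "ResetPassword", "own"),
    ("SiteAdmin", "ResetPassword", "own"),
    ("SiteAdmin", "CreateUser", "own"),
    ("GlobalAdmin", "ResetPassword", "any"),
    ("GlobalAdmin", "CreateUser", "any"),
]

AUDIT_TRAIL = []  # every attempt is recorded, whether executed or routed


def roles_for(person):
    """Roles are computed from attributes at call time, never stored."""
    if person.status != "active":
        return set()
    return {role for role, match in ROLE_POLICIES.items() if match(person)}


def in_scope(person, resource, scope):
    if scope == "any":
        return True
    # Location paths are hierarchical: "EMEA" covers "EMEA/Berlin".
    return (resource.location + "/").startswith(person.location + "/")


def is_authorized(person, operation, resource):
    """Real-time check: does any current role delegate this operation in scope?"""
    held = roles_for(person)
    return any(
        role in held and op == operation and in_scope(person, resource, scope)
        for role, op, scope in DELEGATIONS
    )


def execute_operation(requester, operation, resource, directory):
    """The 'operation approval base': execute if authorized, otherwise route to
    whoever currently holds the same right on the same resource."""
    if is_authorized(requester, operation, resource):
        outcome, approvers = "executed", []
    else:
        approvers = sorted(
            p.name for p in directory
            if p.name != requester.name and is_authorized(p, operation, resource)
        )
        outcome = "pending_approval" if approvers else "rejected_no_approver"
    AUDIT_TRAIL.append({
        "requester": requester.name, "operation": operation,
        "resource": resource.name, "outcome": outcome, "approvers": approvers,
    })
    return outcome, approvers


# Constructed sample directory and resources.
DIRECTORY = [
    Person("alice", "Service Desk Analyst", "EMEA/Berlin"),
    Person("bob", "Site IT Lead", "EMEA/Berlin"),
    Person("carol", "Site IT Lead", "APAC/Tokyo"),
    Person("dave", "Engineering Manager", "EMEA/Berlin"),
    Person("erin", "Service Desk Analyst", "EMEA/Berlin", status="terminated"),
    Person("frank", "Directory Services Engineer", "EMEA"),
]
JDOE = Resource("jdoe", "EMEA/Berlin")
TNAKAMURA = Resource("tnakamura", "APAC/Tokyo")


if __name__ == "__main__":
    for who, op, res in [("alice", "ResetPassword", JDOE), ("alice", "CreateUser", JDOE),
                         ("alice", "ResetPassword", TNAKAMURA), ("erin", "ResetPassword", JDOE)]:
        person = next(p for p in DIRECTORY if p.name == who)
        print(who, op, res.name, "->", execute_operation(person, op, res, DIRECTORY))
```

The point to notice is that the approver list is derived, per request, from the same delegation table that decides direct execution: dave, who holds no delegated right, never appears as an approver; carol can approve a reset for a Tokyo account but not a Berlin one; and erin's rights disappear the moment her status changes, without anyone editing a policy.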
One key area where ADUC tools have been lacking is flexibility. Extending default functionality and user interface screens has meant complex and error prone scripting that did not fit within an organization's security and delegation framework. Moving to a workflow model for process design supports the need of organizations to be agile and to have the ability to support new business processes as they arise and to modify and improve them over time. With EmpowerID, the workflow is truly the application -- all of the Identity Management functionality was designed using the Dot Net Workflow platform. EmpowerID ships with hundreds of out of the box workflows and user interfaces that can be used "as is" without requiring further modification.
Whenever customization or new process development is needed, all of EmpowerID's workflows can be modified with its visual designer, Workflow Studio, and new workflows can be created with it as well. The workflows and the workflow shapes that ship with EmpowerID are created in Workflow Studio, which provides wizards and designers to create the workflows, workflow shapes and user interfaces. Workflow Studio is an integrated business process development environment that establishes a new standard for workflow and application design by bringing together in one platform all of the following: a visual process designer, a team-based development environment, a sophisticated and embedded RBAC security model, a rich set of communication services, federation, a robust metadirectory, PowerShell services, and a code free user interface designer.
EmpowerID is an ideal solution for replacing ADUC because of its ability to: consolidate user and resource management across a diverse range of directories and platforms, improve security, reduce the demand on IT resources, increase the accuracy of information, and improve responsiveness to end-user requests for access. It creates a rapid return on investment through the secure delegation of activities, the automation of business processes, and improved productivity. EmpowerID's impact is not limited to Active Directory: as a full-fledged workflow-based Identity Management platform, it reaches across a wide variety of enterprise directories, platforms and actions to accommodate the secure automation needs of growing organizations.