What’s a Complex Update?
Making complex updates in Active Directory is a relatively common task. In this context, we define a complex update as one where several changes must be made to something like a user’s account. A change in someone’s job title or office location is simple to understand in itself. Such a change, however, might necessitate moving the user into another OU, removing them from several groups associated with their old title/location, and adding them to others. The single directory updates themselves aren’t very complex. Complexity here refers to the multiple steps one must take and the many permutations of possibilities. When a user changes job titles, many things can change. What the user can access in the organization can change completely. Thus the person effecting the change must know everything about the old title and the new one to make it work.
Challenges
The idea of doing this work manually is not attractive to the IT professional. The growing union of on-premises and cloud systems makes the complexity worse.
This is some of the worst kind of work a technical professional can face. This ultra-repetitive and boring work can only be performed by the professional because nobody else has the expertise (nor should they be expected to). It is not very fulfilling for an individual who could be doing more interesting things. As the work becomes more repetitive and less interesting, it becomes more prone to errors. Mistakes in these updates can be devastating, giving individuals access to secure materials they have no business seeing. This can create liability issues. At best, messed-up access management can leave an employee unable to do their job because they lack access to the resources they need.
Scripting in something like PowerShell (for Active Directory) or other technologies is an option. Maintaining such scripts for updates, however, can be extremely painful. Scripts must be updated to handle any possible change. (What if a user with title “x” changes to title “y”? Is that different than if a user with title “a” changes to title “y”? What if they change to title “z” instead?)
Hard-coded groups and OUs, among other things, must be maintained in the script. Editing can thus become troublesome or impossible if the expert is out of the office or no longer available. Therefore, even if scripting is a viable solution, it might be more desirable to shift to a software solution that more easily allows business processes to be mapped into directory updates and that also allows for the safe delegation of bulk updates.
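One way to limit the maintenance burden described above, shown as an added example (not code from this article or from PeoplePlatform): the title-to-OU/group mapping is kept as data, and the changes are computed from the old and new title. All titles, OUs, group names and function names are constructed for illustration; applying a plan assumes the ActiveDirectory PowerShell module is installed.

```powershell
# Role map kept as data. All titles, OUs and group names are constructed samples.
$RoleMap = @{
    'Sales Rep'     = @{ OU = 'OU=Sales,DC=example,DC=com';   Groups = @('Sales-Share', 'CRM-Users') }
    'Sales Manager' = @{ OU = 'OU=Sales,DC=example,DC=com';   Groups = @('Sales-Share', 'CRM-Users', 'Sales-Reports') }
    'Accountant'    = @{ OU = 'OU=Finance,DC=example,DC=com'; Groups = @('Finance-Share', 'ERP-Users') }
}

# Pure function: computes what must change, touches nothing in the directory.
function Get-TitleChangePlan {
    param(
        [Parameter(Mandatory)] [string] $OldTitle,
        [Parameter(Mandatory)] [string] $NewTitle
    )
    foreach ($t in $OldTitle, $NewTitle) {
        # Fail closed: an unmapped title must never result in a guess.
        if (-not $RoleMap.ContainsKey($t)) { throw "No role mapping for title '$t'" }
    }
    $old = $RoleMap[$OldTitle]
    $new = $RoleMap[$NewTitle]
    [pscustomobject]@{
        NewTitle     = $NewTitle
        TargetOU     = if ($old.OU -ne $new.OU) { $new.OU } else { $null }
        RemoveGroups = @($old.Groups | Where-Object { $_ -notin $new.Groups })
        AddGroups    = @($new.Groups | Where-Object { $_ -notin $old.Groups })
    }
}

# Applies a plan with the ActiveDirectory module (hypothetical helper, not run below).
function Invoke-TitleChangePlan {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] $Plan
    )
    $user = Get-ADUser -Identity $SamAccountName
    # Remove old access first so the user never holds both roles' groups at once.
    foreach ($g in $Plan.RemoveGroups) { Remove-ADGroupMember -Identity $g -Members $user -Confirm:$false }
    foreach ($g in $Plan.AddGroups)    { Add-ADGroupMember -Identity $g -Members $user }
    Set-ADUser -Identity $user -Title $Plan.NewTitle
    # Move last: the distinguished name changes once the object is in the new OU.
    if ($Plan.TargetOU) { Move-ADObject -Identity $user.DistinguishedName -TargetPath $Plan.TargetOU }
}

# The same target title yields a different plan depending on the starting title.
Get-TitleChangePlan -OldTitle 'Sales Rep'  -NewTitle 'Sales Manager' | Format-List
Get-TitleChangePlan -OldTitle 'Accountant' -NewTitle 'Sales Manager' | Format-List
```

Because the plan is computed before anything is written, it can be reviewed or logged before `Invoke-TitleChangePlan` is called, and adding a new title means adding one entry to `$RoleMap` rather than another branch in the script.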
Complex Directory Updates Made Easy
One way to solve these problems is with effective Identity and Access Management solutions like Web Active Directory’s PeoplePlatform. Safe delegation of the ability to do these updates via a web browser is a good solution. Details of how this is done are important when considering such a solution.
Follow this link and select our whitepaper entitled “Complex Directory Updates Made Easy.” In this paper you can read more detail about these problems and possible solutions.