Effective LDAP Group Management

Effective LDAP group management is an important part of access management. LDAP directory technologies, including Microsoft’s Active Directory, play a pivotal role in ensuring that individuals in an organization have appropriate access to resources. Appropriate access means access to no more and no less than an individual needs. Good group management drives good access management. This article discusses considerations around group management in LDAP directory technologies, including Active Directory.

Group Management when Provisioning New Users

The first opportunity to give users appropriate access is when they are first provisioned into a directory. Manually creating users with operating system tools leaves room for human error. Custom scripts can work, but only as long as the author of the scripts is around and every change to the group structure in one part of the organization is carried back into the script.

A better solution is an editable set of business rules in which factors defined by administrators (such as a user’s job title and/or location) drive the group membership of newly provisioned users. Such solutions are easy to maintain because they don’t require a scripting expert to be around to make adjustments. One such solution is Web Active Directory’s PeoplePlatform, where easy-to-configure business rules let administrators keep the provisioning process efficient and secure.

Group Management when Updating or Deprovisioning Existing Users

With the reality of modern corporate life being what it is, people are often on the move within organizations. Changing jobs, changing locations, or changing some other aspect of one’s working status is now quite common. IT then has to make sure that everybody’s access is updated appropriately, which can be a large burden. Mismanaging these changes leads to permission creep: when users change jobs or status, they are usually given access to the new resources they need (because they or their new manager demand it) but do not cleanly lose access to what they no longer require. The result is users holding access to applications and files that they shouldn’t.

A good identity management solution simplifies changes for administrators or other authorized departments such as HR. A less error-prone change (e.g. selecting a new job title from a drop-down) can trigger the same business rules described above to remove the user from their old groups and add them to their new ones. This helps eliminate permission creep.
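As an added illustration of the attribute-driven rules described in the two sections above (this is not PeoplePlatform code; the rule format, attribute names and group names are constructed for the example), the following Python computes, for one user, which rule-managed groups to add and which to remove so that a job or location change, or a departure, does not leave stale access behind:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    attr: str          # user attribute the rule tests ("title", or "l" for location)
    value: str         # attribute value that triggers the rule
    groups: frozenset  # groups every matching user should belong to


# Constructed rule set: job title and location drive membership.
RULES = (
    Rule("title", "Accountant", frozenset({"Finance-Staff", "ERP-Users"})),
    Rule("title", "Controller", frozenset({"Finance-Staff", "ERP-Users", "ERP-Approvers"})),
    Rule("l", "Austin", frozenset({"Austin-Printers", "Austin-VPN"})),
    Rule("l", "Boston", frozenset({"Boston-Printers", "Boston-VPN"})),
)


def desired_groups(user: dict, rules=RULES) -> set:
    """Union of the groups of every rule whose attribute value matches the user."""
    wanted = set()
    for rule in rules:
        if user.get(rule.attr, "").casefold() == rule.value.casefold():
            wanted |= rule.groups
    return wanted


def reconcile(user: dict, current: set, rules=RULES, leaving: bool = False):
    """Return (to_add, to_remove) for one user.

    Only groups that some rule manages are ever removed, so a group granted by
    an explicit, reviewed decision (an exception group, for instance) is left
    alone. A user who is leaving should hold no rule-managed group at all.
    """
    managed = set().union(*(rule.groups for rule in rules))
    wanted = set() if leaving else desired_groups(user, rules)
    to_add = wanted - current
    to_remove = (current & managed) - wanted
    return to_add, to_remove


if __name__ == "__main__":
    # Constructed case: an Austin accountant promoted to controller and moved to Boston.
    user = {"title": "Controller", "l": "Boston"}
    current = {"Finance-Staff", "ERP-Users", "Austin-Printers", "Austin-VPN", "VPN-Exception"}
    print(reconcile(user, current))
    print(reconcile(user, current, leaving=True))
```

The add/remove sets are what a provisioning step would then apply to the directory; computing them as a diff is what keeps the old location's groups from lingering.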

Deprovisioning users who have left an organization presents the same challenges. Administrators or other authorized departments should have a straightforward way to find and deprovision users. A process that might otherwise require many steps can then be reduced to a single change in a web interface.

PeoplePlatform, with configurable business rules and friendly end-user interfaces, helps to eliminate permission creep by both tightening up and simplifying group management for user updates and deprovisioning.

Here are more features to consider in an Identity and Access Management Solution around group management:

Delegation of Group Management

A good identity management solution allows you to delegate editing of group membership where it makes sense. Managers of business units or other groups in an organization can take the burden off a few individuals in IT by managing their own groups.

Workflow and Approval Processes

With delegation comes responsibility. Workflow and approval processes minimize the time IT has to spend on membership changes without taking IT out of the loop. A good solution provides a workflow and approval process around group membership.

Auditing

In the case of security anomalies, auditing can push information to IT in real time. For example, sensitive groups in Active Directory such as “Domain Admins” can have an alarm configured so that any change to them (membership or otherwise) raises an alert. This helps IT to detect attacks from intruders outside the organization as well as from insiders.

Web Active Directory’s PeoplePlatform contains these features and many others. To learn more about the PeoplePlatform solution, contact an account manager today.
