Roles Engineering for Active Directory

Post by DF » Wed, 16 Apr 2003 04:17:47



A call for feedback: Automatic Roles Engineering for Active Directory

Short description:

We have developed a unique technology that enables reverse engineering of
the existing access rights and data stored in Active Directory into logical
definitions of Business Roles (senior clerk, accounting manager, sales
rep, ...).

The resulting Business Roles will be deployed as special user groups in
Active Directory.

The technology will also be useful for modeling and even auditing of the
privileges from time to time.

The assumed benefits:

* Such Roles significantly reduce the time and effort of administrators.
Any insert, change or delete in users' privileges will be done through the
use of reusable and meaningful Roles rather than using many privileges (this
method is commonly called Role-Based Access Control, RBAC).

* RBAC results in more secure systems - people are not left with redundant
privileges.

How will that work:

Our plans are to use a very simple approach, using the native data export
utility of AD.

The extracted data will then be processed offline until full delivery of
Role Candidates.

Once Role Candidates are approved or refined, they are imported back to AD.

Auditing capabilities may be used for periodic compliance checks.

The system will work on any NT machine, and will be able to process a
literally endless amount of users and privileges (the first solution will be
limited to 1000 users).

The feedback requested:

Q: Does that solution have any value for the organization?

Q: Are any of you interested in contributing ideas or participating in the
testing of this concept?

Contributors and those who participate in the test program will be
entitled to perpetual use of the software.
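
The export, offline processing and audit steps described in the post, as an added example that is not part of the original post and is not the poster's software. It assumes a CSV export with one row per user and a `memberOf` column of `;`-separated group names; the sample data, group names and function names are constructed for illustration.

```python
import csv
import io
from itertools import combinations

# Constructed sample export: one row per user, group names separated by ';'
# (layout is an assumption; the post does not name the export format).
EXPORT = """sAMAccountName,memberOf
alice,Ledger-Read;Ledger-Post;Payroll-Read
bob,Ledger-Read;Ledger-Post
carol,Ledger-Read;Ledger-Post;Payroll-Read
dave,CRM-Read;CRM-Edit
erin,CRM-Read;CRM-Edit;Ledger-Post
"""

def load_privileges(text):
    """Return {user: frozenset(groups)} parsed from the export text."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["sAMAccountName"]: frozenset(g for g in r["memberOf"].split(";") if g)
            for r in rows}

def mine_role_candidates(privs, min_users=2, min_size=2):
    """Candidate roles are privilege sets shared by at least min_users users.

    Candidates are every user's full set plus every pairwise intersection;
    each is returned with the users whose privileges contain it.
    """
    sets = set(privs.values())
    sets |= {a & b for a, b in combinations(privs.values(), 2)}
    roles = {}
    for s in sets:
        members = sorted(u for u, p in privs.items() if s <= p)
        if len(s) >= min_size and len(members) >= min_users:
            roles[s] = members
    return roles

def audit(privs, approved_roles):
    """List, per user, the privileges no approved role they fit accounts for."""
    report = {}
    for user, p in privs.items():
        covered = set().union(*[r for r in approved_roles if r <= p])
        leftover = sorted(p - covered)
        if leftover:
            report[user] = leftover
    return report

if __name__ == "__main__":
    privs = load_privileges(EXPORT)
    roles = mine_role_candidates(privs)
    for groups, members in sorted(roles.items(), key=lambda kv: -len(kv[1])):
        print(sorted(groups), "->", members)
    print("unexplained privileges:", audit(privs, roles))
```

Privileges reported by `audit` are the ones a reviewer would check first when looking for redundant access, since no approved role accounts for them.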