HOW TO TAKE CONTROL OF ACTIVE DIRECTORY ...

AUDIENCE – IT LEADERSHIP

READ - 15MIN

HOW TO TAKE CONTROL OF ACTIVE DIRECTORY MANAGEMENT, ENFORCE YOUR POLICIES AND KEEP IT UP TO DATE

A Snapshot Plan for Execution


SYSTEM CENTER SERVICE MANAGER + MICROSOFT IDENTITY MANAGER = A SCALABLE AUTOMATED SOLUTION

Overview: Active Directory is an Operational Burden

For almost all organisations, Active Directory is an operational burden, containing accounts for users no longer in the organisation and poor controls on group membership. This results in serious exposures in governance, security and identity management. Many point solutions exist to address parts of the problem; however, an overall integrated solution still eludes most. Microsoft System Center Service Manager (SCSM) and Microsoft Identity Manager (MIM) deliver a scalable automated solution to finally gain control.

The Business Problem

Active Directory (AD) underpins access management for most organisations. It contains details of:

• Active staff members

• Membership of groups used to manage access to applications

• Service accounts used by applications for operation and access to data

• Line managers and team members

• Staff details of locations, contact details and a range of other attributes

Business-as-usual demands within an organisation result in regular additions, changes and deletions from AD, which in many cases are performed manually by one or more system administrators. Over time, these changes are made in different ways, changing the definition of groups and other structural elements. Policies for the management of AD are rarely documented and even more rarely understood and followed. Before too long, AD contains redundant and duplicated structural elements, password management becomes unmanaged, access to sensitive data and systems lacks control, and the system integrity is compromised.

Once the pain is real, it’s difficult for an organisation to work towards a solution; it often feels like ‘world hunger’ and the organisation finds it easier to turn its focus to other areas, and AD continues as is. The exposure for these organisations is real and material.

The Opportunity for Active Directory

Typically, an organisation will have a number of different systems that contain staff information. Whilst this cannot be avoided, the opportunity is to have AD act as the federated centre of truth for the user record.

The use of automation with an effective user experience via a self-service portal removes human processing, ensuring faster provisioning with minimal issues.


Once business and IT processes are in place to stop creating issues in AD, attention can be turned to cleaning up the historical data.

A Snapshot Plan for Your Success

The following plan breaks down the common issues into manageable initiatives, each delivering meaningful business outcomes.

1. Automate User Accounts

One of the largest contributors to AD dysfunction is manual human error in making adds, moves and changes to AD. The use of automation ensures adherence to AD structure policy and removes errors. Governance can be incorporated to record approval details, group memberships, access and account life. This can be achieved using Microsoft Service Manager with its self-service portal and native integrations to AD via Microsoft Orchestrator and Microsoft Identity Manager.

For example, the self-service portal contains a request for staff onboarding. A manager would fill out this request online and Service Manager would automatically create a Service Request containing runbook automation that accesses AD to create the relevant user account, configure the relevant group memberships, and enable and disable the account at the appropriate dates. A temporary password may be set, and the line manager may receive an automated email containing the new staff details to provide to the staff member in their welcome pack.

This business outcome delivers significant value:

• Improves productivity of IT staff by removing user management activities

• Improves accuracy of AD which benefits other processes that rely on this information

2. Manage Manager Approval

Tight control of the definition of managers along with delegations is highly valuable for an automated user account system. Effective governance depends on engaging the correct staff for any approval process. There are many challenges such as determining the relevant delegate when an approving manager is unavailable. These challenges are often the reason why organisations fall short in achieving what they require. The solution here is addressed by a combination of Microsoft Identity Manager and Service Manager.

One scenario is to use MIM to synchronise identities across systems, resulting in, for example, an AD group that contains all the Level 1 delegation approving managers. MIM will interface to the HR system and, using defined business rules, establish the relevant managers for staff members and any other special approval processes. The HR system will also advise MIM regarding managers on leave to ensure manager delegations are taken into account. MIM will then write to AD to update user records, group membership etc. When staff access the SCSM self-service portal to request access to a sensitive application, automation within SCSM will interrogate the AD group of approving managers and request an approval for this request.

This outcome delivers high value, such as:

• Faster request approval process leads to higher customer satisfaction

• AD becomes the federated source of truth for user accounts, which provides accurate data to other systems as required

3. Manage Access

Strong controls and governance on password security, privileged access and roles are critical to combat identity and intellectual property theft.

The solution here is again addressed by a combination of Microsoft Identity Manager and Service Manager.

This area is where manual work is a liability and the adoption of automated business and IT processes provides the best path to successful outcomes.

MIM may be used to manage passwords, certificates and other security artefacts required for access. SCSM delivers access request and approval processes that are controlled along with a tamper-proof audit trail. The outcomes for business are valuable and include:

• Tightly controlled system administration access that is automated with detailed audit records

• Easy and efficient password reset for staff with controls to prevent abuse

• Detailed reports on access requests and approvals

What To Do Next

Our snapshot plan comprises three initiatives that can be implemented without huge fanfare, interruption or cost. To ensure your organisation’s success you must also consider the following:

Consider your own IT team skills.

In many situations, in-house IT skills should be examined first; skills in automation and process design may be available and leveraged. Systemology provides specialist training with supporting consulting services to help you achieve these outcomes on your own.

Leverage an IT Partner.

A lack of internal resource skill or availability is often the reason for engaging a partner. Systemology’s approach is to model an engagement that delivers high learning, ensuring that the client is able to manage the solution after the project is delivered. Systemology’s range of support options also ensures our clients are never far from help when it’s needed.

Get Some Input.

Each organisation is different so the challenges you are facing may be different to the scenarios provided above. Have a discussion with Systemology to gain input and ideas. We don’t pressure you for business; our focus is to help you make an informed decision on getting the outcomes that you really need.

About Systemology

Systemology is Australia’s leading expert in System Center Service Manager. Our experience with clients in a vast range of industries has confirmed that many organisations face similar issues and challenges.

Simply installing a Service Desk tool is not the answer. The actual solution is the combination of deep business and process analysis, correct tool configuration and a focus on achieving agreed business outcomes. This will ensure a transformative result.

SYSTEMOLOGY OFFERS A NO OBLIGATION INITIAL CONSULTATION TO DISCUSS YOUR COMPANY’S SITUATION. WE CAN THEN PROVIDE BALANCED OBJECTIVE FEEDBACK AND GUIDANCE ON HOW YOU CAN GET THE MOST FROM MICROSOFT IDENTITY MANAGER AND SERVICE MANAGER.
