When Active Directory first came out, we were all happy just to have a few levels of administrative granularity. There were the domain admins, a few admins over servers, local admin privileges across all the workstations, and — if you were really cutting edge — perhaps some kind of custom delegation to a specific service on a specific server.
Like all aspects of IT, however, the industry has matured considerably, and we now realize there’s a need for considerably more granularity. Your helpdesk alone probably needs at least two levels of administrative ability, and if you’re delegating access to people outside of IT (think department heads, line-of-business owners, and even the occasional really savvy shadow IT user), you need several additional specific assignments of administrative permissions.
If we take a closer look at just Active Directory, the delegation wizard has left much to be desired. Sure, you can easily assign permissions, but once the assignment is made, there’s no easy way to see who was assigned what. Fundamentally, you know this just doesn’t cut it. Why? Because you recognize that there is an intrinsic need to define roles when delegating.
Having clearly defined roles allows IT to know exactly what permissions each user has. Think about the well-known term “OU Admin.” This is not an actual group within Active Directory, but everyone who’s been around Active Directory long enough has heard or used the term. It’s a somewhat clear-cut definition of the scope of someone’s permissions. (In fact, I’m surprised Microsoft hasn’t added it by now.) Roles also ensure that delegation is consistent, and help instill confidence that the directory remains secure while autonomy is achieved.
Roles-based thinking needs to be incorporated into the rest of your access delegation. For those of you with no solution to delegate common Active Directory tasks such as group changes and password resets, you should, at a minimum, consider defining the permissions needed and incorporating the delegation itself into a PowerShell script. Doing so will let you achieve permission consistency during delegation. You should also have an un-provisioning script so that you can take away the assigned permissions consistently.
In larger enterprises, the idea of improving productivity by delegating even encompasses the method by which delegations are made. Trying to manage these delegations with a script (or multiple scripts) becomes too burdensome and non-productive, simply because there are too many delegation exceptions. The scripting itself turns into extra work, and a different solution — preferably automated — becomes the best way to address the problem.
Additionally, when you consider implementing strategic initiatives like privileged account management (PAM) or identity and access management (IAM), the foundational security controls that give access to accounts (and, therefore, to resources) need to be properly defined and consistently implemented.
No matter what your organization’s need, size, or method of management may be, the delegation of access needs to be accomplished by using defined roles — for everything from daily management of Active Directory users to security-focused planned projects.