Active Directory comes with an interface: ADUC (Active Directory Users and Computers). It is very useful for admins, and only for admins. We have had customers admit to us in the past that they have allowed ordinary end users access to ADUC; this changed quickly once they got a good web-based Active Directory self-service solution like GroupID Self Service.
But something that we do run across quite often is the do-it-yourselfer: a team with development experience that rightly realizes you can build a web interface to AD without too much trouble. If you are of this mind, please check my previously published "Common pitfalls in Active Directory self service".
There is one common pitfall in particular that I want to write about: making sure that there are roles in self service. Users should not be able to do everything that the help desk can do. And the help desk should not be able to do everything that an admin can do. It is essential that you have the ability to apply these roles to each and every attribute for every object within AD. This is pretty obvious.
But there is also another level of granularity in these roles: managers and group owners. Sometimes you might want a user's manager to be able to make changes to their direct or indirect reports. You should also have the ability for a group owner (or owners) to manage the group's attributes.
Not only should you be considering this field-level security (view, edit, etc.) but also workflow. There should be a method for approving or denying changes to these attributes. Allow an end user to change their phone number but require their manager to approve it. Allow a manager to change their direct report's title but require the help desk to approve it. This configuration needs to be adaptable to your business policy at a very granular level.
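For a do-it-yourself team, the role, relationship and approval rules described above can be modelled as one per-attribute policy check that runs before any write reaches AD. The sketch below is an added example, not GroupID code: the directory entries, the `POLICY` table, and the `roles` and `owners` fields are constructed assumptions, and it defaults to deny for any attribute the policy does not list.

```python
# Added illustration. DIRECTORY and POLICY are constructed sample data; "roles" and
# "owners" are hypothetical fields. "manager", "title", "telephoneNumber" are AD attributes.
DIRECTORY = {
    "alice": {"type": "user", "manager": "bob"},
    "bob":   {"type": "user", "manager": "carol"},
    "carol": {"type": "user", "manager": None},
    "dave":  {"type": "user", "manager": "carol", "roles": {"helpdesk"}},
    "sales": {"type": "group", "owners": {"bob"}},
}
# (object type, attribute) -> {relationship: (access level, who must approve an edit)}
POLICY = {
    ("user", "telephoneNumber"): {"self": ("edit", "manager"), "helpdesk": ("edit", None)},
    ("user", "title"): {"self": ("view", None), "manager": ("edit", "helpdesk"),
                        "helpdesk": ("edit", None)},
    ("group", "description"): {"owner": ("edit", None), "helpdesk": ("view", None)},
}
RANK = {"view": 1, "edit": 2}

def manages(actor, target):
    """True if actor is a direct or indirect manager of target; stops on manager loops."""
    seen, cur = set(), DIRECTORY[target].get("manager")
    while cur and cur not in seen:
        if cur == actor:
            return True
        seen.add(cur)
        cur = DIRECTORY[cur].get("manager")
    return False

def relationships(actor, target):
    """Every relationship the actor holds toward the target object."""
    obj, rels = DIRECTORY[target], set(DIRECTORY[actor].get("roles", ()))
    if actor == target:
        rels.add("self")
    if obj["type"] == "user" and manages(actor, target):
        rels.add("manager")
    if actor in obj.get("owners", ()):
        rels.add("owner")
    return rels

def authorize(actor, target, attribute, action):
    """Return ('deny', None), ('allow', None) or ('pending', approver_relationship)."""
    rules = POLICY.get((DIRECTORY[target]["type"], attribute), {})  # unlisted attribute: deny
    grants = [rules[r] for r in relationships(actor, target) if r in rules]
    ok = [who for level, who in grants if RANK[level] >= RANK[action]]
    if not ok:
        return ("deny", None)
    if action == "view" or None in ok:  # approval applies only to edits
        return ("allow", None)
    return ("pending", min(ok))
```

A `pending` result means the change should be queued for the named approver rather than written to the directory.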
GroupID Self Service has been in a constant state of improvement and innovation since it was first released in 1999. Schedule a demonstration to see just how evolved and configurable it is. For your users AND your admins!
Jonathan Blackwell
Since 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.