Group objects in your directories tend to fall into a state of disarray without proper oversight. This problem is multiplied if you have multiple on-prem and cloud-based directories, making it even more necessary to keep groups properly configured. Group attestation describes the process where an individual reviews and certifies that specific aspects of a group object’s configuration are correct and current.
Let’s begin the discussion of group attestation by level-setting what exactly needs to be attested to. There are three key areas of a group object that require frequent attestation:
- Group Membership – Users and/or nested groups as members are validated that they represent the current set of users utilizing the group’s assigned permissions.
- Group Permissions – Permissions assigned are validated to be only those needed for group members to accomplish their work-related tasks.
- Group Existence – The group’s necessity to the business is validated. Groups with no current purpose should be deleted or disabled (if possible).
Think about this across the context of all of your directories existing both on-prem and in the cloud. Group attestation requires some dedicated (while not significant) time for each and every group you have within the overarching directory environment IT supports. Add it up, and this begins to sound like a lot of work.
So, who’s responsible to do the work of attestation?
The initial response from the C-suite may be that IT needs to do it. But it’s not that simple. IT isn’t always the best option; there are actually two very good answers to the question:
- IT – Even though IT is overburdened, they are the right choice when it comes to groups providing the highest of elevated permissions. Administrator-type groups, and any groups that provide access to entire applications, platforms, virtual environments, etc., should be attested to by IT.
- Users – IT isn’t always current on exactly how a group is being used. In many cases, a user closer to the daily usage of a group is a better choice. Details like who should be a member, and whether permissions meet (or even exceed) those needed for users to be productive may be more accurate with a user performing the attestation. To be clear, you don’t want just any user in charge of attestation; think line of business owners, a department head, etc.
There are likely far more groups in your organization than IT personnel. So, an added benefit of having a user perform the attestation is that each group can have a different user associated as its owner.
How Should Group Attestation Be Done?
At the end of the day, the most important thing is that the right individual within the organization frequently attests that a group is correctly configured. With this in mind, there are a few ways to accomplish group attestation:
A Mix of Manual Work, Policy, and Process
Defining a group’s owner is the first step. Then policy dictates a procedure be followed when assigning permissions to a group that involves the owner for approval. The same goes for membership changes. While all of this is done pretty much manually, the idea is to always keep the owner in the loop.
Use Automated Workflows
Using a Group Lifecycle Management solution simplifies this process dramatically. Membership changes done via such a solution can include the need for an approval from the owner in the workflow. Owners can be sent an automated reminder email and can attest to a group’s necessity at a regular frequency. Permissions are the only aspect of attestation that can’t easily be automated: no permission data is stored as part of the group object itself; it’s normally located within one or more external applications, platforms, and systems.
Making Group Attestation Happen
It’s a relatively simple matter, really. Determine and assign an owner for each group. Then establish the processes by which that owner is kept abreast of any changes to the group or its use. Lastly, provide a way for the owner to quickly and easily attest to a group’s configuration and necessity.
The challenge in applying this to your environment will be found in how you accomplish it. Third-party solutions streamline the process, making it simple and efficient, but some organizations still leverage native management tools to get the job done.
In either case, the important thing is to have something in place. Some attestation is certainly better than no attestation at all. Start the process of building out how your organization can and will begin group attestation, setting some kind of required frequency. As your thinking around group attestation matures, so will your process and your use of tools to complete the work.
Evaluating Your Groups
How is your Active Directory being managed? Do you have any orphaned groups (groups without owners)? Are there groups that have outlived their purpose? Users that are members of groups that they no longer need to be in? Ongoing attestation of groups is key to answering these questions. Fully understanding your current situation is key. To help you get started, I recommend you try the free Active Directory Health Meter service from Imanami. There is no obligation and it will give you some insights as to your relative health and give you some simple suggestions based on industry best practices. Go here to get started.
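As an added example (not from the original post, and not Imanami’s tooling), here is the inventory a defender would run with the RSAT ActiveDirectory PowerShell module before starting attestation: it flags orphaned groups (no ManagedBy owner) and empty groups, and records each group’s owner and direct members so the owner has something concrete to attest to. The SearchBase OU and the report path are assumptions; adjust them for your domain.

```powershell
# Added example: baseline AD group inventory for attestation
# Assumes the RSAT ActiveDirectory module is installed and you can read the target OU.
Import-Module ActiveDirectory

$SearchBase = 'OU=Groups,DC=example,DC=com'     # assumption: your group OU
$ReportPath = "$env:TEMP\group-attestation.csv" # assumption: where to write the report

$groups = Get-ADGroup -Filter * -SearchBase $SearchBase `
            -Properties ManagedBy, Members, Description, whenChanged

$report = foreach ($g in $groups) {
    # Owner (ManagedBy) is who attests membership, permissions and necessity.
    # No ManagedBy means an orphaned group: nobody is accountable for it.
    $owner = if ($g.ManagedBy) {
        (Get-ADObject -Identity $g.ManagedBy -Properties mail).mail
    } else { $null }

    # Direct members (users and nested groups) for the owner to review
    $members = @($g.Members | ForEach-Object {
        (Get-ADObject -Identity $_ -Properties sAMAccountName).sAMAccountName
    })

    [pscustomobject]@{
        Group       = $g.SamAccountName
        Scope       = $g.GroupScope
        Owner       = $owner
        Orphaned    = [string]::IsNullOrEmpty($g.ManagedBy)  # needs an owner assigned
        Empty       = ($members.Count -eq 0)                 # candidate for delete/disable
        MemberCount = $members.Count
        Members     = ($members -join ';')
        LastChanged = $g.whenChanged
        Description = $g.Description
    }
}

$report | Export-Csv -Path $ReportPath -NoTypeInformation -Encoding UTF8

# Summary of the two findings the post calls out
"Orphaned groups: " + @($report | Where-Object { $_.Orphaned }).Count
"Empty groups:    " + @($report | Where-Object { $_.Empty }).Count
"Report written to $ReportPath"
```

Grouping the CSV by the Owner column (for example with Group-Object Owner) gives each owner the list of groups they are expected to attest to, and the rows with Orphaned set to True are the ones that need an owner assigned first.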