Posted: 25-Dec-2015
AUTOMATED GROUPS AND SERVICE ACCOUNTS IN ACTIVE DIRECTORY
TechDays June 2014
Presented by Andrew Hamilton and Chuck Phillips
BRIEF HISTORY OF IDM @ UNM
IBM Mainframe (1970s): the first system requiring 'management' of accounts, via the User Number Clerk.
Growth of UNIX on campus (early 1990s): Network Information Service, or NIS (originally called Yellow Pages, or YP). Need for automated account management and synchronization.
CCAT, "Convenient Computer Access Today", was developed (1992-1993): automated management of MVS, CMS, VMS and UNIX accounts.
LDAP, "Lightweight Directory Access Protocol", installed (1996): simple scripts were put in place to sync LDAP and UNIX accounts.
LAMB, "LDAP Access Management Bundle", was born (2003): CCAT was retired. Real-time provisioning of accounts; real-time synchronization of passwords between LDAP, Unix and Oracle.
PICES was spawned (2007): provided a structured way to provision directories across campus.
Enterprise Active Directory adopted (2008): a campus-wide committee redesigned the Active Directory structure and standards.
AGENDA
Ask questions when they arise.
1. Auto-Populated Groups from Banner to Active Directory
• Provide secure central access to Banner-sourced data.
• Reduce complexity and red tape for consuming data.
2. Active Directory Service Account Management
• Process for obtaining privileged access.
• Planned changes to service accounts.
AUTO-POPULATED AD GROUPS
• Student college
• Student major
• Student program of study
• Student level
• Student year
• Student registration status
• Student sections
• Student courses
• Staff org code
• Staff org level 3
• Staff org level 2
• Person's role at UNM
• Person's campus
GROUPS BASED ON ROLE
Example roles
GROUPS BASED ON ORGANIZATION
Org Level 1: University President
  Org Level 2: EVP Administration
    Org Level 3: Human Resources (Dept #s)
    Org Level 3: Information Technologies (Dept #s)
    Org Level 3: PPD Administration (Dept #s)
  Org Level 2: VP Health Sciences Center
  Org Level 2: VP for Student Affairs
  Org Level 2: Provost
    Org Level 3: College of A&S (Dept #s)
    Org Level 3: College of Education (Dept #s)
GROUPS BASED ON ORGANIZATION
GROUPS: STAFF LEVEL 3 ORG
Name format: banner-orglevel3-AAB
Data source: Banner job record
Sample values:
AAA  President Admin Indpnt Office
AAB  Information Technology Services
AAC  UNM West and Branch Initiatives
ABA  Provost Administrative Units
ABB  University College
ABC  School of Public Administration
ABD  VP for Equity & Inclusion
ABE  VP Division of Enrollment Mgmt
ABF  UNM West (use AAC)
ABG  College of Fine Arts
ABH  College of Arts Sciences
ABI  Anderson Schools of Management
ABJ  College of Education
ABK  School of Engineering
ABL  School of Law
ABO  Continuing Education (Cont Ed)
ABP  Extended University (Ext Univ)
ABQ  VP Research & Econ Development
ABR  Academic Affairs Monitoring
AFB  HS Library and Informatics Center
AFC  School of Medicine
AFD  College of Nursing
AFE  College of Pharmacy
AFH  University Hospital
AFI  HSC VP Research
AGA  Gallup Branch
AGB  Los Alamos Branch
AGC  Taos Branch
AGD  Valencia County Branch
BAA  UNM Medical Group
GROUPS BASED ON ORGANIZATION
GROUPS: STAFF LEVEL 2 ORG
Name format: banner-orglevel2-AD
Data source: Banner job record
Current values:
AA     President Executive
AB     Provost Academic Affairs
AC     VP for Student Affairs
AD     Executive VP for Administration
AE     VP Institutional Advancement
AF     VP Health Sciences Center
AG     Provost Branch Campuses
BA     UNM Medical Group
X0306  *UH and Clinical Components
X0310  *Regents
GROUPS BASED ON DEPARTMENT NUMBER
GROUPS: STAFF ORG CODE
Name format: banner-org-324A
Data source: Banner job record
Sample values:
297A   Community Learning and Public Servi
298A   Bookstore/Athletics Partnership
299A   RR Bookstore West
301A   Aerospace Engineering
301B   Aerospace Engineering Admin
302A   Biomedical Engineering
302B   Biomedical Engineering Admin
303A   Institute for Professional Dev IPD
303B   Inst Professional Devl Gen Admin
305A   Scholarship Office Administration
306A   Womens Center
306B   Womens Center Administration
306C   Womens Center Public Service
306C0  Womens Center Special Events
306C1  Womens Center Quinquennial Fund
307A   UNM West Administrative Operations
308A   UNM West Academic Operations
309A   Branch Operations
310A   Branch Initiatives
314A   Parking Transportation Services
314B   Parking Transportation Gen Admin
314C   Business and Finance
314D   Information Technology
314E   Park and Trans Operations Support
314E0  Parking Operations
314E1  Transportation Support
315A   IT CIO
316A   IT Deputy CIO
317A   IT Planning & PR/Marketing
318A   IT Finance
319A   IT Customer Service
320A   IT Networks
321A   IT Classroom Technologies
322A   IT Computing Platforms
323A   IT Security & Quality Assurance
324A   IT Applications
325A   IT Initiatives
329A   Institutional Research
329B   Institutional Research Gen Admin
329C   Institutional Rsrch Conferences
GROUPS BASED ON COLLEGE
GROUPS: STUDENT COLLEGE
Name format: banner-stucollege-AD
Data source: Banner student record, current term
Current values:
AD  Associate Degree
AP  School of Arch. and Planning
AS  College of Arts and Sciences
CE  Continuing Education
CP  Undergrad Certificate Program
ED  College of Education
EN  School of Engineering
FA  College of Fine Arts
GP  Graduate Programs
HS  High School
LW  School of Law
ME  School of Medicine
MG  Anderson Schools of Management
ND  Non-Degree Status
NU  College of Nursing
PA  Provost Academic/Admin
PH  College of Pharmacy
RC  Main-Research Centers
UC  University College
UL  University Libraries
UN  Unclassified
US  University Studies
CLASS GROUP SECURITY
AUTO-POPULATED CLASS GROUPS
Group names are obfuscated to honor FERPA:
• The name is unrelated to the section data.
• The group name can be obtained by searching the description of the group.
New groups for every semester:
• Provisioned two weeks before the semester starts.
Old groups destroyed when finished:
• Removed two weeks after the semester ends.
Built based on registration data.
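The naming formats above are a contract that consumers and auditors can check. The PowerShell below is an added example and is not part of the TechDays deck or UNM's tooling; it uses only the RSAT ActiveDirectory module. The OU distinguished name and the wording of the class-group Description are assumptions (placeholders), as is the sample section text; the name patterns are taken from the formats documented on the preceding slides.

```powershell
# Added example, not from the UNM deck. Two checks a consumer or auditor of the
# auto-populated groups can run with the RSAT ActiveDirectory module.
# ASSUMPTIONS: the OU path below and the wording of the class-group Description
# are placeholders; the name patterns come from the formats the deck documents.
Import-Module ActiveDirectory

$bannerOU = 'OU=SysBannerGroups,DC=example,DC=edu'   # assumed location of the automated groups

# Documented name formats: banner-orglevel2-AD (plus X0306/X0310 style codes),
# banner-orglevel3-AAB, banner-org-324A (optional trailing digit, e.g. 306C0),
# banner-stucollege-AD.
$bannerPatterns = [ordered]@{
    'orglevel2'  = '^banner-orglevel2-(?:[A-Z]{2}|X\d{4})$'
    'orglevel3'  = '^banner-orglevel3-[A-Z]{3}$'
    'org'        = '^banner-org-\d{3}[A-Z]\d?$'
    'stucollege' = '^banner-stucollege-[A-Z]{2}$'
}

function Get-BannerGroupKind {
    param([string]$Name)
    foreach ($kind in $bannerPatterns.Keys) {
        if ($Name -match $bannerPatterns[$kind]) { return $kind }
    }
    return $null
}

# Check 1: every group under the automated OU should fit one documented format.
# Anything else is either a class group (deliberately obfuscated for FERPA) or a
# hand-made group that should not be sitting among the automated ones; review both.
Get-ADGroup -Filter * -SearchBase $bannerOU -Properties Description, whenCreated |
    ForEach-Object {
        $kind = Get-BannerGroupKind -Name $_.Name
        if (-not $kind) { $kind = 'unrecognised' }
        [pscustomobject]@{
            Name        = $_.Name
            Kind        = $kind
            Created     = $_.whenCreated
            Description = $_.Description
        }
    } |
    Where-Object { $_.Kind -eq 'unrecognised' } |
    Format-Table -AutoSize

# Check 2: a class group's name says nothing about the section, so locate it by
# searching the Description (the search text is an assumed example).
$sectionText = '*CS 341*001*'
Get-ADGroup -Filter "Description -like '$sectionText'" -SearchBase $bannerOU -Properties Description |
    Select-Object Name, Description
```

Check 1 is the one worth scheduling: because class groups are created and destroyed every semester, a stale or hand-created group in the same container is easy to miss by eye, and a name that does not fit any documented format is the quickest signal that something was not produced by the automation. Check 2 is the lookup the slide describes; because the Description is searched, access to read it is what you need, not knowledge of the obfuscated name.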
GROUP CATEGORIZATION
Groups           Access Management, WES use only
SysAccounts      Reserved for future use
SysBannerGroups  Unrestricted employee roles
SysGroups        Protected data
Structured
Automated
"Securing Private Data": FastInfo 7064 defines how to request access to view the student data. Attach the certificate to the service request.
OU Admin training: use standard group management techniques; create a group with permissions, then assign membership.
Service account: an extra layer of security (new and old accounts).
REQUESTING ACCESS
fastinfo.unm.edu: search for 'Autopop group'
- Sign up for training!
- Learning Central
- OU admin training from WES
ACCOUNT MANAGEMENT
Active Directory is becoming more integral and IDs are becoming centrally managed.
Eventually there will no longer be a need to create or delete user accounts manually in AD.
Centralizing identity management around a consistent standard: Central IdM
• Transparency
• More resilient
• More adaptable
• More flexible
SERVICE ACCOUNTS
WHY SERVICE (SVC) ACCOUNTS?
Admin accounts
• Secondary account for system administrators, with elevated privileges.
• Access to services that manage sensitive data: enterprise appliances and applications, OU administration, workstation or server admin logins.
System accounts
• Software account: software is installed to run as this account to isolate it from the system and other users.
• Overhead accounts: used to run scripts.
ACTIVE DIRECTORY STRUCTURE
Retain control and flexibility; simplify account management.
• Separated into Organizational Units.
• Accounts (people) are populated automatically based on Banner.
• Groups, servers and workstations are managed by departmental "OU Administrators".
• Svc accounts should end in 'svc' and reside in a sub-OU called SvcAcnts.
GOALS
The OU Admin is responsible for maintaining service accounts; WES creates the initial OU delegation, and the OU Admin removes the accounts when finished.
How can UNM's Accounts Management team help?
1. Elimination of abandoned privileged accounts.
2. Adapt to UNM's needs: LAMB will sync to the SvcAcnts sub-OU.
3. Each account belongs to an owner that can be tracked; privileged accounts terminate with their owner.
4. OU Admins can delegate sensitive administration.
Administrative accounts will be more structured, and Active Directory will be cleaner and more secure.
DISTRIBUTION LISTS
Email notifications: file shares reaching the quota limit, service availability, server performance.
Reporting tools: OU audit and activity reporting; monthly reporting and real-time alerts.
New early-warning mechanisms.
SERVICE (SVC) ACCOUNTS
Management of service accounts is moving to HELP.unm.edu service requests. There will be a FastInfo describing the method for creating service accounts.
A service account is requested through Help. The request needs a department sponsor and a written justification. The service account will be tied to the requestor's account.
Once created, OU Administrators will authorize the account to their services. Control and responsibility remain in the OU Admin's hands.
Delegation will be more transparent.
Audits will be easier to perform.
SERVICE (SVC) ACCOUNTS
Serviced with the LAMB/NetID process:
• Password changes to service accounts can be made through netid.unm.edu just like other accounts. The previous password must be known.
• Password policy is in sync with LDAP: account passwords will expire in LDAP every 180 days. Password expiration notices will go to the identified owner of the service account.
• Renewal of service accounts on a regular basis: accounts will be renewed yearly to ensure continued need and functionality. Service account owners will be put on a mailing list for notification of service changes.
• Self-service password resets for non-OU admins.
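The rules stated across these service-account slides (name ends in 'svc', lives in a SvcAcnts sub-OU, has a trackable owner, password expires every 180 days, abandoned privileged accounts get eliminated) are all checkable from the directory. The PowerShell below is an added example, not the deck's or UNM's tooling. It assumes the RSAT ActiveDirectory module and that the owner is recorded in the account's Manager attribute; the deck only says the account is "tied to the requestor's account" and does not name the attribute, so treat that mapping and the 365-day inactivity threshold as assumptions.

```powershell
# Added example, not from the UNM deck: audit service accounts against the stated
# conventions. ASSUMPTIONS: RSAT ActiveDirectory module; the owner is stored in the
# 'Manager' attribute; one year without logon is the "abandoned" threshold.
Import-Module ActiveDirectory

$maxPasswordAgeDays = 180   # matches the LDAP expiry the deck states
$abandonedAfterDays = 365   # assumed threshold for an unused account
$now = Get-Date

# Every account whose name ends in 'svc', wherever it currently lives.
$svcAccounts = Get-ADUser -Filter "SamAccountName -like '*svc'" `
    -Properties Manager, PasswordLastSet, PasswordNeverExpires, LastLogonDate, DistinguishedName

$report = foreach ($acct in $svcAccounts) {
    $findings = @()

    # 1. Must reside in a SvcAcnts sub-OU (the DN contains ",OU=SvcAcnts,").
    if ($acct.DistinguishedName -notmatch ',OU=SvcAcnts,') { $findings += 'NotInSvcAcntsOU' }

    # 2. Must have a trackable owner, and that owner must still be active;
    #    the deck wants privileged accounts to terminate with their owner.
    if (-not $acct.Manager) {
        $findings += 'NoOwner'
    } elseif (-not (Get-ADUser -Identity $acct.Manager).Enabled) {
        $findings += 'OwnerDisabled'
    }

    # 3. Password must actually rotate on the 180-day policy.
    if ($acct.PasswordNeverExpires) { $findings += 'PasswordNeverExpires' }
    if (-not $acct.PasswordLastSet -or $acct.PasswordLastSet -lt $now.AddDays(-$maxPasswordAgeDays)) {
        $findings += 'PasswordOlderThanPolicy'
    }

    # 4. Enabled but unused accounts are the "abandoned privileged accounts" to eliminate.
    if ($acct.Enabled -and (-not $acct.LastLogonDate -or $acct.LastLogonDate -lt $now.AddDays(-$abandonedAfterDays))) {
        $findings += 'NoLogonInYear'
    }

    if ($findings) {
        [pscustomobject]@{
            Account  = $acct.SamAccountName
            OU       = ($acct.DistinguishedName -split ',', 2)[1]
            Enabled  = $acct.Enabled
            Owner    = $acct.Manager
            Findings = ($findings -join ';')
        }
    }
}

$report | Sort-Object Account | Format-Table -AutoSize
```

Run it as the OU Admin before the yearly renewal, and feed the NotInSvcAcntsOU and NoOwner rows into service requests rather than fixing them ad hoc, so the delegation record stays transparent. LastLogonDate is replicated only every 14 days by default, so an account that logged on last week can still show a stale value; query a few domain controllers before deleting anything on the strength of NoLogonInYear.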
COMMUNICATION
Over 9,000 Summer groups are ready to use right this moment!
Close to 16,000 groups during the Fall and Spring semesters.
Service account management and automation: coming later this summer.
Keep an eye on the standard communication paths for further announcements regarding this, e.g. [email protected], IT Alerts, IT Agents and others.
How does this affect you?