Central User Management
What makes this innovative?
A central user management concept reduces complexity, improves clarity, and enhances security. The support for multiple logical environments adheres to modern development concepts. The overall solution eases the maintainability of IT infrastructures and saves on cost and other resources.
Maintaining user authorization throughout complex IT systems requires a huge effort
A central user management concept reduces complexity, improves clarity, and enhances security
The average technical landscape of a modern enterprise consists of a collection of various interdependent systems; furthermore, the entire architecture is duplicated across multiple logical environments. Ensuring that each user has the necessary access for every system, which might differ from one logical environment to the next, all the while complying with the principle of least privilege, is a challenging task that every company faces. Having to maintain each set of users and accesses independently across systems not only requires a great deal of synchronization effort, but also slows down on- and off-boarding of employees significantly.
Our solution is a central user management design comprising Active Directory, a multi-layered authorization concept, and a template-based role assignment solution which makes it easier to design and propagate the authorization of users and roles to each corresponding logical environment.
At the heart of the solution is the multi-layered authorization concept, consisting of component roles, i.e. a set of singular grants for a particular system, and platform roles, i.e. an abstraction layer of aggregated component roles representing specific business or technical functions. A user is assigned multiple platform roles, thereby inheriting the required component roles. Since the components of the technical architecture should stay consistent across different logical environments, we employ a template to model the semi-fixed structure of the overall system, whilst allowing us to modify the dynamic authorization requirements. The template is then synchronized with Active Directory to create and modify the necessary roles within it.
Active Directory is used as the single source for user authentication and authorization. All necessary systems are linked and connected to it; this eliminates the need to manage a set of local users on each system and greatly reduces the overall complexity. Every change to a user (creation, modification, deletion) is carried out in a centralized location and automatically propagated to every system.
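To make the two-layer model and the per-environment template concrete, here is an added example (not code from the original page or the project it describes). It assumes a constructed template of component and platform roles, an assumed AD group naming convention of <env>_<layer>_<role>, and nested group membership as the inheritance mechanism; it expands the template once per logical environment, validates it, and resolves a user's platform groups to effective grants per system and environment.

```python
from collections import defaultdict

# Constructed sample template (assumption, not from the page):
# component role -> (system, set of singular grants on that system)
COMPONENT_ROLES = {
    "db_reader":    ("postgres", {"SELECT"}),
    "db_writer":    ("postgres", {"SELECT", "INSERT", "UPDATE"}),
    "etl_operator": ("abinitio", {"run_graph", "view_logs"}),
    "etl_admin":    ("abinitio", {"run_graph", "view_logs", "deploy_graph"}),
    "linux_shell":  ("linux",    {"ssh_login"}),
}
# Platform roles aggregate component roles into business/technical functions.
PLATFORM_ROLES = {
    "data_analyst":  ["db_reader", "etl_operator"],
    "etl_developer": ["db_writer", "etl_admin", "linux_shell"],
}
ENVIRONMENTS = ("dev", "test", "prod")

def group_name(env, layer, role):
    """Assumed AD group naming convention: <env>_<layer>_<role>."""
    return f"{env}_{layer}_{role}"

def validate_template():
    """Fail early if a platform role references an undefined component role."""
    missing = {c for comps in PLATFORM_ROLES.values()
               for c in comps if c not in COMPONENT_ROLES}
    if missing:
        raise ValueError(f"unknown component roles in template: {sorted(missing)}")

def expand_template():
    """Stamp the template out once per environment: {group: nested member groups}.
    Platform groups nest their component groups, so a user placed in a platform
    group inherits the component grants through group membership."""
    validate_template()
    nested = {}
    for env in ENVIRONMENTS:
        for comp in COMPONENT_ROLES:
            nested[group_name(env, "component", comp)] = set()
        for plat, comps in PLATFORM_ROLES.items():
            nested[group_name(env, "platform", plat)] = {
                group_name(env, "component", c) for c in comps}
    return nested

def effective_grants(nested, user_groups):
    """Resolve a user's direct group memberships to grants per (env, system)."""
    grants = defaultdict(set)
    for g in user_groups:
        for member in nested[g] or {g}:   # component groups resolve to themselves
            env, layer, comp = member.split("_", 2)
            assert layer == "component", f"unexpected nesting under {member}"
            system, perms = COMPONENT_ROLES[comp]
            grants[(env, system)] |= perms
    return dict(grants)
```

Because the same template is expanded for every environment, a user who is an etl_developer only in dev gets no production grants unless a separate prod platform group is assigned, which is where the least-privilege review happens.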
The core concept behind central user management can be applied to any environment. The flexible authorization concept can easily be adapted to add parts to or remove parts from the system. It also ensures smooth on- and off-boarding of employees as well as easier access maintenance across different environments and systems.
FRAMEWORK & TOOLS
Ab Initio, Active Directory, LDAP, Linux, Bash