Identity Governance challenge #1: How to standardize access policies for better Identity governance with ADManager Plus?


With the Identity Governance landscape evolving quickly, one can never be too prudent about choosing the access management policy model for their organization. Based on their users, applications and resources, organizations choose between Role based access control (RBAC), Attribute based access control (ABAC) or a hybrid of both.

 

ADManager Plus provides the following capabilities to manage and regulate users' access, which help your organization standardize access policies:

 

  • Rule based access to security groups through user provisioning templates

  • Folder access management

 

Solution 1: RBAC or ABAC, ADManager Plus' user creation templates have got your back.

 

ADManager Plus' user provisioning templates help you define conditions that pre-populate the necessary attributes, which eases user creation and standardizes access policies. The following steps will guide you through creating a template that adds users, at the time of creation, to different security groups based on the predefined conditions provided.

 

    1. Navigate to Management > User Management > User template > User Creation template.

    2. Click the Create New Template button on the top right corner of the page.

    3. Enter a suitable name and description for the template.

    4. Select the Domain in which this template will be used.

    5. Click the User creation rules button to set up rules that auto-fill the desired attributes if the specified conditions are satisfied. In the Creation Rules section, add rules based on your organization's access policy model.

    • Role based access control (RBAC) - If you want to implement RBAC policies, you can create rules based on the roles in your organization. For example, if you want the 'MemberOf' attribute value to be populated based on the title, then you can add a condition as "If 'title' equals 'Manager', set 'MemberOf' to 'Managers'". You can assign appropriate privileges to the 'Managers' group.

    • Attribute based access control (ABAC) - When you implement ABAC policies, you assign access based on attributes. For example, if you want to assign permission based on office location and department, you can add the conditions as "If 'Office' equals 'Texas' AND if 'Department' equals 'HR', set 'MemberOf' to 'TexasHR'". You can assign appropriate privileges to the 'TexasHR' group.

    6. Click the Enable drag n drop button to customize the template by dragging and dropping the required fields from the Field tray to the appropriate tab of the template and vice versa.

    7. If you wish to configure the fields in the template with the attributes of an existing user account, click the Copy user attributes button. To enter the values for all the necessary fields manually, continue with the rest of the steps.

    8. If needed, you can create new field groups and place the related fields in them.

    9. In the General tab, enter the necessary attribute values for the users to be created.

    10. Similarly, click on the Account, Contact, Exchange, Terminal, and Remote Mailbox tabs, and customize the desired settings.

    11. To configure custom attributes, click on the Custom Attributes tab.

    12. Click Save Template.
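
The two example rules from step 5, re-evaluated against existing accounts to flag group memberships that no longer match the rule conditions. This is an added example, not ADManager Plus code; the user records, the lowercase attribute keys and the case-insensitive comparison are assumptions made for the illustration.

```python
# Added example: audit existing accounts against the two creation rules in step 5.
# USERS is constructed sample data, not output from ADManager Plus or a real directory.

# Each rule: (conditions that must ALL match, group to set in MemberOf).
RULES = [
    ({"title": "Manager"}, "Managers"),                    # RBAC rule
    ({"office": "Texas", "department": "HR"}, "TexasHR"),  # ABAC rule
]

USERS = [  # constructed records
    {"name": "alice", "title": "Manager", "office": "Texas", "department": "HR",
     "memberOf": ["Managers", "TexasHR"]},
    {"name": "bob", "title": "Analyst", "office": "Texas", "department": "HR",
     "memberOf": ["Managers", "TexasHR"]},   # title no longer matches the RBAC rule
    {"name": "carol", "title": "Manager", "office": "Ohio", "department": "HR",
     "memberOf": ["Domain Users"]},          # RBAC rule matches, group missing
    {"name": "dave", "title": "Engineer", "department": "IT", "memberOf": []},
]


def _norm(value):
    """Assumption of this audit: compare values case-insensitively, trimmed."""
    return (value or "").strip().casefold()


def expected_groups(user, rules=RULES):
    """Return the groups the rules assign to this user's current attributes."""
    return {
        group for conditions, group in rules
        if all(_norm(user.get(attr)) == _norm(want) for attr, want in conditions.items())
    }


def audit(users, rules=RULES):
    """Return {name: {"missing": [...], "unjustified": [...]}} for drifted accounts."""
    managed = {_norm(group): group for _, group in rules}
    findings = {}
    for user in users:
        expected = expected_groups(user, rules)
        # Only groups that a rule controls are audited; others are ignored.
        actual = {managed[_norm(g)] for g in user.get("memberOf", []) if _norm(g) in managed}
        missing, unjustified = sorted(expected - actual), sorted(actual - expected)
        if missing or unjustified:
            findings[user["name"]] = {"missing": missing, "unjustified": unjustified}
    return findings


if __name__ == "__main__":
    for name, result in audit(USERS).items():
        print(name, result)
```
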

 

Watch this space next week to know how to set up an organization-wide approval process for Identity Management operations.

 


Cheers,
ADManager Plus.



