For years I have been listening to the same complaints about the big mess caused by trying to mirror an organization, and manage access permissions to its resources, using Active Directory groups.
Active Directory is often used to centralize all the information about authentication and access to the services and resources of a network domain.
The problem arises when the number of such resources grows so high that groups are no longer a handy means of managing them. Provisioning, deprovisioning and [business] role management easily become expensive (in effort and time) and risky (in terms of access permissions) operations.
Unfortunately, the problems arising from this typical scenario impact both productivity, causing avoidable delays, and transparency about which access permissions have been granted to which users, making auditing difficult and sometimes impossible.
Finally, this BIG MESS easily becomes a non-negligible cost to be budgeted...
Probably some people don't know that a solution to the BIG MESS already exists!
Simply by putting a good Identity Manager in place, all your problems will disappear.
Syncope IdM is an open source (Apache 2.0 license) identity manager, well integrated with Active Directory (AD) through a Java implementation of the AD DirSync protocol. This implementation is provided by the Active Directory connector available among the ConnId bundles.
The solution I want to suggest using Syncope IdM is not invasive: it is completely agentless.
Robustness, flexibility, reliability, feasibility and affordability are the five major advantages of adopting a Syncope solution.
Only a few steps are needed to put this solution in place. By registering an Active Directory (AD) resource, defining a mapping of profile attributes between Syncope and AD, and assigning AD groups to specific business roles, you should have everything needed to implement your own solution, including:
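As an added illustration (not Syncope's own code), here is a small Python model of the last step above: business roles are mapped to AD groups, a user's desired membership is derived only from their roles, and reconciling that against the current AD membership yields the provisioning and deprovisioning actions, plus the stale memberships an auditor wants to see. All roles, users and group DNs are constructed sample data.

```python
# Role-based AD group provisioning modelled in plain Python. Added
# illustration, not Apache Syncope code; all roles, users and group DNs
# are constructed sample data.
OU = "OU=Groups,DC=example,DC=com"

# Business role -> AD groups that the role entitles a user to
ROLE_TO_GROUPS = {
    "employee": {f"CN=AllStaff,{OU}"},
    "finance": {f"CN=Finance-RO,{OU}", f"CN=ERP-Users,{OU}"},
    "finance-admin": {f"CN=Finance-RW,{OU}"},
}


def desired_groups(roles, role_to_groups=ROLE_TO_GROUPS):
    """AD groups a user should hold, derived only from business roles.
    An unknown role raises rather than silently granting nothing."""
    groups = set()
    for role in roles:
        if role not in role_to_groups:
            raise KeyError(f"unknown business role: {role}")
        groups |= role_to_groups[role]
    return groups


def reconcile(user_roles, current_ad, role_to_groups=ROLE_TO_GROUPS):
    """Diff desired vs. actual membership for every user seen on either
    side; returns (to_add, to_remove) as sorted (user, group DN) pairs.
    A user missing from user_roles (a leaver) has no entitlements, so
    every group they still hold lands in to_remove: the audit finding."""
    to_add, to_remove = [], []
    for user in sorted(set(user_roles) | set(current_ad)):
        want = desired_groups(user_roles.get(user, []), role_to_groups)
        have = current_ad.get(user, set())
        to_add += [(user, g) for g in sorted(want - have)]
        to_remove += [(user, g) for g in sorted(have - want)]
    return to_add, to_remove


# Constructed state: alice moved from finance-admin to finance but AD was
# never cleaned up; bob has left the company yet still holds a group.
USER_ROLES = {"alice": ["employee", "finance"], "carol": ["employee"]}
CURRENT_AD = {
    "alice": {f"CN=AllStaff,{OU}", f"CN=Finance-RW,{OU}"},
    "bob": {f"CN=AllStaff,{OU}"},
    "carol": {f"CN=AllStaff,{OU}"},
}

if __name__ == "__main__":
    adds, removes = reconcile(USER_ROLES, CURRENT_AD)
    for action, pairs in (("ADD", adds), ("REMOVE", removes)):
        for user, group in pairs:
            print(f"{action:6} {user} -> {group}")
```

Running it lists two groups to add for alice, one stale group to remove from alice and the leftover membership of the leaver bob; carol needs no change.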
Do not hesitate: check it out and try to solve your big mess.