There’s a lot of buzz around XACML and momentum building to externalize authorization from applications, and we’re as excited as anyone to see these trends take off. Unfortunately, externalizing authorization across the myriad applications in your infrastructure is a process that will take time. While that transition takes place, the reality is that groups remain the predominant (and potentially very effective) method for enterprises to authorize their users.
Groups are great because they make sense: they represent how employees and resources are organized in the real world, and they’re well-supported by legacy applications while simultaneously enabling emerging best practices for authorization. At a technical level, groups easily distribute users into application-defined roles, making them a natural fit in an ecosystem increasingly populated with role-driven API-based applications. In this world, controlling the groups means controlling access. Without an agile identity infrastructure, though, building and managing groups for your access management regime is a burdensome process that often calls for compromises in either security or agility.
Each time resources are reallocated in the real world, an administrator must update the corresponding group entries with each affected user’s DN (adding, updating, or deleting it). That puts time-consuming grunt work on administrators, and every change to the roles within those groups means a team leader adding more work to the queue of already-burdened IT staff. Enterprises often end up facing lose-lose choices between tight group management that sacrifices flexibility, and looser kludges that can leave gaping security holes.
To reduce these group management headaches and make authorization more agile, we’ve built the RadiantOne federated identity service to achieve three key objectives:
- Preserve and migrate existing groups from decommissioned identity stores
When it’s time to retire older identity sources, you don’t want to scrap all the work you’ve put into setting up your existing groups. That’s why we built our Groups Migration Wizard to help you virtualize your existing groups, transferring them into the federated directory’s namespace so that they can continue to serve your applications without interruption.
- Unify user populations to create flexible groups across identity systems
When identities are scattered across silos, it becomes all but impossible to create groups with members from across the enterprise. When different divisions are stored in different forests, mobilizing cross-functional teams becomes trickier. That brings serious business consequences like slower, more disjointed deployments and less agile responses to new challenges. With RadiantOne, a global list of users in the federated directory allows for enterprise-wide group creation and management.
- Auto-generate groups and roles in real-time based on attributes
We can harness virtualization to take the grunt work of group management off your identity managers’ agenda. RadiantOne can build groups dynamically from the attributes of your users. For example, when a new hire is given the department “Sales” in the HR directory, she automatically becomes a member of the Sales group. When her title is bumped from Associate to Director, her group membership changes automatically and her role is upgraded from User to Superuser. The flip side is that the attribute source now decides access: the HR fields that drive membership must be authoritative and their changes audited, because a change to a title or department is now also a change in privilege.
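To make the mechanism concrete, here is a small model of attribute-driven group and role derivation set beside a conventional static group. This is an added illustration, not RadiantOne’s code or configuration: the attribute names (department, title, employeeStatus), the DNs, the group names and the User/Superuser role ladder are all constructed to match the scenario above.

```python
"""Attribute-driven (dynamic) groups next to a hand-maintained (static) group.

Added illustration, not RadiantOne code. Attribute names, DNs, group names
and the User/Superuser role ladder are constructed for the post's scenario.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

Attrs = Dict[str, str]

# Constructed profile for one user, as a federated directory might expose it.
# The values originate in HR; the user herself cannot edit them.
HR_PROFILE: Attrs = {
    "dn": "uid=jdoe,ou=people,dc=example,dc=com",
    "department": "Sales",
    "title": "Associate",
    "employeeStatus": "active",
}


def _active(a: Attrs) -> bool:
    """Deprovisioning falls out of the rules: inactive staff match no group."""
    return a.get("employeeStatus") == "active"


@dataclass(frozen=True)
class DynamicGroup:
    """A group defined by a predicate over attributes instead of a member list."""
    name: str
    rule: Callable[[Attrs], bool]


# Membership rules (hypothetical). Adding or removing a member means changing
# HR data, not editing a group entry by hand.
DYNAMIC_GROUPS: List[DynamicGroup] = [
    DynamicGroup("Sales", lambda a: _active(a) and a.get("department") == "Sales"),
    DynamicGroup(
        "Sales-Directors",
        lambda a: _active(a) and a.get("department") == "Sales" and a.get("title") == "Director",
    ),
]

# The application defines and ranks its roles; the directory decides who fills them.
ROLE_BY_GROUP: Dict[str, str] = {"Sales": "User", "Sales-Directors": "Superuser"}
ROLE_RANK: Dict[str, int] = {"User": 1, "Superuser": 2}


def derive_groups(attrs: Attrs) -> List[str]:
    """Return the names of every dynamic group whose rule the profile satisfies."""
    return [g.name for g in DYNAMIC_GROUPS if g.rule(attrs)]


def derive_role(attrs: Attrs) -> Optional[str]:
    """Map the derived groups to the single highest-ranked application role, or None."""
    roles = [ROLE_BY_GROUP[g] for g in derive_groups(attrs) if g in ROLE_BY_GROUP]
    return max(roles, key=ROLE_RANK.__getitem__) if roles else None


def with_attribute(attrs: Attrs, name: str, value: str) -> Attrs:
    """Simulate an authoritative HR update (a promotion, a termination) without mutating the input."""
    return {**attrs, name: value}


@dataclass
class StaticGroup:
    """A conventional group: an explicit set of member DNs that an administrator edits."""
    name: str
    members: Set[str]

    def is_member(self, dn: str) -> bool:
        return dn in self.members


def demo() -> None:
    print(derive_groups(HR_PROFILE), derive_role(HR_PROFILE))
    promoted = with_attribute(HR_PROFILE, "title", "Director")
    print(derive_groups(promoted), derive_role(promoted))
    # The static group does not learn about the promotion until someone edits it.
    static = StaticGroup("Sales-Directors", {"uid=asmith,ou=people,dc=example,dc=com"})
    print(static.is_member(promoted["dn"]))


if __name__ == "__main__":
    demo()
```

Two things the model makes visible. First, because every rule is conjoined with `employeeStatus == "active"`, a termination removes all group memberships and the role at once, with no group entry touched. Second, the write path to `title` and `department` is now the real access-control surface: whoever can change those HR fields can grant Superuser, so those writes deserve the same approval and audit trail you would demand for a direct edit to a privileged group.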
With groups that span users from across your enterprise, and membership driven by rich sets of attributes from users’ global profiles, you can leverage your existing infrastructure, together with federation standards such as SAML, to greatly strengthen your access management. Auto-generated groups and group migration ensure that adopting federated identity saves your IT staff time now and in the future, while the global view of user identities that RadiantOne provides gives you the flexibility to deploy new groups quickly as new requirements arise.
Interested in learning more about how federated identity can drive a more secure and agile access management system while simultaneously enabling SSO and delivering stellar ROI? Contact us at email@example.com.
- 21 May 2013: Attributes, Predicates, and Sentences: The Building Blocks of Context
- 07 May 2013: From Groups to Roles to Context: The Emergence of Attributes in Authorization
- 30 Apr 2013: In Context: The Next Frontier of Your Digital Identity
- 15 Apr 2013: Bringing IAM Back to Life with a Federated Identity Service: Leveraging Your Silos for Authentication and SSO