Roles Engineering for Active Directory

From: DF (finchdavid@yahoo.com)
Date: 04/14/03

    From: "DF" <finchdavid@yahoo.com>
    Date: Mon, 14 Apr 2003 21:17:04 +0200
    
    

    A call for feedback: Automatic Roles Engineering for Active Directory

    Short description:

    We have developed a unique technology that enables reverse engineering of
    the existing access rights and data stored in Active Directory into Logical
    definitions of Business Roles (senior clerk, accounting manager, sales
    rep..).

    The resulting Business Roles will be deployed as special user-groups in
    Active Directory.

    The technology will be useful also for modeling and even auditing of the
    privileges from time to time.

    The assumed benefits:

    * Such Roles significantly reduce the time and effort of administrators.
    Any insert, change or delete in users' privileges will be done through the
    use of reusable and meaningful Roles rather than using many privileges
    (this method is commonly called Role-based Access Control - RBAC).

    * RBAC results in more secure systems - people are not left with redundant
    privileges.

    How will that work:

    Our plans are to use a very simple approach, by using the native data
    export utility of AD.

    The extracted data will then be processed offline until full delivery of
    Roles Candidates.

    Once Roles Candidates are approved or refined, they are imported back to AD.

    Auditing capabilities may be used for periodical compliance checks.

    The system will work on any NT machine, and will be able to process
    literally endless amount of users and privileges (First solution will be
    limited to 1000 users).

    The feedback requested:

    Q: Does that solution have any value for the organization?

    Q: Are any of you interested in contributing ideas or participating in the
    testing of this concept?

    Contributors and those that will participate in the test program will be
    entitled to perpetual use of the software.

