eControl 2.x for Mixed Networks Web-based, “ZERO-Rights” User Account Management, Identity Administration and User Provisioning and EMU for eDirectory and GroupWise Bulk User Management. Aldo Zanoni B.Ed, B.A., MCNI, MCNE, MCP CEO, Managing Director Omni Technology Solutions Inc.
Agenda
1. Welcome and Introduction
2. What is eControl? What Pain Does it Relieve?
3. Is eControl Right for You? 10 Key Questions
4. Why Companies Need / Buy eControl
5. eControl Modules
6. Future of eControl
7. EMU – Bulk User Management
8. Questions and Answers
9. Appendix: Screenshots
What is eControl? eControl is a web-based, “ZERO-Rights” enterprise user account management and provisioning tool for users of Novell eDirectory, GroupWise and NetMail; and Microsoft Active Directory and Exchange systems. eControl delivers an immediate return on investment by enabling an enterprise to efficiently, securely and inexpensively implement user account management and provisioning services across multiple and mixed network operating systems and e-mail systems.
eControl relieves the pain caused by using multiple applications to manage mixed and multiple Novell eDirectory, Microsoft Active Directory, Novell NetMail, Novell GroupWise and Microsoft Exchange systems.
Who are the Identity Management Players? The many large and small players include: • IBM (Tivoli Identity Manager and Access Manager) • CA (Entrust) • Novell (Identity Manager 3) • Microsoft (Identity Integration Server) • Oracle (Identity Management) • HP, RSA, SUN … • Avatier • BMC Software • M-Tech
Where does eControl Fit? eControl can be deployed as part of a comprehensive identity management strategy that includes different components of: • Directory synchronization • Federated identity management • Meta directory • User Self-service • Single sign-on • Biometric and other user authentication
Is eControl Right for You? • Is your Help Desk or IT department often the bottleneck in your user account management and provisioning process? • Do your Help Desk operators have more rights than they should on your network because they need to carry out certain account management tasks? • Does your account management and provisioning process comply with internal or SOX regulatory security, privacy and audit report requirements? • Are you running GroupWise on Windows or Exchange with eDirectory and/or multiple eDirectory and Active Directory environments? • Does your Help Desk need to run multiple user account management tools?
Is eControl Right for You? • Have department mergers or corporate acquisitions made your user account creation and management tasks cumbersome and complex? • Are costs increasing and productivity decreasing due to the time required to train new Help Desk Operators how to use a combination of ConsoleOne, NWAdmin, iManager, Microsoft Management Console or custom Task Pads? • Terrified about the consequences of a Help Desk Operator or junior administrator hitting the delete key on the wrong object or accessing information outside their realm of account management responsibility? • Need to deploy user password self-service or user self-service for GroupWise or in a multiple or mixed eDirectory, GroupWise, Active Directory or Exchange environment? • Are you being asked to manage and integrate more complex systems with fewer resources?
Why Companies Buy eControl eControl is a non-invasive solution that delivers very specific and easily deployed user account management and access control pain relief. Companies are finding that achieving the “Holy Grail” of fully automated identity management and account provisioning services is much more complex and time consuming than expected. This difficulty is caused by the systemic complexity created by the multitude of access roles and rules that need to be defined in multiple operating systems in order to automatically manage access rights as employees change positions or move in and out of the company.
Why Companies Buy eControl With eControl, we started with what we knew best – Novell eDirectory and GroupWise – and allowed our customers’ needs to shape the evolution of eControl’s features, modules and additional operating system support. eControl brings a large piece of the identity and user access management puzzle to the table. In many cases, it is the only piece that a company requires.
Why Companies Buy eControl eControl delivers web-based, “ZERO-Rights” user account access administration and provisioning. It allows the IT manager and the security administrator to determine who can carry out what user account management tasks against which accounts. eControl allows the CIO and IT department to focus on contributing to the company’s high-value business processes rather than having to be concerned with the administration of user access rights across multiple systems and related security issues.
Why Companies Buy eControl eControl appeals to different business units and levels of decision making and budget authority because of intersecting and complementary objectives: • CIOs look to improve the efficiency of IT staff allocation and allow highly-trained, scarce resources to focus on delivering business value through IT integration initiatives. • Business unit managers look to increase user productivity and time effective user management change. • CFOs look to implement cost containment strategies. • CSOs are required to satisfy legislative or internal user account management and data access security requirements.
Why Companies Need eControl Help desk managers need eControl because it: • Delivers immediacy of response and increased efficiency dealing with user change and account modification requests • Delivers a common, intuitive user interface to manage users across multiple and mixed operating systems • Provides granular control over who can carry out what user account administration tasks • Requires approximately 15 minutes to train new help desk operators or junior administrators • Takes THREE hours to completely install, configure and integrate
Why Companies Need eControl Business unit managers need eControl because it: • Allows user account administration to be decentralized to department managers when appropriate thereby delivering department-based administration and more timely account change management • Delivers granular control to those people within the department who should be able to control application processes • Provides increased productivity by delivering timely access to user account change requests
Why Companies Need eControl CSOs or security administrators need eControl because: • They are responsible to ensure internal and external information and security compliance requirements are satisfied • eControl allows the removal of all trustee assignments, system rights, permissions and related user account access rights from the native operating systems • In most environments, there is a certain measure of “trust” that exists. Completely removing trustee assignments and permissions from user account managers precludes the need for this “trust” to exist. eControl allows the CSO to have 100% control over the security failure points on the system • It provides a complete audit log of all transactions that occur in eControl for everything from password changes to adding or removing a user from a group
Why Companies Need eControl CFOs or budget administrators need eControl because: • As an enterprise grows, eControl allows the enterprise not to have to increase the number of people who need to be hired to carry out user management tasks (cost avoidance) • eControl delivers significant cost reduction by making it simple for non-technical (less expensive) clerical staff to be assigned user account provisioning and administration tasks • User self-service significantly decreases costs related to the number of password change and demographic change requests that would otherwise need to flow through a help desk environment
Why Companies Need eControl Human resource managers need eControl because: • It puts account provisioning and deprovisioning back into the hands of HR staff without any associated security risks • Who other than a senior HR staff member should be involved in disabling the accounts of users in a department that is being investigated? • eControl can remove account enabling and disabling responsibility from the IT department and return it to HR
Why Companies Need eControl eControl enhances compliance with HIPAA, Sarbanes-Oxley and other security and privacy legislation through increased security and controls in the following areas: • Authentication and Authorization: All system rights are removed from all accounts and replaced with explicit task assignments based on group membership. • Configuration and Change Management: Only those users who have been authorized to carry out user configuration and changes are able to do so. All changes made by administrators in the eControl administration and configuration application are tracked and can be made available for audit. A record of all administration changes that are made is maintained so the state of eControl at any previous time can be determined. • Segregation of Duties: eControl can be configured to ensure that no single person has rights to carry out access management and be responsible for auditing, initiating or approving incompatible activities in those systems. • Documentation and Reporting: eControl's audit log and tracking strategies provide support for appropriate reporting on each participant's role and activities in the user management and account provisioning process. eControl keeps track of who did what, when. (See Sample Log.) Future enhancements to eControl will allow for non-technical resources and auditors to run web-based, ZERO-Rights audit reports to support Sarbanes-Oxley and other reporting requirements.
Sample Account Change Log File
Date; Numeric Action Id; Action Description; Status; Source; Login Account; Parameter(s);;; Module
2/2/2006 9:50:19 AM;10;Authentication Attempt;True;10.10.2.21; LDAP://10.10.2.16:389/cn=HDOBerlin5,ou=HDO,ou=Berlin,o=ACME;;;HelpDesk
2/2/2006 9:52:42 AM;10;Authentication Attempt;True;10.10.2.21; LDAP://10.10.2.16:389/cn=HDOBerlin1,ou=HDO,ou=Berlin,o=ACME;;;HelpDesk
2/2/2006 9:52:50 AM;1011;Group Membership Viewed;True;10.10.2.21; LDAP://10.10.2.16:389/cn=HDOBerlin1,ou=HDO,ou=Berlin,o=ACME; LDAP://10.10.2.16:389/cn=AaJacob,ou=Berlin,o=ACME;;HelpDesk
2/2/2006 9:53:00 AM;1051;Directory Password Changed;True;10.10.2.21; LDAP://10.10.2.16:389/cn=HDOBerlin1,ou=HDO,ou=Berlin,o=ACME; LDAP://10.10.2.16:389/cn=AaJacob,ou=Berlin,o=ACME;;HelpDesk
2/2/2006 9:53:01 AM;1052;Email Password Changed;True;10.10.2.21; LDAP://10.10.2.16:389/cn=HDOBerlin1,ou=HDO,ou=Berlin,o=ACME; LDAP://10.10.2.16:389/cn=AaJacob,ou=Berlin,o=ACME;;HelpDesk
2/2/2006 9:53:24 AM;10;Authentication Attempt;True;10.10.2.21; LDAP://10.10.2.16:389/cn=HDOBerlin2,ou=HDO,ou=Berlin,o=ACME;;;HelpDesk
2/2/2006 9:53:35 AM;10;Authentication Attempt;True;10.10.2.21; LDAP://10.10.2.16:389/cn=HDOBerlin3,ou=HDO,ou=Berlin,o=ACME;;;HelpDesk
2/2/2006 9:56:24 AM;10;Authentication Attempt;True;10.10.2.21; LDAP://10.10.2.16:389/cn=HDOBerlin3,ou=HDO,ou=Berlin,o=ACME;;;HelpDesk
2/2/2006 10:19:54 AM;10;Authentication Attempt;True;10.10.2.21; LDAP://10.10.2.16:389/cn=Stephane,o=DEV;;;HelpDesk
2/2/2006 10:20:01 AM;1021;GW Distribution List Membership Viewed;True;10.10.2.21; LDAP://10.10.2.16:389/cn=Stephane,o=DEV; LDAP://10.10.2.16:389/cn=HDOBerlin3,ou=HDO,ou=Berlin,o=ACME;;HelpDesk
2/2/2006 10:20:11 AM;1022;GW Distribution List Membership Added;True;10.10.2.21; LDAP://10.10.2.16:389/cn=Stephane,o=DEV; LDAP://10.10.2.16:389/cn=HDOBerlin3,ou=HDO,ou=Berlin,o=ACME;29D3B710-04E6-0000-9040-1F00DA008A00 2DB3B060-04E6-0000-9040-1F00DA008A00 30187B60-04E6-0000-9040-1F00DA008A00 328B9E40-04E6-0000-9040-1F00DA008A00 349A8110-04E6-0000-9040-1F00DA008A00;HelpDesk
2/2/2006 10:20:12 AM;1021;GW Distribution List Membership Viewed;True;10.10.2.21; LDAP://10.10.2.16:389/cn=Stephane,o=DEV; LDAP://10.10.2.16:389/cn=HDOBerlin3,ou=HDO,ou=Berlin,o=ACME;;HelpDesk
2/2/2006 10:20:31 AM;10;Authentication Attempt;True;10.10.2.21; LDAP://10.10.2.16:389/cn=HDOBerlin3,ou=HDO,ou=Berlin,o=ACME;;;HelpDesk
2/2/2006 1:06:28 PM;10;Authentication Attempt;False;10.10.2.7; LDAP://10.10.2.16:389/cn=Stephane,o=DEV;;;Global
2/2/2006 1:06:35 PM;10;Authentication Attempt;True;10.10.2.7; LDAP://10.10.2.16:389/cn=Stephane,o=DEV;;;HelpDesk
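An audit reviewer can turn a log in this format into a "who did what to whom" list with a short script. The following is an added example, not part of the original presentation or of eControl: it parses records copied from the sample log above, lists completed changes, and flags a failed authentication followed by a success for the same account and source. The nine-field record layout, the month/day date order, and the rule that actions ending in "Viewed" are reads are assumptions inferred from the sample.

```python
from datetime import datetime, timedelta

# Header and six records copied from the sample log on this page.
SAMPLE = """\
Date; Numeric Action Id; Action Description; Status; Source; Login Account; Parameter(s);;; Module
2/2/2006 9:52:42 AM;10;Authentication Attempt;True;10.10.2.21; LDAP://10.10.2.16:389/cn=HDOBerlin1,ou=HDO,ou=Berlin,o=ACME;;;HelpDesk
2/2/2006 9:52:50 AM;1011;Group Membership Viewed;True;10.10.2.21; LDAP://10.10.2.16:389/cn=HDOBerlin1,ou=HDO,ou=Berlin,o=ACME; LDAP://10.10.2.16:389/cn=AaJacob,ou=Berlin,o=ACME;;HelpDesk
2/2/2006 9:53:00 AM;1051;Directory Password Changed;True;10.10.2.21; LDAP://10.10.2.16:389/cn=HDOBerlin1,ou=HDO,ou=Berlin,o=ACME; LDAP://10.10.2.16:389/cn=AaJacob,ou=Berlin,o=ACME;;HelpDesk
2/2/2006 9:53:01 AM;1052;Email Password Changed;True;10.10.2.21; LDAP://10.10.2.16:389/cn=HDOBerlin1,ou=HDO,ou=Berlin,o=ACME; LDAP://10.10.2.16:389/cn=AaJacob,ou=Berlin,o=ACME;;HelpDesk
2/2/2006 1:06:28 PM;10;Authentication Attempt;False;10.10.2.7; LDAP://10.10.2.16:389/cn=Stephane,o=DEV;;;Global
2/2/2006 1:06:35 PM;10;Authentication Attempt;True;10.10.2.7; LDAP://10.10.2.16:389/cn=Stephane,o=DEV;;;HelpDesk
"""

FIELDS = 9  # assumed: date;id;action;status;source;login account;param 1;param 2;module
AUTH = "Authentication Attempt"

def dn(url):
    """Return the DN part of 'LDAP://host:port/dn', or None for an empty field."""
    url = url.strip()
    if url.upper().startswith("LDAP://") and url.count("/") >= 3:
        return url.split("/", 3)[3]
    return None

def parse(text):
    """Parse records; the header and malformed or wrapped lines are skipped."""
    records = []
    for line in text.splitlines():
        f = [x.strip() for x in line.split(";")]
        if len(f) != FIELDS or not f[1].isdigit():
            continue
        records.append({
            "when": datetime.strptime(f[0], "%m/%d/%Y %I:%M:%S %p"),  # assumed M/D/Y
            "id": int(f[1]), "action": f[2], "ok": f[3] == "True",
            "source": f[4], "actor": dn(f[5]), "target": dn(f[6]),
            "detail": f[7], "module": f[8],
        })
    return records

def changes(records):
    """Successful modifying actions as (actor DN, action, target DN)."""
    return [(r["actor"], r["action"], r["target"]) for r in records
            if r["ok"] and r["target"] and r["action"] != AUTH
            and not r["action"].endswith("Viewed")]

def failed_then_ok(records, window=timedelta(minutes=5)):
    """Failed logins followed within `window` by a success, same account and source."""
    hits, last_fail = [], {}
    for r in sorted(records, key=lambda r: r["when"]):
        if r["action"] != AUTH:
            continue
        key = (r["source"], r["actor"])
        if not r["ok"]:
            last_fail[key] = r["when"]
        elif key in last_fail and r["when"] - last_fail.pop(key) <= window:
            hits.append((r["actor"], r["source"], r["when"]))
    return hits

if __name__ == "__main__":
    recs = parse(SAMPLE)
    for row in changes(recs) + failed_then_ok(recs):
        print(row)
```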
eControl History
• EMU: Windows application for bulk user import and management for eDirectory and GroupWise; requires full rights; requires Novell Client and GroupWise Client; no customization options
• HDU: Windows-based user account management for eDirectory and GroupWise; requires full rights; requires Novell Client and GroupWise Client; customizable interface to restrict user account management tasks
• eControl: Web-based user account management for mixed eDirectory, GroupWise, Active Directory and Exchange systems; “ZERO Rights”; no Client required; full customization, multiple modules and cross-platform support
eControl – HD, USS, AC, CL, SOX Web-based Modules: Browser Proxy Service eDirectory: LDAP and native APIs NetMail: LDAP Active Directory and Exchange: LDAP and native APIs GroupWise: Win32 APIs
“ZERO-Rights” Modules • Help Desk User Management (HD) – Provides Help Desk Operators with the ability to carry out the “TOP TEN” user administration tasks – in a web browser. NO rights required! • User Self-Service / Self-Administration (USS) – Allows you to set which user fields can be updated or modified by a user in the web interface • Account Create / Manager (AC) – Allows HDOs to create users based on eControl profiles and Account Create templates • Contact Lookup (CL)* – Allows users to retrieve configured information from eDirectory (phone numbers, etc.) • Sarbanes-Oxley Reporting (SOX)* – Allows “ZERO Rights” web-based access to security and audit reports by non-technical staff * Version 3
Help Desk User Management Module Controlled and restricted interface for Help Desk Operators and junior administrators Allows for delegation of standard tier-one Help Desk operations to non-technical personnel without jeopardizing system security Real-time user account management changes Benefit from significant time and cost savings in training non-technical staff how to use eControl. 15 minutes to train a new Help Desk staff member!
HD User Account Management Tasks eDirectory and GroupWise • Manage Account Password and Strong Password • Manage GroupWise Password and Strong Password • Enable / Disable User Accounts • Manage Group Memberships • Manage Organizational Roles • Set Password Restrictions • Release Intruder Lockout • Create User Identification Information • Manage Login Information (Login Script and Profile) • Manage Login Restrictions • Manage GroupWise Distribution Lists • Manage GroupWise Options (Visibility, Expiration Date) • Manage NetMail Account Status Active Directory and Exchange • Manage Account Password and Strong Password • Enable / Disable User Accounts • Manage Group Memberships • Manage Exchange Mail Groups • Release Intruder Lockout • Create User Identification Information • Manage Account Expiration Date
Account Create Module Tasks Provision accounts based on eControl Account Create wizard linked to eDirectory / Active Directory profiles (e.g., home directory, group memberships, email account and all other account information) Customizable user-required fields (e.g., first name, last name, middle initial, phone number, department, mobile number, etc.) Creates user name based on specified naming convention and requires name to be unique across all configured systems
User Self-Service Module Tasks Subscribe / Unsubscribe from email distribution lists and groups Select challenge-response phrases and provide answers to enable web-based, “forgot my password” management Update eDirectory fields, including extended schema values, that have been enabled by the Administrator (e.g., mobile number, pager, etc.)
Hardware / Software Requirements • Windows 2000 or 2003 with IIS 5 or 6 • Security certificate for SSL • Microsoft Message Queuing (MSMQ) • Novell NetWare Client 4.9* • Novell GroupWise 5.x or 6.x Client* • MSSQL or Schema Extension to provide “forgot my password” self-service • MSSQL for audit trail archiving • Novell NetWare*, OES*, SUSE Linux*, Windows • NDS Version 8.5 or any version of eDirectory • Any version of Active Directory * Target system specific
The Future of eControl CURRENT SUPPORT • Novell eDirectory • Novell GroupWise • Novell NetMail • Microsoft Active Directory • Microsoft Exchange • Microsoft NT Domains • Lotus Notes • Open LDAP • SQL/MySQL • Custom Applications (Ricoh) FUTURE INTEGRATION
eControl Demonstration visit www.omni-ts.com for more information about eControl
Trends that will Drive the Future of eControl eControl’s support for additional operating systems and features will be driven by our customers’ and partners’ needs. The trends we see are: • Consolidation to larger data centers • Move to open source and open standards software model • Increased use of heterogeneous systems that provide line of business specific applications that will require IDM and access control integration • Increasing acquisitions and consolidations that bring together systems that need to peacefully co-exist and/or be properly managed during the transition period • Increased need to provide real-time user provisioning, account enabling and account change management • Decentralization of user account management to those people who need to manage their own resources (personnel and application access) • Increased regulatory and internal security compliance requirements
Use EMU to: • Improve your Return on Investment in large Novell® networks • Better manage large Netware, NDS/eDirectory®, NetMail® and/or GroupWise® Networks • Create, manage, import or modify tens, hundreds and thousands of accounts • Manage more accounts with fewer resources, in less time, with less stress • Update tens, hundreds or thousands of telephone numbers (or other standard or extended schema values) with a few clicks of a mouse
EMU Features • Move user home directories to other volumes - keep Trustee Assignments, File Ownership and Disk Restriction information • Check for duplicate user names in specific containers (or the entire tree) before creating user IDs • Enhanced ability to modify users based on the contents of a text file • Bulk modify user properties based on Group Membership • Add and delete Group Membership at the same time • Bulk modify GroupWise visibility • Bulk modify GroupWise and NDS passwords • Create GroupWise users for existing NDS users • Identify/select/modify/delete accounts based on last login time, number of days since last login time, never logged in, not used in X days, etc.
EMU Demonstration Simply the easiest, quickest and most efficient way to distribute bulk user management of eDirectory and GroupWise account information.
Question and Answers visit www.omni-ts.com for more information about eControl and EMU
Appendix - Screenshots System Configuration Help Desk Operator Tasks • Active Directory Group Membership • eDirectory Group Membership • eDirectory Restricted Tasks • eDirectory All Tasks • Change eDirectory Password • Manage GroupWise Distribution List • Set eDirectory Password Restrictions • Set Active Directory Identification • Set eDirectory Identification • Account Create • System Configuration • Search Context Configuration • Account Create Configuration • Add Group to a Task • Configure Forgot Password Questions.