Hello, everyone. Welcome. I'm Megan Pennie with One Identity. And welcome to the Six Cool Things You Can Do with Active Roles Session. We're excited that you're here with us today. I have David Miles, Senior Product Manager for One Identity Active Roles with me today. Hello, Dave. Welcome. Thanks for being here.
Hi, everyone. Yep, hi, Megan.
Excellent. So Dave, Active Roles seems to be capable of so many things. It's like a multifaceted diamond. It's in the AD account lifecycle management pillar. And what exactly is involved in the account and user lifecycle? And what do we mean by that? Are we talking about provisioning an employee that's joined a new company, for example?
Yeah, absolutely, Megan. I mean, we're talking about everything that takes place around a user's journey from the moment they join a company to the moment they depart the company. So that will include provisioning their initial entitlements, making sure they've got an email account, an Active Directory account, Office 365 licenses, et cetera, all the way through changes as they get promoted, more responsibility to, at some point, down the road when they leave the organization, and we need to remove all of those permissions, remove all of the licenses, and delete their account. So the AD lifecycle is the whole journey from the moment they join to the moment they leave and everything that that entails.
Excellent, yes. It is so many different things. Fantastic. Well, we've picked out these six cool things, a few highlights, of easy focus areas for new Active Roles customers. So two questions-- why these ones here? And then also, how much does the proliferation and rapid adoption of Azure AD really affect what we've picked here today?
OK, well, that's a really good question. So I think let's deal with the proliferation of Azure AD first of all. So I think that has an enormous effect upon organizations today. Everybody is using Azure AD. If they're not using it intensively, they're moving in that general direction. And that means that you've now got your Active Directory to administer. You've got your Azure Active Directory to administer. Things that are becoming more complicated.
So we're looking for ways that we can simplify those management tasks that AD and Azure AD administrators have every day. So that kind of simplification of complex environments, the ability to be able to manage the permissions, the security, reducing the risk, as well as just simply automating as many of the day-to-day tasks that are possible to automate that are very, very common in an environment like this that most organizations face. So I think the two things are closely related. The proliferation of Azure AD is closely related to the things that we've chosen here around simplification of general day-to-day management.
Excellent, OK. Well, thank you. So let's dig in here. So simplifying the management of complex environments-- in a recent chat with a company, we learned that they had a bunch of Office 365 licenses assigned to and tied up with folks that had left the company. They had not been freed up and returned to the usable pool. Does Active Roles help with anything to do with that situation?
It actually does, yeah. I think-- if you think of the life of an administrator, there's lots of pressures coming in from all different directions. The focus is always on getting new people started and making them productive for the business. So very often, that means that things where an organization has people leaving because there's no pressing need from somebody wanting to do something for those users who are leaving the business, things like freeing up expensive resource and assets like Office 365 licenses often gets left or forgotten or, at the very best, deferred.
So Active Roles can do that for us. So when somebody leaves an organization, along with cleaning up all of the permissions that they have, the group memberships that they have, you can control and manage things like expensive licenses like Office 365, returning them to a license pool so that they can be reused. So yeah, it absolutely does help with that.
Excellent. Great, well, let's move on to our next cool thing. So managing permissions-- when it comes to admin passwords, typically it's not just one or two people at an organization who have the admin password. Commonly, it's more like 101 people at a company. So how does Active Roles help us get our arms around this situation?
Yeah, and this is where we start to get in Active Roles sort of overlaps with the privileged account management area a little bit. It's really, really important to get a good control over how many people have administrative rights. And Active Roles gives us very, very powerful and flexible tools to manage permissions.
We can delegate permissions on a very finely granular basis. So for example, maybe there's a remote satellite office, and you want to be able to delegate the management of that print queue in that satellite office to somebody that's physically located there. Well, you can do that without giving them administrative rights to everything. You can just give them permissions to manage the print queue. So this ability to be able to fragment, parcel up, and apportion permissions to users that need them, but nothing more, is a core function of Active Roles.
And it gives the ability to be able to manage those permissions on a repeatable basis. So if you've got a new user, and you want user Dave, and you like user Megan, that becomes very, very easy. All of these things are very, very difficult to do with the native tools in Active Directory. And Active Roles makes them very, very simple, very repeatable, and allows us to track and monitor exactly who has what and who has done what through the entire lifecycle of the user, from the moment they join to the moment they leave.
Excellent. We mentioned privileged security for AD. And I agree. Now, this is our next cool thing. This increase in the individual accountability with that least privileged access and zero trust giving the just-in-time access only to the right people at the right time. In our privileged account management portfolio, we have a product called Safeguard for password vaulting. And you know what, Dave, on first glance, it looks like Active Roles helps with those privileged accounts, too. And we have-- we know that Safeguard adds more capability with those privileged accounts. So how do the two products work together, and what more do they provide when we have that synergy between the two?
Yeah, and this is a really cool story between the two products. And I love it when you have two products that work together, and the value that you get is bigger than the sum of the individual parts. So with Safeguard, we're managing a privileged account, and we're being able to issue that account to somebody that needs that to perform some task, but only when they need it. So all the rest of the time, it's locked in its password vault, and it's inaccessible.
Now, Active Roles, on the other hand, if you combine the two, when that password is released to a user that needs it, Active Roles can take the steps necessary to create the permissions on that account. So prior to the account being issued, there are no standing or static privileges, no rights associated with it. So Safeguard can call Active Roles through a REST interface. And Active Roles can then instantiate the permissions, give the rights to that account, but only just in time for the user to use them.
And when that user is finished and done, Safeguard will get the account back in, remove the password, and make it safe, put it back in the vault, but also call Active Roles and ask Active Roles to remove, take away, wipe out, all of the permissions so there are no standing privileges on that account. And therefore, if somebody did get access to the account, there's nothing they can do with it. So it just minimizes-- completely minimizes the risks associated with that account. So it's an excellent synergy between the two products.
That is really cool and super necessary. So glad we have that synergy that really just brings so much power to that solution. Great. So in any organization, particularly of recent, we have a lot of change. So it's happening all the time. It's just constant. Has Active Roles helped with managing that change?
Well, Active Roles has got some fantastic tools. I mean, one of them is workflow and the ability to be able to automate things. And the way I look at workflow in Active Roles, I kind of like to use the analogy of back in the early '80s, when spreadsheets were brand new, computers were-- personal computers were pretty new. And you remember 5-and-1/4-inch floppies. It's a long time ago.
But spreadsheets, you could put them all in there. You could change some numbers at the top of the model. And then everything would ripple through and adjust automatically. And that was a really cool, powerful feature.
And workflows in Active Roles are kind of like that. So imagine that you, as a user, have a department that you work in or a job title that's associated with you. That's an attribute in Active Directory. Now imagine that that attribute changes from one value to another. So maybe my job title is salesperson to financial administrator. Active Roles can spot those changes in an attribute, and it can make all sorts of changes that ripple through based upon those attribute changes.
So those permissions can be things like access to applications. It can remove access to some applications that are no longer relevant and grant access to more applications that now are relevant. And those changes take place fully automatically, with no human intervention whatsoever. So gone is the requirement for an administrator to have to go in and take them away or assign new ones.
Also, back to the point about the Office 365 license, that sort of thing, either removal of that license or issuing that license, can be automated in exactly the same way. So Active Roles is really, really powerful around this. And many of these features come straight out of the box. But we also have scripting, so if there's something that doesn't come out of the box, you have very, very flexible control to write for the VBScript or PowerShell around these workflows and make it do pretty much anything you need. It's an extremely powerful automation feature within the product.
Excellent, excellent. So here I see a workflow. How easy is this to modify? Is this a drag-and-drop capability, Dave?
Yeah, it is. I mean, you can see it's a graphical representation. And when you're constructing workflows, you simply drag actions from a left-hand pane into the workflows structure and flow. It's very, very easy. And with a matter of probably about 30 to 40 minutes, you can be writing, creating workflows. It makes it super simple. So yeah, it's super easy and doesn't require lots of administration to get going.
That's great, Dave. Thanks. So automating AD tasks, our next cool thing-- most admins focus on getting users up and running quickly. But many administrators are busy, and they may delay or neglect the deprovisioning. So how does Active Roles help to remedy this, Dave?
Well, it uses some of the tools we've discussed already this morning, things like the workflow and the ability for Active Roles to spot changes in Active Directory and Active Directory attributes. And things-- the provisioning of users and the deprovisioning of users and the reprovisioning of users, so joiners, movers, leavers, the standard kind of operation that you get within an organization-- almost all of those tasks can be automated within Active Roles.
And that's particularly important for the point that you raised, Megan, which is that because of the workload on AD administrators, the focus is always on people who are joining or moving within the organization, and less so on the people that are leaving. And that's for obvious reasons. But leavers represent extra risk to an organization because they can maybe have malintent or maybe even just if they're left lying around as dormant accounts, they represent surface attack-- a potential surface attack for somebody with nefarious intent. So automating all of these things within Active Roles helps to ensure that the overall risk is reduced, and security is enhanced. So it's a very important part of Active Roles, the ability to automate these things.
Excellent, excellent. Next, we want to think about that automating the tasks with AD. AD imposes a structure on the data that the business uses. And many times, that structure doesn't always lend itself to the way the business needs to operate. So Dave, how can Active Roles adjust to accommodate the business need and not just that AD hierarchy?
Yeah, I mean, this is getting into another great point. Active Directory is a directory structure that is imposed on the organization. And objects are placed in containers that typically are designed, usually around geographical location. But whatever the selection, however you construct your Active Directory environment, the structure is fairly rigid. And there's often a compromise between making a logical structure and one that the business needs to be able to use.
So Active Roles provides a number of tools around how we manage groups that give you flexibility. So for example, one of those would be managed units, which allow us to create effectively containers that can span a different aspect than the imposed Active Directory structure. So a good example here might be, you might have multiple geolocations, North America, Europe, and Asia. And within each, there may be a sales department, which means that if you want to reference everybody in sales, you've got to do that three times, North America, Europe, and Asia.
Active Roles gives you the ability to create a managed unit that says, I want to create a virtual container, a managed unit called sales. And that would represent the sales in North America, sales in Europe, and sales in Asia. And you can then assign permissions or communicate with the members of that group as a single entity. And that sort of ability to slice and dice the Directory and business requirement needs is powerful.
But we also have things like dynamic groups, groups that can be populated based upon queries so that the membership can change in a dynamic way. If somebody moves within the organization, or their roles change, their physical building that they work from changes, those can all affect group membership. So the tools that Active Roles provides around group management, again, make the AD administrator's life extremely simple.
Excellent. Yes, that agility and ability to accommodate is a really cool feature with the dynamic groups and managed units. Thanks for discussing that. Well, so it's pretty clear to me that data consistency really helps to automate those rules of Active Roles. What else is there, Dave, with data consistency that's important for Active Roles?
Well, it's actually really crucial because if we're going to use some of the attributes in Active Directory to key off-- so whether that be department name or a job title or a building name-- you want to be able to say that if a building name changes from building 123 to building 456, then that triggers some change. If the names vary, then it's very hard to use that for automation. So data consistency is really important, and Active Roles provides a very flexible set of tools around policy to determine what values can be held in certain attributes within the directory.
So as well as things like forcing values to be typed in. So many AD attributes can be free typed, which means they can be left blank. Active Roles will provide the ability to be able to say, you must put something in this field. It can even provide, for example, a drop-down and say, you can pick from one of these five or six or whatever values. That means that it's a specific value, and you can key off it if the data changes. So all of these things help you with data consistency, including things like formatting, maybe phone numbers, to a consistent and uniform format. All of these things are extremely useful in the way that we ensure data integrity.
Furthermore, you may be deploying Active Roles to an existing directory. You can go back and use it to look for non-compliant fields so that you can then take steps to remediate any values that were entered before Active Roles was deployed. So there's lots of ways that Active Roles can help you build that data consistency and clean the data as you go forward. And often, this is important as part of a precursor to moving to Azure AD as well, so lots and lots of tools that help with data consistency.
Excellent. That consistency is critical, particularly as we discussed that move to Azure. Fantastic. Super cool, thank you. So it seems like Active Roles has so many different ways that it can help a business, and we haven't even touched on all of them.
Well, let's recap here of these six cool things that we've got. We can simplify the management of complex environments. As you said, we've got that single point of administration, that single pane of glass that helps with this. We can manage permissions with the ability to have fine-grained delegation and also that privileged security for AD, zero trust and least-privileged access.
And then, as you mentioned, creating those workflows, very powerful ability to have those workflows with specific scripting to customize them. And that really helps us manage that ongoing change for an organization. And then automating AD tasks with group management-- we had a great chat about the managed units and dynamic groups. That's a really powerful capability. And then lastly, the ensuring data consistency, which is a really critical and cool part with those powerful policy controls. Dave, did we get all of that right?
You did. You spot-on nailed it. And obviously, these are just the six cool things we could fit in this session. There are many, many more cool things. I wish we had time to talk about all the others.
Excellent. Well, thanks so much for being here, everyone. We appreciate your time. Enjoy the rest of the sessions.
Thank you.