Applies To:
GroupID 11
Modules:
- GroupID Group Management
- GroupID User Management
- Management Shell
Business Statement:
Managing directory groups and using them to control access to resources is a critical job for IT administrators. Groups help manage mailing lists and enumerate permissions to resources. For these very reasons, groups should never be out of order and changes to group memberships must be tracked.
In light of this, GroupID offers some best practices that enable organizations to control changes to group memberships.
GroupID Best Practices:
Turns out, GroupID is equipped with a host of features that allow IT administrators to keep a sharp eye on any changes that may occur in group membership. Controls can be applied at multiple levels, enabling administrators to view tentative membership changes before committing them.
The following best practices act as preemptive and reactive measures to guard group membership:
Configure the Out of Bounds settings for an identity store.
These settings enable you to specify the maximum number of members a group can have. You can also set up a group membership update threshold, that compares the existing member count to the new member count in order to detect unusual and large changes to group membership. In the event of a threshold violation, GroupID notifies the group owner or administrator via email, who can approve or deny the change. Click here for more.Define a workflow that is triggered when a user makes a change to the query of a Smart Group or Dynasty.
In GroupID, the Query Designer enables you to define membership update queries for Smart Groups and Dynasties. As a proactive measure, create a workflow for an identity store, that routes an approval request to an authorized approver when a user makes a change to this query in the Query Designer. The request must be approved for changes to take effect. Click here for more.For a GroupID portal, use the Visibility and Access controls to restrict user roles from viewing and updating Smart Group and Dynasty queries.
Individual fields in a Self-Service portal are subject to the following controls:- Visibility level: determines the security roles who can view a field in the portal.
- Access level: determines the security roles that can update the value of a field using the portal.
You can hide the Smart Group query and Dynasty query fields or render them as read-only in the portal for all except an authoritative user role. Click here for more.
Allow selective security roles to access GroupID Management Shell.
For a security role, you can choose to allow or deny access to a GroupID client, such as Management Shell. Make sure only selective security roles have access to it for creating and updating groups.Restrict access to the GroupID server.
To ensure that only authorized users log on to the GroupID server, create a group with permissions on the GroupID server and limit its membership to those users.
These practices make use of workflows, access controls, and alerts to offer foolproof security for your groups, which in turn secure your organization.
References:
- GroupID Online Help topic: Workflows
- GroupID Online Help topic: Query Designer dialog box
- GroupID Online Help topic: Group Membership Settings
- GroupID Online Help topic: Customize Object Properties