eControl for Mixed Networks Web-based, “ZERO Rights” Delegated User Account Management, Account Creation and User Self-service Aldo Zanoni B.Ed., B.A. CEO, Managing Director Omni Technology Solutions Tel:
eControl for Mixed Networks
Web-based, “ZERO Rights” Delegated User
Account Management, Account Creation and
User Self-service
Aldo Zanoni B.Ed., B.A.
CEO, Managing Director
Omni Technology Solutions
Tel: +1 780-423-4200
[email protected]
GWAVACon presentation
October 18, 2008
Session Overview
1. What is eControl? What Pain Does it Relieve?
2. Where does eControl fit?
3. Why Companies Need / Buy eControl
4. Three eControl Modules
5. Future of eControl
6. EMU – Bulk User Management Utility
7. Questions and Answers – Prize Draws
© Novell Inc. All rights reserved
What is eControl?
eControl is a web-based, “ZERO-Rights” delegated,
enterprise user account management, provisioning tool
and user self-service for users of Novell eDirectory,
GroupWise and NetMail; Microsoft Active Directory and
Exchange systems and Lotus Notes* and OpenLDAP*.
eControl delivers an immediate return on investment.
It enables an enterprise to efficiently and inexpensively
implement secure user account management and
provisioning services across multiple and mixed
network operating systems and e-mail systems.
*Version 3
eControl for Mixed Networks
eControl relieves the pain caused by needing to use
multiple applications to manage mixed and multiple
Novell eDirectory, Microsoft Active Directory, Novell
NetMail, Novell GroupWise and Microsoft Exchange
systems.
eControl replaces iManager, ConsoleOne, NWadmin,
Microsoft Management Console, Taskpads for help desk
operators, junior administrators and delegated staff.
Where Does eControl Fit?
As a precursor to IDM deployments
To fill gaps caused by exceptions to standard IDM managed
processes.
As a perfect fit for companies that are too small or don’t have the
need or resources to implement a full IDM solution.
Where there is an overlap between eControl and IDM, eControl
can be used as a complementary “exception gap filler” to resolve
the 10% problems that cause 90% of the challenges in IDM
deployments.
eControl’s three-hour, non-intrusive deployment, brings immediate
pain relief for:
1. Secure, delegated user account management
2. Wizard-based user account creation
3. User self-service options
Sample eControl Clients
US Government Department (2003) – 1,000 eDirectory and GroupWise
accounts. Will expand to include 3,500 AD and Exchange accounts. IDM in
planning. Our second customer.
Major Global Retailer (2006) – 70,000 accounts in IDM vault, 3,500
GroupWise and eDirectory accounts in production tree. Best-known customer.
Global Marketing Group (2004) – Started with 7,500 eDirectory and
GroupWise accounts. Migrated from GroupWise to Lotus Notes last year. Now
uses eControl to manage 30,000 accounts.
US State Government (2006) – 7,000 eDirectory and GroupWise accounts.
First step in their strategy to consolidate 20 different GroupWise systems into a
data centre.
Manufacturing Corporation (2002) – 5,000 eDirectory and GroupWise
accounts. Expanded to a third production shift without adding any help desk
staff.
Small Mortgage Company (2005) – 150 eDirectory and Exchange accounts.
Smallest customer.
Recent eControl Clients
National Grocery Retailer Chain in Chile – Initial
deployment of 2,500 Active Directory and Exchange 2007
(Total of 15,000 accounts).
County Government in California – 5,400 eDirectory and
GroupWise accounts, 200 Active Directory and Exchange
accounts. 5 separate eDirectory Trees share a single
GroupWise system.
County Government in Michigan – 1,800 eDirectory, Active
Directory and GroupWise accounts. Adding IDM in
September.
US State Department of Correction - 2,500 accounts
eDirectory and GroupWise
US Federal Government Department – 3,500 accounts for
eDirectory, GroupWise and Active Directory
Published eControl Success Stories
City of Greater Sudbury – 1,150 eDirectory and GroupWise
accounts. Looking at IDM in the future. Success story on our
web site.
Contact: [email protected]
Wilfrid Laurier University – 17,000 eDirectory, NetMail and
GroupWise accounts. Success story on our web site.
Contact: Andrzej Gadomski, [email protected]
http://www.omni-ts.com/success.html
What IDM Customers Tell Us
A fully integrated Identity Management solution is the Holy
Grail of most companies. However, we know there are many
companies, big and small that struggle with the “big” step
processes involved in achieving a fully automated identity
management and account provisioning solution.
For certain companies, achieving the IDM holy grail is more
difficult and time consuming than expected.
In many cases, IDM implementations are similar to SAP in
that the implementation involves an all encompassing,
process-driven, multi-department, all impacting solution.
This difficulty is not caused by the technology. It is caused by
the systemic complexity created by the multitude of access
roles and rules that need to be defined to automatically
manage access rights across multiple systems as processes
change.
Why Companies Buy eControl
eControl delivers an immediate solution to provide web-based, “ZERO-Rights” user account access
administration and provisioning. It allows the IT
manager and the security administrator to determine
who can carry out what user account management
tasks against which accounts.
eControl allows the CIO and IT department to focus on
contributing to the company’s high-value business
processes rather than having to be concerned with the
administration of user access rights across multiple
systems and related security issues.
Why Companies Buy eControl
eControl appeals to different levels of decision
makers because of intersecting and complementary
objectives:
– CIOs look to improve the efficiency of IT staff allocation and
allow highly-trained, scarce resources to focus on delivering
business value through IT integration initiatives.
– CFOs look to implement cost containment strategies.
– CSOs look to satisfy legislative or internal user account
management and data access security requirements.
– Business unit managers and service desk managers look to
increase user productivity and time-effective user
management change.
Why Help Desk Departments Buy eControl
Cross-platform, multi-system, controlled and restricted
interface to delegate standard account management tasks
to Help Desk Operators and non-technical staff.
Help Desk Module allows managers or HR to be responsible
for account enabling/disabling without any associated
security risks
Delivers real-time user account management changes with
full audit trail.
Significant time and cost savings in training non-technical
staff how to use eControl. It takes 15 minutes to train a new
Help Desk staff member!
Why Security Administrators buy eControl
They are responsible for ensuring that internal and external
information and security compliance requirements are
satisfied
eControl allows the removal of all trustee assignments,
system rights, permissions and related user account
access rights from the native operating systems
By completely removing trustee assignments and
permissions from user accounts, eControl allows Security
Administrators to have 100% control over the security
failure points on the system
eControl provides a complete audit log of all
transactions - for everything from password changes to
adding or removing a user from a group
Why CFOs Buy eControl
– eControl delivers cost avoidance. eControl allows a
company to not have to increase the number of IT staff
to carry out user management tasks.
– eControl delivers significant cost reduction by
making it simple for non-technical (less expensive)
clerical staff to be assigned user account provisioning
and administration tasks
– User self-service significantly decreases costs
related to the number of password change and
demographic change requests that would otherwise
need to flow through a help desk environment
Why Companies Buy eControl
Account Create wizards allow non-technical HR
people to create accounts
Account Create ensures unique account and email
IDs across multiple systems
User Self-service turns GroupWise into an internal
list server by allowing users to subscribe to and
unsubscribe from GroupWise distribution lists
Password self-service supports GroupWise
Provides access to all eDirectory attributes including
extended Schema values
XML format allows for complete customisation of
fields and values exposed to users
Why Companies Buy eControl
eControl enhances compliance with HIPAA, Sarbanes-Oxley
and other security and privacy legislation through increased
security and controls in the following areas:
– Authentication and Authorization: All system rights are removed from all accounts
and replaced with explicit task assignments based on group membership.
– Configuration and Change Management: Only those users who have been
authorized to carry out user configuration and changes are able to do so. All changes
made by administrators in the eControl administration and configuration application are
tracked and can be made available for audit. A record of all administration changes that
are made is maintained so the state of eControl at any previous time can be
determined.
– Segregation of Duties: eControl can be configured to ensure that no single person has
rights to carry out access management and be responsible for auditing, initiating or
approving incompatible activities in those systems.
– Documentation and Reporting: eControl's audit log and tracking strategies provide
support for appropriate reporting on each participant's role and activities in the user
management and account provisioning process. eControl keeps track of who did what,
when. (See Sample Log.) Future enhancements to eControl will allow for non-technical
resources and auditors to run web-based, ZERO-Rights audit reports to support
Sarbanes-Oxley and other reporting requirements.
Sample Account Change Audit Log
(one semicolon-separated record per line; the fields are Date; Numeric Action Id; Action Description; Status; Source; Login Account; Parameter(s);;; Module)
2/2/2006 9:50:19 AM;10;Authentication Attempt;True;10.10.2.21;LDAP://10.10.2.16:389/cn=HDOBerlin5,ou=HDO,ou=Berlin,o=ACME;;;HelpDesk
2/2/2006 9:52:42 AM;10;Authentication Attempt;True;10.10.2.21;LDAP://10.10.2.16:389/cn=HDOBerlin1,ou=HDO,ou=Berlin,o=ACME;;;HelpDesk
2/2/2006 9:52:50 AM;1011;Group Membership Viewed;True;10.10.2.21;LDAP://10.10.2.16:389/cn=HDOBerlin1,ou=HDO,ou=Berlin,o=ACME;LDAP://10.10.2.16:389/cn=AaJacob,ou=Berlin,o=ACME;;HelpDesk
2/2/2006 9:53:00 AM;1051;Directory Password Changed;True;10.10.2.21;LDAP://10.10.2.16:389/cn=HDOBerlin1,ou=HDO,ou=Berlin,o=ACME;LDAP://10.10.2.16:389/cn=AaJacob,ou=Berlin,o=ACME;;HelpDesk
2/2/2006 9:53:01 AM;1052;Email Password Changed;True;10.10.2.21;LDAP://10.10.2.16:389/cn=HDOBerlin1,ou=HDO,ou=Berlin,o=ACME;LDAP://10.10.2.16:389/cn=AaJacob,ou=Berlin,o=ACME;;HelpDesk
2/2/2006 9:53:24 AM;10;Authentication Attempt;True;10.10.2.21;LDAP://10.10.2.16:389/cn=HDOBerlin2,ou=HDO,ou=Berlin,o=ACME;;;HelpDesk
2/2/2006 9:53:35 AM;10;Authentication Attempt;True;10.10.2.21;LDAP://10.10.2.16:389/cn=HDOBerlin3,ou=HDO,ou=Berlin,o=ACME;;;HelpDesk
2/2/2006 9:56:24 AM;10;Authentication Attempt;True;10.10.2.21;LDAP://10.10.2.16:389/cn=HDOBerlin3,ou=HDO,ou=Berlin,o=ACME;;;HelpDesk
2/2/2006 10:19:54 AM;10;Authentication Attempt;True;10.10.2.21;LDAP://10.10.2.16:389/cn=Stephane,o=DEV;;;HelpDesk
2/2/2006 10:20:01 AM;1021;GW Distribution List Membership Viewed;True;10.10.2.21;LDAP://10.10.2.16:389/cn=Stephane,o=DEV;LDAP://10.10.2.16:389/cn=HDOBerlin3,ou=HDO,ou=Berlin,o=ACME;;HelpDesk
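The audit log shown on this slide is the artifact an auditor or security administrator would actually work with, so as an added example (not part of the presentation and not Omni's product code) the following Python parses those sample records, summarises what each help desk operator did, lists who changed whose password, and flags any password change by an operator with no earlier successful Authentication Attempt from the same source address. It assumes the field order given in the slide's header row (the two parameter columns and the trailing module column) and that the first parameter names the target account; the extra record marked as constructed is not from the slide and exists only to exercise the anomaly check.

```python
"""Parse the eControl-style semicolon-separated audit log from the slide and report on it."""
from collections import Counter
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional, Tuple

# The ten records from the "Sample Account Change Audit Log" slide, one per line.
SAMPLE_LOG = """\
2/2/2006 9:50:19 AM;10;Authentication Attempt;True;10.10.2.21;LDAP://10.10.2.16:389/cn=HDOBerlin5,ou=HDO,ou=Berlin,o=ACME;;;HelpDesk
2/2/2006 9:52:42 AM;10;Authentication Attempt;True;10.10.2.21;LDAP://10.10.2.16:389/cn=HDOBerlin1,ou=HDO,ou=Berlin,o=ACME;;;HelpDesk
2/2/2006 9:52:50 AM;1011;Group Membership Viewed;True;10.10.2.21;LDAP://10.10.2.16:389/cn=HDOBerlin1,ou=HDO,ou=Berlin,o=ACME;LDAP://10.10.2.16:389/cn=AaJacob,ou=Berlin,o=ACME;;HelpDesk
2/2/2006 9:53:00 AM;1051;Directory Password Changed;True;10.10.2.21;LDAP://10.10.2.16:389/cn=HDOBerlin1,ou=HDO,ou=Berlin,o=ACME;LDAP://10.10.2.16:389/cn=AaJacob,ou=Berlin,o=ACME;;HelpDesk
2/2/2006 9:53:01 AM;1052;Email Password Changed;True;10.10.2.21;LDAP://10.10.2.16:389/cn=HDOBerlin1,ou=HDO,ou=Berlin,o=ACME;LDAP://10.10.2.16:389/cn=AaJacob,ou=Berlin,o=ACME;;HelpDesk
2/2/2006 9:53:24 AM;10;Authentication Attempt;True;10.10.2.21;LDAP://10.10.2.16:389/cn=HDOBerlin2,ou=HDO,ou=Berlin,o=ACME;;;HelpDesk
2/2/2006 9:53:35 AM;10;Authentication Attempt;True;10.10.2.21;LDAP://10.10.2.16:389/cn=HDOBerlin3,ou=HDO,ou=Berlin,o=ACME;;;HelpDesk
2/2/2006 9:56:24 AM;10;Authentication Attempt;True;10.10.2.21;LDAP://10.10.2.16:389/cn=HDOBerlin3,ou=HDO,ou=Berlin,o=ACME;;;HelpDesk
2/2/2006 10:19:54 AM;10;Authentication Attempt;True;10.10.2.21;LDAP://10.10.2.16:389/cn=Stephane,o=DEV;;;HelpDesk
2/2/2006 10:20:01 AM;1021;GW Distribution List Membership Viewed;True;10.10.2.21;LDAP://10.10.2.16:389/cn=Stephane,o=DEV;LDAP://10.10.2.16:389/cn=HDOBerlin3,ou=HDO,ou=Berlin,o=ACME;;HelpDesk
"""

# Constructed record (NOT from the slide): a password change by an operator that never
# authenticated from that source earlier in the log, used to exercise the anomaly check.
CONSTRUCTED_ANOMALY = (
    "2/2/2006 10:25:00 AM;1051;Directory Password Changed;True;10.10.2.99;"
    "LDAP://10.10.2.16:389/cn=HDOBerlin9,ou=HDO,ou=Berlin,o=ACME;"
    "LDAP://10.10.2.16:389/cn=AaJacob,ou=Berlin,o=ACME;;HelpDesk"
)

AUTH_ATTEMPT = 10  # action id used by the slide for "Authentication Attempt"
# Action ids from the slide that change a credential and so deserve extra scrutiny.
SENSITIVE_ACTIONS = {1051: "Directory Password Changed", 1052: "Email Password Changed"}


class AuditRecord(NamedTuple):
    when: datetime
    action_id: int
    description: str
    success: bool
    source: str            # client address the help desk operator came from
    operator: str          # CN of the login account performing the action
    target: Optional[str]  # CN of the account acted on (first parameter), if any
    module: str


def cn_from_ldap_url(url: str) -> str:
    """LDAP://host:port/cn=X,ou=...,o=... -> X (value of the leading RDN of the DN)."""
    dn = url.split("/", 3)[3]           # drop "LDAP:", "", "host:port"
    leading_rdn = dn.split(",", 1)[0]   # "cn=X"
    return leading_rdn.split("=", 1)[1]


def parse_line(line: str) -> AuditRecord:
    """Split one record on ';' using the column order of the slide's header row."""
    fields = line.split(";")
    params = [p for p in fields[6:-1] if p]  # parameter columns sit between login and module
    return AuditRecord(
        when=datetime.strptime(fields[0], "%m/%d/%Y %I:%M:%S %p"),
        action_id=int(fields[1]),
        description=fields[2],
        success=fields[3] == "True",
        source=fields[4],
        operator=cn_from_ldap_url(fields[5]),
        target=cn_from_ldap_url(params[0]) if params else None,
        module=fields[-1],
    )


def parse_log(text: str) -> List[AuditRecord]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def actions_per_operator(records: List[AuditRecord]) -> Dict[str, int]:
    """How many logged actions each operator account performed."""
    return dict(Counter(r.operator for r in records))


def password_changes(records: List[AuditRecord]) -> List[Tuple[str, Optional[str], str]]:
    """(operator, target, description) for every credential-changing action."""
    return [(r.operator, r.target, r.description) for r in records if r.action_id in SENSITIVE_ACTIONS]


def unauthenticated_sensitive_actions(records: List[AuditRecord]) -> List[AuditRecord]:
    """Sensitive actions whose operator has no earlier successful authentication from the same source.

    In the slide's sample every password change follows an Authentication Attempt by the
    same operator from the same address; a record breaking that pattern is worth review.
    """
    authenticated = set()
    flagged = []
    for r in sorted(records, key=lambda rec: rec.when):
        if r.action_id == AUTH_ATTEMPT and r.success:
            authenticated.add((r.operator, r.source))
        elif r.action_id in SENSITIVE_ACTIONS and (r.operator, r.source) not in authenticated:
            flagged.append(r)
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("actions per operator:", actions_per_operator(recs))
    print("password changes:", password_changes(recs))
    print("flagged in slide sample:", unauthenticated_sensitive_actions(recs))
    print("flagged with constructed record:",
          unauthenticated_sensitive_actions(recs + [parse_line(CONSTRUCTED_ANOMALY)]))
```

Keying the authentication check on (operator, source) rather than on the operator alone is deliberate: the slide's Source column is what lets an auditor tie a change back to the workstation it came from, and the check stays useful when the same help desk login is used from more than one address.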
eControl for Mixed Networks
Web-based Modules:
OpenLDAP: LDAP
eDirectory and NetMail: LDAP and native APIs
Lotus Notes: Notes APIs
Active Directory and Exchange: LDAP and native APIs
GroupWise: Win32 APIs
“ZERO-Rights” Modules
• Help Desk User Management (HD) – Provides Help Desk
Operators with the ability to carry out the “TOP TEN” user
administration tasks – in a web browser. NO rights required!
• Account Create / Manager (AC) – Allows HDOs to create
users based on eControl profiles and Account Create
templates
• User Self-Service / Self-Administration (USS) – Allows you
to set which user fields can be updated or modified by a user
in the web interface
• Contact Lookup (CL)* – Allows users to retrieve configured
information from eDirectory (phone numbers, etc.)
• Sarbanes-Oxley Reporting (SOX)* – Allows “ZERO Rights”
web-based access to security and audit reports by non-technical staff
*Version 3
HD User Account Management Tasks
eDirectory and GroupWise
1. Manage Account Password and Strong Password
2. Manage GroupWise Password & Strong Password
3. Enable / Disable User Accounts
4. Manage Group Memberships
5. Manage Organizational Roles
6. Set Password Restrictions
7. Release Intruder Lockout
8. Create User Identification Information
9. Manage Login Information (Login Script and Profile)
10. Manage Login Restrictions
11. Manage GroupWise Distribution Lists
12. Manage GroupWise Options (Visibility, Expiration Date)
13. Manage NetMail Account Status
HD User Account Management Tasks
Active Directory and Exchange
1. Manage Account Password and Strong Password
2. Enable / Disable User Accounts
3. Manage Group Memberships
4. Manage Exchange Mail Groups
5. Release Intruder Lockout
6. Create User Identification Information
7. Manage Account Expiration Date
Account Create Module Tasks
Provision accounts based on the eControl Account Create
wizard linked to eDirectory / Active Directory profiles (e.g.,
home directory, group memberships, email account and all
other account information)
Customizable user-required fields (e.g., first name, last
name, middle initial, phone number, department, mobile
number, etc.)
Creates user name based on specified naming
convention and requires name to be unique across all
configured systems
User Self-Service Module Tasks
Subscribe / Unsubscribe from email distribution lists
and groups
Select challenge-response phrases and provide
answers to enable web-based, “forgot my password”
management
Update eDirectory fields, including extended schema
values, that have been enabled by the Administrator
(e.g., mobile number, pager, etc.)
Hardware / Software Requirements
• Windows 2000 with IIS 5 or 6
• Windows 2003 if GroupWise support not required
• Security certificate for SSL
• Microsoft Message Queuing (MSMQ)
• Novell Client 4.9*
• Novell GroupWise 5.x, 6.x or 7 Client*
• MSSQL, MSDE or Schema Extension to provide
“forgot my password” self-service
• MSSQL or MSDE for audit trail archiving
• Novell NetWare*, OES*, SUSE Linux*, Windows
• NDS Version 8.5 or any version of eDirectory
• Any version of Active Directory
* Target system specific
Is eControl Right for You?
• Is your Help Desk or IT department often the bottleneck in your user
account management and provisioning process?
• Do your Help Desk operators have more rights than they should
on your network because they need to carry out certain account
management tasks?
• Does your account management and provisioning process comply
with internal or SOX regulatory security, privacy and audit report
requirements?
• Are you running GroupWise on Windows or Exchange with
eDirectory and/or multiple eDirectory and Active Directory
environments?
• Does your Help Desk need to run multiple user account
management tools?
Is eControl Right for You?
• Have department mergers or corporate acquisitions made your
user account creation and management tasks cumbersome and
complex?
• Are costs increasing and productivity decreasing due to the training
required for Service Desk Operators to use a combination of
ConsoleOne, NWAdmin, iManager, Microsoft Management
Console or custom Task Pads?
• Terrified about the consequences of a Help Desk Operator or junior
administrator hitting the delete key on the wrong object or accessing
information they shouldn’t?
• Need to deploy user password self-service or user self-service for
GroupWise in a multiple or mixed eDirectory, GroupWise, Active
Directory or Exchange environment?
• Are you being asked to manage and integrate more
complex systems with fewer resources?
Questions and Answers
Aldo Zanoni
B.Ed., B.A.
CEO, Managing Director
Omni Technology Solutions
Tel: +1 780-423-4200
[email protected]
Appendix - Screenshots
Help Desk Operator Tasks
System Configuration
Active Directory Group Membership
System Configuration
eDirectory Group Membership
Search Context Configuration
eDirectory Restricted Tasks
Account Create Configuration
eDirectory All Tasks
Add Group to a Task
Change eDirectory Password
Configure Forgot Pwd Questions
Manage GroupWise Distribution List
Set eDirectory Password Restrictions
Set Active Directory Identification
Set eDirectory Identification
Account Create
Screenshots:
Active Directory Group Membership
eDirectory Group Membership
eDirectory Restricted Tasks
eDirectory All Tasks
Change eDirectory Password
Manage GroupWise Distribution Lists
eDirectory Password Restrictions
Active Directory Identification
eDirectory Identification
eDirectory User Self-Administration
Account Create
Administration – System Configuration
Search Context Configuration
Account Create Configuration
Add Group to Task
Forgot Password
Unpublished Work of Novell, Inc. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell,
Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks
within the scope of their assignments. No part of this work may be practiced, performed, copied,
distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without
the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could
subject the perpetrator to criminal and civil liability.
General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market
a product. Novell, Inc., makes no representations or warranties with respect to the contents of this
document, and specifically disclaims any express or implied warranties of merchantability or fitness for any
particular purpose. Further, Novell, Inc., reserves the right to revise this document and to make changes
to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All
Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the
United States and other countries. All third-party trademarks are the property of their respective owners.