eControl for Mixed Networks Web-based, “ZERO Rights” Delegated User Account Management, Account Creation and User Self-service Aldo Zanoni B.Ed., B.A. CEO, Managing Director Omni Technology Solutions Tel:
Download ReportTranscript eControl for Mixed Networks Web-based, “ZERO Rights” Delegated User Account Management, Account Creation and User Self-service Aldo Zanoni B.Ed., B.A. CEO, Managing Director Omni Technology Solutions Tel:
eControl for Mixed Networks Web-based, “ZERO Rights” Delegated User Account Management, Account Creation and User Self-service Aldo Zanoni B.Ed., B.A. CEO, Managing Director Omni Technology Solutions Tel: +1 780-423-4200 [email protected] GWAVACon presentation October 18, 2008 Session Overview 2 1 What is eControl? What Pain Does it Relieve? 2 Where does eControl fit? 3 Why Companies Need / Buy eControl 4 Three eControl Modules 5 Future of eControl 6 EMU – Bulk User Management Utility 7 Questions and Answers – Prize Draws © Novell Inc. All rights reserved What is eControl? eControl is a web-based, “ZERO-Rights” delegated, enterprise user account management, provisioning tool and user self-service for users of Novell eDirectory, GroupWise and NetMail; Microsoft Active Directory and Exchange systems and Lotus Notes* and OpenLDAP*. eControl delivers an immediate return on investment. It enables an enterprise to efficiently and inexpensively implement secure user account management and provisioning services across multiple and mixed network operating systems and e-mail systems. *Version 3 3 © Novell Inc. All rights reserved eControl for Mixed Networks 4 © Novell Inc. All rights reserved eControl for Mixed Networks eControl relieves the pain caused by needing to use multiple applications to manage mixed and multiple Novell eDirectory, Microsoft Active Directory, Novell NetMail, Novell GroupWise and Microsoft Exchange systems. eControl replaces iManager, ConsoleOne, NWadmin, Microsoft Management Console, Taskpads for help desk operators, junior administrators and delegated staff. 5 © Novell Inc. All rights reserved Where Does eControl Fit? As a pre-curser to IDM deployments To fill gaps caused by exceptions to standard IDM managed processes. As a perfect fit for companies that are too small or don’t have the need or resources to implement a full IDM solution. Where there is an overlap between eControl and IDM, eControl can be used as a complementary “exception gap filler” to resolve the 10% problems that cause 90% of the challenges in IDM deployments. eControl’s three-hour, non-intrusive deployment, brings immediate pain relief for: 1. Secure, delegated user account management 2. Wizard-based user account creation 3. User self-service options 6 © Novell Inc. All rights reserved Sample eControl Clients US Government Department (2003) – 1,000 eDirectory and GroupWise accounts. Will expand to include 3,500 AD and Exchange accounts. IDM in planning. Our second customer. Major Global Retailer (2006) – 70,000 accounts in IDM vault, 3,500 GroupWise and eDirectory accounts in production tree. Best-known customer. Global Marketing Group (2004) – Started with 7,500 eDirectory and GroupWise accounts. Migrated from GroupWise to Lotus Notes last year. Now uses eControl to manage 30,000 accounts. US State Government (2006) – 7,000 eDirectory and GroupWise accounts. First step in their strategy to consolidate 20 different GroupWise systems into a data centre. Manufacturing Corporation (2002) – 5,000 eDirectory and GroupWise accounts. Expanded to a third production shift without adding any help desk staff. Small Mortgage Company (2005) – 150 eDirectory and Exchange accounts. Smallest customer. 7 © Novell Inc. All rights reserved Recent eControl Clients National Grocery Retailer Chain in Chile – Initial deployment of 2,500 Active Directory and Exchange 2007 (Total of 15,000 accounts). County Government in California – 5,400 eDirectory and GroupWise accounts, 200 Active Directory and Exchange accounts. 5 separate eDirectory Trees share a single GroupWise system. County Government in Michigan – 1,800 eDirectory, Active Directory and GroupWise accounts. Adding IDM in September. US State Department of Correction - 2,500 accounts eDirectory and GroupWise US Federal Government Department – 3,500 accounts for eDirectory, GroupWise and Active Directory 8 © Novell Inc. All rights reserved Published eControl Success Stories City of Greater Sudbury – 1,150 eDirectory and GroupWise accounts. Looking at IDM in the future. Success story on our web site. Contact: [email protected] Wilfrid Laurier University – 17,000 eDirectory, NetMail and GroupWise accounts. Success story on our web site. Contact: Andrzej Gadomski, [email protected] http://www.omni-ts.com/success.html 9 © Novell Inc. All rights reserved What IDM Customers Tell Us A fully integrated Identity Management solution is the Holy Grail of most companies. However, we know there are many companies, big and small that struggle with the “big” step processes involved in achieving a fully automated identity management and account provisioning solution. For certain companies, achieving the IDM holy grail is more difficult and time consuming than expected. In many cases, IDM implementations are similar to SAP in that the implementation involves an all encompassing, process-driven, multi-department, all impacting solution. This difficulty is not caused by the technology. It is caused by the systemic complexity created by the multitude of access roles and rules that need to be defined to automatically manage access rights across mutliple systems as processes change. 10 © Novell Inc. All rights reserved Why Companies Buy eControl eControl delivers an immediate solution to provide webbased, “ZERO-Rights” user account access administration and provisioning. It allows the IT manager and the security administrator to determine who can carry out what user account management tasks against which accounts. eControl allows the CIO and IT department to focus on contributing to the company’s high-value business processes rather than having to be concerned with the administration of user access rights across multiple systems and related security issues. 11 © Novell Inc. All rights reserved Why Companies Buy eControl eControl appeals to different and levels of decision makers because of intersecting and complementary objectives: 12 – CIOs look to improve the efficiency of IT staff allocation and allow highly-trained, scarce resources to focus on delivering business value through IT integration initiatives. – CFOs look to implement cost containment strategies. – CSOs look to to satisfy legislative or internal user account management and data access security requirements. – Business unit managers and service desk managers look to increase user productivity and time effective user management change. © Novell Inc. All rights reserved Why Help Desk Departments Buy eControl Cross-platform, multi-system, controlled and restricted interface to delegate standard account management tasks to Help Desk Operators and non-technical staff. Help Desk Module allows managers or HR to be responsible or account enabling/disabling without any associated security risks Delivers real-time user account management changes with full audit trail. Significant time and cost savings in training non-technical staff how to use eControl. It takes 15 minutes to train a new Help Desk staff member! 13 © Novell Inc. All rights reserved Why Security Administrators buy eControl They are responsible to ensure internal and external information and security compliance requirements are satisfied eControl allows the removal of all trustee assignments, system rights, permissions and related user account access rights from the native operating systems By completely removing trustee assignments and permissions from user account eControl allows Security Administrators to have 100% control over the security failure points on the system eControl provides a complete audit log of all transactions - for everything from password changes to adding or removing a user from a group 14 © Novell Inc. All rights reserved Why CFOs Buy eControl 15 – eControl delivers cost avoidance. eControl allows a company to not have to increase the number of IT staff to carry out user management tasks. – eControl delivers significant cost reduction by making it simple for non-technical (less expensive) clerical staff to be assigned user account provisioning and administration tasks – User self-service significantly decreases costs related to the number of password change and demographic change requests that would otherwise need to flow through a help desk environment © Novell Inc. All rights reserved Why Companies Buy eControl Account Create wizards allow non-technical HR people to create accounts Account Create ensure unique account and email ID across multiple systems User Self-service turns GroupWise into an internal list server by allowing users to subscribe to and unsubscribe from GroupWise distribution lists Password self-service supports GroupWise Provides access to all eDirectory attributes including extended Schema values XML format allows for complete customisation of fields and values exposed to users 16 © Novell Inc. All rights reserved Why Companies Buy eControl eControl enhances compliance with HIPAA, Sarbanes-Oxley and other security and privacy legislation through increased security and controls in the following areas: 17 – Authentication and Authorization: All system rights are removed from all accounts and replaced with explicit task assignments based on group membership. – Configuration and Change Management: Only those users who have been authorized to carry out user configuration and changes are able to do so. All changes made by administrators in the eControl administration and configuration application are tracked and can be made available for audit. A record of all administration changes that are made is maintained so the state of eControl at any previous time can be determined. – Segregation of Duties: eControl can be configured to ensure that no single person has rights to carry out access management and be responsible for auditing, initiating or approving incompatible activities in those systems. – Documentation and Reporting: eControl's audit log and tracking strategies provide support for appropriate reporting on each participant's role and acitivites in the user management and account provisioning process. eControl keeps track of who did what, when. (See Sample Log.) Future enhancements to eControl will allow for non-technical resources and auditors to run web-based, ZERO-Rights audit reports to support Sarbanes-Oxley and other reporting requirements. © Novell Inc. All rights reserved Sample Account Change Audit Log Date; Numeric Action Id; Action Description; Status; Source; Login Account; Parameter(s);;; Module 2/2/2006 9:50:19 AM;10;Authentication Attempt;True;10.10.2.21; LDAP://10.10.2.16:389/cn=HDOBerlin5,ou=HDO,ou=Berlin,o=ACME;;;HelpDesk 2/2/2006 9:52:42 AM;10;Authentication Attempt;True;10.10.2.21; LDAP://10.10.2.16:389/cn=HDOBerlin1,ou=HDO,ou=Berlin,o=ACME;;;HelpDesk 2/2/2006 9:52:50 AM;1011;Group Membership Viewed;True;10.10.2.21; LDAP://10.10.2.16:389/cn=HDOBerlin1,ou=HDO,ou=Berlin,o=ACME; LDAP://10.10.2.16:389/cn=AaJacob,ou=Berlin,o=ACME;;HelpDesk 2/2/2006 9:53:00 AM;1051;Directory Password Changed;True;10.10.2.21; LDAP://10.10.2.16:389/cn=HDOBerlin1,ou=HDO,ou=Berlin,o=ACME; LDAP://10.10.2.16:389/cn=AaJacob,ou=Berlin,o=ACME;;HelpDesk 2/2/2006 9:53:01 AM;1052;Email Password Changed;True;10.10.2.21; LDAP://10.10.2.16:389/cn=HDOBerlin1,ou=HDO,ou=Berlin,o=ACME; LDAP://10.10.2.16:389/cn=AaJacob,ou=Berlin,o=ACME;;HelpDesk 2/2/2006 9:53:24 AM;10;Authentication Attempt;True;10.10.2.21; LDAP://10.10.2.16:389/cn=HDOBerlin2,ou=HDO,ou=Berlin,o=ACME;;;HelpDesk 2/2/2006 9:53:35 AM;10;Authentication Attempt;True;10.10.2.21; LDAP://10.10.2.16:389/cn=HDOBerlin3,ou=HDO,ou=Berlin,o=ACME;;;HelpDesk 2/2/2006 9:56:24 AM;10;Authentication Attempt;True;10.10.2.21; LDAP://10.10.2.16:389/cn=HDOBerlin3,ou=HDO,ou=Berlin,o=ACME;;;HelpDesk 2/2/2006 10:19:54 AM;10;Authentication Attempt;True;10.10.2.21; LDAP://10.10.2.16:389/cn=Stephane,o=DEV;;;HelpDesk 2/2/2006 10:20:01 AM;1021;GW Distribution List Membership Viewed;True;10.10.2.21; LDAP://10.10.2.16:389/cn=Stephane,o=DEV; LDAP://10.10.2.16:389/cn=HDOBerlin3,ou=HDO,ou=Berlin,o=ACME;;HelpDesk 18 © Novell Inc. All rights reserved eControl for Mixed Networks Web-based Modules: OpenLDAP LDAP Edirectory and NetMai: LDAP and native APIs Lotus Notes: Notes APIs Active Directory and Exchange: LDAP and native APIs 19 © Novell Inc. All rights reserved GroupWise: Win32 APIs “ZERO-Rights” Modules • • • • • Help Desk User Management (HD) – Provides Help Desk Operators with the ability to carry out the “TOP TEN” user administration tasks – in a web browser. NO rights required! Account Create / Manager (AC) – Allows HDOs to create users based on eControl profiles and Account Create templates User Self-Service / Self-Administration (USS) – Allows you to set which user fields can be updated or modified by a user in the web interface Contact Lookup (CL)* – Allows users to retrieve configured information from eDirectory (phone numbers, etc.) Sarbanes-Oxley Reporting (SOX)* – Allows “ZERO Rights” web-based access to security and audit reports by nontechnical staff *Version 3 20 © Novell Inc. All rights reserved HD User Account Management Tasks eDirectory and GroupWise 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 21 Manage Account Password and Strong Password Manage GroupWise Password & Strong Password Enable / Disable User Accounts Manage Group Memberships Manage Organizational Roles Set Password Restrictions Release Intruder Lockout Create User Identification Information Manage Login Information (Login Script and Profile) Manage Login Restrictions Manage GroupWise Distribution Lists Manage GroupWise Options (Visibility, Expiration Date) Manage NetMail Account Status © Novell Inc. All rights reserved HD User Account Management Tasks Active Directory and Exchange 1. 2. 3. 4. 5. 6. 7. 22 Manage Account Password and Strong Password Enable / Disable User Accounts Manage Group Memberships Manage Exchange Mail Groups Release Intruder Lockout Create User Identification Information Manage Account Expiration Date © Novell Inc. All rights reserved Account Create Module Tasks Provision accounts based on eControl Account Create wizard linked to eDirectory / Active Directory profiles (e.g., home directory, group memberships, email account and all other account information Customizable user-required fields (e.g., first name, last name, middle initial, phone number, department, mobile number, etc.) Creates user name based on specified naming convention and requires name to be unique across all configured systems 23 © Novell Inc. All rights reserved User Self-Service Module Tasks Subscribe / Unsubscribe from email distribution lists and groups Select challenge-response phrases and provide answers to enable web-based, “forgot my password” management Update eDirectory fields, including extended schema values, that have been enabled by the Administrator (e.g., mobile number, pager, etc.) 24 © Novell Inc. All rights reserved Hardware / Software Requirements • • • • • • • • • • • 25 Windows 2000 with IIS 5 or 6 Windows 2003 if GroupWise support not required Security certificate for SSL Microsoft Message Queuing (MSMQ) Novell Client 4.9* Novell GroupWise 5.x, 6.x or 7 Client* MSSQL, MSDE or Schema Extension to provide “forgot my password” self-service MSSQL or MSDE for audit trail archiving Novell NetWare*, OES*, SUSE Linux*, Windows NDS Version 8.5 or any version of eDirectory Any version of Active Directory © Novell Inc. All rights reserved * Target system specific Is eControl Right for You? 26 • Is your Help Desk or IT department often the bottleneck in your user account management and provisioning process? • Do your Help Desk operators have more rights than they should on your network because they need to carry out certain account management tasks? • Does your account management and provisioning process comply with internal or SOX regulatory security, privacy and audit report requirements? • Are you running GroupWise on Windows or Exchange with eDirectory and/or multiple eDirectory and Active Directory environments? • Does your Help Desk need to run multiple user account management tools? © Novell Inc. All rights reserved Is eControl Right for You? • • • • • 27 Have department mergers or corporate acquisitions made your user account creation and management tasks cumbersome and complex? Are costs increasing and productivity decreasing due to the training required for Service Desk Operators to use a combination of ConsoleOne, NWAdmin, iManager, Microsoft Management Console or custom Task Pads? Terrified about the consequences of a Help Desk Operator or junior administrator hitting the delete key on the wrong object or accessing information they shouldn’t? Need to deploy user password self-service or user self-service for GroupWise in a multiple or mixed eDirectory, GroupWise, Active Directory or Exchange environment? Are you being asked to manage and integrate more complex systems with fewer resources? © Novell Inc. All rights reserved Question and Answers Aldo Zanoni B.Ed., B.A. CEO, Managing Director Omni Technology Solutions Tel: +1 780-423-4200 [email protected] Appendix - Screenshots Help Desk Operator Tasks System Configuration Active Directory Group Membership System Configuration eDirectory Group Membership Search Context Configuration eDirectory Restricted Tasks Account Create Configuration eDirectory All Tasks Add Group to a Task Change eDirectory Password Configure Forgot Pwd Questions Manage GroupWise Distribution List Set eDirectory Password Restrictions Set Active Directory Identification Set eDirectory Identification Account Create 29 © Novell Inc. All rights reserved * Target system specific Active Directory Group Membership 30 © Novell Inc. All rights reserved eDirectory Group Membership 31 © Novell Inc. All rights reserved eDirectory Restricted Tasks 32 © Novell Inc. All rights reserved eDirectory All Tasks 33 © Novell Inc. All rights reserved Change eDirectory Password 34 © Novell Inc. All rights reserved Manage GroupWise Distribution Lists 35 © Novell Inc. All rights reserved eDirectory Password Restrictions 36 © Novell Inc. All rights reserved Active Directory Identification 37 © Novell Inc. All rights reserved eDirectory Identification 38 © Novell Inc. All rights reserved eDirectory User Self-Administration 39 © Novell Inc. All rights reserved Account Create 40 © Novell Inc. All rights reserved Administration – System Configuration 41 © Novell Inc. All rights reserved Search Context Configuration 42 © Novell Inc. All rights reserved Account Create Configuration 43 © Novell Inc. All rights reserved Add Group to Task 44 © Novell Inc. All rights reserved Forgot Password 45 © Novell Inc. All rights reserved Unpublished Work of Novell, Inc. All Rights Reserved. This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability. General Disclaimer This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Novell, Inc., makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.