Web-based, Cross-platform, Delegated User Account Administration and Identity Management Enhancement White Paper
by Trevor Poapst, Director of Global Marketing, Omni Technology Solutions Inc.
- The Challenge of Managing Mixed Networks
- The Web-based, "ZERO Rights" Solution
- Ideal Complement to Novell Identity Manager
- Delegate eDirectory and Active Directory Account Administration and Management Tasks -- Securely
- Security and Regulatory Compliance
- Deployment Examples
- Top User Account Management Tasks
- Ten Questions to Determine if eControl is Right for You
- Three Cross-platform eControl Modules
- System Requirements
- More Information
The Challenge of Managing Mixed Networks
Mergers, acquisitions, security and privacy requirements -- and the potentially devastating lawsuits for non-compliance -- have increased the need for systems and processes that simplify and secure user account management in mixed networks. Many IT administrators and help desk operators are dealing with the security challenges and complexity of using multiple tools to manage thousands of users, distributed globally, across complex, mixed and multiple eDirectory, GroupWise, Active Directory and Exchange networks.
eControl removes this complexity by providing a proxy portal server that delegates which tasks junior administrators or end-users can carry out in which operating system or email system. eControl separates the ability to carry out tasks from the need to assign administrative or supervisor rights. eControl simplifies and secures user account management by allowing non-technical personnel and/or service desk staff to securely carry out delegated tasks in a restricted interface.
The complexity of using native applications to manage mixed or homogeneous networks has a negative impact on help desk and user productivity. eControl removes this complexity and reduces the challenges faced by overtasked senior IT personnel and employees. eControl delivers real-time user account management that enforces strict adherence to security policies and regulatory compliance. eControl allows organisations to respond quickly to user account change requests, protects sensitive corporate and customer data and tracks internal and external access. The audit trail provides a complete record of all account change actions.
Regulatory and security compliance are top of mind for security managers. Many organisations struggle with the challenge of high turnover in their help desk and service desk employees. eControl removes the challenge and security risks of training new help desk staff on how to properly and securely use Console One, NWAdmin, iManager and/or Microsoft Management Console. In under 15 minutes, your service desk and non-technical staff will be trained on how to use eControl's web-based interface to manage accounts in multiple systems.
And if you are not using an automated user account provisioning solution like Novell's Identity Manager or Microsoft's Identity Integration Server, eControl's Account Create module allows you to delegate user account creation and expiration to non-technical HR staff. External auditors often find hundreds of orphaned or dormant accounts that threaten system security. eControl secures your systems and ensures that junior administrators or divisional managers do not have administrative or supervisor access to file systems, email systems and eDirectory and Active Directory systems.
The Web-based, "ZERO Rights" Cross-Platform Solution
Omni eControl 2.x is a "ZERO Rights", web-based, delegated user account administration and identity management enhancement solution for GroupWise, eDirectory, Active Directory and Exchange. eControl empowers junior administrators, help desk operators, support staff, non-technical staff and even end-users to perform common delegated account administration tasks. From the same browser, without any trustee assignments, supervisor rights or administrator permissions in GroupWise, eDirectory, Active Directory or Exchange, non-technical staff are able to carry out specific delegated account management tasks. These common tasks include resetting passwords, managing email distribution and group lists, creating new users, unlocking intruder lockout, enabling and disabling accounts, and much more -- all from a single browser.
The result -- increased security, controlled account change management, increased productivity and peace of mind.
Ideal Complement to Novell Identity Manager and Microsoft Identity Integration Server
eControl provides the ideal complement to environments that have deployed Novell Identity Manager 3 (IDM3) or Microsoft Identity Integration Server (MIIS). Novell IDM3 and MIIS automate user provisioning and account synchronization across different identity systems and databases. eControl enhances IDM and MIIS by providing a web-based, ZERO-Rights interface that allows non-technical people to carry out specific, secure, audited, delegated user account administration tasks for eDirectory, GroupWise, Active Directory and Exchange. IDM is about account synchronisation. eControl is about account management. No more supervisor trustee assignments required, no system permissions required, no more training on ConsoleOne, NWAdmin, iManager, Microsoft Management Console for junior administrators...
Delegate Active Directory and eDirectory Account Administration and Management Tasks -- Securely
With eControl, users are only able to complete those tasks they have been delegated. eControl users require NO Trustee Assignments, NO permissions, NO access to the file system, NO System Access Rights. NO access is required to Microsoft Management Console or Task Pads, ConsoleOne, NWAdmin or iManager. eControl users perform their account administration tasks across multiple and mixed operating and email systems from a secure, easy-to-use browser.
eControl's fully archivable audit trail enables administrators and auditors to keep a tight rein on data access and account change logs. Disabling orphaned and dormant accounts can be securely delegated to junior support staff or HR staff. Administrators can enforce strong password policies and reduce the risk of regulatory exposure and security liability. As a user's role changes within the organisation, eControl allows you to quickly and efficiently change his or her group memberships and task authorities. eControl improves responsiveness, increases productivity, mitigates security risks and produces more accurate user account data.
eControl alleviates the need to assign any system access rights, trustee assignments or file system rights and permissions. This allows you and your IT staff to focus on business requirements instead of security needs. And, for organisations embarking on a longer-term identity management strategy, eControl delivers a quick win and significant and immediate ROI. eControl's Help Desk, Account Create and User Self-Service modules can be installed and configured in under three hours. Research shows that just deploying password self-service functionality can save as much as $650,000 per year in a typical 10,000-user organisation. User account management consumes a significant proportion of overall IT productivity. Even a 20% efficiency gain is significant.*
* Source: "What is User Life-Cycle Management? And Why You Should Care," META Group, June 2004, p5.
Security and Regulatory Compliance
Complete Account Change Management Audit Log and Password Change Notification are designed to enhance security and regulatory compliance with legislation such as:
- FDA 21 CFR 11
- EU Directive 2002/58/EC
Deployment Examples
Rockford Corporation uses eControl to enhance Sarbanes-Oxley (SOX) security compliance. eControl allows Rockford's Help Desk and junior administrators to carry out routine delegated user account administration and management tasks from a web browser -- with no trustee assignments in Novell GroupWise, eDirectory or the file system.
Wilfrid Laurier University
Wilfrid Laurier University's Help Desk uses eControl to delegate user administration and management tasks for their 13,500 Novell GroupWise and NetMail accounts. "Our help desk operators, users and lab administrators are thrilled with the system. I strongly recommend eControl and Omni for all universities and colleges looking to simplify their Novell GroupWise and NetMail help desk user account administration."
Arizona School District Increases ROI with Novell, EMU, and eControl
Pendergast Elementary School District chose EMU and eControl to provide bulk user management and delegated help desk user administration and management tasks to its large network. "The results were phenomenal!"
Top User Account Management Tasks
eControl is powerful and yet simple to use in homogeneous and mixed environments. On average, eControl takes three hours to install and configure in even the most complex environment. After 15 minutes of training, your non-technical staff will be able to perform the following user account management tasks for your eDirectory and/or Active Directory users.
eDirectory & GroupWise Account Management Tasks
1. Manage Account Password and Strong Password
2. Manage GroupWise Password and Strong Password
3. Enable / Disable User Accounts
4. Manage Group Memberships
5. Manage Organizational Roles
6. Set Password Restrictions
7. Release Intruder Lockout
8. Create User Identification Information
9. Manage Login Information (Login Script and Profile)
10. Manage Login Restrictions
11. Manage GroupWise Distribution Lists
12. Manage GroupWise Options (Visibility, Expiration Date)
13. Manage NetMail Account Status
Active Directory & Exchange Account Management Tasks
1. Manage Account Password and Strong Password
2. Enable / Disable User Accounts
3. Manage Group Memberships
4. Manage Exchange Mail Groups
5. Release Intruder Lockout
6. Create User Identification Information
7. Manage Account Expiration Date
Ten Questions to Determine if eControl is Right for You
- Is the IT or the help desk department sometimes the bottleneck in your user account change management process?
- Is your service desk unable to carry out certain account management tasks because of security restrictions?
- Does your security department require account change management audit reports for Security Regulation compliance?
- Are you running GroupWise on Windows or Exchange with eDirectory or mixed eDirectory and Active Directory environments?
- Does your help desk run multiple user management tools because you are running GroupWise or Exchange in a mixed or multiple Active Directory and eDirectory environment?
- Have department mergers or corporate acquisitions made your user account creation and management tasks cumbersome and complex?
- Tired of training your Help Desk Operators how to use a combination of ConsoleOne, iManager, NWAdmin, Microsoft Management Console or custom Task Pads to carry out user and identity management tasks?
- Concerned about the impact of Help Desk Operators or Junior Administrators hitting the delete key on the wrong object or "poking" about your network to see what they can see?
- Need to deploy User Self-Service or Password Self-Service for GroupWise or in a multiple or mixed eDirectory, GroupWise, Active Directory or Exchange environment?
- Are you being asked to manage and integrate more complex systems with fewer resources?
Three Cross-platform eControl Modules
eCONTROL Help Desk Delegated User Management
Provides web-based delegated help desk user account management tasks for Novell eDirectory/NDS, GroupWise and NetMail and/or Microsoft Active Directory and Exchange - in ANY combination! Options include allowing eCONTROL Operators to change GroupWise, eDirectory, Active Directory and Exchange passwords, create users controlled by templates, manage distribution and group lists, group memberships and much more. Complete granular control is provided through the eCONTROL ZERO Rights Proxy Platform. You control "who can do what" with NO Directory or mail system assignments required! Access rights are managed through the trusted eCONTROL service and administration interface.
eCONTROL User Self Service
Allows you to configure self-service eDirectory, GroupWise, Active Directory and/or Exchange values that can be managed by users. Includes password self-service. Users can reset and change passwords with the "Forgot Your Password" option from a browser, based on challenge/response "secret answers". The User Self Service options include allowing users to Subscribe/Unsubscribe from GroupWise Distribution Lists or Exchange Group Lists. User Self Service can be configured to allow users to update their own demographic information.
eCONTROL Account Create/Manage
Allows Help Desk Operators, junior administrators, HR personnel, or any delegated user to create eDirectory, GroupWise, NetMail, Active Directory, and Exchange user accounts based on pre-defined profiles. These profiles leverage existing eDirectory templates or Active Directory accounts. The pre-configured values include all eDirectory, Active Directory, home directory and GroupWise or Exchange values. eCONTROL Account Create can be customised to allow users to sign up and self-subscribe/auto-create an eDirectory, GroupWise, NetMail, Active Directory and/or Exchange account from the eCONTROL web page for subscription services. (Available in version 3.x)
System Requirements
eControl requires a Windows 2000 Professional, Windows XP Professional or Windows 2003 Server operating system. Windows is required because of a dependency for the GroupWise Win32 APIs and for access to Active Directory and Exchange.
eControl can access multiple and mixed operating systems and email systems at the same time because it acts as an authenticated intermediary (proxy) service to the target systems. eControl is a non-intrusive installation. eControl uses native Operating System APIs and LDAP calls to communicate with the target servers. This means that no agents need to be installed on the target servers or operating systems.
Since each customer network environment is unique, eControl is installed by an Omni engineer to ensure that the installation will match the needs of each network. For more information on the installation process, please refer to Full System Requirements and Remote Installation Requirements.
eControl acts as a proxy service and uses an eControl account which must have full supervisor and access rights to the systems that it is going to manage. When the Omni engineer installs and configures the eControl server, the following is performed:
- The eControl account login and password are configured.
- The LDAP server property mappings are confirmed.
- The target systems are identified (eDirectory, Active Directory, Exchange and GroupWise) and configured.
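The proxy model described above puts every privilege decision in one place: operators hold no directory rights, and a single service account with full rights acts for them. The sketch below is an added example, not Omni's code; the delegation table, operator names, task names and the hash-chained audit format are all assumptions made for illustration. It shows a deny-by-default delegation check that records allowed and denied requests alike.

```python
import hashlib
import json

# Hypothetical delegation table: operator -> allowed (target system, task) pairs.
DELEGATIONS = {
    "helpdesk1": {("edirectory", "reset_password"), ("activedirectory", "release_lockout")},
    "hr1": {("activedirectory", "disable_account")},
}

class DelegationProxy:
    """Holds the privileged service credential; operators hold no directory rights."""
    def __init__(self, delegations, backend):
        self._delegations = delegations
        self._backend = backend  # callable(system, task, target), runs as the service account
        self.audit = []          # append-only, hash-chained records (assumed format)

    def _record(self, operator, system, task, target, outcome):
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        entry = {"operator": operator, "system": system, "task": task,
                 "target": target, "outcome": outcome, "prev": prev}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.audit.append(entry)

    def perform(self, operator, system, task, target):
        # Deny by default: unknown operators and undelegated tasks never reach the backend.
        if (system, task) not in self._delegations.get(operator, set()):
            self._record(operator, system, task, target, "denied")
            return False
        self._backend(system, task, target)
        self._record(operator, system, task, target, "allowed")
        return True

def verify_audit(audit):
    """Recompute the chain; editing a record or removing one mid-chain breaks it."""
    prev = "0" * 64
    for entry in audit:
        body = {k: v for k, v in entry.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if entry["prev"] != prev or entry["hash"] != digest:
            return False
        prev = entry["hash"]
    return True

def demo():
    calls = []  # constructed stand-in for the directory APIs
    proxy = DelegationProxy(DELEGATIONS, lambda s, t, u: calls.append((s, t, u)))
    results = [proxy.perform("helpdesk1", "edirectory", "reset_password", "jdoe"),
               proxy.perform("helpdesk1", "edirectory", "delete_user", "jdoe"),
               proxy.perform("intern", "activedirectory", "reset_password", "jdoe")]
    return results, calls, proxy.audit
```

Because the service account holds full supervisor rights, the delegation check and the audit log are the only controls between an operator and the directory, so both belong on the proxy host's hardening and review list.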