Identity Analytics and Risk Intelligence:
Group Nesting: Do you nest groups in Active Directory? Turns out...you're not alone! Group maintenance is an ongoing struggle in any active Active Directory environment. One of the challenges with group nesting can be understanding what entitlements, or access, a user has when added to a group. Since access is typically inherited from groups higher up in the nesting, it is not always a simple task to understand inheritance. For example, you have a top-level group that grants some type of admin access to Active Directory. Let's say the group lets members create and delete users in AD. Then, over time, other groups are added as members of that top level group. There may be a handful to dozen and dozens of groups within the hierarchy. Fast forward and a user is made a member of one of the nested groups. Was the group administrator aware that adding the user to one of these nested groups means the user inherits the ability to create/delete users in Active Directory?
Identity analytics helps address these challenges. First, all access is collected and analyzed, including all nesting and inheritance. In our example various identity analytics views show you which users have the ability to add/delete AD accounts. With this latest rollout Identity Analytics now provides in depth information on group nesting. That is, when these high impact entitlements are inherited thru group nesting, Identity Analytics will show you which group in the hierarchy is the one the user is a direct member of. To accomplish this, two things were added. First, on the Rules Evaluation Details view, a new trustee type was added called 'nested'. When you see this new trustee type, its a signal that the high impact access was granted thru a nested group membership. Second, in the same view, the group (or groups) in the nesting hierarchy are called out by name. This data tells you exactly which group(s) within the nesting the user would need to be removed from if you do not want that user to have that access. It all sounds complicated but Identity Analytics breaks it down and simplifies the analysis. Note this works for other data sources that have nesting concepts, Active Directory was just the example used here.