Provisioning and Attestation for SharePoint thru ActiveRoles

By Bob Bobel


Since I mentioned our work on SharePoint in May (see I’ve had a lot of requests for more details. We have come a long way in the development cycle, so I wanted to share some details about our plans for a public beta that will happen in about one month’s time.


Soon we will provide a new component of Quick Connect for Base Systems named Quick Connect for Base Systems: SharePoint Integration. This integration pack will install into the ActiveRoles Server console directly rather than appearing as a traditional connector in Quick Connect so as to simplify deployment.


SharePoint Provisioning: The primary purpose of the beta will be to provide automated provisioning and, maybe more importantly, automated deprovisioning of user access to specific SharePoint sites. This is accomplished through the existing ActiveRoles Server provisioning and deprovisioning policies, so you control access in the same way you do for other Microsoft applications, even if you have not followed the Microsoft best practice of using AD groups to control SharePoint access.


SharePoint Attestation: For customers who own ActiveRoles Server and ActiveRoles Self-Service Manager, this new addition will allow you to extend access certification reviews (a.k.a. attestation) to your SharePoint site owners through the easy-to-use self-service interface. The goal of attestation is to have the owner of the site’s data periodically review the individuals who have been granted access. The owner of the data is the logical choice for this type of review because he/she is typically the person who understands the business reasons why a particular user was granted access to the data. Periodic certification reviews also provide a great way to determine which groups in AD are being properly managed, meaning that if a group owner fails to perform the review, their group is added to a list of suspect groups. If you want to understand more about attestation, see my recent posts.


SharePoint Access Remediation: (Warning-teaser) In the next major release of ActiveRoles Server we will include a new set of optional policies that essentially amount to the ability to disable a group that is granting security access. We also link this new capability to our Attestation Policy, so that when the resource owner fails to perform a required attestation review within a given review timeframe, access can be withheld in a non-destructive way. This is of course optional, and the disablement of the group can be reversed with a single click, so that if a group is super critical it can be brought back almost instantly.