Written by Randy Franklin Smith, President, Monterey Technology Group, Inc.
Good access control is really a matter of well-managed groups and managing most entitlements through Active Directory (AD). Of course, the why and how of access control matter, too, and I’ll cover that in this solution brief. But at the end of the day, good access control comes down to avoiding the use of local groups (whether on Windows file servers, in Microsoft SQL Server, in SharePoint, or elsewhere) and instead assigning permissions to AD groups. In my experience, you can’t hope to really understand, much less control, who has access to what until you can manage the bulk of your entitlements through AD.
In this paper, I’ll explain why AD groups are at the center of the access control and governance universe and then explore what it takes to manage them. I will discuss why and how to implement group ownership and attestation controls. Also, we’ll look at how much group maintenance can be automated through self-service access-request handling and policy-based rule assignments.