Ask Slashdot: New Employee System Access Tracking?
New submitter mushero writes: We are a fast-growing IT services company with dozens of systems, SaaS tools, dev tools and systems, and more that a new employee might need access to. We struggle to track this, both in terms of what systems a given set of roles will need and then whether it has been done, as different people manage various systems. And of course the reverse when an employee leaves. Every on-boarding or HR system we've looked at has zero support for this; they are great at getting tax info, your home address, etc. but not for getting you a computer nor access to a myriad of systems. I know in a perfect world it'd all be single-sign-on, but that's not realistic yet and we have many, many SaaS services that will never integrate. So what have you used for this, how do you track new employee access across dozens of systems, hundreds of employees, new hires every day, etc.?
In Theory - Thor (Score:1)
There are a number of products built exactly for this...
IBM has Tivoli Access Manager. It is as good as you expect an Enterprise IBM product to be :/ - i.e. not great...
Oracle has a product called Thor (now Oracle Identity Manager) which is built for this exact thing. Unfortunately it IS oracle, and all the shitty price and UI you expect from such a thing.
There is CA Identity Manager if you really hate yourself (It IS CA, and has all the fun and joy a CA product can give).
In short? There IS stuff built for t
Re: (Score:1)
You missed at least a couple. Fox Technologies has a product called Boks for this, Oracle LDAP (formerly SunOne) is very good and has all of the API capabilities of any LDAP solution. If you wanted a different *NIX auth back end you could run P-GINA on your Windows hosts and have them auth elsewhere.
The reason these solutions are "meh" is normally related to the huge disparity in HR solutions and their implementations. Plugging in to inventory systems creates more unique challenges.
Re: (Score:3)
Oh, it CAN be done. You just have to have somebody on staff who is an expert at RADIUS, LDAP, AD-AUTH, Kerberos, OAuth and probably a dozen other protocols that deal with authentication and authorization. Oh, and then a proper security audit because if you do it in house, are you sure that you can't drive a Mack truck through it?
Having done the ROI estimate on such a project, we couldn't do it. And this was for a company that had at least standardized on products that use RADIUS and LDAP for all things th
Re: (Score:2)
I for one have seen men and women working in IT with said skills. Besides, why would you even be using an authentication protocol your own staff has no clue about? That's just calling for trouble.
Also, the ROI estimates I've usually seen decision makers rely on are one dimensional plain simple characterizations that hardly reflect the real world we live in. It's an insanely complex task getting it right and all that money could be used in actually getting things done.
Sure, I've seen quite a few people with those skills. They don't work for me, and they probably don't work for the OP. If authentication is not in your line of business for your company, why are you making an internal product to do it? Oh, and it's a lot easier to implement a protocol like LDAP or RADIUS in an existing application than to build one from scratch. Knowing about 3DES TLS sockets is important, but let the professionals write the implementation.
If it was easy to do, the list would include hundreds of products -- many of them open source. That should give you a clue.
Building and open-sourcing custom solutions tailored for your personal needs is pointless. We're not talking about some universal it-does-everything solution, but a solution that will be tailored in-house to fit *your* unique combination of services and software. Nobody else would have the same needs as you.
Sure. Your business is a special snowflake for everything you do. I get it. No other business has ever tackled doing authentication management before ever -- and none of them have ever integrated with one of the common SaaS products before. It's a good thing you are spending multiple man-years building an internal product rather than focusing on stuff you can sell, implement, consult on, or you know, make money on. Spending 1 FTE year building something that can be bought off the shelf for $50,000 is
Re: (Score:2)
Standardize on LDAP and use AD to authenticate against. I know, Microsoft is the devil, but their LDAP stuff on AD is pretty secure and well documented. And quite frankly, their LDAP is best / easiest to deal with.
Parent +1 (Score:2)
Re: (Score:2)
[Disclaimer: I am an Oracle employee but am not part of any customer-facing LoB]
OIM - Oracle Identity Management is a large-business solution. The UI is horrendous but it's one of the few Oracle products where that doesn't bother me, simply because you rarely access it.
No idea about their pricing, though. Keep in mind that even then it won't be an all-in-all solution, there's always going to be the odd environment with its own account management which can't be linked to OIM unless you're willing to spend obscene
Re: (Score:2)
HP has a number of products as well.
Competency (Score:1)
Onelogin (Score:2)
Our company uses OneLogin with a set of custom scripts to sync everything with AD and our internal systems. Works pretty well.
Re: (Score:2)
OneLogin is the authority, changes are pushed to AD which is just there to manage Windows credentials. All the web apps (which is pretty much all of our apps) authenticate off of OneLogin. You set your password through a custom portal that syncs up everything.
In small scale.. (Score:2)
One Excel sheet per employee.
HR fills in a sheet which contains tick boxes for existing systems and sends the filled form to IT.
IT opens accounts for that user per selection.
HR didn't file the form? No accounts.
HR missed a certain box? Speak with the manager and request access using normal request policies.
Re: (Score:2)
Shit idea.
Great for onboarding, sucks for when employee X leaves the company (automated inactivation of accounts). Horrible for security (automatic password expiration push). Horrible for rehires or people changing departments. Et cetera.
Re: (Score:2)
Gives nice ticked boxes which indicate each system where accounts need to be closed.
Passwords should expire automatically every 30-60 days regardless of whether the user is leaving or not.
Rehires or department change? Just refill the form on another sheet to match the new position.
Re: (Score:2)
User leaves, nobody fills form because that's how human beings are, accounts remain active forever.
Passwords should expire every 90 days, but it's one thing when you have one SSO password which expires every 90 days or 30 different passwords which expire every 90 days each. Having to reset and remember 30 passwords, one every 3 days on average, is mind-numbing.
Rehires are tricky. Some companies have a data retention / e-mail address retention policy. It's impossible to enforce it with spreadsheets.
Before lo
SSO (Score:2)
Made for exactly this : PORTADI (Score:2)
It's not an HR system but is an enterprise IAM, plus it works great for small teams (of 3 even).
https://www.portadi.com
More than happy to be a reference
Regards
John Jones
Tools (Score:1)
As much as I hate to mention the "O" word ... (Score:2)
Re: (Score:2)
If you're gonna spend a million dollars or whatever you can probably do it with Tivoli, maybe even without customization but probably not. IBM loves customization.
Re: (Score:2)
NetIQ Identity Manager would have been much cheaper. I've done both and it's not even close.
Re: (Score:2)
Re: (Score:3)
We're a University of 30,000 students and 5,000 staff and we're getting rid of OIM because it can't do anything properly. After 3 years and literally millions of dollars it still can't communicate with Exchange, not only are we still employing the same number of people to do account provisioning (approx 14,000 new accounts per year) we're also empl
Lastpass? (Score:3)
Can you use something simple like the group version of LastPass / set up their accounts and manage their passwords / revoke access?
LDAP? (Score:4, Interesting)
Just use a centralized solution that is configured to give access and authorization to assets, they exist, it's called LDAP and you can plug whatever the hell information you want in them, even the HR-only information (such as tax records etc). You then just need to make sure your roles are defined within your organization and HR knows about which roles to give to a person.
If you're talking about giving people root/wheel access to certain boxes even when LDAP is broken, then you can still use LDAP as a source to feed into e.g. an Ansible/Puppet script (or whatever configuration management system you decide to use) that runs every few minutes/hours/days and inserts/revokes access for those sysadmins.
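One way to implement the periodic "managed script" this reply describes, and the access tracking the original poster asks for: an added example, not code from the thread or any product named in it, that reconciles an authoritative roster (the roles HR/LDAP says a person has) against per-system account exports and produces the grant and revoke work list. Every uid, role and system name below is constructed sample data; the role-to-system policy is an assumption standing in for whatever the organization defines.

```python
from dataclasses import dataclass

# Role -> systems that role is entitled to (constructed sample policy,
# in practice fed from LDAP/HR group membership).
ROLE_ENTITLEMENTS = {
    "ops-engineer": {"vpn", "jira", "aws-console", "pagerduty"},
    "developer": {"vpn", "jira", "github"},
}

@dataclass(frozen=True)
class Person:
    uid: str
    roles: frozenset
    active: bool  # False once HR records the person as having left

def expected_access(roster):
    """Map each uid to the systems the roster entitles it to (none if inactive)."""
    expected = {}
    for p in roster:
        systems = set()
        if p.active:
            for r in p.roles:
                systems |= ROLE_ENTITLEMENTS.get(r, set())
        expected[p.uid] = systems
    return expected

def reconcile(roster, actual):
    """actual: {system: set of uids} as exported from each system's admin UI/API.
    Returns (to_grant, to_revoke) as sets of (uid, system) pairs. An account on a
    system for a uid the roster has never heard of is an orphan and is revoked,
    which is exactly the leaver case a spreadsheet process silently misses."""
    expected = expected_access(roster)
    to_grant, to_revoke = set(), set()
    for uid, systems in expected.items():
        to_grant |= {(uid, s) for s in systems if uid not in actual.get(s, set())}
    for s, uids in actual.items():
        to_revoke |= {(uid, s) for uid in uids if s not in expected.get(uid, set())}
    return to_grant, to_revoke

# Constructed sample: johnny just joined Ops, dana left last week, svc-old is an orphan.
ROSTER = [
    Person("johnny", frozenset({"ops-engineer"}), True),
    Person("dana", frozenset({"developer"}), False),
]
ACTUAL = {
    "vpn": {"johnny", "dana"},
    "jira": {"johnny"},
    "github": {"dana", "svc-old"},
    "pagerduty": {"johnny"},
}
```

Running `reconcile(ROSTER, ACTUAL)` on the sample yields one grant (johnny needs aws-console) and three revocations (both of dana's leftover accounts plus the orphaned svc-old login); feeding the revoke list into a ticket queue or the configuration management run gives the audit trail the original poster is after.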
Re: (Score:2)
Nice idea but not enough in the real world. There are lots of things that don't work with LDAP and there are other things that need manual provisioning.
Re: (Score:2)
That's where the managed script comes in. LDAP works with most things that have access controls and is designed for just that purpose.
Re: (Score:3)
In all seriousness, you're correct. I've found in the real world you're using a combination of Active Directory (or some other LDAP) along with web based applications, and maybe even some compiled applications running locally. Some are behind the firewall, some aren't. You really need something that can support SAML along with form-filling that will also sync with AD to really cover the whole gamut. And even then some of it will be a ma
Cloud Solution it (Score:1)
Internet 2 Grouper (Score:1)
Lots of ways (Score:1)
Re: (Score:3)
"Set up like" is a horrible model. It leads to over provisioning of access and poor governance.
Re: (Score:2)
Where the hell are my karma points when I need them?
+2 to you LDAPMAN.
I work at a large company that has acquired (and not fully integrated) other companies over the years. To say that it's a complete mess when it comes to identity management is an understatement.
Sailpoint? (Score:2)
Look into http://sailpoint.com/
UCS (Univention Corporate Server) (Score:1)
Not my area of expertise but ... (Score:2)
What I've seen is that most companies are Windows-based and use Active Directory to centralize the vast majority of their permission management system. Almost every professional system out there then integrates into it via some LDAP mechanism, and it's usually relatively easy to switch in-house apps over as well.
There are two other cases I've seen that aren't related explicitly to a person:
- required local accounts
- service accounts
There's always a lot of cases where you need a
Is it April Fool's day? (Score:2)
>> We are a fast-growing IT services company with dozens of systems...We struggle to track this
Funniest thing I read all day. Thanks for the laugh!
FoxPass (Score:1)
I Built It (Score:1)
As part of a very long term project I built exactly what the article says doesn't exist - a way to track onboarding and offboarding in a single system. One reason why it was a long term project is that it took that long for the systems and departments to catch up and buy into central tracking.
My system passed every internal, external, and federal audit. It is still running five years after I left the company. I was hired back as a consultant to integrate the parent data when the company was purchased bec
Need tracking, not central Auth (Score:1)
Original Poster here - yes, these are all good suggestions and we should add more LDAP (we have large multi-thousand host LDAP systems now), but a lot, if not most of these systems we need, especially various SaaS tools, don't support this well, if at all. So a full SSO system is a real challenge - we are looking at AD integration next year to handle the ones that can.
But I don't really need this today - what I need is to TRACK all the system access, in part just to know what systems Johnny in Ops Engineer
New thing called Linux (Score:1)
InBold Business Platform (Score:1)