System administration
Fedor Malyshkin, 2012-09-24 09:43:10

A system for accounting for applications for granting access rights for a large organization?

Good afternoon!
There is a need to automate the process of granting rights in a number of automated systems to a large number of users.
The context is this: there is a large organization (1-2 thousand employees) that uses several dozen software products (few of them can use Active Directory for authentication and for representing rights; most have their own user base with their own authentication and authorization system). We have a user support department which, at the request of users, submits requests for changing rights in one or more systems; a security department that checks these requests for admissibility; and an administration department that executes these requests: it creates users in the systems and issues or changes rights. The problem is that the security department often requests reports on who has been granted such and such rights in a system (or a general summary report on the rights in a particular system).
The task is not to automate the issuance of rights, but to automate the accounting of such "applications" for access.
I don’t even know what this category of products is called (if there is one). 
From the approximate requirements:
the ability to work through a web client;
the possibility of generating a printed form of this "application", which would reflect all the rights issued / planned for issuance of a particular user;
a reporting system (it would be nice with the possibility of compiling your own reports), which would also reflect information on the rights granted to the resource in accordance with the completed “applications”;
versioning for "applications";
the ability to import data (users, resources for which rights are granted, and so on).
PS: I'm writing from a mobile phone with a 'smart' keyboard and I apologize for any typos.

6 answer(s)
Nikolai Turnaviotov, 2012-09-24
@foxmuldercp

The easiest and fastest way is any ServiceDesk system, for example a ticket system where requests can be created from an email or a web interface: RT.

Sergey, 2012-09-24
@bondbig

This is a special case of what is called "electronic document management". This is when applications and other requests are not written on paper, with someone then running around collecting signatures; instead, electronic applications are created in advance in some ED system, with specific content and approval routes (static or dynamic). In the case of an access request, it will look like a list of available systems + a list of possible "roles" (admin, read-only, developer, operator, think of it yourself) or a set of rights. A person ticks the checkboxes, presses the buttons, writes a rationale for the need, and launches it for approval. The first in the route will be, for example, their manager, then, depending on what they selected earlier, for example, immediately the "owners" of this or that application or some security officers. Everyone can either reject the application (return it for revision with a comment on why it was rejected) or approve it and let it go further along the route. At the end of the route, either a ticket is created in the service desk, "give blah blah rights to such and such a user", which someone carries out by hand, or you can automate the granting of these rights (both with self-written solutions and with Identity Management software).
You can do the same with any other requests, up to the release or purchase of equipment.
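The approval route described in the answer above, together with the "who holds which rights" report the question asks for, as an added example that is not part of the original thread. The class, field and function names are hypothetical, and the users, systems and approvers are constructed sample data.

```python
from dataclasses import dataclass, field
@dataclass
class AccessRequest:                      # hypothetical model, not a real product's API
    user: str
    rights: dict                          # system -> role ticked by the requester
    rationale: str
    route: list                           # ordered approvers
    version: int = 1
    step: int = 0
    status: str = "in_approval"
    history: list = field(default_factory=list)  # (version, actor, action, comment)

    def _check(self, actor):
        # Only the approver whose turn it is may act; anything else is refused.
        if self.status != "in_approval" or self.route[self.step] != actor:
            raise PermissionError(f"{actor} is not the current approver")

    def approve(self, actor):
        self._check(actor)
        self.history.append((self.version, actor, "approved", ""))
        self.step += 1
        if self.step == len(self.route):
            self.status = "approved"      # end of route: a service desk ticket follows

    def reject(self, actor, comment):
        self._check(actor)
        self.history.append((self.version, actor, "rejected", comment))
        self.status = "returned"          # back to the requester for revision

    def resubmit(self, rights, rationale):
        if self.status != "returned":
            raise ValueError("only a returned request can be revised")
        self.version += 1                 # earlier versions stay in the history
        self.rights, self.rationale = dict(rights), rationale
        self.step, self.status = 0, "in_approval"   # a revision restarts the route

def rights_report(requests, system):      # rows of (user, role, request version)
    return sorted((r.user, r.rights[system], r.version)
                  for r in requests if r.status == "approved" and system in r.rights)

def demo():
    # Constructed sample data: the user, systems, roles and approvers are made up.
    a = AccessRequest("ivanov", {"CRM": "read-only", "ERP": "operator"}, "new hire",
                      ["manager", "system_owner", "security"])
    a.approve("manager")
    a.reject("system_owner", "ERP operator role is not justified")
    a.resubmit({"CRM": "read-only"}, "new hire, CRM only")
    for actor in a.route:
        a.approve(actor)
    return a, rights_report([a], "CRM")
```

The report counts only requests that completed the whole route, so a pending or returned request never shows up as a granted right.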

lomac, 2012-09-25
@lomac

In the question, I identified the following 2 points for myself:

  1. Access Application Lifecycle Tool
  2. Tool for obtaining data about the available access of the user for the security department

In your request, the emphasis is on point 1. But there are tools on the market that include the functionality of both points 1 and 2. This is a category of IdM solutions with a workflow tool where you can build the approval process as you need. The Russian market has both big, heavy Western solutions (Oracle, IBM, Novell) and our own more flexible and less heavyweight solutions, which are gaining popularity. So from the Russian solutions I can recommend the Avanpost product (http://www.leta.ru/products/avanpost.html).

Roy, 2012-09-26
@Roy

Try looking at MS Forefront Identity Manager; the thing is quite flexible.
A video to get an idea: www.techdays.ru/videos/4510.html

sstupin, 2013-01-15
@sstupin

There is such a system: KUB. What you need ;-)

Ilya Maltsev, 2016-08-30
@i_maltsev

A similar problem arose a year ago; I had to write a mini-IDM myself, taking Redmine as a basis. I posted the Lite version of the plugin on GitHub:
https://github.com/iymaltsev/access_tickets
