Delegated administration
Delegated administration describes the decentralization of role-based access control systems. Many enterprises use a centralized model of access control. For large organizations, this model scales poorly and IT teams become burdened with menial role-change requests. These requests — often used when hire, fire, and role-change events occur in an organization — can incur high latency times or suffer from weak security practices.

One best practice for enterprise role management entails the use of LDAP groups. Delegated administration refers to a decentralized model of role or group management. In this model, the application or process owner creates, manages and delegates the management of roles. A centralized IT team simply operates the directory service, metadirectory, web interface for administration, and related components. Allowing the application or business process owner to create, manage and delegate groups supports a much more scalable approach to the administration of access rights.

In a metadirectory environment, these roles or groups can also be "pushed" or synchronized to other platforms. For example, groups can be synchronized with native operating systems such as Microsoft Windows for use on an access control list that protects a folder or file. With the metadirectory distributing groups, the central directory remains the authoritative repository of groups.

Some enterprise applications (e.g., PeopleSoft) support LDAP groups inherently: they query the directory over LDAP for their authorization decisions.

Web-based group management tools — used for delegated administration — therefore provide the following capabilities, using a directory as the group repository:
- Decentralized management of groups (roles) and access rights by business- or process-owners
- Categorizing or segmenting users by characteristic, not by enumeration
- Grouping users for e-mail, subscription, and access control
- Reducing work process around maintenance of groups
- Reproducing groups on multiple platforms and into disparate environments
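The following is an added example, not code from the article or from any product it names. It models the capabilities listed above in a small in-memory directory: groups carry `owner` and `member` attributes, only the DNs listed as owners (the business or process owners) may change membership or delegate ownership, the central IT account that runs the service cannot edit any group, an application authorizes a user purely by membership lookup, and a `sync_delta` function computes the adds and removes a metadirectory would push to a target platform's local group. All DNs, the `dc=example,dc=com` suffix and the group name are constructed for the example.

```python
# Added example, not code from the article or any product it names: an
# in-memory model of delegated group administration over LDAP-style
# groupOfNames entries carrying 'member' and 'owner' attributes.
# Assumptions (constructed here): the DNs in a group's 'owner' attribute
# are its business/process owners and alone may change membership or
# delegate; central IT runs the directory but owns no groups; applications
# authorize by membership; a metadirectory pushes membership deltas.
from dataclasses import dataclass, field
from typing import Dict, List, Set

BASE = "dc=example,dc=com"  # constructed suffix for the sample directory


@dataclass
class Group:
    dn: str
    owners: Set[str] = field(default_factory=set)   # 'owner' attribute (DNs)
    members: Set[str] = field(default_factory=set)  # 'member' attribute (DNs)


class DelegationError(PermissionError):
    """A requester who is not a listed owner tried to manage the group."""


class Directory:
    def __init__(self) -> None:
        self.groups: Dict[str, Group] = {}
        self.audit: List[str] = []  # change log the central IT team reviews

    def create_group(self, cn: str, owner_dn: str) -> Group:
        dn = f"cn={cn},ou=groups,{BASE}"
        self.groups[dn] = Group(dn=dn, owners={owner_dn})
        self.audit.append(f"{owner_dn} created {dn}")
        return self.groups[dn]

    def can_manage(self, requester_dn: str, group_dn: str) -> bool:
        """Delegation rule: only a listed owner may modify the group."""
        return requester_dn in self.groups[group_dn].owners

    def _require_owner(self, requester_dn: str, group_dn: str) -> Group:
        if not self.can_manage(requester_dn, group_dn):
            raise DelegationError(f"{requester_dn} is not an owner of {group_dn}")
        return self.groups[group_dn]

    def add_member(self, requester_dn: str, group_dn: str, member_dn: str) -> None:
        self._require_owner(requester_dn, group_dn).members.add(member_dn)
        self.audit.append(f"{requester_dn} added {member_dn} to {group_dn}")

    def remove_member(self, requester_dn: str, group_dn: str, member_dn: str) -> None:
        self._require_owner(requester_dn, group_dn).members.discard(member_dn)
        self.audit.append(f"{requester_dn} removed {member_dn} from {group_dn}")

    def delegate(self, requester_dn: str, group_dn: str, new_owner_dn: str) -> None:
        """An owner delegates management by listing another owner."""
        self._require_owner(requester_dn, group_dn).owners.add(new_owner_dn)
        self.audit.append(f"{requester_dn} delegated {group_dn} to {new_owner_dn}")

    def is_authorized(self, user_dn: str, group_dn: str) -> bool:
        """What an LDAP-aware application does: authorize by group membership."""
        group = self.groups.get(group_dn)
        return group is not None and user_dn in group.members


def sync_delta(directory: Directory, group_dn: str, platform_members: Set[str]) -> Dict[str, List[str]]:
    """Metadirectory push: adds/removes that make a target platform's local
    group (e.g. one used on a Windows file ACL) match the directory."""
    wanted = directory.groups[group_dn].members
    return {"add": sorted(wanted - platform_members),
            "remove": sorted(platform_members - wanted)}


def demo() -> Dict[str, object]:
    """Lifecycle walk-through with constructed sample identities."""
    d = Directory()
    it_ops = f"cn=itops,ou=people,{BASE}"     # runs the service, owns nothing
    hr_lead = f"cn=hr-lead,ou=people,{BASE}"  # business owner of the group
    alice = f"cn=alice,ou=people,{BASE}"
    bob = f"cn=bob,ou=people,{BASE}"
    g = d.create_group("payroll-approvers", hr_lead)
    d.add_member(hr_lead, g.dn, alice)

    blocked = []
    for requester in (bob, it_ops):  # neither is an owner, so both are refused
        try:
            d.add_member(requester, g.dn, bob)
        except DelegationError:
            blocked.append(requester)

    d.delegate(hr_lead, g.dn, bob)     # HR lead delegates to Bob
    d.add_member(bob, g.dn, bob)       # now permitted
    d.remove_member(bob, g.dn, alice)  # off-boarding done by the owner, not IT
    delta = sync_delta(d, g.dn, platform_members={alice})  # stale platform copy
    return {"blocked": blocked,
            "alice_authorized": d.is_authorized(alice, g.dn),
            "bob_authorized": d.is_authorized(bob, g.dn),
            "delta": delta,
            "audit_entries": len(d.audit)}
```

Running `demo()` shows the two refused requests (Bob before delegation, and the IT operator at any time), Bob authorized and Alice no longer authorized after the owner's changes, the add/remove delta for the stale platform copy, and five audit entries for IT to review. In a real OpenLDAP deployment the same ownership rule is expressed natively in the access configuration rather than in application code, for example `access to dn.subtree="ou=groups,dc=example,dc=com" attrs=member,owner by dnattr=owner write by * read`, so that the directory itself refuses membership changes from anyone not listed in the group's `owner` attribute.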