Allow Non-IT staff to edit AD data

Main­tain address data in Acti­ve Direc­to­ry is not an easy thing for non-IT employees. At least not with Acti­ve Direc­to­ry Users and Computers.

As a result, IT pro­fes­sio­nals must (still) main­tain the address data.

IT admins and mas­ter data maintenance

IT admin take care of the mas­ter data main­ten­an­ce in many sys­tems and app­li­ca­ti­ons. And this basi­cal­ly has 2 rea­sons. On the one hand, the sys­tems need to be hand­led with care due to secu­ri­ty stan­dards. On the other hand, most of the­se app­li­ca­ti­ons and sys­tems are just not usable for non-IT per­so­nell. Other staff would need trai­ning for the usa­ge and know­ledge of the wor­d­ing used in the­se pro­grams. (and in the worst case an idea about how to use para­me­ters or how to script…)

If you want Non-IT staff to main­tain data with some pie­ce of soft­ware, the tool should

• be clear and
• easy to understand
• not need any sup­port of the IT staff (or at less as possible)
• only be acces­si­ble and edita­ble, what is pre­de­fi­ned (limi­ted access)
   

Stan­dard tools for Acti­ve Direc­to­ry do not match the­se requi­re­ments or only in a very limi­ted way.

But it still makes sen­se to think about the dele­ga­ti­on of AD admi­nis­tra­ti­on, because

• IT spe­cia­lists should main­tain sys­tems in the first place (not the data in the databases/directories)
• Data to be chan­ged is not owned by the IT, but by other departments
• Time and money can be saved
   

In the next chap­ter I want to exp­lain how to enab­le Non-IT staff to edit AD data in Acti­ve Direc­to­ry without cos­ts, using First­Wa­re IDM-Portal.

Pre­pa­ra­ti­on and Con­fi­gu­ra­ti­on of FirstWare

First, you should cla­ri­fy what tasks the non-IT employee shall take care of. What are the attri­bu­tes to edit? Is the­re some­thing you must not do?

In the fol­lowing examp­le, we enab­le the human resour­ces depart­ment to edit AD data, crea­te user accounts and to main­tain group memberships.

First­wa­re-Free­Edi­ti­on inclu­des an Admin Role, to crea­te AD user accounts. (→ more about roles in FirstWare-FreeEdition)
The Admin Role its­elf must be defi­ned out­side the soft­ware by an Acti­ve Direc­to­ry admin.

Defi­ne the Admin-Role

Requi­re­ments for a well-plan­ned use of First­Wa­re-Free­Edi­ti­on are Acti­ve Direc­to­ry and a clus­te­red OU structure.

Think about the fol­lowing OU structure:

• User accounts
• Admin accounts
• Ser­vice accounts

The Advan­ta­ge of an OU struc­tu­ring is that some bran­ches can be hid­den. This leads to a bet­ter over­view and secu­ri­ty, becau­se you can limit what parts of the AD are acces­si­ble for dele­ga­ti­on pur­po­ses. If you need help with this, we are hap­py to get your message.

FirstWare‑F/en/company/contact/reeEdition uses an admin or ser­vice account to wri­te data in Acti­ve Direc­to­ry.

If you pro­vi­de First­Wa­re-Free­Edi­ti­on as a web app­li­ca­ti­on, the per­son who uses the Admin Role of First­Wa­re is limi­ted by the per­mis­si­ons of the ser­vice account.

In short: An IT admin should crea­te a ser­vice account with all read and wri­te per­mis­si­ons that the non-IT cowor­ker should main­tain at maximum.

The pri­vi­le­ges of this account are the abso­lu­te maxi­mum per­mis­si­ons with which the soft­ware can work.
Other limi­ta­ti­ons in the soft­ware made by:

• the account with which the user logs on
• the role of the user in the soft­ware (Admin Role / User Role)
• the num­ber of edita­ble attri­bu­tes in the software

Web Ser­ver Instal­la­ti­on of FirstWare

After you crea­ted a ser­vice account and che­cked the OU struc­tu­re for sui­ta­bi­li­ty, you can install FirstWare. 

Select Web ser­ver installation

A defi­nier­te ser­vice account

At the end of the instal­la­ti­on you will get a link to access the app­li­ca­ti­on. You just need to send this link to the non-IT col­leagues, to let the access the portal.
Each employee must log in with his own AD account.
If “Enab­le Inte­gra­ted Win­dows Authen­ti­ca­ti­on” is enab­led, the non-IT staff is auto­ma­ti­cal­ly log­ged in with his/her Win­dows account.

Log in and Search Root

After log­ging in with the Admin Role the mas­ter data owner can start working.

Veri­fy that he/she real­ly uses the Admin Role. Other­wi­se, he/she can only edit his/her own data with the (User Role).

 (left: User Role / right: Admin Role)

With a  click on “Con­fig” you can set the search root / AD ent­ry point.

Staff using First­Wa­re with the Admin Role (Non-IT staff) can now edit and main­tain AD mas­ter data.

Non-IT staff and Acti­ve Directory

Edi­t­ing address and user data in Acti­ve Direc­to­ry is easy and intui­tiv with First­Wa­re. The­re is no trai­ning necessary.

Once set up, you enab­le Non-IT staff to edit AD data.
 

Let Non-IT staff update AD mas­ter data

A non-IT staff can easi­ly update address data. And here is how:

Examp­le:

• User: Bri­an Wood
• Street old: 85 Den­ham St.
• Street new: 115 Green Ave

1. Run First­Wa­re (type the URL or use a book­mark in your browser)
   Search for “Bri­an”
    
2. Click Mana­ge to edit Bri­an Wood
    
3. Click in the field (attri­bu­te) you want to chan­ge, here: Street
    
4. Enter the new street — click save and it’s done. 

The new Non-IT admin can of cour­se edit any other AD address data as well.
If you want him/her to main­tain addi­tio­nal attri­bu­tes, that may come from a sche­ma exten­si­on, just con­ta­ct us — we’ll adjust First­Wa­re for you.

Chan­ge the group mem­bers­hip of a user

It is as easy to add a user to an Acti­ve Direc­to­ry group. (→ group manage­ment)

Pos­si­ble app­li­ca­ti­ons of AD groups:

• Belon­ging to the depart­ment (more)
  
• Fol­der per­mis­si­ons (more)
• Mail dis­tri­bu­ti­on lists (more)
  
• Soft­ware distribution
• other aut­ho­riz­a­ti­ons…

Examp­le — User chan­ges departments:

• User Bri­an Wood
• Old Depart­ment: Logistics
• New Depart­me­net: Planning
• Avoid over per­mis­sio­ning! Remo­ve Logistics group membership

1. Search user “Bri­an Wood” and click “Mana­ge” to edit
    
2. Click the “Group Mem­bers­hip” tab, to see all groups, the user is mem­ber of
    
3. Search the group of the new depart­ment “Plan­ning” and Drag & Drop it to the right side
    
4. To avoid over per­mis­sio­ning: Remo­ve the user from the old depart­ment “Logistics”
    
5. Final­ly click “Save” — done 

Enab­ling Non-IT staff to edit AD data such as depart­ment group mem­bers­hips or address data is a small part of the oppor­tu­nities that Acti­ve Direc­to­ry offers.
With groups and attri­bu­tes you can con­trol a lot of per­mis­si­ons and app­li­ca­ti­ons. If you want to know more about it, we are hap­py to get your mes­sa­ge.

Get your test licen­se now

You can test First­Wa­re IDM-Por­tal 2017 Smar­tEdi­ti­on for 30 days and see if it fits your needs. We are hap­py to pro­vi­de you with fur­ther information.

Contact us