
Allow Non-IT staff to edit AD data

Oct 5, 2020 (last update) | Posted by Matthias Rudolph | General

 

Maintaining address data in Active Directory is not an easy task for non-IT employees, at least not with Active Directory Users and Computers.

As a result, IT professionals must (still) maintain the address data.

 

Index

  • 1 IT admins and master data maintenance
  • 2 Preparation and Configuration of FirstWare
    • 2.1 Define the Admin-Role
    • 2.2 Web Server Installation of FirstWare
    • 2.3 Log in and Search Root
  • 3 Non-IT staff and Active Directory
    • 3.1 Let Non-IT staff update AD master data
    • 3.2 Change the group membership of a user
  • 4 Get your test license now
 

IT admins and master data maintenance

IT admins take care of master data maintenance in many systems and applications, basically for two reasons. On the one hand, the systems need to be handled with care due to security standards. On the other hand, most of these applications and systems are simply not usable for non-IT personnel. Other staff would need training in how to use these programs and in the wording they use (and, in the worst case, an idea of how to use parameters or how to script…).

If you want non-IT staff to maintain data with a piece of software, the tool should

  • be clear and
  • easy to understand
  • not need any support from IT staff (or as little as possible)
  • make accessible and editable only what is predefined (limited access)
     

Standard tools for Active Directory do not meet these requirements, or only in a very limited way.

But it still makes sense to think about delegating AD administration, because

  • IT specialists should primarily maintain systems (not the data in the databases/directories)
  • The data to be changed is not owned by IT, but by other departments
  • Time and money can be saved

In the next chapter I want to explain how to enable non-IT staff to edit AD data in Active Directory at no cost, using FirstWare IDM-Portal.

 

Preparation and Configuration of FirstWare

First, you should clarify which tasks the non-IT employee is to take care of. Which attributes are to be edited? Is there anything he/she must not do?

In the following example, we enable the human resources department to edit AD data, create user accounts and maintain group memberships.

FirstWare-FreeEdition includes an Admin Role for creating AD user accounts.
The Admin Role itself must be defined outside the software by an Active Directory admin.

 

Define the Admin-Role

A well-planned use of FirstWare-FreeEdition requires Active Directory and a clustered OU structure.

Think about the following OU structure:

  • User accounts
  • Admin accounts
  • Service accounts

The advantage of structuring by OU is that some branches can be hidden. This gives a better overview and better security, because you can limit which parts of the AD are accessible for delegation purposes. If you need help with this, we are happy to hear from you.

FirstWare-FreeEdition uses an admin or service account to write data to Active Directory.

If you provide FirstWare-FreeEdition as a web application, the person who uses the Admin Role of FirstWare is limited by the permissions of the service account.

In short: an IT admin should create a service account that has exactly the read and write permissions the non-IT coworker should have at most.

The privileges of this account are the absolute maximum permissions with which the software can work.
Further limitations are imposed within the software by:

  • the account with which the user logs on
  • the role of the user in the software (Admin Role / User Role)
  • the number of editable attributes in the software
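
One way an AD admin could set up such a service account with the built-in dsacls tool, shown as an added example that is not part of FirstWare or of the original article. The domain, OU paths, account name and attribute list are assumptions.

```powershell
# Added example: scope a service account's AD write rights to one OU and a
# fixed attribute list. All names below are assumptions, not from the article.
$ou      = 'OU=User accounts,DC=example,DC=com'        # hypothetical OU with normal users
$groupOu = 'OU=Department groups,DC=example,DC=com'    # hypothetical OU with department groups
$acct    = 'EXAMPLE\svc-firstware'                     # hypothetical service account

# Address attributes HR may maintain (standard AD LDAP attribute names).
$attrs = 'streetAddress', 'l', 'st', 'postalCode', 'co', 'telephoneNumber'

function Grant-Delegation([string]$Target, [string]$Ace, [string]$Inherit) {
    # dsacls: /I:S = child objects only, /I:T = this object and child objects
    & dsacls.exe $Target "/I:$Inherit" /G $Ace | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed for ACE '$Ace' on '$Target'" }
}

# Read/write only the listed properties, and only on user objects below the OU.
foreach ($a in $attrs) {
    Grant-Delegation -Target $ou -Ace "${acct}:RPWP;$a;user" -Inherit 'S'
}

# Create user objects in this OU (the HR task described in the article).
Grant-Delegation -Target $ou -Ace "${acct}:CC;user" -Inherit 'T'

# Maintain the member list of department groups kept in a separate OU.
Grant-Delegation -Target $groupOu -Ace "${acct}:RPWP;member;group" -Inherit 'S'

# Review the result: list every ACE that names the account on the user OU.
& dsacls.exe $ou | Select-String -SimpleMatch $acct
```

Because no ACE is granted on the Admin accounts or Service accounts OUs, the portal cannot write there, provided the service account is not a member of a privileged group.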

 

Web Server Installation of FirstWare

After you have created a service account and checked the OU structure for suitability, you can install FirstWare.

(Screenshot: Select Web server installation)

(Screenshot: A defined service account)

At the end of the installation you will get a link to access the application. You just need to send this link to the non-IT colleagues to let them access the portal.
Each employee must log in with his/her own AD account.
If “Enable Integrated Windows Authentication” is enabled, the non-IT staff member is automatically logged in with his/her Windows account.

 

Log in and Search Root

After logging in with the Admin Role, the master data owner can start working.

Verify that he/she really uses the Admin Role. Otherwise, he/she can only edit his/her own data with the User Role.

(Screenshots, left: User Role / right: Admin Role)

The non-IT staff member does not have the Admin Role
If the person who is responsible for the AD administration is not using the Admin Role, you have to make him/her a member of the Firstware-Admins group.
It is best to create a separate AD group for this purpose.
  • Create such a group or decide which group you will use for this purpose
  • Run FirstWare with an AD admin account
  • Click the “Config” tab
  • Go to “Identity Manager Roles” and set the OU in which the FirstWare-Admin accounts can be found

With a click on “Config” you can set the search root / AD entry point.

Staff using FirstWare with the Admin Role (non-IT staff) can now edit and maintain AD master data.

 

Non-IT staff and Active Directory

Editing address and user data in Active Directory is easy and intuitive with FirstWare. No training is necessary.

Once it is set up, non-IT staff can edit AD data.
 

Let Non-IT staff update AD master data

A non-IT staff member can easily update address data. Here is how:

Example:

  • User: Brian Wood
  • Street old: 85 Denham St.
  • Street new: 115 Green Ave

  1. Run FirstWare (type the URL or use a bookmark in your browser)
     Search for “Brian”

  2. Click Manage to edit Brian Wood

  3. Click in the field (attribute) you want to change, here: Street

  4. Enter the new street, click Save, and it’s done.

The new non-IT admin can of course edit any other AD address data as well.
If you want him/her to maintain additional attributes, which may come from a schema extension, just contact us and we’ll adjust FirstWare for you.

 

Change the group membership of a user

It is just as easy to add a user to an Active Directory group.

Possible applications of AD groups:

  • Belonging to a department
  • Folder permissions
  • Mail distribution lists
  • Software distribution
  • other authorizations…

Example: user changes departments

  • User: Brian Wood
  • Old department: Logistics
  • New department: Planning
  • Avoid over-permissioning! Remove the Logistics group membership

  1. Search for the user “Brian Wood” and click “Manage” to edit

  2. Click the “Group Membership” tab to see all groups the user is a member of

  3. Search for the group of the new department, “Planning”, and drag and drop it to the right side

  4. To avoid over-permissioning: remove the user from the old department group “Logistics”

  5. Finally, click “Save”. Done.
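
A check for the over-permissioning case above, run by an AD admin with the ActiveDirectory PowerShell module (added example, not from the original article or the product). It assumes hypothetical OU paths, that each department group is named exactly like the department, and that each user's department attribute is kept up to date.

```powershell
# Added example: report users who still belong to a department group that does
# not match their current department attribute. All names are assumptions.
Import-Module ActiveDirectory

$userOu  = 'OU=User accounts,DC=example,DC=com'        # hypothetical
$groupOu = 'OU=Department groups,DC=example,DC=com'    # hypothetical

# Assumption: each department group is named exactly like the department,
# e.g. "Logistics" and "Planning". Map group DN -> group name.
$deptGroups = @{}
Get-ADGroup -Filter * -SearchBase $groupOu | ForEach-Object {
    $deptGroups[$_.DistinguishedName] = $_.Name
}

$findings = Get-ADUser -Filter * -SearchBase $userOu -Properties Department, MemberOf |
    ForEach-Object {
        $user = $_
        foreach ($dn in $user.MemberOf) {
            # Ignore groups that are not department groups.
            if (-not $deptGroups.ContainsKey($dn)) { continue }
            # A department group that differs from the user's department is stale.
            if ($deptGroups[$dn] -ne $user.Department) {
                [pscustomobject]@{
                    User       = $user.SamAccountName
                    Department = $user.Department
                    StaleGroup = $deptGroups[$dn]
                }
            }
        }
    }

$findings | Sort-Object User | Format-Table -AutoSize
```

If step 4 were skipped for Brian Wood, he would be listed with Department “Planning” and StaleGroup “Logistics”.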

Enabling non-IT staff to edit AD data such as department group memberships or address data is a small part of the opportunities that Active Directory offers.
With groups and attributes you can control a lot of permissions and applications. If you want to know more about it, we are happy to hear from you.

Get your test license now

You can test FirstWare IDM-Portal 2017 SmartEdition for 30 days and see if it fits your needs. We are happy to provide you with further information.

Article created on: 12.12.2014
Tags: Delegation, Non-IT staff