Check and regularly validate group memberships for ISO compliance
Check group memberships in an audit-proof manner: This was precisely the challenge facing our Swiss customer from the transport and rail industry, an ISO-certified company. Annual recertification of group memberships was mandatory, but the tools available to date were not sufficient for this purpose.
Together with our team, we developed a recertification service that helps companies validate group memberships efficiently and ensure compliance.

The challenge: excessive permissions
The customer’s challenge was clear: the Active Directory groups were growing continuously. More and more employees were becoming members, while only a few were leaving the groups – for example, trainees who were registered in various groups. This resulted in security-relevant excessive permissions that could become problematic during audits.
In addition, the annual review and documentation of group memberships had to be carried out efficiently and in an audit-proof manner. The previous, self-developed system was no longer able to meet these requirements, especially since the employee responsible had left the company. Complete traceability via log files was also required to ensure ISO compliance.
📩 The customer approached us with the request to
- provide a service that automates these checks,
- documents them in an audit-proof manner, and
- can be flexibly adapted to the company’s requirements.
Our solution: A service for annual recertification
To ensure ISO-compliant testing, we developed our own service based on .NET. It works as follows:
- The service registers on a server and regularly reads the group memberships.
- During the audit, the current membership is compared with the group's previously recorded composition.
- All members are automatically set to approval status.
- The respective group manager then has 28 days to confirm or remove the memberships.
- If no confirmation is received within that period, the member is removed from the group without exception.
The test cycle can also be flexibly adjusted via a small configuration file, for example from annually to semi-annually.
Benefits of the recertification service
👍 Individual configurability
A key feature of the recertification service is its high degree of flexibility in configuration. Different groups can be assigned their own test cycles. For example, administration groups can be recertified every six months and normal groups annually. The distinction is made quite simply on the basis of defined naming conventions, such as the prefix “ADM…”. In this way, companies can simultaneously define different check intervals for different group types and also control exactly which groups are included in the checks.
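The following PowerShell sketch is an added example, not the FirstAttribute service's code and not the customer's proof-of-concept script. It models the workflow described above (read memberships, compare against the recorded baseline, put every member into "pending" status, give the owner 28 days, remove whatever is not confirmed, log every step) together with the prefix-based review intervals described under "Individual configurability". The directory, the group names, the owner names, the config keys and the function names are all constructed for illustration; in a real deployment the membership reads and removals would go through the ActiveDirectory module cmdlets `Get-ADGroupMember` and `Remove-ADGroupMember`, which are replaced here by an in-memory hashtable so the script runs offline.

```powershell
# Added example: recertification pass over an in-memory model of AD groups.
# Constructed configuration: the review interval is chosen by group-name prefix.
$Config = @{
    DefaultIntervalDays = 365                 # normal groups: annually
    PrefixIntervals     = @{ 'ADM' = 182 }    # admin groups: every six months
    ReviewWindowDays    = 28                  # time the owner has to confirm
    ExcludePrefixes     = @('SYS')            # groups never included in the check
}

function Get-ReviewInterval {
    param([string]$GroupName)
    foreach ($prefix in $Config.PrefixIntervals.Keys) {
        if ($GroupName.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $Config.PrefixIntervals[$prefix]
        }
    }
    return $Config.DefaultIntervalDays
}

function Test-GroupExcluded {
    param([string]$GroupName)
    foreach ($prefix in $Config.ExcludePrefixes) {
        if ($GroupName.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# Constructed directory state. Baseline = membership recorded at the last certification;
# Members = what Get-ADGroupMember would return today.
$Directory = @{
    'ADM-Servers' = @{ Owner = 'alice'; LastCertified = (Get-Date).AddDays(-200); Baseline = @('alice', 'bob'); Members = @('alice', 'bob', 'trainee1') }
    'PRJ-Rail'    = @{ Owner = 'carol'; LastCertified = (Get-Date).AddDays(-100); Baseline = @('carol');        Members = @('carol', 'dave') }
    'SYS-Backup'  = @{ Owner = 'erin';  LastCertified = (Get-Date).AddDays(-900); Baseline = @('erin');         Members = @('erin') }
}

# Append-only audit trail; in production this would be a log file or SIEM feed.
$AuditLog = New-Object System.Collections.Generic.List[string]
function Write-AuditLog { param([string]$Message) $AuditLog.Add(('{0:u} {1}' -f (Get-Date), $Message)) }

function Start-Recertification {
    # Opens a review for every group whose interval has elapsed; all members go to "Pending".
    param([datetime]$Now)
    $reviews = @{}
    foreach ($name in $Directory.Keys) {
        if (Test-GroupExcluded $name) { continue }
        $g = $Directory[$name]
        $interval = Get-ReviewInterval $name
        if (($Now - $g.LastCertified).TotalDays -lt $interval) { continue }   # not due yet
        $added   = $g.Members  | Where-Object { $_ -notin $g.Baseline }        # joined since last certification
        $removed = $g.Baseline | Where-Object { $_ -notin $g.Members }         # left since last certification
        Write-AuditLog "REVIEW-OPEN group=$name owner=$($g.Owner) interval=${interval}d added=[$($added -join ',')] removed=[$($removed -join ',')]"
        $status = @{}
        foreach ($m in $g.Members) { $status[$m] = 'Pending' }
        $reviews[$name] = @{ Deadline = $Now.AddDays($Config.ReviewWindowDays); Status = $status }
    }
    return $reviews
}

function Set-MemberDecision {
    # The group owner confirms or declines a single membership; every decision is logged.
    param($Reviews, [string]$Group, [string]$Member,
          [ValidateSet('Confirmed', 'Declined')][string]$Decision, [string]$By)
    $Reviews[$Group].Status[$Member] = $Decision
    Write-AuditLog "DECISION group=$Group member=$Member decision=$Decision by=$By"
}

function Complete-Recertification {
    # After the deadline, anything not explicitly confirmed is removed from the group.
    param($Reviews, [datetime]$Now)
    foreach ($name in $Reviews.Keys) {
        $r = $Reviews[$name]
        if ($Now -lt $r.Deadline) { continue }                                 # window still open
        $keep = @()
        foreach ($m in $r.Status.Keys) {
            if ($r.Status[$m] -eq 'Confirmed') { $keep += $m }
            else { Write-AuditLog "REMOVE group=$name member=$m reason=$($r.Status[$m])" }  # Remove-ADGroupMember in production
        }
        $Directory[$name].Members       = $keep
        $Directory[$name].Baseline      = $keep                                # new baseline for the next cycle
        $Directory[$name].LastCertified = $Now
        Write-AuditLog "REVIEW-CLOSE group=$name remaining=[$($keep -join ',')]"
    }
}

# Usage: only ADM-Servers is due (200 days > 182); PRJ-Rail is not due; SYS-Backup is excluded.
$t0 = Get-Date
$reviews = Start-Recertification -Now $t0
Set-MemberDecision $reviews 'ADM-Servers' 'alice' 'Confirmed' 'alice'
Set-MemberDecision $reviews 'ADM-Servers' 'bob'   'Confirmed' 'alice'
# trainee1 is never confirmed, so the deadline pass removes it.
Complete-Recertification -Reviews $reviews -Now $t0.AddDays(29)
$AuditLog | ForEach-Object { $_ }
```

The point of the audit-log lines is that each one answers a recertification question on its own: which groups were opened and why (interval elapsed), what changed since the last certification, who confirmed which member, and what was removed because no confirmation arrived. Resetting the baseline at close time is what makes the next cycle's "added since last review" list meaningful.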
👍 Notification features
In addition, particular emphasis was placed on the notification functions. When an audit begins, group owners receive an email with a direct link to the automation interface, where they can confirm or decline each group member, either individually or all at once in a single step.

Two reminder emails ensure that no review is overlooked: the second is also sent to the supervisor of the person responsible. After the review period has expired, a final results report is also sent. This makes the annual recertification process for group owners not only efficient, but also particularly user-friendly.

The Automation Service in the IDM-Portal provides a user-friendly interface for checking group memberships.
Project challenges and special features
There were several technical and organizational challenges involved in implementing the recertification service to check group memberships:
- The service had to communicate reliably with the existing Active Directory and our automation service without disrupting existing processes.
- All changes to group memberships had to be logged completely so that ISO compliance could be verified at any time.
- The audit cycle should not be rigid, but should be adaptable to different company requirements (e.g., annual or semi-annual audits).
An important step was a “proof of concept” and a gradual introduction: First, feasibility was tested with a small PowerShell script before the dedicated service was fully developed and put into production.
Administrators and IT managers were involved at an early stage to set up the service in a practical manner and ensure acceptance by all parties involved.
These measures ensured that the service is not only functional, but also reliable and easy to maintain in production.
✅ The service is now in production and successfully in use by the customer.
Result
Thanks to automation, the annual recertification of group memberships is now secure, traceable, and audit-proof. The company saves time, reduces excessive permissions, and reliably meets the requirements of its ISO certification.
More about FirstWare IDM-Portal
The FirstWare IDM-Portal by FirstAttribute is an integrated Identity and Access Management (IAM) solution that enables automated management of users and their permissions – whether on-premises or in the cloud.
This portal integrates all aspects of identity and access management and provides centralized access to identity and directory services.