Active Directory update: User self-service security concerns
Our company allows us to update our own Active Directory user data via an intranet preferences page. Are there identity management issues with allowing users to update AD themselves? What should the best practice be for updating AD data?
While I'm all about self-service, when it comes to an Active Directory update, user changes should be carefully planned and monitored. After all, AD isn't just the Global Access List (GAL) for Exchange: Active Directory is an enterprise access repository. This means that while it has public information, it also grants/denies access to a multitude of applications. In addition, a directory is only as good as the data it stores, so you should have controls over what users input as information. Telephone numbers should have a set value (usually area code), titles should be HR-style titles (I remember one engineer who made his title, "Emperor of the Universe" from a self-service interface), and other user data should follow similar controls.
From an identity management perspective, if Active Directory is being used for access and as the repository-of-record for user data for applications, the inconsistencies mentioned above can greatly affect how applications function. Incomplete, unacceptable and just plain wrong information may cause an application using that data to malfunction, or worse, grant invalid access rights (whether denying authorized users or allowing unauthorized users).
The best practices are simple: Treat Active Directory as an enterprise repository. That means architect and plan what fields will be managed by end users, and put in place the controls needed for consistent/valid data (whether the control is an Active Directory control, a process or even training for the end users).
Having users maintain their own information can be great for administrative cost savings, but if left uncontrolled, can cause more expenditures than what it saves.
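One way to put the input controls described above in front of the intranet preferences page, as an added example that is not part of the original answer: only an allowlist of attributes is user-editable, phone numbers must carry an area code and are normalized, and titles must come from the HR catalogue. The attribute allowlist, the HR title list and the office list are constructed placeholders.

```python
import re

# Attributes an employee may change from the self-service page. Anything
# else (memberOf, userAccountControl, mail, ...) is refused, so the page can
# never touch access-granting data. Hypothetical policy for this example.
EDITABLE = {"telephoneNumber", "mobile", "title", "physicalDeliveryOfficeName"}

# Constructed HR title catalogue and office list; in practice fed from HR.
HR_TITLES = {"Software Engineer", "Senior Software Engineer", "Engineering Manager"}
OFFICES = {"Boston", "Austin", "Remote"}


def normalize_phone(value):
    """Return the canonical '+1 AAA-NNN-NNNN' form, or None when the number
    lacks an area code or has the wrong length (North American numbers assumed)."""
    digits = re.sub(r"\D", "", value)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    if len(digits) != 10:
        return None
    return f"+1 {digits[:3]}-{digits[3:6]}-{digits[6:]}"


def validate_update(changes):
    """Split a self-service request into (accepted, rejected) dicts.
    accepted holds normalized values ready to write to AD; rejected maps
    each refused attribute to the reason, which should be logged for review."""
    accepted, rejected = {}, {}
    for attr, raw in changes.items():
        value = str(raw).strip()
        if attr not in EDITABLE:
            rejected[attr] = "attribute is not user-editable"
        elif attr in ("telephoneNumber", "mobile"):
            phone = normalize_phone(value)
            if phone is None:
                rejected[attr] = "needs a 10-digit number including area code"
            else:
                accepted[attr] = phone
        elif attr == "title":
            if value in HR_TITLES:
                accepted[attr] = value
            else:
                rejected[attr] = "title must be an HR-approved title"
        elif attr == "physicalDeliveryOfficeName":
            if value in OFFICES:
                accepted[attr] = value
            else:
                rejected[attr] = "office must be one of the known locations"
    return accepted, rejected
```

Only the accepted dictionary is handed to the code that writes to AD; the rejected one is the audit trail that shows what users tried to enter.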
This was first published in May 2010