Thursday, December 11, 2008

Temporary Group Membership

Vendor: Microsoft Corp.

Product: Active Directory.

Short feature description.
AD group membership lets you map privileges to an account by adding the account to a group; you revoke those privileges by removing the account from the group.

Problem description.
During an account's life cycle many different rights are granted and revoked. In most cases it is possible to specify the time period for which the account needs a given privilege. In general, I think all privileges should be granted only for a period of time and then, perhaps, prolonged if still needed. In the "Windows world" the most convenient way to grant privileges to an account is to map those privileges to an AD group and then add the user account to that group. Unfortunately, AD does not let you add an account to a group for a limited period, i.e. so that the account automatically loses the group membership once that period ends.


Enhancement Description.
AD should have a mechanism for temporary group membership.
To my mind this feature is actually more important than the account expiration date. The account itself is about authentication, while the account's groups are about authorization. As far as I understand it, authorization, i.e. which resources the account can access, matters more: if an account is authenticated (the user has proved she is the account's owner) but not authorized (the account is a member of no group and so holds no privileges), the resources are still secure.
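The mechanism requested above, as an added example that is not part of the original post: a grant function records an expiry time alongside the membership it adds, and a cleanup function, run from a scheduled task, removes memberships whose time has lapsed. It assumes the ActiveDirectory PowerShell module is available and that the ledger path `$LedgerPath` is a location only the automation account can write to; both are assumptions, not something the post specifies.

```powershell
# Added example: temporary AD group membership via an expiry ledger plus a cleanup job.
Import-Module ActiveDirectory

# Assumed path for the expiry ledger; it must be writable only by the automation account,
# otherwise anyone who can edit it can extend their own access.
$LedgerPath = 'C:\Secure\TempMembership.csv'

function Grant-TemporaryGroupMembership {
    param(
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][timespan]$Duration
    )
    $expires = (Get-Date).ToUniversalTime().Add($Duration)
    Add-ADGroupMember -Identity $Group -Members $User
    # Record who got what, who granted it, and when it lapses (UTC, round-trip format).
    [pscustomobject]@{
        User    = $User
        Group   = $Group
        Expires = $expires.ToString('o')
        Granter = $env:USERNAME
    } | Export-Csv -Path $LedgerPath -Append -NoTypeInformation
}

function Remove-ExpiredGroupMembership {
    # Schedule this (for example every 15 minutes) under a least-privilege service account
    # that can only modify the managed groups.
    if (-not (Test-Path $LedgerPath)) { return }
    $now  = (Get-Date).ToUniversalTime()
    $keep = @()
    foreach ($entry in Import-Csv -Path $LedgerPath) {
        if ([datetime]::Parse($entry.Expires).ToUniversalTime() -le $now) {
            # Revoke on expiry; -Confirm:$false suppresses the interactive prompt.
            Remove-ADGroupMember -Identity $entry.Group -Members $entry.User -Confirm:$false
            Write-Verbose "Removed $($entry.User) from $($entry.Group) (expired $($entry.Expires))"
        } else {
            $keep += $entry
        }
    }
    if ($keep.Count -gt 0) {
        $keep | Export-Csv -Path $LedgerPath -NoTypeInformation
    } else {
        Remove-Item -Path $LedgerPath
    }
}

# Example use: four hours of membership in a constructed group name.
Grant-TemporaryGroupMembership -User 'jdoe' -Group 'FileServer-Admins' -Duration (New-TimeSpan -Hours 4)
```

Windows Server 2016 and later provide this natively: with the Privileged Access Management optional feature enabled in the forest, Add-ADGroupMember accepts a -MemberTimeToLive parameter and the directory itself drops the member when the TTL expires.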

