I'm looking for ways to allow non-IT users to manage access to resources in a manner that's effective but doesn't overload them with too much information. Giving them full access to Active Directory Users and Computers (ADUC) feels risky since they'll see things they're not supposed to. We've tried making them owners of mail-enabled security groups so they can easily add or remove members from their distribution lists, but that isn't the best fit for every situation.
What other strategies can be employed to delegate access management effectively?
2 Answers
We usually try to delegate group membership to the application owners—makes much more sense for those who actually know who should have access. We built a custom GUI tool that simplifies AD group management for these users.
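One way to do the per-group delegation this answer describes without handing out ADUC, as an added PowerShell example (not the poster's tool or code). It assumes the ActiveDirectory RSAT module is installed and uses placeholder names for the group (`APP-Finance-Readers`) and the business owner (`jdoe`):

```powershell
# Added example, not from the original post. Delegates membership management of ONE
# group to its business owner and nothing else: the owner gets WriteProperty on the
# 'member' attribute of that group only, which is the same right ADUC's
# "Manager can update membership list" checkbox sets.
# Placeholders: group 'APP-Finance-Readers', owner account 'jdoe'.
Import-Module ActiveDirectory   # also provides the AD: PSDrive used by Get-Acl/Set-Acl

$GroupName = 'APP-Finance-Readers'   # placeholder group
$OwnerSam  = 'jdoe'                  # placeholder owner account

$group = Get-ADGroup -Identity $GroupName
$owner = Get-ADUser  -Identity $OwnerSam
$path  = "AD:\$($group.DistinguishedName)"

# 1. Record the business owner in managedBy. This is informational only;
#    by itself it grants no rights, so step 2 is still required.
Set-ADGroup -Identity $group -ManagedBy $owner.DistinguishedName

# 2. Add a single ACE: Allow WriteProperty on the 'member' attribute.
#    bf9679c0-... is the well-known schemaIDGUID of the 'member' attribute.
$memberAttrGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $owner.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberAttrGuid)

$acl = Get-Acl -Path $path
$acl.AddAccessRule($ace)
Set-Acl -Path $path -AclObject $acl

# 3. Verify: the owner should hold exactly one explicit ACE on this group,
#    scoped to the 'member' attribute GUID, and no rights on anything else.
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference -like "*\$OwnerSam" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType
```

Because the right is scoped to one attribute on one object, the owner can change who is in the group but cannot rename it, delete it, or see or touch any other directory object.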
It's actually kinda against the whole Zero Trust principle to let non-IT folks manage access themselves. Usually, IT should handle access requests coming from managers. It’s crucial to keep the process secure.
I think there’s a mix-up here! Zero trust focuses on ensuring users only have access to what they need, but RBAC deals with how that access is granted.
But if the same people managing access are also the ones approving requests to IT, it makes sense for them to handle this access, right? They’re usually in charge of specific resources, not random users.