I'm currently handling user requests for access to shared folders on our servers through a ticketing system. The process involves looking up the project manager for approval, creating or managing AD groups for the users, and then responding once the approval and setup are done. With around 3000 users in my region, this has become a rather tedious task. Is there any way to automate part of this process, particularly using ServiceNow or any scripting solutions?
5 Answers
If it only takes you 2-5 minutes per request, maybe consider standardizing some of your permission groups. Yes, you can automate some aspects, but remember, human approval is still necessary, so complete automation may not save you a lot of time. We use tools like Adaxes which streamline the process with approval workflows, but you'll still need to manage permissions effectively. Wouldn't this be more suited for a helpdesk role as long as the basic permission groups are established?
You could make this a lot easier with ServiceNow if you have an Integration Hub subscription and use the Active Directory integration. It comes with pre-built actions like 'add user to group' and 'create group'. You can set up a ServiceNow flow that automatically adds users to the right groups after an approval is granted. Just a note, though—handling NTFS permissions directly requires custom actions since there's no built-in option for that. Those custom actions use Powershell under the hood.
Another route is to use Python or Powershell scripts for automating these tasks. You can create an application that follows a check-based system for executing AD requests, using SMTP for notifications or even an Azure tenant app if that fits your needs. Most of these AD tasks are straightforward and definitely automatable with Powershell.
Have you thought about making the project managers responsible for the onboarding process? If they or their trusted staff can get approval directly for access requests, it could ease your workload significantly. Alternatively, you could implement a system where managers approve requests before they reach IT, which might streamline things even more.
You might want to check out IdentityIQ Sailpoint if your company is looking for a more robust solution. It offers a self-service portal where users can request group creations and access. This could save you a lot of hassle by empowering users to manage their own access requests in a controlled manner. Just a heads up, I worked in support there, not as a system admin.
Exactly, if a request involves a manager in the approval loop, it can speed things up. It's all about reducing the back-and-forth between users and IT.