I'm trying to find ways to let non-IT users manage access to resources effectively without overwhelming them with too many options. Giving them access to Active Directory Users and Computers (ADUC) seems risky, as they could see more than they should. We've tried having them own mail-enabled security groups, allowing them to add and remove members from their distribution lists. However, many of the security groups they need access to aren't mailing lists. What alternatives do you use to give these users proper control?
2 Answers
This feels a bit contrary to the Zero Trust model. Typically, IT should manage access based on requests from managers, especially for sensitive resources.
Zero Trust isn't necessarily about preventing all self-service; it's about managing risks, which can include delegated access.
We like to delegate group membership management to those who actually own the AD groups. It's much more efficient than having IT manage every little request.
The end users who would approve requests should be the same ones managing access. Think application and data owners, not just random team members.
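As an added illustration of the delegation approach in the second answer (this is example code, not something posted by any of the participants above), the two things ADUC does when you set a group's Managed By and tick "Manager can update membership list" can be scripted with the ActiveDirectory module: set the `managedBy` attribute, then grant that principal an Allow WriteProperty ACE on the group's `member` attribute (the "Write Members" permission). Nothing else on the group or in the OU is exposed, so the owner never needs ADUC. The group name, owner account and OU below are assumed placeholders.

```powershell
# Delegate membership management of one AD group to its business owner.
# Assumed names: group 'APP-FinanceReports-RW', owner 'jdoe'. Run as an account
# that can modify the group's security descriptor (e.g. a Domain Admin or an
# account that has been delegated Modify Permissions on the group).
Import-Module ActiveDirectory

$GroupName = 'APP-FinanceReports-RW'   # assumed: the group being delegated
$OwnerSam  = 'jdoe'                    # assumed: the data/application owner

$group = Get-ADGroup -Identity $GroupName
$owner = Get-ADUser  -Identity $OwnerSam

# 1. Record the owner on the group so it shows on the Managed By tab (and in
#    Outlook for mail-enabled groups). This attribute alone grants no rights.
Set-ADGroup -Identity $group -ManagedBy $owner.DistinguishedName

# 2. Grant the owner "Write Members": Allow WriteProperty on the 'member'
#    attribute only. bf9679c0-... is the well-known schemaIDGUID of 'member'.
$memberGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $owner.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

$path = "AD:\$($group.DistinguishedName)"
$acl  = Get-Acl -Path $path
$acl.AddAccessRule($ace)
Set-Acl -Path $path -AclObject $acl

# 3. Verify: the only ACE the owner received is WriteProperty scoped to 'member'.
$ownerNt = $owner.SID.Translate([System.Security.Principal.NTAccount]).Value
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference.Value -eq $ownerNt } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, AccessControlType |
    Format-Table -AutoSize
```

The owner can then add or remove members with `Add-ADGroupMember` / `Remove-ADGroupMember`, through a self-service portal, or from the Managed By tab, but cannot see or change anything else. Two caveats a practitioner would want: an owner with Write Members can add themselves or anyone else, so do not delegate groups that confer administrative rights (local admin, GPO-targeted, nested in privileged groups) this way; and turn on auditing for group membership changes (security event IDs 4728/4732 for additions, 4729/4733 for removals) so the delegation is reviewable.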