New Feature Highlights for PowerBroker Identity Services 8.5.5
Host Access Control Groups Provide a Single Location for Administration
When using PowerBroker Identity Services AD Bridge, not all admins who control the creation and management of users have access to Group Policy or the Group Policy Management Console to control access rights (i.e. who can log on to which servers). This often leads to segmented administration where one admin or group is responsible for creating users and groups, but a different admin or group has to set up and maintain ACLs via Group Policy. Administration can be more time-consuming when user administration and access control are managed in two different interfaces.
PowerBroker Identity Services version 8.5.5 introduces a new feature called Host Access Control Groups, which allows access control to be defined by adding users and/or groups of users, along with computer accounts, to an appropriately named AD Group that is matched by any of the defined Access Control Templates for a given PowerBroker Identity Services Cell. This allows the Active Directory administrator who creates and manages users and groups to also control which systems those users can log on to. This new capability provides a single location for user, group and access control administration, thereby simplifying management.
Example use case
In a database environment, access control is required on a set of hosts running database applications that include the following:
- Group of database server hosts, DatabaseServers: dbsrv1, dbsrv2, dbsrv3
- Group of database client hosts, DatabaseClients: dbcli1, dbcli2, dbcli3
- Group of database administrator accounts, DatabaseAdmins: dbadm1, dbadm2, dbadm3
- Group of database application user accounts, DatabaseUsers: dbusr1, dbusr2, dbusr3
Database administrators can access all database hosts—create a DatabaseAdmins-ACL group that includes the following groups as members: DatabaseServers, DatabaseClients and DatabaseAdmins.
Database users can access only database client hosts—create a DatabaseUsers-ACL group that includes the following groups as members: DatabaseClients and DatabaseUsers.
Assigning groups in the Active Directory Users and Computers GUI is as simple as identifying PowerBroker Identity Services ACL type groups by name or using wildcards in the ACG template section for any given Cell.
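To review what a set of ACL groups actually grants before relying on it, the use case above can be modeled as data and flattened into a host-to-users matrix. This is an added example, not PowerBroker Identity Services code: it models the rule as this page describes it (a user can log on to a host when both sit, directly or through nested groups, in a template-matched group). The `*-ACL` template pattern, the function names and the in-memory directory are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Constructed directory mirroring the page's use case: group -> direct members.
GROUPS = {
    "DatabaseServers": {"dbsrv1", "dbsrv2", "dbsrv3"},
    "DatabaseClients": {"dbcli1", "dbcli2", "dbcli3"},
    "DatabaseAdmins": {"dbadm1", "dbadm2", "dbadm3"},
    "DatabaseUsers": {"dbusr1", "dbusr2", "dbusr3"},
    "DatabaseAdmins-ACL": {"DatabaseServers", "DatabaseClients", "DatabaseAdmins"},
    "DatabaseUsers-ACL": {"DatabaseClients", "DatabaseUsers"},
}
# Computer accounts, so leaf members can be split into hosts and users.
HOSTS = GROUPS["DatabaseServers"] | GROUPS["DatabaseClients"]
# Assumed template pattern; the page only says templates match by name or wildcard.
ACG_TEMPLATES = ["*-ACL"]


def flatten(group, groups, seen=None):
    """Return all leaf accounts under a group, visiting each nested group once."""
    seen = set() if seen is None else seen
    if group in seen:  # guard against circular nesting
        return set()
    seen.add(group)
    leaves = set()
    for member in groups.get(group, ()):
        if member in groups:
            leaves |= flatten(member, groups, seen)
        else:
            leaves.add(member)
    return leaves


def access_matrix(groups, hosts, templates):
    """Map each host to the users sharing a template-matched group with it."""
    matrix = {h: set() for h in hosts}
    for name in groups:
        if not any(fnmatchcase(name, t) for t in templates):
            continue  # not an ACL group, so it grants nothing by itself
        members = flatten(name, groups)
        for host in members & hosts:
            matrix[host] |= members - hosts
    return matrix


if __name__ == "__main__":
    for host, users in sorted(access_matrix(GROUPS, HOSTS, ACG_TEMPLATES).items()):
        print(f"{host}: {', '.join(sorted(users))}")
```

Comparing the matrix against the intended policy catches over-broad grants, for example a wildcard template that also matches a group never meant to control access.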