The Dot Net Factory Identity Management Blog

Come see us at the RSA security conference if you're in San Francisco March 1-5 - booth 2643 http://www.rsaconference.com/2010/usa/index.htm

Patrick

We are happy to announce that we have launched a YouTube channel. The YouTube channel will provide a source for instructional videos on EmpowerID features and previews of upcoming product features. Feel free to visit and provide feedback.

http://www.youtube.com/empowerid

Thank you,

Patrick Parker

Today we announced the release of a new package of workflows and reports focused primarily on Active Directory user and group management (ADUC-style tasks). There were also many new reports for SharePoint permissions reporting (i.e. who has access to what)  in addition to those for group membership change tracking, expired accounts, audit logging, and others.

A few of my favorite new features were the support for forced registration for password self-service reset, a password expiration notification workflow that allows nagging or even account inactivation, and enhancements to the deleted user and mailbox restore workflows.

Most of the workflows were based on specific customer requests and they were all created using BPM Studio which is our workflow design tool. This tool is a rapid Windows Workflow Foundation design environment that can be used by customers or anyone to create workflows just like those in the packages we announced today. We actually set a record internally where one workflow developer created 25 substantial new workflows in under two weeks.

The best part is that customers will receive the workflows and reports for the EmpowerID modules they own free of charge.

You can read the full press release here

Our resident lead guru on Microsoft Windows Workflow Foundation development is writing a book using EmpowerID as his example development environment. We will have pre-release chapters available for attendees of the Microsoft SharePoint Conference this month in Las Vegas. If you are attending, please drop by our booth to pick up your sample chapters and to see some of the innovative new functionality we have around SharePoint workflow development, using the Business Datalog Catalog as a universal data connector, and also centralized workflow-based permissions management for SharePoint.

SharePoint Conference Web Site

Microsoft recently announced that the soon to be released Exchange 2010 was moving to an entirely Role-Based Access Control model. This represents a major change from the split permissions ACL model used in previous versions and one that is sure to be welcomed by security professionals everywhere. From what I've read so far, it looks like a complete swap out of the administrative delegation model from granting ACLs for attributes on objects moving instead to controlling "Operations" which represent PowerShell commandlets that perform specific human identifiable tasks. The ACLs model was cited by the Exchange team as a leading source of support calls and a major area of frustration for administrators.

Interestingly enough, the Exchange 2010 RBAC model maps on an almost one-to-one level with EmpowerID's implementation of RBAC at the technical role or "Management Role" level. These are the roles defined per type of Resource (mailbox, user, group, web page, etc...) to provide consistency for delegation of management tasks and also for reporting who has access to what. In EmpowerID, our "Operations" are workflow shapes that can, like Exchange, be PowerShell commandlets or almost anything else: custom code, web service calls, SSH calls, etc...

We are in complete agreement with the Exchange teams assesment of the lack of viability of ACL-based permissions management and are looking forward to seeing how AD moves down this path in future releases of the Windows Server platform. Given that Windows Server 2008 R2 includes a large number of PowerShell commandlets for AD administration, using these as the basis for AD management "Operations" an RBAC management model seems like a natural next step.

 Read more about our take on Exchange's move to RBAC