The power of workflow

Active Directory | June 8, 2017 | 2 min read

If you are like me, you have wondered why workflow is important and something that you need to investigate. What I have learned is that workflow is a key security mechanism that’s vital to the overall security, controls, and maintenance of any computer environment. Without workflow, settings can change without notice, and the change can remain in place without the knowledge of the security and administrative teams.

Workflow is not just a “chain of command” solution. Rather, it is a way to inform and include administrators and security professionals in the configurations that occur that could expose the network and data to a would-be attacker.

Traditional workflow includes many roles for which many people in the organization can be included. The traditional roles include:

  • Requester
  • Reviewer
  • Approver
  • Executor

You can see how ADManager Plus visually shows which roles are engaged in Figure 1.

Figure 1. ADManager Plus workflow.

For security purposes, it is essential that there is, at a minimum, a requester and executor. The goal here is that users, technicians, administrators, and others can request that a setting be made, but someone else is going to review and execute the action. This will do a few things for you with regard to security:

  1. Because more than one person is involved, there is a built in “double check” for the configuration.
  2. Because a configuration is being requested, it only makes sense that it isn’t current, which gives the whole process a built-in “least privilege” approach.
  3. Workflow is always tracked, so reports can be run showing when the settings were made.
  4. Usually the executor is an administrator or technician, so there is someone in the process that is informed (and involved) in the changes that occur.

Workflow can be especially helpful for the following use cases:

Privileged group membership modification
User account creation
Group creation
User account deprovisioning
Deleting computer accounts
Modifying email settings
Changing key user account properties
…and more

A final consideration for workflow is communication. Email notifications when requests are made and when the configurations are executed (notifying the requester) are vital for efficiency. For example, if a user needs to be placed in a group to access a resource, the request can be made quickly. However, if the requester is not promptly notified that the configuration is made, the requester will not know they need to log off and back on to receive the membership in the group to access the resource. Figure 2 illustrates the options for notifications in ADManager Plus.

Figure 2. Notification rules in ADManager Plus.

ADManager Plus contains a robust, secure, and efficient workflow solution incorporating all of the key factors that you need to create a successful workflow. If you want to see how workflow can be implemented simply in your Active Directory environment, you can download ADManager Plus free here.