Automatically Maintained Groups

One of the "value added" services that the Microsys group believes will make our Active Directory popular is the creation and maintenance of AD security groups from authoritative sources.

The need for auto maintained Groups

In the Novell NDS environment, there was a lot of potential for collaboration that never got implemented. It was possible to share identity management information across groups even early on, but the practice never became popular at scale.

One reason was the relative difficulty of locating authoritative information. Each College or group might identify their faculty using different naming conventions or locations. Some groups kept their data up to date, while others continued to "publish" long obsolete data in NDS as they moved on to other projects.

Creating and maintaining the end-user accounts for everyone on campus is a valuable Microsys service. We hope that creating and maintaining meaningful identity information will be similarly useful to the campus.

Auto Groups

In addition to maintaining end user accounts in the ou=Unity Users container in UNITY.AD, we're going to create groups under ou=Groups programmatically. You can depend on these groups to be available and up to date.

[Image: MMC console showing ou=Groups]

Uses for Auto Groups

Auto groups can be used to simplify management, particularly when combined with Active Directory's "nested groups" ability.

As a simple example, rather than trying to maintain by hand a group of student assistants who you wish to be able to remotely manage your workstations, you can assign that right to a group and add to it the Remedy workgroup that your student assistants use to track their help calls. From this point forward, you just need to add students to and remove them from the Remedy application, and they will automatically be granted (and later revoked, when their Remedy account is deactivated) the rights they need.

Available Auto Groups

For the pilot, we have a single source of automatic groups established: Remedy.

In the future, more groups for which we can identify authoritative sources and programmatically update will be added and announced. We hope to leverage the same data sources used by WolfWare, assuming that privacy and security needs can be met.

The group names in the following table are links to more detailed information.

Available Auto Groups

| Group | Source | Frequency |
|-------|--------|-----------|
| Remedy | Remedy Workgroups, used by support groups on campus. Data is read directly from the Remedy server. | Updated Daily |

Remedy

The Remedy workgroups are read each morning at 1:34 am. The results of each day's run are available via the Microsys RSS feeds and the list of groups available is at http://microsys.unity.ncsu.edu/status/Remedy-Autogroups.html.

Groups are named as in Remedy, with a suffix of "_Remedy". For example, the MICROSYS workgroup in Remedy has an auto group name of MICROSYS_Remedy, the ITECS_VCL workgroup ITECS_VCL_Remedy, and so forth.

There is a Remedy-ALL workgroup that contains all the Remedy workgroups as members. You can use this group wherever you'd like to specify the set of all Remedy users.

[Image: MMC console showing the Manager tab]

The "Managed By" tab for each group is set to the "Manager" attribute of the Remedy Workgroup.

You cannot add or remove members in the UNITY.AD Active Directory; that is done in the Remedy application.
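
The Remedy rules above (the "_Remedy" suffix, Remedy-ALL containing every workgroup group, "Managed By" taken from the workgroup's Manager, and membership changed only in Remedy) amount to a one-way reconciliation. The following is an added example, not Microsys code: the function name plan_sync, the input shapes, the per-member "active" flag, the choice to report rather than delete orphaned groups, and all account names are assumptions constructed for illustration.

```python
SUFFIX = "_Remedy"        # naming rule from the page
ALL_GROUP = "Remedy-ALL"  # group that contains every Remedy auto group

def plan_sync(remedy, ad):
    """Return the changes needed to make the AD auto groups match Remedy.

    remedy: {workgroup: {"manager": str, "members": {user: is_active}}}
    ad:     {group: {"managed_by": str or None, "members": set of names}}
    Both shapes are assumptions made for this example.
    """
    plan = {"create": [], "add": [], "remove": [], "set_manager": [], "orphaned": []}
    wanted = {}
    for workgroup, info in remedy.items():
        # Only active Remedy accounts keep membership; deactivation revokes it.
        members = {u for u, active in info["members"].items() if active}
        wanted[workgroup + SUFFIX] = {"managed_by": info["manager"], "members": members}
    # Remedy-ALL nests every auto group, so it stands for all Remedy users.
    wanted[ALL_GROUP] = {"managed_by": None, "members": set(wanted)}

    for group, want in sorted(wanted.items()):
        have = ad.get(group)
        if have is None:
            plan["create"].append(group)
            have = {"managed_by": None, "members": set()}
        plan["add"] += [(group, m) for m in sorted(want["members"] - have["members"])]
        # Members found only in AD were added by hand or deactivated in Remedy.
        plan["remove"] += [(group, m) for m in sorted(have["members"] - want["members"])]
        if want["managed_by"] != have["managed_by"]:
            plan["set_manager"].append((group, want["managed_by"]))
    # Auto groups with no matching workgroup are reported, not deleted, because
    # other groups or access lists may still reference them.
    plan["orphaned"] = sorted(g for g in ad if g.endswith(SUFFIX) and g not in wanted)
    return plan

# Constructed sample data (not real accounts).
REMEDY = {
    "MICROSYS": {"manager": "alice", "members": {"alice": True, "bob": True, "carol": False}},
    "ITECS_VCL": {"manager": "dave", "members": {"dave": True}},
}
AD = {
    "MICROSYS_Remedy": {"managed_by": "alice", "members": {"alice", "carol", "mallory"}},
    "OLDTEAM_Remedy": {"managed_by": "erin", "members": {"erin"}},
}

if __name__ == "__main__":
    for action, items in plan_sync(REMEDY, AD).items():
        print(action, items)
```

In the sample, "carol" is removed because her Remedy account is inactive and "mallory" because she exists only in AD, which is the drift the rule against editing membership in AD is meant to prevent.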

March 29, 2007