
AMI Praha reference

Active Directory connection


In June 2014, together with Raiffeisenbank a.s., the connection of Active Directory to CA IdentityMinder (hereinafter referred to as IdM) was successfully completed.

Project description

Connecting Active Directory was the most complex project so far in the IdM deployment at Raiffeisenbank. The connection itself uses a standard connector from the manufacturer (CA Technologies), but many things had to be adapted to the customer’s needs. The first task was to define how to map all the account properties in Active Directory onto role assignments in IdM (RBAC – Role-Based Access Control), so that the already implemented processes, such as role requests, could also be used meaningfully for Active Directory. As a result, the following role types were defined for Active Directory:

  • basic roles – define the basic account type, specify the transfer of attributes from the user in IdM to the account in Active Directory (e.g. first name, last name, e-mail, department, etc.) and further define the account settings (e.g. Smart Card login, account validity, remote login, etc.)
  • group roles – define which groups in Active Directory the user is assigned to
  • container roles – determine in which container (OU) the account is created

By assigning roles of these types (a user can have more than one group role), the Active Directory account is already fully specified.

Other modifications that have been made to IdM for Active Directory purposes include:

  • Generation of a user name for Active Directory (with sequence numbers)
  • Calculation of the default container according to account type and various database code lists
  • Automatic account transfers in Active Directory when changing workplace, etc.
  • New type of approval workflow for role assignment – approval by the shared directory sponsor
  • Calling a script to create a home directory and set its permissions
  • Support for multiple Active Directory accounts for a single user in IdM

The most important task at the end of the project was to reconcile the existing state of the accounts in Active Directory with the role assignments in IdM so that the two matched. For this purpose, various reports and simulations were programmed on the IdM side to show the degree of matching, as well as tasks that can bulk clean up the state of accounts in Active Directory according to the role assignments in IdM. The project also included the delivery of a new task in IdM to bulk assign roles to users based on CSV input data. The customer then worked primarily with these tools to incrementally debug the IdM role assignments and the Active Directory account state, so that users would not lose necessary permissions when the system was deployed.
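The role model above (basic, group and container roles fully specifying an account) and the reconciliation reports described in this paragraph can be illustrated with a small script. The following is an added example, not code from AMI Praha, CA IdentityMinder or the customer: it derives the AD account each user should have from their role assignments and reports every difference against a constructed snapshot of AD (attribute and setting drift, groups not granted by any role, missing groups, wrong OU, missing account). All role names, OUs, users and accounts are assumptions made up for the example.

```python
"""Added example (not the project's or CA IdM's code): a model of the three role
types the page describes for Active Directory (basic, group and container roles)
and a reconciliation report comparing the account state those roles imply with
the state actually found in AD. All names and accounts below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class BasicRole:
    """Account type: which IdM user attributes flow to AD, plus fixed account settings."""
    name: str
    attribute_map: Tuple[Tuple[str, str], ...]  # (IdM user attribute, AD attribute)
    settings: Tuple[Tuple[str, str], ...]       # (AD setting, required value)

@dataclass(frozen=True)
class GroupRole:
    """Group memberships the role grants (one role may grant several groups)."""
    name: str
    groups: Tuple[str, ...]

@dataclass(frozen=True)
class ContainerRole:
    """The OU in which the account must be created."""
    name: str
    container: str

# Hypothetical role catalogue; names, groups and OUs are assumptions, not the customer's.
ROLES = {
    "AD-Employee": BasicRole("AD-Employee",
        (("givenName", "givenName"), ("sn", "sn"), ("mail", "mail"), ("department", "department")),
        (("smartCardLogon", "true"), ("remoteLogin", "false"))),
    "AD-Contractor": BasicRole("AD-Contractor",
        (("givenName", "givenName"), ("sn", "sn"), ("mail", "mail")),
        (("smartCardLogon", "false"), ("remoteLogin", "false"))),
    "GRP-Finance": GroupRole("GRP-Finance", ("CN=Finance-Read,OU=Groups,DC=example,DC=local",)),
    "GRP-VPN": GroupRole("GRP-VPN", ("CN=VPN-Users,OU=Groups,DC=example,DC=local",)),
    "OU-Prague": ContainerRole("OU-Prague", "OU=Prague,OU=Users,DC=example,DC=local"),
}

def desired_account(user: Dict[str, str], assigned: List[str]) -> Dict:
    """Derive the fully specified AD account from a user's role assignments.
    Exactly one basic role and one container role are required; group roles are optional."""
    roles = [ROLES[r] for r in assigned]
    basic = [r for r in roles if isinstance(r, BasicRole)]
    containers = [r for r in roles if isinstance(r, ContainerRole)]
    if len(basic) != 1 or len(containers) != 1:
        raise ValueError(f"{user['uid']}: exactly one basic role and one container role required")
    return {
        "attributes": {ad: user[idm] for idm, ad in basic[0].attribute_map},
        "settings": dict(basic[0].settings),
        "memberOf": {g for r in roles if isinstance(r, GroupRole) for g in r.groups},
        "container": containers[0].container,
    }

def reconcile(uid: str, desired: Dict, actual: Optional[Dict]) -> List[str]:
    """List every difference between the role-implied state and the AD state."""
    if actual is None:
        return [f"{uid}: account missing in AD"]
    findings = []
    for section in ("attributes", "settings"):
        for key, want in desired[section].items():
            have = actual.get(section, {}).get(key)
            if have != want:
                findings.append(f"{uid}: {section[:-1]} {key} is {have!r}, expected {want!r}")
    actual_groups = actual.get("memberOf", set())
    for g in sorted(actual_groups - desired["memberOf"]):
        findings.append(f"{uid}: extra group {g} not granted by any group role")
    for g in sorted(desired["memberOf"] - actual_groups):
        findings.append(f"{uid}: missing group {g}")
    if actual.get("container") != desired["container"]:
        findings.append(f"{uid}: in container {actual.get('container')!r}, expected {desired['container']!r}")
    return findings

def run_report(users, assignments, ad_accounts) -> Dict[str, List[str]]:
    """Reconcile every IdM user; an empty list means the account matches its roles."""
    return {u["uid"]: reconcile(u["uid"], desired_account(u, assignments[u["uid"]]),
                                ad_accounts.get(u["uid"])) for u in users}

# Constructed sample: IdM users, their role assignments and an AD snapshot with drift.
USERS = [
    {"uid": "jnovak", "givenName": "Jan", "sn": "Novak", "mail": "jan.novak@example.local", "department": "Finance"},
    {"uid": "mdvorak", "givenName": "Marie", "sn": "Dvorak", "mail": "marie.dvorak@example.local"},
    {"uid": "pkral", "givenName": "Petr", "sn": "Kral", "mail": "petr.kral@example.local", "department": "IT"},
]
ASSIGNMENTS = {"jnovak": ["AD-Employee", "GRP-Finance", "GRP-VPN", "OU-Prague"],
               "mdvorak": ["AD-Contractor", "OU-Prague"], "pkral": ["AD-Employee", "OU-Prague"]}
AD_ACCOUNTS = {
    "jnovak": {"attributes": {"givenName": "Jan", "sn": "Novak", "mail": "jan.novak@example.local",
                              "department": "Accounting"},                      # attribute drift
               "settings": {"smartCardLogon": "true", "remoteLogin": "false"},
               "memberOf": {"CN=Finance-Read,OU=Groups,DC=example,DC=local", "CN=VPN-Users,OU=Groups,DC=example,DC=local",
                            "CN=Legacy-Share,OU=Groups,DC=example,DC=local"},   # group no role grants
               "container": "OU=Prague,OU=Users,DC=example,DC=local"},
    "mdvorak": {"attributes": {"givenName": "Marie", "sn": "Dvorak", "mail": "marie.dvorak@example.local"},
                "settings": {"smartCardLogon": "false", "remoteLogin": "true"},  # setting drift
                "memberOf": {"CN=VPN-Users,OU=Groups,DC=example,DC=local"},     # group no role grants
                "container": "OU=Staging,OU=Users,DC=example,DC=local"},         # wrong OU
    # pkral holds roles in IdM but has no AD account yet
}

def sample_report() -> Dict[str, List[str]]:
    return run_report(USERS, ASSIGNMENTS, AD_ACCOUNTS)

if __name__ == "__main__":
    for uid, findings in sample_report().items():
        print(uid, "OK" if not findings else "")
        for finding in findings:
            print("  ", finding)
```

The report is deliberately read-only: it names each discrepancy with the role that would (or would not) justify it, so an operator can decide per user whether the fix is a missing role assignment in IdM or a cleanup in AD. A bulk-cleanup task of the kind the page mentions would consume the same findings as its input, which keeps the simulation and the enforcement step on one definition of "desired state".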

As a result of the project, the Active Directory accounts, their containers and assigned groups were permanently kept in order and the accounts were automatically managed according to the information from the HR system.
