Creation of Access Control Policy and Management of Accounts, Groups and Devices in AD for ČÚZK
Český úřad zeměměřický a katastrální
For our customer ČÚZK we have created a new Policy for access control and management of accounts, groups and devices in Active Directory. ČÚZK is preparing for the future implementation of IdM and is currently actively working on improving existing processes to make the transition to IdM as easy and painless as possible for the department.
Active Directory is the obvious candidate for IdM control, so the request focused on it.
The requirements were very complex, in particular the rules and procedures for AD administration approval, the division of accounts according to different types including their description, the definition of naming conventions, mandatory attributes, unique identifiers and procedures for approval and placement of accounts in the AD hierarchy.
Due to the very challenging environment of the department, the work was divided into three phases:
In this phase, several analytical meetings were held with key process and infrastructure owners in the department to examine in detail the current state of AD management, including its structure, account creation and requirements implementation.
In this phase, an entirely new AD Policy was developed in collaboration with key stakeholders, based on the current state of AD governance in the department, with processes adapted for future IdM deployments. The policy proposed a new process for requests and approvals, a new way of creating and owning accounts, including the necessary parameters. At the same time, the areas of AD management that need to be changed and adapted to future requirements were defined under the so-called transitional provisions.
Due to the complexity of the structure of the Department, which is reflected in the management of the different parts of AD, the new policy was submitted to stakeholders for comments under the supervision of the future owners of the new AD policy. At this stage, individual comments were addressed and incorporated and consultation was undertaken to ensure that the proposed changes were consistent with legislative requirements.
The result of the project is an AD Management Policy that complies with cyber security requirements, simplifies the AD management process and will be easy to implement in a future IdM solution.