FastLane Enables Role-Based AD Management

ActiveDirectory offers some powerful tools for setting permissions on computersystems, but it views the world through the eyes of a computer, not the eyes ofa manager. As e-business becomes plain-old business, it becomes increasinglycritical for computer infrastructures to reflect the business environment.

FastLane Corp.(www.fastlane.com) hopes to bridge thegap between the computer-centric world of Active Directory and the, well,business-centric world of the larger enterprise. The company's new ActiveDirectory management product, DM/ActiveRoles, provides a role-based interfacefor managing Active Directory.

DM/ActiveRoleslets administrators set permissions for users based on the roles users playwithin the organization. It creates an organizational chart that reflects an organization’smatrix, and then translates it into Active Directory settings.

Whilerole-based access control systems are nothing new, Keith Millar, productmanager at FastLane, says DM/ActiveRoles is the first to be based entirely onActive Directory. Mike Silver, an analyst at GartnerGroup Inc. (www.gartner.com) agrees, but suggests thatclaim could be short-lived as other companies may soon announce similarproducts.

Millar saysFastLane planned to adapt its earlier role-based administration tool DMAdministrator, but realized Active Directory was powerful enough to handledelegation tasks to Windows 2000 users and just needed a front end capable ofrepresenting business organization.

DMAdministrator is a useful product for NT users, Millar says, but adds, “NT 4.0had no granular delegation.” Unlike Windows 2000, administrators could onlyspecify domains for user privileges or give individual accounts specificprivileges. To implement global roles, a separate directory was necessary. WithActive Directory, permission setting is much more flexible.

Fans of DMAdministrator need not worry: Millar says the package will be supported as longas Microsoft continues to support NT 4.0 users.

“The rulesof management have changed with Active Directory,” Millar says. He believesActive Directory will change the way that network administrators manage usersand devices, eliminating access control programs and influencing collaborationenvironments online. “It is very flexible, it is the standard -- everything isbeing written to it,” he says.

Realizingthat Active Directory is powerful enough to perform the delegation duties ofearlier products, FastLane decided to use as many features of Active Directoryas possible to enable role-based administration. “We embrace the nativedelegation features in Active Directory,” Millar says.

Security isone concern FastLane considered when it decided to leverage Active Directoryfor its vision of role-based administration. “We let Active Directory propagatethe security we set,” Millar says. Security for machines, users, and groups canbe set through ActiveRoles, enabled in Active Directory, then appliedthroughout the enterprise with Active Directory’s replication features. Ifsecurity needs to be changed in reaction to an incident, ActiveRoles can speedthe implementation of new security policies. “It lets you tighten down thesecurity in AD,” Millar says.

Millar andSilver both believe administrators will find compelling reasons to implement ActiveRolesor another management product for Active Directory. “Larger organizations aregoing to realize that they need third-party tools for Active Directory,” Silversays. Silver says that Active Directory’s interface is less than intuitive andorganizations with many users will be swamped trying to keep up with users,operating units, and managing the table. A front end like ActiveRoles givesadministrators tools for managing users and ideas on how to approach creatingoperating units and permissions.

“The nativedelegation model is not intuitive,” Millar says. The model is based aroundnetwork topologies and computer related workgroups, not necessarily functionsand departments within the enterprise. “Role-based administration is modeled onthe current business model,” he says.

AlthoughFastLane is first out the gate with a role-based Active Directory front end,Silver expects other vendors to introduce analogous products soon: “All threeof them [FastLane, BindView, and NetIQ], they leapfrog each other.”