Delegation
Delegation is a delicate topic. Tasks related to Active Directory, Microsoft Entra ID, Exchange, and Microsoft 365 are normally not something you would delegate to the general public. But the truth is, anyone, be it help desk technicians or even end users, can handle such tasks given the proper tools.
Imagine a scenario where HR are creating users in AD, adding them to groups, and updating their personal details. All this in a controlled and secure fashion. So how does Adaxes fit in?
Web interface for delegation
The Web interface of Adaxes is the cornerstone that makes delegation work. It enables you to provide intuitive controls to your users, regardless of the tasks you delegate. It doesn't matter whether you delegate user account creation to HR, or allow users to add themselves to groups. They will all see an interface tailored for the specific task they need to perform, and nothing extra.
Every aspect of the Web interface is completely customizable. Forms that your delegates will handle can be incredibly detailed or vice versa, simplified to oblivion. For instance, let's look at this customized user creation form.
Looks simple enough, doesn't it? However, after such a form is submitted, Adaxes can do many wonderful things. For starters, all the missing properties like the Username can be generated from a template.
To step it up a notch, you can configure business rules – automated events that will trigger after user creation and perform all the provisioning steps. Much more reliable than trusting the delegates with doing those steps manually.
In the end, a basic web form submitted by HR nets you a fully provisioned user, and you haven't even lifted a finger. Moreover, HR doesn't need to learn about Active Directory, Microsoft Entra ID, Microsoft 365, or whatever is going on behind the curtains to handle this process.
Delegation of complex tasks
The automation engine of Adaxes lets you delegate tasks of any complexity while keeping this complexity hidden from the delegates. You've just witnessed how business rules work, but what if you want to delegate a workflow not tied to a particular event in your directory? Say, a multi-step task that users need to perform on demand, where granting them the permissions to perform every step would be suicide. What you are looking for are custom commands.
A custom command that deprovisions users is a great example. You can preconfigure all deprovisioning steps, and delegate the rights to execute the command only as a whole. You can even include your own PowerShell scripts in the workflow.
If there is variance in the workflow, a custom command can be configured to request input from the delegates. Again, there is a multitude of options that let you customize what input is requested and how it is handled afterwards.
When compared to granting users the rights to execute PowerShell scripts and perform every step of complex workflows, custom commands come out as a clear winner.
Permissions for delegated tasks
Notice that we haven't said anything about granting permissions until now. That's because it is a vast topic on its own. Rest assured, the role-based access model implemented in Adaxes guarantees your delegates will never have more permissions than they need. You can read more about how permissions are granted in Adaxes in the Role-Based Security article.
Controlled delegation with approvals
Some operations are too sensitive to delegate without some sort of a failsafe. Even the most meticulous users are still humans and can make mistakes. To tackle this, Adaxes lets you add an approval step to any operation.
When a delegate performs an operation (e.g. adds a new group member), Adaxes will suspend it until approval is granted. If the request is denied, for instance, because there is a mistake, the operation will be cancelled as if nothing has happened.
So who approves these operations? Each operation can have different logic for selecting the right approver. It can be anyone you configure, really – administrators, help desk staff, or even the user's manager. Approving requests doesn't take much time or skill, and it's as simple as reviewing an email and clicking a button. Here's what an email with a request to create a user looks like.
Such a request can be reviewed and approved even from a mobile phone, while you are out of office. But what's more important, the ability to review delegated tasks gives you a ton of control. Your users might have the permissions to initiate operations, but in the end, you always have the final say.
Comprehensive logging
Let's face it, unpleasant situations can happen. For instance, someone might disable a user they shouldn't have, by mistake. Luckily, Adaxes tracks every action of every user, and you can immediately pinpoint who is responsible for a particular operation.
This helps you adjust your delegation practices if you find some recurring patterns of mistakes — reconfigure and optimize your workflows, and train your delegates, so such mistakes don't happen in the future.
Even though there might be an inherent risk to delegation, Adaxes does its best to nullify it. Delegation is possible in any organization, and Adaxes supplies you with the tools to make it work. Give it a try, and you'll quickly find out that your users are totally capable of managing themselves.