0 votes

Hi

Trying to figure out Adaxes.
Currently using IBM Identity Manager.
I'm not asking how it's done. It's satisfying to know - if it can be done or not :-)

All our AD user administration is conducted outside the IT department, through delegation and self-service (non-technical web forms).
System administration is still a job for the IT department.

----

We got +100 departments, each department with their own manager(s) and user administrator(s). A department = OU in Active Directory.
1) Is it possible to limit the user administration, for the given department's user administrator, to their own department, without creating a custom webpage for each department ? Except for requests to move users. In this case, the scope must show all departments to make sense.

We got +500 security groups and distribution lists to choose from. Access/removal can be requested from user administrators and from the user.
2) Is it possible to group security groups into categories ?
3) Is it possible - on the Web UI - to present them in these categories ?
4) Is it possible to show a description for each security group on the Web UI ?
This should make it easier for the user to find and select what he/she needs.

Based on local security policies, we fetch the users name from an external system. We send the persons social security number (danish format) and get the users real name in return. Both is stored in AD.
I expect it is possible to communicate with the external system through WSLD. The external system is a govermental IT system and is well documented.
5) Is it possible to put this (mandatory) process into the "Create user" job ?
6) Does Adaxes develop "adapters" / "Connectors" to external systems, based on customers specifications ?
7) Any consulants / resellers in Denmark ?

SMS PAssword reset.
8) Is it possible to configure the SMS passcode reset to a danish telecommunications provider ?

Compliance
A user may only have access to data/systems that is requested/approved by the right persons (roles).
Changes must not be done by server administrators in the IT department !
9) How is compliance enforced / ensured ?
We do not require real time enforcement. A daily check is adequately.

More self-service
We plan to make administration of file shares and functional mailboxes as a self-service.
Users with proper rights may then be able to create, edit and delete those ressources.
The technical creation of the objects is done by scripting and approval workflows.
10) Is is possible to på this feature on the web UI ?

Delegation of roles
That is, a manger can add/remove managers and user administrators for own his department ?
11) Is it possible - on the Web UI - to perform this task ?

Data distribution
Some of our users need to provision data from one system to another, based on specific rules.
It could be username, organizational information, etc. Other IDM systems engine is capable of doing this.
Currntly it's a scheduled job.
12) Can it be done with Adaxews too ?

Danish
Not all our end users speak english.
13) Is it possible to translate the Web UI to danish ?

--- Thanks in advance

by (2.6k points)

1 Answer

0 votes
by (216k points)
selected by
Best answer

Hello,

Thank you for your interest in Softerra Adaxes!

  1. Is it possible to limit the user administration, for the given department's user administrator, to their own department, without creating a custom webpage for each department ? Except for requests to move users. In this case, the scope must show all departments to make sense.

Yes

  1. Is it possible to group security groups into categories ?
  2. Is it possible - on the Web UI - to present them in these categories ?
  3. Is it possible to show a description for each security group on the Web UI ?

Answer to all - Yes

I expect it is possible to communicate with the external system through WSLD. The external system is a govermental IT system and is well documented.
5) Is it possible to put this (mandatory) process into the "Create user" job ?

Probably, you meant WSDL? If so, then Yes. Adaxes allows running PowerShell scripts as a part of the user creation process, and WSDL-compliant web services can be accessed via PowerShell.

  1. Does Adaxes develop "adapters" / "Connectors" to external systems, based on customers specifications ?

Yes, we have a scripting team that can create scripts for interaction between Adaxes and external systems.

  1. Any consulants / resellers in Denmark ?

We don't have resellers in Denmark, but we have a range of consultants and resellers in Europe who work across the whole of the EU. To find reselelrs in the EU, visit the Resellers page and choose any EU country.

  1. Is it possible to configure the SMS passcode reset to a danish telecommunications provider ?

Currently, Adaxes supports Email-to-SMS and HTTP-to-SMS gateways. If your telecommunications provider has such a gateway, Adaxes can be configured to work with it.

Compliance
A user may only have access to data/systems that is requested/approved by the right persons (roles).
Changes must not be done by server administrators in the IT department !
9) How is compliance enforced / ensured ?
We do not require real time enforcement. A daily check is adequately.

We are not sure whether we understand this requirement correctly. Could you expand on it in a bit more detail or maybe provide a couple of examples?

We plan to make administration of file shares and functional mailboxes as a self-service.
Users with proper rights may then be able to create, edit and delete those ressources.
The technical creation of the objects is done by scripting and approval workflows.
10) Is is possible to på this feature on the web UI ?

Yes

That is, a manger can add/remove managers and user administrators for own his department ?
11) Is it possible - on the Web UI - to perform this task ?

You mentioned that a department means an OU in AD. How are managers and user administrators specified for a department? Are they stored in certain attributes of the OU or something else? Can you expand on this in more detail?

Some of our users need to provision data from one system to another, based on specific rules.
It could be username, organizational information, etc. Other IDM systems engine is capable of doing this.
Currntly it's a scheduled job.
12) Can it be done with Adaxews too ?

There is no built-in support for this, but if the other systems provide sufficient means for accessing their functions externally, like APIs, web services etc, then, most probably, it will be possible to configure Adaxes to send and receive data to/from those systems.

Danish
Not all our end users speak english.
13) Is it possible to translate the Web UI to danish ?

Currently, you can translate only a part of the Web interface. The most of the Web Interface language files are plain text resources that can be edited with the help of a text editor, like notepad.exe or something similar. Some resources are compiled into binaries and cannot be edited. In Q3 this year we are going to release a new version of Adaxes with a new version of the Web Interface based upon a different engine. In that version, you will be able to translate the whole of the Web Interface.

By the way, if you don't want to publish some of the data that you you want to share with us on the forum, you can also contact us using our support e-mail: support[at]adaxes.com.

0

Thank you very much for the answers.

----

Compliance
A user may only have access to data/systems that is requested/approved by the right persons (roles).
Changes must not be done by server administrators in the IT department !
9) How is compliance enforced / ensured ?
We do not require real time enforcement. A daily check is adequately.

We are not sure whether we understand this requirement correctly. Could you expand on it in a bit more detail or maybe provide a couple of examples?

Examples:
1) A server manager (in the IT department) adds an end user to a security group, through the Active Directory Users and Computers console.
This request in not requested properly by the given end users managers, user administrator and/or not approved by the security group's administrators (approvers). Compliance enforce, that the given user is removed from the security group.

2) A server manager (in the IT department) changes the email address of an end user, through the Exchange management console.
The email address is not formatted correctly and does not meet company standards.
Compliance enforce the email address to be corrected to meet company standards, or deleted.

In our current system, a compliance check is executed automatically once a day or on request from the console.

Maybe it's very/too costly to obtain enforcement, because it requires the AD/Exchange account parameters to be stored in a database, as a base for comparison ? (Maybe this compliance enforcement is what makes "real" IDM system so expensive ?)
If so - how can I ensure our manages, that their users only have access to what the formally have been given ?

----

*That is, a manger can add/remove managers and user administrators for own his department ?
11) Is it possible - on the Web UI - to perform this task ?

You mentioned that a department means an OU in AD. How are managers and user administrators specified for a department? Are they stored in certain attributes of the OU or something else? Can you expand on this in more detail?*

Well, today it is saved in the IDM system database. However, we could create two security groups for each department (managers and administrators) and put approval workflow on these.

----

Thanks in advance.

Related questions

0 votes
1 answer

Hi, We have a scenario in which our E3, windows 10/11 licenses, Exchange Online, etc are assigned by various security groups. We do however assign certain licenses, Power ... changed so that we can pick which licenses not to attempt to revoke? Thanks, Gareth

asked Feb 2, 2023 by gareth.aylward (180 points)
0 votes
1 answer

is it possible to allow a user to enroll for both options, or even only one option out of the two available? I would like to give my users the choice to use either. Some users may not want an authenticator, but other's might do.

asked Nov 6, 2019 by mashworth (80 points)
0 votes
1 answer

Morning team, I have two questions about reports I created a container for our helpdesk and adding reports there. Each time a new report was added, I need to ... country name should be Germany and company name should be MyCompany Is that possible? Thanks!

asked Aug 14 by wintec01 (1.5k points)
+1 vote
1 answer

When building a form, is there a way I can request the user to answer questions? I understand there is the adm-customattributes that aren't stored in AD, but I don' ... the reason why, rather than just seeing "What" change is being requested. Thank You!

asked Mar 1, 2023 by Edogstraus00 (490 points)
0 votes
1 answer

Is there anyway we can get an Adaxes administrator to be able to access the security the questions and answers from the “Password Self-Service Policies” portal for our users?

asked Feb 17, 2022 by JoeG (40 points)
3,549 questions
3,240 answers
8,232 comments
547,822 users