Controlling access based on role and/or location with ADFS

“Access” is one of those words that sounds simple but carries such far-reaching implications that it must be carefully considered, planned for, and managed at all times.

Questions to Answer Before Granting Access With AD FS

When planning access to information resources, there are several questions you must answer every time someone requests access.

  • Who is requesting access?

Are you certain they are who they say they are? Many tools exist that can increase your certainty. Multi-factor Authentication (MFA) is the strategy most people often think of. Here, information received from the user’s device is added to that person’s ID and password to increase the difficulty of requesting access. The information, usually a multi-digit number, changes every minute, so the user must possess the device and be able to obtain the number when logging in.

  • What is this user’s role in the organization?

There’s more to who you are than just your name. Roles-Based Access Control (RBAC) determines what resources each user has the right to access, and whether they can just read, read and write, delete, create, and change conditions and contents of each resource. Users may inherit certain rights when they are assigned to specific groups that have specific rights assigned, making it far easier to manage more users faster and more easily.

  • Which device is this person using to access resources?

You may want to reduce or restrict user access to certain resources based on the fact that they are using a smartphone or a personally owned device.

  • Where are they physically located when trying to access resources?

Some organizations only allow people to access highly sensitive data when located within their own premises (and not from outside) or on their corporate network directly rather than connected via an external network.

  • When is the user attempting to access resources?

Some organizations restrict access to business-critical resources only during regular business hours.  Anyone trying to access those resources outside of those hours will be refused, and the attempt will be reported.

Why You Want So Much Control

There’s much more to manage than ever before, and so many bad actors trying to steal and/or damage your valuable data resources. Failure to implement granular control over who can access what, when, and from where is like giving everyone the master key to every door. You simply can’t afford to do that any longer. It’s no longer enough to simply protect at the main gate; you must protect at the door to every room in every building.

How This Control Is Provided

You exercise control over your resources through Active Directory, the core database developed by Microsoft to provide one place to identify all objects and their relationships to one another. To accommodate the growing number of organizations that want to be able to interoperate with other organizations and still maintain tight control, Microsoft added Active Directory Federation Services to enable entire domains to interact.

The key to success in managing Active Directory and its Federation Services is to exercise control at the most granular level possible while grouping objects as much as possible to achieve greater efficiency.

Active Directory Agility from Agile IT

This is one of the main reasons customers choose to partner with Agile IT. Our expertise and experience in managing Active Directory for organizations large and small enables us to deliver the kind of guidance you need when planning, executing, and managing your Active Directory environment. To learn more about controlling access to your resources based on role, location, and much more, contact Agile IT today!

Published on: .

This post has matured and its content may no longer be relevant beyond historical reference. To see the most current information on a given topic, click on the associated category or tag.

How can we help?


Let's start a conversation

location Agile IT Headquarters
4660 La Jolla Village Drive #100
San Diego, CA 92122

telephone-icon + 1 (619) 292-0800 mail-icon

Don’t want to wait for us to get back to you?