This white paper explores the challenges of practicing Data Access Governance (DAG) for unstructured, or human-generated, data. Specifically, we look at how control of access to unstructured data is split between Active Directory and the repository where the data is stored (e.g. a file system). Because of this split, traditional DAG solutions, such as Identity Access Management or Governance products, do not natively have the insight necessary to adequately manage access to resources that contain unstructured data. Furthermore, even if IAM solutions did have insight into Active Directory and file systems, the convoluted structure of Active Directory groups often prevents the IAM product from accurately removing or provisioning access to a specific resource.
To address this problem, we discuss the benefits of implementing resource-based Active Directory groups as part of an organization’s desired access model. Using a dedicated group in Active Directory to provision access to a specific resource on the file system allows IAM products to provision or deprovision access to that resource simply by adding or removing users from a security group in Active Directory. To learn about Microsoft’s recommendations for Active Directory group structure, please visit our blog post on the matter.
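The difference between the two group models can be measured as the access a user loses beyond the one resource being revoked. The following is an added example, not code from the white paper or from any IAM product: a small Python model that resolves nested group membership and computes that collateral loss for a reused, nested group and for a resource-based group. All group, user and share names are constructed, and the model assumes access is granted only through groups on the ACL (no direct user entries or deny entries).

```python
# Constructed model: every group, user and share name below is made up.
from collections import defaultdict

def expand(group, members, seen=None):
    """Users in `group`, following nested groups."""
    seen = set() if seen is None else seen
    if group in seen:  # guard against circular nesting
        return set()
    seen.add(group)
    users = set()
    for m in members.get(group, ()):
        users |= expand(m, members, seen) if m in members else {m}
    return users

def access(members, acls):
    """Map each user to the resources their group memberships grant."""
    result = defaultdict(set)
    for resource, groups in acls.items():
        for g in groups:
            for u in expand(g, members):
                result[u].add(resource)
    return result

def collateral(user, group, target, members, acls):
    """Resources besides `target` that `user` loses when removed from `group`."""
    before = set(access(members, acls)[user])
    trimmed = {g: [m for m in ms if (g, m) != (group, user)]
               for g, ms in members.items()}
    after = set(access(trimmed, acls)[user])
    if target in after:
        raise ValueError(f"{user} still reaches {target} through another group")
    return before - after - {target}

# Role-style groups reused across several ACLs, with nesting.
LEGACY_MEMBERS = {"Finance-Staff": ["alice", "bob"],
                  "HQ-Users": ["Finance-Staff", "carol"]}
LEGACY_ACLS = {r"\\fs01\Finance": ["Finance-Staff"],
               r"\\fs01\Budgets": ["Finance-Staff"],
               r"\\fs01\Common": ["HQ-Users"]}
# One group per resource, users as direct members.
RESOURCE_MEMBERS = {"FS01_Finance_RW": ["alice", "bob"],
                    "FS01_Budgets_RW": ["alice", "bob"],
                    "FS01_Common_RW": ["alice", "bob", "carol"]}
RESOURCE_ACLS = {r"\\fs01\Finance": ["FS01_Finance_RW"],
                 r"\\fs01\Budgets": ["FS01_Budgets_RW"],
                 r"\\fs01\Common": ["FS01_Common_RW"]}

if __name__ == "__main__":
    print(collateral("alice", "Finance-Staff", r"\\fs01\Finance", LEGACY_MEMBERS, LEGACY_ACLS))
    print(collateral("alice", "FS01_Finance_RW", r"\\fs01\Finance", RESOURCE_MEMBERS, RESOURCE_ACLS))
```

In the nested model, removing the user from the reused group also drops the two other shares; in the resource-based model the same revocation has no side effects. The `ValueError` path covers the case where the user's access comes through an indirect membership that a single group removal cannot undo.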