[unisog] Soft Tools for Managing AD Accounts: PeopleSoft Integration?
Jon E. Mitchiner
jon.mitchiner at gallaudet.edu
Thu Sep 6 13:08:21 GMT 2007

Martin,

The process at Gallaudet for account creation and termination is
exclusively tied into PeopleSoft. For Faculty and Staff, if the user is
to get an account, they need to be activated into PeopleSoft. Our
web-based application, which we developed in house about 5 years ago,
pulls a list of active employees in PeopleSoft and then compares it with
Active Directory.

Account termination is another thing and I've never been comfortable
having it automated. I'd hate to come in one morning and find one of
the top administrators' accounts has been deleted. Even worse, if all
accounts were deleted because of a bug. We would probably keep this as
a manual process where someone has to approve any account deletion. In
reality, we don't delete accounts and instead disable them for about 30
days. If no one complains then the account is deleted.

Essentially, what we have done is shift the burden for account creation
to Human Resources. If someone claims that they already submitted the
paperwork then I tell them to talk to the Human Resources department.
When Human Resources stops paying someone and takes them off the active
pay status, then they are considered no longer an employee.

We do permit department heads to contact us directly to let us know if
we need to terminate or disable an account at a moment's notice without
having to go through human resources.

Jon

Jon E. Mitchiner
ITS Director
(202) 651-5300
(202) 651-5477 (Fax)

Martin Manjak wrote:
> Our campus is laboring under the effort to manage employee AD accounts.
> PeopleSoft is our HR system of record and the problems arise as staff
> are hired, depart, or move from one OU to another. Currently, AD account
> management is largely a manual process as departmental liaisons submit
> requests for new accounts or terminations that have to be correlated
> with the employee's status in HR.
>
> A desired state would enable departmental staff, who already have the
> authority to authorize accounts, to manage this activity directly (with
> the appropriate verifications against the HR records).
>
> James A. McCloskey provided an excellent example of access management
> and reporting to the list early in August. I was wondering if anyone was
> facing similar challenges on the account creation and termination side.
>
> We are considering developing web-based applications that integrate with
> AD, but a better solution would leverage the existing PeopleSoft web
> portal and permissions structure. Is there a PS AD module?
>
> At any rate, I'd be very interested to hear how other folks are handling
> AD accounts management.
>
> Martin Manjak
> CISSP, GIAC GSEC-G, GCIH
> Information Security Officer
> University at Albany
> MSC 209 437-3813
> "Information security controls should be considered at the systems and
> projects requirements specification and design stage."
> ISO/IEC 17799 Code of Practice for Information Security Management
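
The reconciliation described in the reply above (compare the HR active list with the directory, disable rather than delete, and leave deletion to a person) can be sketched as follows. This is an added example, not Gallaudet's application: the function and field names, the sample accounts, and the 10% cap on routine disables are assumptions made for illustration, and the code only produces a plan without touching any directory.

```python
from datetime import date, timedelta

GRACE = timedelta(days=30)   # the post: disabled for about 30 days, then deleted
MAX_DISABLE_FRACTION = 0.10  # assumed safety cap, not a figure from the post

class FeedLooksWrong(Exception):
    """The HR list would disable an implausible share of enabled accounts."""

def plan_changes(hr_active, ad_accounts, today, urgent=frozenset()):
    """Return proposed changes; nothing here touches the directory.

    hr_active   -- usernames on active pay status in the HR system
    ad_accounts -- {username: {"enabled": bool, "disabled_on": date or None}}
    urgent      -- usernames a department head asked to disable right away
    """
    hr_active, urgent, known = set(hr_active), set(urgent), set(ad_accounts)
    enabled = {u for u in known if ad_accounts[u]["enabled"]}
    routine = enabled - hr_active - urgent
    # A truncated or empty HR export must not disable the whole directory.
    if len(routine) > MAX_DISABLE_FRACTION * len(enabled):
        raise FeedLooksWrong(f"{len(routine)} of {len(enabled)} enabled accounts not in HR list")
    expired = [u for u in known - enabled - hr_active
               if ad_accounts[u]["disabled_on"] is not None
               and today - ad_accounts[u]["disabled_on"] >= GRACE]
    return {"create": sorted(hr_active - known - urgent),
            "disable": sorted(routine | (enabled & urgent)),
            "delete_needs_approval": sorted(expired)}  # a person signs off on these

# Constructed sample data: 20 enabled accounts and two already disabled.
SAMPLE_AD = {f"u{i:02d}": {"enabled": True, "disabled_on": None} for i in range(20)}
SAMPLE_AD["old1"] = {"enabled": False, "disabled_on": date(2007, 8, 1)}
SAMPLE_AD["old2"] = {"enabled": False, "disabled_on": date(2007, 8, 30)}
SAMPLE_HR = {f"u{i:02d}" for i in range(19)} | {"newhire"}  # u19 left, newhire joined

if __name__ == "__main__":
    plan = plan_changes(SAMPLE_HR, SAMPLE_AD, date(2007, 9, 6), urgent={"u05"})
    for action, users in plan.items():
        print(action, users)
```

An empty or truncated HR list raises `FeedLooksWrong` instead of producing a plan, which covers the "all accounts deleted because of a bug" case at the disable stage as well.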