Direct Active Directory User and Group Management for Canto Cumulus (or any other Software Solution)

Nextware Technologies

Nextware is the leading implementation, integration and support specialist for Canto Cumulus and Softerra Adaxes (= Active Directory Automation Solution) in North America. We provide services ranging from needs assessment, implementation, integration, custom development and training to ongoing maintenance and support of these two solutions. So we thought: why not “marry” these two solutions to get the best of both worlds?

Challenges

Many Canto Cumulus clients manage their users and user groups/roles through their Active Directory. This preserves IT's ability to centrally control all solution access. While CIOs and IT managers understandably want to stay in control of Active Directory access, endusers and DAM managers are consequently left out, as they fully depend on IT staff to:

  1. Add, modify, delete, disable, enable, block or unblock DAM endusers
  2. Change security group memberships (to elevate users to higher permission roles in Cumulus)
  3. Create new security groups matching new permission roles in Canto Cumulus
  4. Rename existing security groups to match renamed permission roles in Canto Cumulus
  5. Reset or change DAM enduser passwords

Once Canto Cumulus is integrated with Active Directory, there is no possibility even for a DAM manager with Cumulus super administrator permissions to facilitate any of the changes listed above. In addition, in larger corporations, any of these changes can take hours in the best case scenario and a week or more in the worst case scenario, until they are executed by IT staff. This is not only frustrating for DAM managers and endusers, but also lowers productivity and the chances of enduser adoption of the DAM solution. It may even cause endusers to have higher permission access much longer than they should have!

Solution

Softerra Adaxes’ end-user friendly web interface puts all these changes into the hands of DAM managers and endusers, all without jeopardizing IT security or changing any aspect of the existing AD integration of Canto Cumulus. Your IT department still maintains control over users and security groups in Active Directory, but gives tightly limited and controlled, web-based access to just the AD changes DAM managers and endusers should be able to facilitate themselves.

This increases the productivity of IT staff, too, as they do not have to deal with dozens of group membership assignments/changes, password resets and account unlocks every day, to name just a few. Features like self-password reset take this a step further, with endusers being able to change and reset their passwords themselves, without ever involving IT and/or the DAM manager of a Canto Cumulus solution.

Further, valid concerns of IT managers such as password history, complexity & expiration policies, auto-account disable workflows as well as two-factor authentication can easily be implemented and enforced through Adaxes, too … removing ever more work from the already full plate of IT staff and DAM managers, so they can use that time for more productive tasks!

Nextware can assist you not only with implementing Adaxes, but also with seamlessly integrating it with Canto Cumulus, both for DAM admins and for endusers. The screenshots below give you an idea of just a few possible implementations:

DAM Managers creating AD users and assigning them to groups
(= matching Cumulus permission roles)

Through Adaxes’ user-friendly web interface, DAM managers can be granted access to create users in very specific OUs only and with very specific restrictions, for example which fields they can edit and what naming conventions these fields have to adhere to. A typical example is forcing the logon name to be auto-constructed from %firstname%.%lastname%, as in the example below:

Further, depending on what type of user they created, they can be asked to assign users to very specific groups and/or in very specific OUs only:

Once a user has been set up, automatic (and customizable) notifications with all initial login details will be sent to the new user, outlining all steps required to complete the initial account setup:

Enduser Changing Initial Password

After a DAM admin has set up a new user, this step enables endusers to change the initial password given to them by the DAM Manager to their own, safer password. Note that the initial password does not yet grant access to any system, including Cumulus, but only to their user profile:

Password history and complexity policies can ensure (at any step, including this one) that the enduser’s new password adheres to the security policies of your organization.

Once a user has set their own password, they can log into Cumulus moving forward.

Enduser Enrolling in Self-Password Reset

The next step enables endusers to reset their password themselves, if they ever forget it. Automatic daily, weekly or monthly reminders can be sent to all users who have not yet enrolled, until they enroll. These reminders can be shown as a pop-up in their user profile (see below), but can also be sent by email.

Self-password reset requires endusers to answer a set of security questions. These questions can be customized 100% in your self-password reset policy: number of questions, the questions themselves, that answers have to be different for each question, how many questions need to be answered and so forth.

Endusers Changing Their Own Password

Once in a while, endusers might want to change their password. Adaxes can also be configured so that all (or specific) endusers are forced to change their password at certain intervals. Whether the user wants to change the password on his/her own or is forced to through a password expiration policy, endusers can change their password themselves through their user profile:

Once again, this step will honor password history, complexity & expiration policies required by your IT department.

Once the password has been changed, you can also auto-notify the user to make sure they know it was them who changed the password:

Endusers Resetting Their (Forgotten) Password

We all have to remember dozens of passwords and it is thus only normal that endusers might forget one, especially for systems they might only use occasionally. Since they previously enrolled in self-password reset, regaining access will be a breeze for them. Once they click on “Forgot your password”, they will be directed to self-password reset:

As an extra layer of security, this could include a captcha step:

Once past the captcha, the user has to answer his/her security questions. This dialog is fully customizable, for example in terms of how many of their security questions endusers have to answer correctly. In this example, they have to answer 2 of 3 correctly:

Once they answer at least 2 of 3 security questions correctly, they can reset their password:

Last, but not least, you can auto-notify them about their self-password reset, to (once again) ensure they know the change was initiated by them and not someone else.

Integration with Canto Cumulus

The Adaxes user profile can easily be integrated with Cumulus through a custom “Manage Password” button linking to the Adaxes user profile on the login page of Cumulus Web Client and/or Portals:

Benefits

In summary, the combination of [1] Canto Cumulus (integrated with Active Directory) + [2] Softerra Adaxes’s Web Interface (for direct AD Management access) provides the following key benefits:

  1. Much faster response times to enduser requests related to their user accounts and passwords, often with no DAM Manager or IT involvement at all
  2. Much faster setup and modification of users and their roles by DAM Managers
  3. Significant decrease of IT/help desk requests by both DAM Manager and endusers
  4. Significant decrease of help requests sent by endusers to DAM Manager

And as we all know: time is money. This solution will pay off quickly as a result. Also keep in mind that the usage of Softerra Adaxes is by no means restricted to Canto Cumulus only. Once implemented for your organization, it can be used for a whole range of other purposes and a gamut of different workflows, by any department, for any software solution that is AD integrated. So the ROI is not restricted to Canto Cumulus only.

For more information, contact our Nextware team who will be happy to answer your open questions and demo this solution to you live.