Help-desk-assisted Active Directory self-service using ADSelfService Plus

Approval-based workflow for self-service

For businesses reeling under the effort and costs associated with help-desk-assisted account unlocks and password resets, self-service is a great solution, as it empowers end users to solve their own IT problems. However, some businesses stay away from deploying a self-service solution due to security concerns. For example, even though it is tedious for the help desk to maintain up-to-date profile information of every user in Active Directory, organizations may not allow end users to update their own profile information in Active Directory for fear of losing control over security and data consistency.

ADSelfService Plus, an identity security solution with MFA, SSO, and self-service password management capabilities, helps organizations maintain their security stance by enabling admins to review and approve users' self-service actions, such as updating their profile information or resetting their passwords.

Help desk software with an approval workflow feature, such as ADManager Plus, is required for the review and approval process. The approval workflow rules set by the admin in the help desk tool determine who can review and approve the self-service requests. In ADManager Plus, admins can create and modify any number of self-service approval workflow rules for different types of requests. For all self-service actions, admins verify users’ identities by configuring security questions based on Active Directory attributes. Once ADSelfService Plus is integrated with ADManager Plus, users' self-service actions are taken as requests instead of being directly updated in Active Directory.

Help-desk-assisted directory update and mail group subscription: How it works

• A user attempts to update their profile information or subscribe to a group. The user proves their identity to ADManager Plus by answering Active Directory-based security questions.
• A request for the self-service action is automatically created and sent to ADManager Plus (the workflow provider).
• A help desk technician reviews the request and approves it based on the workflow rules configured in ADManager Plus. Only the information that complies with the organization’s policies is approved.
• Once approved, the profile information or group subscription is automatically updated in Active Directory by the workflow engine or help desk software.
• The user can view the status of their request in the self-service portal. They can also be notified if their request is declined.

Help-desk-assisted self-service password reset and account unlock: How it works

By enabling an approval workflow for self-service password reset and account unlock actions, admins can give help desk technicians the ability to review and approve user activities. Identities are verified using a set of security questions based on Active Directory attributes, such as "What is your mobile number?" and "What is your department name?" Here’s how the approval workflow model works for self-service password reset and account unlock requests:

• A user clicks the Forgot your password? or Account locked down? buttons from the login screen of the web portal, the mobile app, or their login screen.
• The user is asked to verify their identity via the authentication techniques configured during their enrollment. The user is also required to answer Active Directory-based security questions to prove their identity to ADManager Plus.
• The user receives a pop-up saying that the request has been sent to a technician.
• After reviewing the request, the technician accepts or rejects it. If the request is accepted, the user receives a link via email.
• In the case of a password reset, the link takes the user to the Password Reset page where they can enter their new password. For an account unlock, the link takes them to the Unlock Account page where they can unlock their account after successfully verifying their identity.

Details like who created the request, who approved the request, and when the request was approved are recorded in reports for later use. Users can view the status of their request by logging in to the self-service portal of ADSelfService Plus.

Benefits:

• Ensure security and consistency

  Approval-based self-service gives admins control over users’ self-service actions and ensures that they are handled in a secure, consistent manner.

• Significantly reduce IT service request calls

  Users can create requests on their own without having to call the help desk. This significantly reduces the costs associated with users calling the help desk to submit IT service requests.

• Enforce OU- and group-based policies

  Admins can enforce a self-service approval workflow for one set of users based on their OU or group membership. That is, they have the option to give certain users, like those in the managers OU, a pure self-service experience by excluding them from self-service approval.