You just hired a new employee, great news! Luckily you have an easy onboarding process to get them access to all of the systems that they will need to access… right? If you just had a moment of panic, then keep reading because you're not alone.
Granting access to your databases and servers for a new user can be a painful process if you have to do it in an ad-hoc manner every time. What permissions will they need? Do they just need to log in for a one-time query, or will they need persistent access? By standardizing on a set of roles and the permissions that they should receive, you can simplify the steps involved and eliminate a lot of wasted time trying to dial in to the right mix of access and control.
Provisioning an account for an employee or team member should be simple, and frictionless, and it should ideally tie into the identity system that your company is already using, whether that is a variation of Active Directory, or the perennial favorite OpenLDAP. If this can be self-service, that's even better!
At some point you will also need to deal with deprovisioning. This could be due to the individual in question moving to a new position or a new company, or it could simply be that their account is compromised and you need to protect your systems. If your provisioning process involves creating a set of credentials on each database and SSH server that you manage, whether manually or via tools such as Ansible or SaltStack, then this will be much more involved.
Why does it matter?
In a word, productivity. By ensuring that your users are able to get set up quickly and easily then you are removing barriers to their productivity. When running a critical analysis, or diagnosing a problem on one of your servers requires filing a ticket for access, and then waiting for an administrator to execute on it, that is wasted time and wasted effort.
How To Automate Provisioning
There are a number of ways that you can provision a user in an automated or self-service fashion. The real challenge lies in keeping track of who those credentials apply to and how long they are valid for. This is of particular importance when deprovisioning the user's account.
The first pass of automating user provisioning will often be in the form of shell scripts or a module in your configuration management tool of choice. The real difficulty occurs in the handoff of credentials from administrator to user. There are tools such as Keybase, Magic Wormhole, or the recently released Firefox Send but they all still require some measure of coordination between the user requesting access and the administrator providing the credentials. There is also no oversight of what anyone does with those credentials once they have been delivered.
The next option is to perform the provisioning automatically by leveraging your existing identity platform. In the case of LDAP or Active Directory that typically involves deploying and configuring an agent that integrates with your server's authentication system. This is convenient and easy once it is set up, but getting it configured and maintaining it across your entire infrastructure can be a challenging and time-consuming endeavor.
How We Do It
The way that we have approached this problem in strongDM is to push the complexity of creating and managing accounts into the proxy layer, thereby reducing the surface area of the problem. Rather than forcing you to integrate your identity service into each system that you manage, strongDM speaks every native database & server protocol and gives you one place to manage access and authorization.
From a user's perspective, in order to query a database, ssh or RDP to a server, they log into strongDM using their existing SSO. strongDM acts as a local proxy, assigning a port to each database or server and then intelligently routing the session (see screenshot below). Users no longer need to keep track of individual database credentials or key pairs.
You can onboard new hires through your SSO, through strongDM or CLI automation to provision a new user and assign them to roles that inherit all appropriate database & server permissions.
You may use the sdm admin users add --template > import.json command to get a JSON template to modify for later import.
Here’s an example JSON for adding two users. Each user must have a unique email.
Once you have created your JSON, you can easily import it into strongDM.
sdm admin users add --file import.json
From an administrator's perspective, there is only one integration that needs to happen for each server or database, rather than a multitude. Once the strongDM gateway has been configured, their job is done. Provisioning and deprovisioning of users is a much simpler process. Simply provision a new hire in your existing SSO, direct them to install the strongDM client and you’re done. That account can live directly in strongDM if you don't have a company directory, or they can delegate to the single sign on platform that your company uses everywhere else.
If you want to learn more about how to use strongDM for building a push-button provisioning process, simply sign up for a free-trial and get started in minutes.