What are nested security groups?

In many IT environments, access is controlled by collecting individual user accounts into security groups and then granting or denying access to organizational IT resources to those groups rather than to individual user accounts.

For instance, in IT infrastructures built on Microsoft Windows Server, Active Directory security groups are used to collect domain user accounts into a single security principal, and access to IT resources such as SharePoint portals or file servers is then granted or denied to these security groups.

In many cases it is convenient to make one security group a member of another security group, so that access can be granted to a large collection of users in one step. Making one security group a member of another is referred to as group nesting, and the groups involved are then referred to as nested security groups, since they are, well, nested.

While nesting security groups can be helpful, it can also be problematic: it makes nested groups hard to identify, and it makes it harder to determine who ultimately has what access, because a user's effective access is the union of every group they belong to directly and every group those groups are nested in, however many levels deep. This becomes especially hard to reason about when groups are nested beyond two levels, and Active Directory does not prevent a group from being nested, through one or more intermediaries, inside itself. Nesting is also constrained by group scope (for example, a global group cannot contain a domain local group), so not every nesting an admin wants is even possible. In such cases a variety of tools can be used to identify nested groups. In particular, IT admins can use Active Directory reporting tools to identify nested groups and their depth, and then use the native Microsoft security group management tools to manage those groups.
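To make the "who ultimately has access" question concrete, here is an added PowerShell example (not from the original post, and not one of the Microsoft tools it mentions) that walks a group's nested membership recursively, reports every user together with the group through which they gained access and how deep the nesting is, and stops on circular nesting instead of looping forever. The $groups table is a constructed sample with hypothetical group and user names; the commented block at the end shows how the same table could be built from a real domain with the ActiveDirectory module.

```powershell
# Added example: resolve effective membership of nested AD security groups.
# $groups is a CONSTRUCTED in-memory sample (hypothetical names), keyed by group
# name, with each value listing that group's direct members (users or groups).
$groups = @{
    'FileServer-Finance-RW' = @('G-Finance', 'jdoe')
    'G-Finance'             = @('G-Finance-Analysts', 'G-Finance-Managers', 'asmith')
    'G-Finance-Analysts'    = @('bjones', 'G-Contractors')
    'G-Finance-Managers'    = @('cwhite')
    'G-Contractors'         = @('dgreen', 'G-Finance-Analysts')   # circular nesting, on purpose
}

function Get-EffectiveMembers {
    # Emits one object per membership edge reachable from $Group.
    # Depth 1 = direct member, Depth 2 = member of a nested group, and so on.
    param(
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][hashtable]$Graph,
        [int]$Depth = 0,
        [System.Collections.Generic.HashSet[string]]$Visited = $null
    )
    if (-not $Visited) {
        # AD names are case-insensitive, so compare them that way
        $Visited = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    }
    # A group already expanded on this walk is either a cycle or reachable by a
    # second path; either way its members were already reported, so do not descend again.
    if (-not $Visited.Add($Group)) { return }

    foreach ($member in $Graph[$Group]) {
        if ($Graph.ContainsKey($member)) {
            $note = if ($Visited.Contains($member)) { 'already expanded (cycle or second path)' } else { '' }
            [pscustomobject]@{ Kind = 'Group'; Name = $member; ViaGroup = $Group; Depth = $Depth + 1; Note = $note }
            Get-EffectiveMembers -Group $member -Graph $Graph -Depth ($Depth + 1) -Visited $Visited
        } else {
            [pscustomobject]@{ Kind = 'User'; Name = $member; ViaGroup = $Group; Depth = $Depth + 1; Note = '' }
        }
    }
}

$resolved = Get-EffectiveMembers -Group 'FileServer-Finance-RW' -Graph $groups

# Everyone who ultimately has the access granted to FileServer-Finance-RW, with the path in
$resolved | Where-Object Kind -eq 'User' | Sort-Object Name -Unique | Format-Table Name, ViaGroup, Depth

# Nesting edges deeper than two levels, plus any circular nesting the walk ran into
$resolved | Where-Object { $_.Kind -eq 'Group' -and ($_.Depth -gt 2 -or $_.Note) } |
    Format-Table Name, ViaGroup, Depth, Note

# Real domain (assumption: RSAT ActiveDirectory module installed). Builds the same
# hashtable from the groups' "member" attribute; names are resolved with Get-ADObject.
# $groups = @{}
# Get-ADGroup -Filter * -Properties member | ForEach-Object {
#     $groups[$_.Name] = @($_.member | ForEach-Object { (Get-ADObject -Identity $_).Name })
# }
```

On the sample above the walk reports dgreen as having access at depth 4 (FileServer-Finance-RW > G-Finance > G-Finance-Analysts > G-Contractors), which is exactly the kind of entitlement that is invisible when you only look at a group's direct members. The built-in Get-ADGroupMember -Recursive gives a flattened list of users but not the group through which each one got in, and it is the "via" path you need when deciding whether a nesting is still justified.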

Overall, security group nesting for the purpose of access control is helpful when used carefully, with nesting depth kept shallow and reviewed regularly, and problematic when used haphazardly.
