{"id":106610,"date":"2024-02-26T16:48:18","date_gmt":"2024-02-26T21:48:18","guid":{"rendered":"https:\/\/jumpcloud.com\/?p=106610"},"modified":"2024-02-27T16:59:44","modified_gmt":"2024-02-27T21:59:44","slug":"nested-groups","status":"publish","type":"post","link":"https:\/\/jumpcloud.com\/blog\/nested-groups","title":{"rendered":"Why Nested Groups Don\u2019t Exist in the Cloud\u00a0"},"content":{"rendered":"\n
Every Active Directory (AD) admin is familiar with nested groups. Rights are assigned to objects by virtue of their membership in a hierarchy of groups; that\u2019s just how things work. It\u2019s convenient and makes entitlement management easier\u2026 until you consider how poorly the model supports identity governance. What once worked well now increases security risk and management overhead.<\/p>\n\n\n\n
Cloud directories have the benefit of shedding that type of technical debt. However, they require a change in how admins think about entitlements. The benefits that a flat structure brings to IT efficiency and security may not be obvious at first, even though attribute-based access control<\/a> (ABAC) addresses identity governance problems that have been festering for the past 20 years.<\/p>\n\n\n\n This brief examines why nested groups have become undesirable and discusses how cloud directories automate user\/device lifecycles and enable more effective work through dynamic groups. You\u2019ll also learn how cloud directories can improve your security posture.<\/p>\n\n\n\n AD is a directory services database that uses the Lightweight Directory Access Protocol (LDAP<\/a>) for reading and writing its data. Its architecture lets admins make one AD security group<\/a> a member of another, thus \u201cnesting\u201d one group within another. Members of the nested group then inherit the permissions and rights assigned to the parent group, and that inheritance continues up through every level of nesting. That concept is simply referred to as nested groups<\/em>.<\/p>\n\n\n\n Security groups in AD grant users and resources permission to access shared IT assets, and membership is assigned either manually or with PowerShell scripts built around elaborate if-else conditions. Nesting is convenient for user provisioning when roles and functions are well specified; however, it is vulnerable to human error. Because a user\u2019s effective rights are the union of the rights of every group reachable through the nesting chain, a single forgotten membership or an over-broad parent group silently over-provisions everyone below it. It\u2019s important that best practices are followed to avoid security breaches due to forgotten users or overprovisioning.<\/p>\n\n\n\n Add-ons such as Microsoft Identity Manager (MIM) were created out of necessity to manage the identity lifecycle, because AD\u2019s group model provides no automated user management and no ability to synchronize identities between systems. An entire ecosystem of add-ons exists for this purpose.<\/p>\n\n\n\n Admins who don\u2019t take a proactive approach to lifecycle management, whether through access governance or by purchasing add-ons that extend AD\u2019s capabilities, will encounter problems.<\/p>\n\n\n\nWhat Are Nested Groups?<\/h2>\n\n\n\n
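To make the inheritance and the "forgotten user / over-provisioned parent" risk described above concrete, here is an added example; it is not JumpCloud's code and not part of the original post. It models a directory offline as a mapping from each group to its direct members, the same shape as AD's `member` attribute, resolves each user's transitive (nested) group membership, computes the resulting effective entitlements, and then audits which users hold a sensitive entitlement only through nesting. All group names, user names, entitlement strings and the directory layout are constructed sample data. The walk also handles circular nesting, which the post does not discuss but which AD permits, so it goes slightly beyond the text.

```python
"""Resolve effective AD-style nested group membership offline (added example)."""
from collections import deque

# Constructed sample directory: group -> direct members (users or other groups),
# mirroring AD's `member` attribute. Finance-All is nested in Domain Admins by
# mistake, Contractors-2019 was never cleaned up, and Finance-Reporting and
# Finance-All nest each other (circular nesting, which AD allows).
SAMPLE_DIRECTORY = {
    "Domain Admins": {"alice", "Finance-All"},
    "Finance-All": {"bob", "Finance-Reporting", "Contractors-2019"},
    "Finance-Reporting": {"carol", "Finance-All"},
    "Contractors-2019": {"dave"},
    "Helpdesk": {"erin"},
}

# Constructed entitlements attached directly to groups.
SAMPLE_ENTITLEMENTS = {
    "Domain Admins": {"domain:admin"},
    "Finance-All": {"share:finance:read"},
    "Finance-Reporting": {"share:finance-reports:read"},
    "Contractors-2019": {"vpn:contractor"},
    "Helpdesk": {"ad:reset-password"},
}


def parent_groups(directory):
    """Invert member lists into memberOf: principal -> set of groups it is directly in."""
    member_of = {}
    for group, members in directory.items():
        for m in members:
            member_of.setdefault(m, set()).add(group)
    return member_of


def effective_groups(principal, directory):
    """Every group the principal belongs to, directly or through any depth of nesting.

    Breadth-first walk over memberOf with a visited set, so circular nesting
    terminates instead of looping forever.
    """
    member_of = parent_groups(directory)
    seen, queue = set(), deque(sorted(member_of.get(principal, ())))
    while queue:
        g = queue.popleft()
        if g in seen:
            continue
        seen.add(g)
        queue.extend(sorted(member_of.get(g, ())))
    return seen


def effective_entitlements(user, directory, entitlements):
    """Union of the entitlements of every group the user transitively belongs to."""
    rights = set()
    for g in effective_groups(user, directory):
        rights |= entitlements.get(g, set())
    return rights


def audit_indirect_entitlement(entitlement, directory, entitlements):
    """Report users that hold `entitlement` only via nesting, with the chain that grants it.

    Returns {user: [direct_group, ..., group_carrying_the_entitlement]}. Direct
    holders are expected and are not reported; nested holders are the findings.
    """
    member_of = parent_groups(directory)
    users = {m for members in directory.values() for m in members if m not in directory}
    findings = {}
    for u in sorted(users):
        queue = deque((g, [g]) for g in sorted(member_of.get(u, ())))
        seen = set()
        while queue:
            g, path = queue.popleft()
            if g in seen:
                continue
            seen.add(g)
            if entitlement in entitlements.get(g, set()):
                if len(path) > 1:
                    findings[u] = path
                break
            queue.extend((p, path + [p]) for p in sorted(member_of.get(g, ())))
    return findings


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave", "erin"):
        print(user, sorted(effective_entitlements(user, SAMPLE_DIRECTORY, SAMPLE_ENTITLEMENTS)))
    for user, chain in audit_indirect_entitlement("domain:admin", SAMPLE_DIRECTORY, SAMPLE_ENTITLEMENTS).items():
        print(f"FINDING: {user} holds domain:admin via {' -> '.join(chain)}")
```

Running the script shows dave, a contractor who should have had VPN access only, ending up as a Domain Admin three hops away from any group an admin would think to review. Against a live domain the same transitive set is what `Get-ADGroupMember -Recursive` returns, or an LDAP query on `memberOf` using the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941); the offline model here exists so the logic can be read and run without a domain controller.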