Create a configuration plan

We want to identify the smallest set of existing PI groups that can define our existing access permissions. Ideally we want to retire all PI user accounts. To see how this works, look at the list of unique access strings we identified in the previous example:

We need to distill our list down into the smallest number of access permission sets and we need to keep track of who currently has that level of access. Another way to look at our current access permissions is as follows:

Looking at the above table, notice the following:

• If we are not going to disable PIWorld, then the pi_ops access permissions are not needed. For the purposes of this example, assume we will continue to rely on PIWorld.

• The PI user nancy and the PI group pi_eng have identical access permissions. Since these access permissions are already defined for pi_eng, we will leave this PI group in place. We need to create a mapping between pi_eng and a Windows group that contains the following users:

  • Windows users represented by the PI user members of pi_eng

  • Windows user represented by the PI user nancy

    We can retire the PI user called nancy.

• The PI user bob has unique access permissions. We have two choices:

  • We can keep the PI user bob and create a mapping between the corresponding Windows user and PI user bob. This gives us Windows authentication, which is much more secure than PI user accounts. We can continue to use the access permissions defined for bob.

  • Another solution would be to create a new PI identity, grant it the same access permissions as bob then map a Windows group containing the corresponding Windows user to this new PI identity.

    We choose to continue using bob for now, but we plan to create a new PI identity and retire the PI user bob in the future.

    

The following table summarizes our new security configuration:

The next step is to create the required mappings and then disable the PI group pi_ops and the PI user nancy.