When Alice goes to work each morning, she takes out her security badge and waves it in front of a sensor at the front door to unlock it automatically. That act of waving her badge “tells” the security system not only that it is Alice at the front door, but also what she has access to within the building. The system responds by looking her up, unlocking the door, and writing an entry to the security log for future reference.
After walking through the front door, Alice enters the accounting offices because she’s the head of Accounting after all! She waves her badge in front of the sensor leading through the door to the Accounting department and the system now verifies whether or not she has access to this restricted area.
Since she’s not only an employee of the company but also a member of the Accounting department, the system once again unlocks the door and creates an entry in the security log. If she were a member of the Sales or Operations team, her badge would fail to unlock the door, because her company decided that access to the Accounting offices is restricted due to certain compliance requirements.
Directory Services follow the exact same process, but instead of granting you access to your office building or space, they grant you access to your computer network. Let’s use the example of Alice once again.
Alice sits down at her computer in the morning and logs into the network at her computer using her standard username and password. The network checks Alice’s credentials, verifies she is authorized to log in, grants her access, and logs the security event for future reference. Sound familiar?
Going a step further, Alice then attempts to access the Accounting folder on the network to review quarterly financials before her staff meeting. After all, she is the head of the Accounting department! She clicks on the Accounting folder and it opens. Why does it open? Because in the directory service on the network (the vast majority of the time this is Microsoft Active Directory) Alice is listed under the Accounting department, and the system knows what level of access she should have (read, edit, delete) to all of the files in this folder. This is exactly how her access to the building worked above.
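The login and folder check described above, as an added Python model (not code from this article or from Active Directory): the group memberships, folder permissions and credentials are constructed sample data, and the password comparison stands in for a real directory login. Every decision, granted or denied, is written to the security log so it can be reviewed later.

```python
import hmac
from dataclasses import dataclass, field

# Constructed directory: which groups each user belongs to (Alice is in Accounting,
# Bob is in Sales). A real deployment would read this from Active Directory.
DIRECTORY_GROUPS = {
    "alice": {"Employees", "Accounting"},
    "bob": {"Employees", "Sales"},
}

# Constructed credential store; a real directory verifies password hashes, not strings.
CREDENTIALS = {"alice": "alice-pass", "bob": "bob-pass"}

# Constructed ACLs: folder -> group -> operations that group may perform.
FOLDER_ACLS = {
    "Accounting": {"Accounting": {"read", "edit", "delete"}},
    "Public": {"Employees": {"read"}},
}


@dataclass
class SecurityLog:
    """The audit trail: one entry per access decision, whether granted or denied."""
    entries: list = field(default_factory=list)

    def record(self, user, resource, op, result):
        self.entries.append({"user": user, "resource": resource, "op": op, "result": result})

    def denied(self):
        # What a reviewer would pull first: every refused attempt.
        return [e for e in self.entries if e["result"] == "denied"]


def authenticate(user, password, log):
    """Step 1: verify who is at the door (the network login)."""
    stored = CREDENTIALS.get(user, "")
    ok = bool(stored) and hmac.compare_digest(stored, password)
    log.record(user, "network", "login", "granted" if ok else "denied")
    return ok


def authorize(user, folder, op, log):
    """Step 2: decide from directory group membership whether the door opens."""
    groups = DIRECTORY_GROUPS.get(user, set())
    acl = FOLDER_ACLS.get(folder, {})
    allowed = any(op in acl.get(group, set()) for group in groups)
    log.record(user, folder, op, "granted" if allowed else "denied")
    return allowed
```

Unknown users and unknown folders fall through to a denial, and the denial is logged just like a refused badge swipe.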
That is the basic concept of Directory Services, and hopefully it shows you why this is a critical function of your IT security program.