Managing user access is one of the most critical yet tedious tasks in IT and development. Manually clicking through admin panels to add or remove users from groups is slow, prone to human error, and a significant security risk. As organizations grow, this manual approach simply doesn't scale.
The gold standard for scalable and secure access management is Role-Based Access Control (RBAC), implemented through group-based permissions. You grant access to roles (e.g., "engineers," "sales-team," "admins"), not individuals. But how do you manage this programmatically, especially in a hybrid environment with a mix of Active Directory, LDAP, Okta, and Azure AD?
The answer lies in automation. This guide will walk you through the challenges of programmatic group management and show you a simpler, more powerful way to automate access control across all your directory services.
Before diving into the "how," let's quickly recap the "why." Shifting from individual permissions to group-based permissions is a foundational security practice with massive benefits:
The benefits are clear, but the implementation is historically complex. Most companies don't have a single, clean directory service. The reality is a messy combination of:
Automating group management means writing code that speaks to each of these systems' unique APIs. You'd need to handle LDAP queries, the Microsoft Graph API, Okta's REST API, and others. This results in brittle, complex code that is a nightmare to build and maintain.
What if you could ignore all that complexity and use a single, universal API for all your identity management needs?
This is where Directories.do reimagines directory services. Our platform acts as a universal translation layer, providing a single, elegant API to manage users, groups, and access across any underlying service.
Instead of wrestling with multiple SDKs and authentication methods, you can perform any user management or access control operation with a simple API call.
Let's see it in action.
Imagine you need to automate your Joiner-Mover-Leaver (JML) process. Here’s how you could handle common scenarios programmatically using our unified API.
A new developer starts today. You need to create their user account and grant them access to engineering resources.
import { directories } from 'sdk.do';
// Create the user and assign them to initial groups
const newEngineer = await directories.users.create({
firstName: 'Alex',
lastName: 'Rivera',
email: 'alex.rivera@example.com',
groups: ['engineers', 'vpn-access'],
attributes: {
employeeId: 'E54321',
githubUsername: 'alex-rivera-dev'
}
});
console.log(`${newEngineer.firstName} provisioned with ID: ${newEngineer.id}`);
// Alex provisioned with ID: usr_def456...
With one API call, Directories.do creates the user in your primary directory (like Active Directory) and adds them to the "engineers" and "vpn-access" groups—whether those groups live in AD, Okta, or Azure AD.
Jane Doe is moving from the product team to an engineering manager role. You need to update her permissions accordingly.
import { directories } from 'sdk.do';
const userId = 'usr_abc123...'; // Jane's user ID
// Remove from old group
await directories.groups.removeMember({
group: 'product-team',
userId: userId
});
// Add to new groups
await directories.groups.addMember({
group: 'engineering-managers',
userId: userId
});
// You can also add a user to multiple groups at once
await directories.users.update({
id: userId,
groups: {
add: ['budget-approvers']
}
});
console.log('User permissions updated for role change.');
Notice the simplicity. You don't need to know where these groups are managed. You just declare the desired state, and Directories.do executes the agentic workflows to make it happen across your connected systems, from an on-prem LDAP API to a cloud IDP.
When an employee leaves, access must be revoked immediately.
import { directories } from 'sdk.do';
const userId = 'usr_xyz789...'; // The departing user's ID
// A single call can disable the user and remove them from all groups,
// effectively revoking all access instantly.
const offboardedUser = await directories.users.disable({
id: userId,
// This flag ensures all group memberships are removed
removeFromAllGroups: true
});
console.log(`User ${offboardedUser.id} has been fully offboarded.`);
This single action is one of the most powerful security automations you can implement, closing off access points instantly and systematically.
As the examples show, Directories.do is far more than just a user provisioning tool. Our Business-as-Code platform enables you to automate the entire identity lifecycle:
By abstracting away the underlying complexity of your identity infrastructure, Directories.do empowers your developers to build secure, scalable, and automated access control systems with ease.
Ready to stop managing permissions and start automating identity?
Q: What directory services does directories.do support?
A: Our platform is designed for universal compatibility. It can connect to any standard directory service, including Microsoft Active Directory, Azure AD, LDAP, Okta, Google Workspace, and more, providing a unified API layer on top.
Q: Is this just for user provisioning?
A: No, directories.do covers the full identity lifecycle. Beyond provisioning, you can automate de-provisioning, access reviews, attribute updates, group management, and password resets, all through our Business-as-Code platform.
Q: How does directories.do handle security and credentials?
A: Security is paramount. directories.do securely stores encrypted credentials and uses them to execute agentic workflows on your behalf. All API traffic is encrypted, and access is controlled via API keys, ensuring your identity infrastructure remains protected.