Differences between Active Directory integration and GCM

Security Center Administrator Guide 5.13

Product: Security Center
Content type: Guides > Administrator guides
Version: 5.13
Last updated: 2025-04-11

Global cardholder management (GCM) and Active Directory integration are both used to centralize the management of cardholder information in Security Center, but their approach is different.

The following table highlights the differences between GCM and Active Directory integration.
Best Practice: Use Active Directory integration and GCM in tandem. The sharing host should be the only system that integrates with the Active Directory. This approach keeps Active Directory protected on the corporate LAN, while the sharing host only pushes the necessary employee information to the satellite systems.

| Active Directory integration | Global cardholder management (GCM) |
| --- | --- |
| Purpose: Centralized employee (users and cardholders) security management | Purpose: Centralized employee (cardholders) security management |
| Enables an organization to manage employee information from a central location and share it with a single Security Center system (users and cardholders). | Enables an organization to manage cardholder information from a central location and share it with all Security Center systems within the organization. |
| The corporate directory service is the information source. Security Center retrieves employee information from the corporate directory service. | One Security Center system acts as the information source (sharing host) and shares it with all other Security Center systems within the organization (sharing guests). |
| Security Center connects to the information source (directory service) through the Active Directory role. | The sharing guests connect to the information source (sharing host) through the Global Cardholder Synchronizer (GCS) role. |
| Custom fields defined on the Active Directory can be linked to Security Center custom fields. | All custom fields and data types are shared. |
| Employee information can only be modified in the Active Directory. The cardholder picture is the only piece of employee information that can be uploaded from the Security Center to the Active Directory. | All sharing parties can modify the shared information. The sharing host validates and propagates the changes to all parties involved. |
| Information retrieved from the directory service cannot be shared with a second Security Center system. If multiple Security Center systems need to share the same information, they must connect individually to the corporate directory service. | The central Security Center system can share cardholder information with as many satellite Security Center systems as needed. |
| If you delete an Active Directory role, you can release ownership of the entities to your local Security Center system. If you recreate the role, it can reclaim ownership of the entities that were previously released. For more information, see Releasing ownership of Active Directory entities to Security Center. | If you delete a GCS role, the sharing guest automatically loses access to the entities in the shared partition. The only way for a sharing party to transform a global entity into a local entity is to remove it from the shared partition. When this is done, all other systems lose their access to that entity. For more information, see Stopping entity sharing with other sites. |