IAM Sprint: Access Requests That Work
28 May, 2024, by James Mowbray
Several years ago, identity governance tools were seen as a panacea for enterprises. These tools were sold as a silver bullet to the problem of who has access to what. The truth of the matter is that while the tooling did have that technical ability, it required a little more business analysis and configuration effort than organisations could spare. Automation of joiner and leaver processes was successful, but the well of enthusiasm was often dry by the time it came to enabling end user access requests. The Service Desk were left to pick up the pieces.
What end users really want is frictionless access to the platforms and systems they need to access to fulfil the requirements of their job. No blockers. No painful processes. Business owners want to ensure access requests are fulfilled smoothly and efficiently and there is no risky over-entitlement.
The Warm Up
Review your current suite of entitlements and the existing processes for requesting and assigning those entitlements.
Users want access when they need it. They don’t want to request access only to find that the approval process injects unnecessary delay and is then followed by a vexatious manual entitlement assignment process.
Manual processes may be fine for micro-organisations, but at scale, they fail. Failure results in frustration. Frustration results in people trying to find a way around processes. By-passing processes results in increased risk. Everyone’s a loser – contrary to what Hot Chocolate had to say in the 1970s.
A clearly defined role model with a means of requesting, approving and (ideally) automatically provisioning access above and beyond birth right entitlements is achievable!
The Sprint
If you already have a well understood suite of entitlements and you have managed to roll them up into Business Roles, give yourself a pat on the back. Not many organisations have achieved that!
If you haven’t, the first step in your sprint ought to be running a role mining activity. Many governance tools are provided with such capability and with good quality datasets, they can unearth candidate roles very quickly.
Once the roles have been mined, it’s time to publish them. Optimally, you will do so in a way that means that many are automatically assigned to users because of attributes associated with those users.
Birth-right entitlements are fabulous, but a process should be put in place to periodically review those entitlements to assure they continue to be appropriate.
For the next stage you will need to build request workflows for entitlements that cannot be automatically assigned. The key here is to keep it simple! Often, there is a temptation to build over complicated workflows and approval processes. In most cases, this is unnecessary. Keep those steps to a minimum, otherwise fulfilment timescales are going to look a little crazy.
Just as birth-right entitlements can be automatically assigned to users, they can also be automatically unassigned. The same rule could potentially be applied to requestable entitlements. However, these requestable entitlements will need some form of periodic review. Now is the time to configure an Access Certification review which will enable you to demonstrate how recurrent certification campaigns can be used to limit entitlement drag.
The Warm Down
Role mining should not be considered a one-off exercise. It should be repeated regularly to ensure there are no candidate roles lurking about in your infrastructure.
The process of access request and approval workflows can also be delegated to those tools which excel at the task, such as Service Now. The APIs in your Identity Governance tool ought to allow for such externalisation to provide a consistent IT Service Request process to your users.
And finally, now you have your access recertification review in place you should also establish a BAU process for looking at the structure of entitlements. Business roles evolve over time and should be reviewed regularly to ensure that they are still relevant for your business.