This month, we focused on one of the key functionalities of identity management – workflows. Specifically,
- Provisioning and deprovisioning (which I abbreviate as de/provisioning)
- Non-employee management
- User and access recertification
These workflows build on each other – it’s necessary to identify how access is de/provisioned before any recertification can be set up, because ultimately, once the reviewer completes their recertification, the de/provisioning workflows are kicked off in some capacity to make the indicated updates to users’ access.
It’s possible to go after recertification first, but it’s a lot less powerful without closing the loop with de/provisioning.
Recertification is further broken down into non-employee management and everything else. Non-employee management is a fairly small and relatively simple subset of the larger recertification workflow set. By addressing it first, valuable experience can be gained, and it is a high-visibility quick win that’s desirable not only to the access services or security team(s), but likely also to finance, and possibly HR.
There is a lot of work involved in preparing for the implementation of these workflows. By spending some time up-front, it will not only speed the eventual implementation when a system is selected, but it will also generate invaluable requirements that will be critical to the selection of the right system.
The approach this month was as follows:
- Identify ways in which the workflow set could be developed, ensuring that the right scope is identified for your organization’s specific circumstances
- Populate the requirements list accordingly. This is critical – miss these requirements and the product selection could be flawed. Select the wrong product and at best ROI will be reduced, possibly significantly; at worst, a rip-and-replace may be needed.
- Execute the prep-work that can be done in advance of obtaining a system.
Yes, this month “prep-work” can be considered a euphemism for “cleanup”, but not entirely. And no matter what you call it, it’s gotta be done.
For de/provisioning, this means reviewing any current de/provisioning processes, streamlining them, and understanding the technical details of the access. The more work that’s already been done with role- and rule-basing (as discussed in June), the easier this will be. Now is also the time to start preparing target systems as needed – such as by cleaning up UNIX UIDs.
For non-employee management, the key prep-work is ensuring that the user entry forms in the identity manager have the needed fields designed into them, and that timelines have been considered for handling the renewal of fixed-duration non-employees. It’s also important to begin working with the appropriate internal groups (e.g., security, audit, affected business groups) to determine an appropriate frequency for recertifying ongoing non-employees.
User/access recertification may have the most time-consuming and difficult prep-work: defining the mappings between the technical permissions and the business access that they provide. This will likely require significant collaboration with business “power users” and can be very time-consuming in database and mainframe systems where permissions are highly granular. It’s also important to think about the frequency of recertification, and whether the line manager or the data/access owner will be the reviewer for any given application/permission set.
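To make the loop between recertification and de/provisioning concrete, here is an added illustration (not from the original post or any particular product) of how the permission-to-business-access mappings described above drive what happens after a review: a reviewer decides per business entitlement, and only technical permissions no longer justified by any kept entitlement are queued for removal, while fixed-duration non-employees whose term has lapsed without renewal are deprovisioned outright. All system, role and user names are constructed examples.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Constructed mapping: business access -> the technical permissions that grant it
# (target system, permission). Real mappings come out of the prep-work with power users.
ENTITLEMENT_MAP: Dict[str, List[Tuple[str, str]]] = {
    "AP Invoice Approver": [("erp_db", "ROLE_AP_READ"), ("erp_db", "ROLE_AP_APPROVE"),
                            ("mainframe", "RACF:APINV.UPD")],
    "AP Invoice Viewer":   [("erp_db", "ROLE_AP_READ")],
    "Payroll Admin":       [("hr_app", "payroll_admin")],
}

@dataclass
class User:
    uid: str
    entitlements: Set[str]
    is_employee: bool = True
    contract_end: Optional[date] = None   # only set for fixed-duration non-employees

def expired_non_employees(users: List[User], today: date) -> List[User]:
    """Non-employees whose fixed term has passed without renewal: full deprovisioning."""
    return [u for u in users
            if not u.is_employee and u.contract_end is not None and u.contract_end < today]

def apply_recertification(user: User, decisions: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """decisions maps business entitlement -> 'keep' or 'revoke' as entered by the reviewer.
    Returns the deprovisioning actions the review kicks off, one per target-system permission,
    as ('remove', uid, system, permission). A permission shared with a kept entitlement
    (here ROLE_AP_READ, used by both AP entitlements) must not be removed."""
    revoked = {e for e, d in decisions.items() if d == "revoke" and e in user.entitlements}
    kept = user.entitlements - revoked
    still_needed = {perm for e in kept for perm in ENTITLEMENT_MAP.get(e, [])}
    actions = []
    for entitlement in sorted(revoked):
        for perm in ENTITLEMENT_MAP.get(entitlement, []):
            if perm not in still_needed:
                actions.append(("remove", user.uid, perm[0], perm[1]))
    user.entitlements = kept   # the identity store now reflects the reviewer's decision
    return actions

if __name__ == "__main__":
    jdoe = User("jdoe", {"AP Invoice Approver", "AP Invoice Viewer"})
    print(apply_recertification(jdoe, {"AP Invoice Approver": "revoke", "AP Invoice Viewer": "keep"}))
    temp = User("contractor1", {"AP Invoice Viewer"}, is_employee=False, contract_end=date(2024, 1, 31))
    print([u.uid for u in expired_non_employees([jdoe, temp], date(2024, 2, 1))])
```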
Next month, we’ll take a closer look at some special cases related to terminations and transfers, and how those circumstances can affect the de/provisioning workflows.
How can I help?
Do you need some clarification or additional assistance? Do you have an experience to share with others? Leave a comment below so we can all improve together.