October 14


Identity Management Series – Workflows Part 5: Wrapping Up

This month, we focused on one of the key functionalities of identity management – workflows. Specifically,

  • Provisioning and deprovisioning (which I abbreviate as de/provisioning)
  • Non-employee management
  • User and access recertification

These workflows build on each other. It’s necessary to identify how access is de/provisioned before any recertification can be set up, because once the reviewer completes their recertification, the de/provisioning workflows are ultimately kicked off in some capacity to make the indicated updates to users’ access.

It’s possible to go after recertification first, but it’s a lot less powerful without closing the loop with de/provisioning.

Recertification is further broken down into non-employee management and everything else. Non-employee management is a fairly small and relatively simple subset of the larger recertification workflow set. Addressing it first provides valuable experience, and it is a high-visibility quick win that’s desirable not only to the access services or security team(s), but likely also to finance, and possibly HR.

There is a lot of work involved in preparing for the implementation of these workflows. Spending some time up-front will not only speed the eventual implementation when a system is selected, but will also generate invaluable requirements that will be critical to the selection of the right system.

The approach this month was as follows:

  1. Identify ways in which the workflow set could be developed, ensuring that the right scope is identified for your organization’s specific circumstances
  2. Populate the requirements list accordingly. This is critical – miss these requirements and the product selection could be flawed. Select the wrong product and at best ROI will be reduced – possibly significantly; at worst, a rip-and-replace may be needed.
  3. Execute the prep-work that can be done in advance of obtaining a system.

Yes, this month “prep-work” can be considered a euphemism for “cleanup” but not entirely. And no matter what you call it, it’s gotta be done.

For de/provisioning, this means reviewing any current de/provisioning processes, streamlining them, and understanding the technical details of the access involved. The more work that’s already been done with role- and rule-basing (as discussed in June), the easier this will be. Now is also the time to start preparing target systems as needed – such as by cleaning up UNIX UIDs.
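One way to scope the UNIX UID cleanup mentioned above, as an added example that is not from the original post: it assumes the cleanup includes reconciling UIDs across hosts, and it reads passwd-format text to report users whose UID differs between hosts, UIDs that map to different users, and UIDs shared on a single host. The host names and accounts are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data: passwd-format content from three hypothetical hosts.
SAMPLE_PASSWD = {
    "web01": "root:x:0:0::/root:/bin/sh\nalice:x:1001:1001::/home/alice:/bin/sh\n"
             "bob:x:1002:1002::/home/bob:/bin/sh\n",
    "db01": "root:x:0:0::/root:/bin/sh\nalice:x:1005:1005::/home/alice:/bin/sh\n"
            "carol:x:1002:1002::/home/carol:/bin/sh\n",
    "app01": "root:x:0:0::/root:/bin/sh\ntoor:x:0:0::/root:/bin/sh\n"
             "# local note\nbroken-line\nbob:x:1002:1002::/home/bob:/bin/sh\n",
}

def parse_passwd(text):
    """Yield (username, uid), skipping blank, comment and malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue
        yield fields[0], int(fields[2])

def audit_uids(passwd_by_host):
    """Return the three kinds of UID conflict that block a clean provisioning target."""
    name_to_uids = defaultdict(lambda: defaultdict(set))  # user -> uid -> hosts
    uid_to_names = defaultdict(lambda: defaultdict(set))  # uid -> user -> hosts
    local_dupes = []
    for host, text in passwd_by_host.items():
        seen = defaultdict(set)  # uid -> users on this host only
        for user, uid in parse_passwd(text):
            name_to_uids[user][uid].add(host)
            uid_to_names[uid][user].add(host)
            seen[uid].add(user)
        local_dupes += [(host, uid, sorted(names))
                        for uid, names in sorted(seen.items()) if len(names) > 1]
    return {
        "user_with_multiple_uids": {u: {uid: sorted(h) for uid, h in uids.items()}
                                    for u, uids in name_to_uids.items() if len(uids) > 1},
        "uid_with_multiple_users": {uid: {n: sorted(h) for n, h in names.items()}
                                    for uid, names in uid_to_names.items() if len(names) > 1},
        "duplicate_uid_on_host": local_dupes,
    }

if __name__ == "__main__":
    for finding, detail in audit_uids(SAMPLE_PASSWD).items():
        print(finding, detail)
```

A UID that maps to different users on different hosts is the finding to resolve first, since file ownership on shared or migrated storage follows the number, not the name.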

For non-employee management, the key prep-work is ensuring that the user entry forms in identity manager have the needed fields designed into them, and that timelines have been considered for handling renewals of fixed-duration non-employees. It’s also important to begin working with the appropriate internal groups (e.g., security, audit, affected business groups) to determine an appropriate frequency for recertifying ongoing non-employees.

User/access recertification may have the most time-consuming and difficult prep-work: defining the mappings between the technical permissions and the business access that they provide. This will likely require significant collaboration with business “power users”, especially in database and mainframe systems where permissions are highly granular. It’s also important to think about the frequency of recertification, and whether the line manager or the data/access owner will be the reviewer for any given application/permission set.

Next month, we’ll take a closer look at some special cases related to terminations and transfers, and how those circumstances can affect the de/provisioning workflows.

How can I help?

Do you need some clarification or additional assistance? Do you have an experience to share with others? Leave a comment below so we can all improve together.

