Access requests and certification best practices

All-In-One Identity Management and Cloud Security

Emerging technologies are challenging old paradigms and unveiling new ways of approaching the security discipline that enables the right individuals to access the right resources at the right times for the right reasons.

EmpowerID has embedded innovative technologies in every aspect, providing flexible and mature IAM capabilities in the cloud, on premise and in hybrid environments, addressing the mission-critical need across increasingly heterogeneous technology environments, and meeting increasingly rigorous compliance requirements.

access requests and certification One of the main issues with access requests by your users is they don't know what to ask for! Think about it, your user knows that they want to see the prior year's sales results sorted by average receivables age. They go to your access resource catalog and sure enough there isn't a resource named that.

You and I both know what they want is something called sales manager role in QuickBooks but that translation is not apparent to your user. How do you solve this? You can't name your role based on what they want to do because other users in that role have other needs. You can't necessarily have them ask to mimic Bob in the Scranton office's rights because you might have granted him a higher level of permission (never violate least privilege if you can help it).

Until we can intuitively read the user's mind and translate on the fly, we need a way for the user to understand what they're looking to do and assign permissions for that particular task.

We thnk the best way to do that is with access bundles. This way you don't have to create a bevy of highly specific roles but you can bundle a bunch of access into an access bundle that has multiple related access rights.

And that's where access certification and re-certification comes in. If you grant this access bundle to a role, user or group, then they all have it until time comes to an end. This shouldn't be. Any access request that is granted needs to be attested to often. The best recommendation is to grant access for 3-5 days initially, if the user still needs it after that they have to request to renew this access.

This request should kick off a workflow to the resource or role owner to certify that the user, role or group still needs access. At this point, they can grant access permanently, for a set period of time or deny permission. This certification process can vary by resource or the role of the user requesting.

View access as a privilege not a right. But if you are going to keep this principle of least privilege, then make it easy for access requests and certification. Next time we'll go over the fun part of designing your catalog of access bundles!

If you want to take a look at how this works, we can give you a demo and trial of EmpowerID, just click the beautiful button below!

Tags: Role Based Access Control (RBAC), Identity and Access Management (IAM)

All-In-One Identity Management and Cloud Security

Access requests and certification best practices

About EmpowerID

Latest Posts

Posts by category

Subscribe via E-mail