Completing Identity Management

What Should Users Access?

Realizing the principle of least access

In an ideal world, users should be granted access only to the applications and information required to perform their jobs within the organization, no more and no less. Effective management of entitlements has become the cornerstone of compliance, a point made increasingly obvious by the scrutiny of audit committees and compliance officers.

Due to complexity and the lack of available tools, compliance has proven to be a daunting task, and the result is that user entitlements are far from honoring the original principle of least access. One common reason for this gap is the accumulation of an individual's rights over time through job transitions or changes in duties. No effective de-provisioning or effort to simplify prior rights is made, so provisioning proceeds by creating fewer, broader roles. Thus, rights are granted beyond the scope of the position.

Ideally, users should have access to:

  • Just enough to do their job
  • Not enough to do damage
  • Entitlements that adhere to compliance regulations
  • Entitlements that meet corporate policies and audit guidelines

A solution that works

Solving this problem is easier said than done. Many ad hoc solutions have been attempted. Establishing a "Golden Employee" and replicating that person's entitlements to employees with similar responsibilities is but one example. These solutions can be effective if your organization is small, but they rarely work in large, complex organizations.

The most typical approach used by organizations involves conducting extensive interviews. Managers of functional teams attempt to ascertain, from their own point of view, what the access requirements are. These interviews are costly and often fraught with error for two primary reasons.

  1. Managers typically request broader access than is truly required for fear that less may disrupt business functions
  2. Managers have difficulty in understanding the scope of authority that may be granted by allowing access to various applications and data resources

New tools have appeared in the marketplace recently. These tools assist in role development by gathering the current entitlements of all users. Once gathered, similar patterns are recognized and roles are established based upon what users have been authorized to access in the past. While this method may help streamline or reduce roles, it does nothing to account for the elimination of excessive access: any excess already present in the entitlements is simply carried into the new roles.

The Prodigen solution delivers, and learns

The key to the Prodigen solution is to understand what users truly require to perform daily tasks. The Contouring Engine® accomplishes this by learning exactly what each identity needs. Combined with an identity's current entitlements, The Contouring Engine® can deliver a "Gap Analysis" without the interview process. Now, managers can reel in excessive entitlements with confidence through meaningful and actionable information. On top of that, managers can ensure that roles are established in line with rules already in place to meet corporate compliance objectives. This ensures that no roles will be in conflict with policies. Thus, entitlements granted from the roles will be no broader than required based on actual usage.
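The gap analysis described above, as an added illustration that is not Prodigen's code and does not use the Contouring Engine®'s learning method: it reduces the idea to set arithmetic over a constructed entitlement inventory and a constructed access log. The function and data names (`gap_analysis`, `mine_roles`, `sod_violations`, `ENTITLEMENTS`, `ACCESS_LOG`, `SOD_RULES`) are hypothetical. It shows the three points the page makes: held-but-unused entitlements are the excess to reel in, roles mined from existing entitlements inherit that excess while roles mined from observed usage do not, and candidate roles can be checked against an existing separation-of-duties rule before they are established.

```python
from collections import defaultdict

# Constructed sample data (hypothetical; not from Prodigen or any real system).
# Entitlements each identity currently holds.
ENTITLEMENTS = {
    "alice": {"crm:read", "crm:write", "payroll:read"},
    "bob":   {"crm:read", "crm:write", "payroll:read"},
    "carol": {"crm:read", "hr:read"},
    "dave":  {"payroll:read", "payroll:approve"},
    "erin":  {"payroll:read", "payroll:approve"},
}

# Constructed access log for the observation window: (identity, entitlement used).
ACCESS_LOG = [
    ("alice", "crm:read"), ("alice", "crm:write"), ("alice", "crm:read"),
    ("bob", "crm:read"), ("bob", "crm:write"),
    ("carol", "crm:read"), ("carol", "hr:read"), ("carol", "hr:write"),
    ("dave", "payroll:read"), ("dave", "payroll:approve"),
    ("erin", "payroll:read"), ("erin", "payroll:approve"),
]

# Constructed separation-of-duties rule: one role must never grant both.
SOD_RULES = [("payroll:read", "payroll:approve")]


def observed_usage(log):
    """Collapse the access log into the entitlements each identity actually exercised."""
    used = defaultdict(set)
    for identity, entitlement in log:
        used[identity].add(entitlement)
    return dict(used)


def gap_analysis(entitlements, log):
    """Per identity: entitlements held but never exercised (candidates for removal)
    and entitlements exercised but not held (drift that bypassed provisioning)."""
    used = observed_usage(log)
    report = {}
    for identity, held in entitlements.items():
        exercised = used.get(identity, set())
        report[identity] = {
            "excess": sorted(held - exercised),
            "unprovisioned": sorted(exercised - held),
        }
    return report


def mine_roles(per_identity, min_members=2):
    """Cluster identities with identical entitlement sets into candidate roles.
    Fed the held entitlements, this is the pattern-based mining the page criticises
    (excess is carried into the role); fed the observed usage, the roles are no
    broader than what was actually used."""
    by_set = defaultdict(list)
    for identity, ents in per_identity.items():
        by_set[frozenset(ents)].append(identity)
    return [
        {"entitlements": sorted(ents), "members": sorted(members)}
        for ents, members in by_set.items()
        if len(members) >= min_members
    ]


def sod_violations(roles, rules):
    """Flag candidate roles that combine entitlements a policy rule keeps apart."""
    violations = []
    for role in roles:
        ents = set(role["entitlements"])
        for a, b in rules:
            if a in ents and b in ents:
                violations.append((role["members"], (a, b)))
    return violations


if __name__ == "__main__":
    for identity, gap in gap_analysis(ENTITLEMENTS, ACCESS_LOG).items():
        print(identity, gap)
    print("roles from held entitlements:", mine_roles(ENTITLEMENTS))
    usage_roles = mine_roles(observed_usage(ACCESS_LOG))
    print("roles from observed usage:  ", usage_roles)
    print("SoD violations:", sod_violations(usage_roles, SOD_RULES))
```

Running it reports `payroll:read` as excess for alice and bob (held, never used), `hr:write` as unprovisioned use for carol (exercised without being held, which is worth an investigation of its own), a held-entitlement role for alice and bob that still carries `payroll:read`, a usage-derived role for the same pair without it, and a separation-of-duties conflict in the dave/erin role that a policy check would block before the role is established.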