How can we make User Attestations easier for Managers?

It's that time of the quarter again! Let's do some User Access Reviews! In most organizations, managers do not look forward to performing attestations, and I wouldn't blame them. Certifying a user's access on a mainframe or in Active Directory is not a manager's dream job. As a vendor and product manager, a few questions related to this problem come up:

1. How do we make it easier for managers to perform their access reviews?

2. How do we ensure that access reviews are a breeze, enabling our managers to move on to more important tasks?

3. How do we provide managers with sufficient information to make educated decisions when certifying a user's access?

From a product perspective, a few solutions come to mind that make it easier for managers to get through their attestations quickly and accurately:

1. User Interface: make it a seamless, easy-to-use UI that gives managers flexible options to certify hundreds of user entitlements with fewer clicks, while presenting the information they need to see (no cryptic entitlements! Use a glossary!).

2. Flag high-privileged, high-risk entitlements. Red alert!

3. Display the type of account a manager is certifying: is it a system account, an email account, etc.?

4. Was the account part of a Segregation of Duties violation? Is the violation still open? Or was the violation accepted as a risk for a particular time period?

5. Flag access that was revoked in a prior certification but is still present. Red alert! The user's access was not cleaned up in Q1; IT sucks!

6. For ongoing attestations, display user access that has changed (added/modified) since the last attestation. Maybe grey out the access that stayed constant so the manager does not have to attest it again unless they really want to. This makes it faster for a manager to get through a larger attestation spanning multiple departments or cost centers.

7. Move towards role-based access control! Isn't it easier for a manager to certify that his employee holds the "Accountant" role, with its access to the underlying applications, than to certify each individual application and its numerous entitlements?

8. Display any role assignment rules that were used to assign roles to a user. This validates why a user has the roles they have.

9. Integrate with your provisioning solution (assuming it uses a self-service interface and has approvals and workflow set up). Extract the workflow approval logs from the solution and display 1) who approved what, 2) when it was approved, and 3) the approval comments. This shows managers that the user's entitlements went through a legitimate approval process and are a no-brainer to approve during the attestation.

10. Integrate with a SIEM solution. How cool would it be for managers to see not only what entitlements a user has, but whether those entitlements are actually being used? If a user has not logged into an accounting application for the past year but still has access to it, maybe he or she does not need it anymore. This would be extremely valuable for managers to make quick decisions and move their users towards least privilege.
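To show how several of the points above (glossary names, high-risk flags, open SoD violations, access revoked last time but still present, changes since the last review, and last-login data from a SIEM) combine into a single review line per entitlement, here is an added example. It is not code from the original post or from any product; the glossary, the SoD rule, the flag names and the sample user data are all constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample reference data (an assumption, not the post's own): a glossary
# mapping cryptic entitlement ids to plain names, a high-risk set and one SoD rule.
GLOSSARY = {("SAP", "Z_AP_PAY"): "Accounts payable: release payments",
            ("SAP", "Z_AP_VEND"): "Accounts payable: maintain vendors",
            ("AD", "Domain Admins"): "Active Directory domain administrator",
            ("Exchange", "Mailbox"): "Corporate e-mail mailbox"}
HIGH_RISK = {("AD", "Domain Admins")}
SOD_RULES = [{("SAP", "Z_AP_PAY"), ("SAP", "Z_AP_VEND")}]  # toxic combination

def build_review(current, prior, prior_decisions, last_used, today, stale_days=365):
    """Return {entitlement: (description, flags)} for every current entitlement.
    Flags: new since the last review, revoked last time but still present,
    unused within stale_days (last-login data from the SIEM), high-risk, or part
    of an open SoD violation. No flag = approved last time and unchanged, so the
    UI can grey it out."""
    current, review = set(current), {}
    for ent in sorted(current):
        flags = []
        if ent not in prior:
            flags.append("NEW_SINCE_LAST_REVIEW")
        elif prior_decisions.get(ent) == "revoke":
            flags.append("REVOKED_BUT_STILL_PRESENT")  # Q1 cleanup never happened
        used = last_used.get(ent)
        if used is None or today - used > timedelta(days=stale_days):
            flags.append("UNUSED")
        if ent in HIGH_RISK:
            flags.append("HIGH_RISK")
        if any(ent in rule and rule <= current for rule in SOD_RULES):
            flags.append("SOD_VIOLATION")
        review[ent] = (GLOSSARY.get(ent, f"UNKNOWN {ent!r}"), flags or ["UNCHANGED_GREY_OUT"])
    return review

def demo():
    """Constructed Q2 review for one user; returns {entitlement: flags}."""
    today = date(2024, 4, 1)
    current = [("SAP", "Z_AP_PAY"), ("SAP", "Z_AP_VEND"),
               ("AD", "Domain Admins"), ("Exchange", "Mailbox")]
    prior = {("SAP", "Z_AP_PAY"), ("AD", "Domain Admins"), ("Exchange", "Mailbox")}
    decisions = {("SAP", "Z_AP_PAY"): "approve", ("AD", "Domain Admins"): "revoke",
                 ("Exchange", "Mailbox"): "approve"}
    last_used = {("SAP", "Z_AP_PAY"): date(2024, 3, 20),
                 ("AD", "Domain Admins"): date(2022, 1, 5),
                 ("Exchange", "Mailbox"): date(2024, 3, 31)}
    return {e: f for e, (_, f) in build_review(current, prior, decisions, last_used, today).items()}
```

In the constructed data the Domain Admins entitlement was marked for revocation last quarter, is unused and high-risk, so it lights up red, while the unchanged, recently used mailbox is the only line the UI would grey out.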

Let's make life easier for our managers... they have more important work to do! Oracle Identity Analytics is one of the industry-leading attestation solutions on the market today, and you can get more information on the product by clicking here.