IT AI Skill
Identity Access Governance
Manage identity governance including access reviews, certification campaigns, provisioning/deprovisioning, role mining, PTA, and compliance reporting. Use when conducting access reviews, managing privileged access, implementing SOX controls for IT access, o...
Manage identity governance including access reviews, certification campaigns, privileged access management, and user lifecycle automation.
Workflow
1. User Lifecycle Management
JOINER-MOVER-LEAVER (JML) FRAMEWORK
═══════════════════════════════════════
JOINER (New Hire):
═══════════════════════════════════════
Trigger: HR system (Workday, BambooHR) — employee record created
Process:
1. Receive joiner request (department, role, start date, location)
2. Map role to access profile (pre-defined entitlements)
3. Create accounts (just-in-time, day before start):
   → Active Directory / Entra ID (identity)
   → Email (Exchange / GSuite)
   → VPN / MFA enrollment
   → Applications (based on role):
       · Engineering: GitHub, Jira, Confluence, Slack, AWS
       · Finance: Oracle, QuickBooks, Excel, SAP
       · Sales: Salesforce, HubSpot, CRM
4. Provision hardware (laptop, badges, phone)
5. Send welcome email with setup instructions
6. Enable accounts on start date (automated)
7. Notify IT helpdesk and manager
MOVER (Transfer/Promotion):
═══════════════════════════════════════
Trigger: HR system — role/department change
Process:
1. Review current access (full entitlement list)
2. Compare new role entitlements (delta analysis)
3. Remove access no longer needed (deprovision)
4. Add new access (provision)
5. Manager approval required for sensitive access
6. Notify access owner of changes
7. Log all changes for audit trail
LEAVER (Termination):
═══════════════════════════════════════
Trigger: HR system — termination record
Process (IMMEDIATE for security):
1. Disable all accounts (within 1 hour of termination)
2. Revoke MFA tokens
3. Terminate VPN access
4. Forward email to manager (30 days)
5. Transfer files to manager/shared drive
6. Reassign ownership of shared resources (calendars, documents)
7. Collect hardware (IT helpdesk ticket)
8. Schedule full deprovision (30 days post-termination)
9. Document for audit trail
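The mover delta analysis (steps 2 to 5) and the leaver disable SLA (step 1) are the two JML steps that are easy to get wrong by hand, so here is a small worked version of both. This is an added example, not code from the original skill page; the role profiles, the set of "sensitive" entitlements that need manager approval, the one-hour SLA constant and the sample timestamps are all constructed assumptions for illustration.

```python
"""Joiner/mover/leaver helpers: role-to-profile mapping, mover delta analysis,
and a leaver disable-SLA check.

Added example, not part of the original skill page. Role profiles, the
SENSITIVE set and the timestamps used below are constructed sample data.
"""
from datetime import datetime, timedelta

# Constructed role profiles (joiner step 2: role -> pre-defined entitlements).
ROLE_PROFILES = {
    "engineering": {"github", "jira", "confluence", "slack", "aws"},
    "finance": {"oracle", "quickbooks", "excel", "sap"},
    "sales": {"salesforce", "hubspot", "crm"},
}

# Constructed: entitlements whose grant needs explicit manager approval (mover step 5).
SENSITIVE = {"aws", "sap", "oracle"}

# Leaver step 1: accounts disabled within one hour of the termination record.
LEAVER_DISABLE_SLA = timedelta(hours=1)


def joiner_entitlements(role: str) -> set:
    """Map a new hire's role to its access profile; unknown roles are an error,
    never an empty grant, so a typo in the HR feed cannot silently under-provision."""
    try:
        return set(ROLE_PROFILES[role])
    except KeyError:
        raise ValueError(f"no access profile defined for role {role!r}") from None


def mover_delta(current: set, new_role: str) -> dict:
    """Mover steps 2-5: compare current access with the new role's profile.

    Returns what to revoke, what to grant outright, and what to grant only
    after manager approval (the sensitive entitlements).
    """
    target = joiner_entitlements(new_role)
    to_grant = target - current
    return {
        "revoke": current - target,             # access no longer needed (step 3)
        "grant": to_grant - SENSITIVE,          # routine additions (step 4)
        "grant_needs_approval": to_grant & SENSITIVE,  # step 5
    }


def leaver_sla_met(terminated_at: str, disabled_at: str) -> bool:
    """Leaver step 1 check on two ISO 8601 timestamps (as an HR feed or audit
    log would carry them): disabled no earlier than, and within one hour of,
    the termination record."""
    delay = datetime.fromisoformat(disabled_at) - datetime.fromisoformat(terminated_at)
    return timedelta(0) <= delay <= LEAVER_DISABLE_SLA


if __name__ == "__main__":
    # A finance analyst moving to engineering still holds finance access.
    print(mover_delta({"oracle", "sap", "excel", "slack"}, "engineering"))
    print(leaver_sla_met("2024-12-02T09:00:00", "2024-12-02T09:45:00"))
```

The delta is computed from the target profile, not from the mover's request, so entitlements that were never part of any profile (hand-granted extras) show up in the revoke set and get a second look rather than travelling with the user.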
2. Access Reviews & Certification
ACCESS CERTIFICATION CAMPAIGN
═══════════════════════════════════════
CAMPAIGN SCHEDULE:
═══════════════════════════════════════
Review Type          Frequency   Scope                  Owner
──────────────────────────────────────────────────────────────────────
Application access   Quarterly   All applications       App owner
Privileged access    Monthly     Admin/root accounts    Security team
SoD conflicts        Monthly     All users              Compliance
Service accounts     Quarterly   Non-human identities   IAM team
External access      Quarterly   Contractors/vendors    Security
CERTIFICATION WORKFLOW:
═══════════════════════════════════════
Phase 1: Preparation (3 days)
→ Generate access reports from source systems
→ Enrich with user data (department, role, manager)
→ Pre-populate recommendations (keep/revoke based on policies)
→ Send campaign invitation to reviewers
Phase 2: Review (14 days)
→ Reviewer logs into IAM portal
→ Reviews each user's access (bulk review for low-risk)
→ Actions: Approve, Revoke, Escalate, Recertify later
→ Requires justification for exceptions
→ Manager notifications for overdue reviews
Phase 3: Resolution (7 days)
→ Auto-revoke denied access
→ Escalate unresolved items to next-level manager
→ Generate exception reports
→ Close campaign
Phase 4: Reporting (2 days)
→ Summary report: Access approved, revoked, exceptions
→ Trend analysis: Access growth, orphaned accounts
→ Compliance report: SoD conflicts resolved
→ Audit trail: All actions logged
CAMPAIGN RESULTS — Q4 2024:
═══════════════════════════════════════
Users reviewed: 2,400
Access items reviewed: 18,500
Approved: 16,200 (87.6%)
Revoked: 1,800 (9.7%)
Escalated: 500 (2.7%)
SoD conflicts found: 23
Orphaned accounts: 45
Impact:
→ Reduced excessive privilege by 12%
→ Identified 5 former employees with active access
→ Resolved 18 SoD conflicts
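Phase 1 of the campaign (enrich access items with HR data and pre-populate keep/revoke recommendations) and the orphaned-account count in Phase 4 are both mechanical enough to script. The following is an added example, not code from the original skill page: the HR extract, the access report, the 90-day staleness threshold and the campaign date are constructed sample data, and the recommendation rules (revoke when the user has no HR record, is terminated, or has not used the entitlement within the threshold) are one reasonable policy, not the page's stated one.

```python
"""Certification campaign preparation: enrich access items with HR data,
pre-populate recommendations, and summarize the result.

Added example, not part of the original skill page. HR records, access items,
STALE_DAYS and CAMPAIGN_DATE are constructed sample data.
"""
from collections import Counter
from datetime import date

STALE_DAYS = 90                     # constructed policy threshold
CAMPAIGN_DATE = date(2024, 12, 1)   # constructed campaign start

# Constructed HR extract: user -> status, department, manager (the reviewer).
HR = {
    "alice": {"status": "active", "dept": "finance", "manager": "dana"},
    "bob":   {"status": "active", "dept": "engineering", "manager": "erin"},
    "carol": {"status": "terminated", "dept": "sales", "manager": "frank"},
}

# Constructed access report as pulled from source systems.
ACCESS_ITEMS = [
    {"user": "alice", "app": "sap", "entitlement": "ap-clerk", "last_used": "2024-11-20"},
    {"user": "alice", "app": "aws", "entitlement": "read-only", "last_used": "2024-06-01"},
    {"user": "bob", "app": "github", "entitlement": "maintainer", "last_used": "2024-11-29"},
    {"user": "carol", "app": "salesforce", "entitlement": "sales-rep", "last_used": "2024-10-15"},
    {"user": "ghost", "app": "jira", "entitlement": "user", "last_used": "2024-09-01"},
]


def recommend(item, hr=HR, today=CAMPAIGN_DATE):
    """Return (recommendation, reason) for a single access item."""
    record = hr.get(item["user"])
    if record is None:
        return "revoke", "orphaned: no HR record"
    if record["status"] != "active":
        return "revoke", "orphaned: user terminated"
    idle_days = (today - date.fromisoformat(item["last_used"])).days
    if idle_days > STALE_DAYS:
        return "revoke", f"unused for {idle_days} days"
    return "keep", "in use by active user"


def prepare_campaign(items=ACCESS_ITEMS, hr=HR, today=CAMPAIGN_DATE):
    """Enrich each item with department, reviewer and a pre-populated decision.
    Items with no manager (orphans) are routed to the IAM team instead."""
    prepared = []
    for item in items:
        rec, reason = recommend(item, hr, today)
        record = hr.get(item["user"], {})
        prepared.append({
            **item,
            "dept": record.get("dept"),
            "reviewer": record.get("manager") or "iam-team",
            "recommendation": rec,
            "reason": reason,
        })
    return prepared


def summarize(prepared):
    """Phase 4 style numbers: keep/revoke counts, revoke share, orphaned accounts."""
    counts = Counter(p["recommendation"] for p in prepared)
    orphaned = {p["user"] for p in prepared if p["reason"].startswith("orphaned")}
    total = len(prepared)
    return {
        "reviewed": total,
        "keep": counts["keep"],
        "revoke": counts["revoke"],
        "revoke_pct": round(100 * counts["revoke"] / total, 1) if total else 0.0,
        "orphaned_accounts": len(orphaned),
    }


if __name__ == "__main__":
    prepared = prepare_campaign()
    for p in prepared:
        print(f'{p["user"]:6} {p["app"]:11} {p["recommendation"]:6} {p["reason"]}')
    print(summarize(prepared))
```

Pre-populating a recommendation does not decide anything: the reviewer still approves, revokes or escalates, and the reason string travels with the item into the audit trail so a "keep" against a revoke recommendation is visibly an exception.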
3. Privileged Access Management (PAM)
PRIVILEGED ACCESS FRAMEWORK
═══════════════════════════════════════
PRIVILEGE TIERS:
═══════════════════════════════════════
Tier     Role                    Access Level        Approval      Review
───────────────────────────────────────────────────────────────────────────
Tier 1   Helpdesk L1/L2          Limited admin       IT Manager    Quarterly
Tier 2   System Admin            Server admin        IT Director   Monthly
Tier 3   Security Admin          Security tools      CISO          Monthly
Tier 4   Emergency/Break-glass   Root/Admin          CISO+CEO      Per-use
Tier 5   Service Accounts        Application-level   App Owner     Quarterly
JUST-IN-TIME (JIT) ACCESS:
═══════════════════════════════════════
→ Privileges granted only when needed
→ Time-bound access (1-4 hours)
→ Request approval workflow
→ Session recording (screen capture + keystroke logging)
→ Auto-revoke after session expires
→ All sessions logged for audit
JIT REQUEST FLOW:
═══════════════════════════════════════
1. User requests access: Application + duration + justification
2. Manager approval (automatic for routine, manual for sensitive)
3. Access granted for requested duration
4. Session starts: Screen recording + command logging enabled
5. Session ends: Access revoked automatically
6. Session review: Logged, searchable
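The JIT request flow above reduces to three operations: validate and route a request, record a manager approval, and revoke grants whose window has passed. The following is an added example of that state machine, not code from the original skill page or from any PAM product; the set of "sensitive" applications, the 1 to 4 hour window and the sample users and timestamps are constructed assumptions. Timestamps are accepted as ISO 8601 strings, as an audit feed would deliver them.

```python
"""Just-in-time privileged access: validate a request, route approval,
record session events, and auto-revoke expired grants.

Added example, not part of the original skill page. SENSITIVE_APPS, the
duration limits and all timestamps used are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

MIN_DURATION = timedelta(hours=1)
MAX_DURATION = timedelta(hours=4)

# Constructed: applications that always need a manual manager decision.
SENSITIVE_APPS = {"prod-db", "domain-controller"}


def _ts(value):
    """Accept an ISO 8601 string or a datetime."""
    return datetime.fromisoformat(value) if isinstance(value, str) else value


@dataclass
class JitGrant:
    user: str
    application: str
    justification: str
    requested_at: datetime
    duration: timedelta
    approval: str = "pending"            # pending | auto | manual
    active: bool = False
    started_at: Optional[datetime] = None
    session_log: list = field(default_factory=list)   # (time, event) audit entries

    @property
    def expires_at(self) -> Optional[datetime]:
        """Window is counted from when access actually became active."""
        return None if self.started_at is None else self.started_at + self.duration

    def is_expired(self, now) -> bool:
        return self.expires_at is not None and _ts(now) >= self.expires_at

    def _start(self, now, event: str):
        self.active = True
        self.started_at = _ts(now)
        self.session_log.append((self.started_at, event + "; session recording enabled"))


def request_access(user, application, hours, justification, now) -> JitGrant:
    """Steps 1-3: validate the request and route it; routine access starts at once."""
    duration = timedelta(hours=hours)
    if not MIN_DURATION <= duration <= MAX_DURATION:
        raise ValueError("duration must be between 1 and 4 hours")
    if not justification.strip():
        raise ValueError("a justification is required")
    grant = JitGrant(user, application, justification, _ts(now), duration)
    if application in SENSITIVE_APPS:
        grant.approval = "manual"        # waits for a manager decision
    else:
        grant.approval = "auto"
        grant._start(now, "auto-approved (routine)")
    return grant


def approve(grant: JitGrant, approver: str, now) -> JitGrant:
    """Manager approves a manual request; the time-bound window starts now."""
    if grant.approval != "manual" or grant.active:
        raise ValueError("grant is not awaiting manual approval")
    grant._start(now, f"approved by {approver}")
    return grant


def revoke_expired(grants, now) -> list:
    """Step 5: revoke every active grant whose window has passed; returns them."""
    revoked = []
    for g in grants:
        if g.active and g.is_expired(now):
            g.active = False
            g.session_log.append((_ts(now), "window expired; access revoked automatically"))
            revoked.append(g)
    return revoked


if __name__ == "__main__":
    g = request_access("alice", "jira-admin", 2, "INC-123 cleanup", "2024-12-02T10:00:00")
    s = request_access("bob", "prod-db", 1, "index rebuild", "2024-12-02T10:00:00")
    approve(s, "erin", "2024-12-02T10:05:00")
    print([x.user for x in revoke_expired([g, s], "2024-12-02T11:30:00")])
```

Running `revoke_expired` from a scheduler every few minutes gives the "auto-revoke after session expires" property; the session_log on each grant is what the step 6 review searches.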
BREAK-GLASS ACCOUNTS:
═══════════════════════════════════════
→ Emergency access when normal PAM is unavailable
→ Credentials stored in sealed envelope / hardware vault
→ Usage triggers immediate alert to security team
→ Full session recording required
→ Post-incident review mandatory within 24 hours
→ Credentials rotated after each use
4. Segregation of Duties (SoD)
SOD MATRIX — IT AND FINANCE
═══════════════════════════════════════
SoD Rule ID   Incompatible Role A          Incompatible Role B          Risk
───────────────────────────────────────────────────────────────────────────────
SoD-01        Code developer               Production deployer          High
SoD-02        Financial entry creator      Financial entry approver     Critical
SoD-03        Purchase order creator       Vendor payment approver      High
SoD-04        IT system administrator      Security log reviewer        Medium
SoD-05        Master data creator          Transaction processor        High
SoD-06        Bank reconciliation          Payment run execution        Critical
SoD-07        Change request creator       Change approval authority    Medium
SoD-08        User provisioning            Access review approver       Medium
SOD DETECTION AND RESOLUTION:
═══════════════════════════════════════
Current conflicts detected: 23
Priority 1 — Critical (4 conflicts):
→ 2 users with both entry creation AND approval (Finance)
→ 1 user with bank reconciliation AND payment execution
→ 1 service account with full admin + log management
Resolution options:
1. Remove conflicting access (preferred)
2. Compensating control (enhanced monitoring + approval)
3. Role split (separate users for conflicting duties)
4. Exception approval (business justification + sign-off)
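Detecting conflicts is a join of the SoD matrix against role assignments, ranked by risk, with approved exceptions (resolution option 4) tracked rather than hidden; the same rule set also supports a preventive check before a new role is granted. This is an added example, not code from the original skill page: the rule IDs, role pairs and risk levels are taken from the matrix above, while the user assignments and the approved exception are constructed.

```python
"""Segregation-of-duties detection against the SoD matrix, plus a preventive
check for proposed grants.

Added example, not part of the original skill page. SOD_RULES mirror the
matrix in the text; ASSIGNMENTS and APPROVED_EXCEPTIONS are constructed.
"""
RISK_ORDER = {"Critical": 0, "High": 1, "Medium": 2}

# (rule id, role A, role B, risk); role names are kept lower-case for matching.
SOD_RULES = [
    ("SoD-01", "code developer", "production deployer", "High"),
    ("SoD-02", "financial entry creator", "financial entry approver", "Critical"),
    ("SoD-03", "purchase order creator", "vendor payment approver", "High"),
    ("SoD-04", "it system administrator", "security log reviewer", "Medium"),
    ("SoD-05", "master data creator", "transaction processor", "High"),
    ("SoD-06", "bank reconciliation", "payment run execution", "Critical"),
    ("SoD-07", "change request creator", "change approval authority", "Medium"),
    ("SoD-08", "user provisioning", "access review approver", "Medium"),
]

# Constructed role assignments: three people and one service account.
ASSIGNMENTS = {
    "alice": {"financial entry creator", "financial entry approver"},
    "bob": {"code developer", "production deployer", "change request creator"},
    "carol": {"bank reconciliation"},
    "svc-backup": {"it system administrator", "security log reviewer"},
}

# Constructed: exceptions with business justification and sign-off (option 4).
APPROVED_EXCEPTIONS = {("bob", "SoD-01")}


def _norm(roles):
    return {r.strip().lower() for r in roles}


def find_conflicts(assignments=ASSIGNMENTS, rules=SOD_RULES, exceptions=APPROVED_EXCEPTIONS):
    """Every (user, rule) pair where the user holds both incompatible roles,
    sorted Critical first, then by user. Approved exceptions are flagged, not dropped."""
    conflicts = []
    for user, raw_roles in assignments.items():
        roles = _norm(raw_roles)
        for rule_id, role_a, role_b, risk in rules:
            if role_a in roles and role_b in roles:
                conflicts.append({
                    "user": user,
                    "rule": rule_id,
                    "risk": risk,
                    "roles": (role_a, role_b),
                    "status": "exception" if (user, rule_id) in exceptions else "open",
                })
    conflicts.sort(key=lambda c: (RISK_ORDER[c["risk"]], c["user"]))
    return conflicts


def conflict_summary(conflicts):
    """Counts for the compliance report: total, open, excepted, open by risk."""
    open_ = [c for c in conflicts if c["status"] == "open"]
    by_risk = {}
    for c in open_:
        by_risk[c["risk"]] = by_risk.get(c["risk"], 0) + 1
    return {"total": len(conflicts), "open": len(open_),
            "excepted": len(conflicts) - len(open_), "open_by_risk": by_risk}


def would_conflict(user, new_role, assignments=ASSIGNMENTS, rules=SOD_RULES):
    """Preventive check at provisioning time: rule IDs a proposed grant would violate."""
    roles = _norm(assignments.get(user, set())) | {new_role.strip().lower()}
    return [rule_id for rule_id, a, b, _ in rules if a in roles and b in roles]


if __name__ == "__main__":
    found = find_conflicts()
    for c in found:
        print(f'{c["risk"]:8} {c["rule"]} {c["user"]:11} {c["status"]}')
    print(conflict_summary(found))
    print(would_conflict("carol", "Payment run execution"))
```

Calling `would_conflict` from the mover and JIT approval paths blocks a conflict at grant time, which is cheaper than finding it in the monthly SoD review; service accounts are evaluated exactly like people, which is how the service-account finding in the text surfaces.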
5. Compliance Reporting
ACCESS GOVERNANCE REPORT — Q4 2024
═══════════════════════════════════════
USER STATISTICS:
═══════════════════════════════════════
Total active users: 2,450
Total service accounts: 380
Total external users: 120
New hires (Q4): 85
Terminations (Q4): 62
Transfers (Q4): 34
ACCESS METRICS:
═══════════════════════════════════════
Applications connected: 45
Total entitlements: 18,500
Average entitlements per user: 7.6
Privileged users: 85 (3.5%)
Users with SoD conflicts: 23
COMPLIANCE METRICS:
═══════════════════════════════════════
Access reviews completed: 100% (4 of 4)
SoD conflicts resolved: 18 of 23 (78%)
Orphaned accounts: 0 (all terminated within SLA)
Password compliance: 98% (2% exception — legacy systems)
MFA adoption: 100%
Break-glass usage: 1 (reviewed and approved)
AUDIT FINDINGS:
═══════════════════════════════════════
SOX controls: All operating effectively
PCI-DSS: 2 findings (remediated)
SOC 2: No findings
GDPR: Access logs complete, DSR processing within 30 days
Edge Cases
- Emergency access: Break-glass procedures, sealed credentials
- Mergers/acquisitions: Identity consolidation, access migration
- Contractor lifecycle: Time-bound access, auto-deprovision
- Global workforce: Multi-region IAM, data residency
- Legacy systems: No IAM integration; compensating controls
Integration Points
- IAM platforms: SailPoint, Okta, Entra ID, OneIdentity
- HRIS: Workday, BambooHR, ADP (joiner-mover-leaver)
- Directory: Active Directory, LDAP, Entra ID
- MFA: Duo, RSA, YubiKey, Entra MFA
- PAM: CyberArk, BeyondTrust, Thycotic
- SSO: SAML, OAuth 2.0, OIDC, Kerberos
Output
Governance Summary
ACCESS GOVERNANCE — Q4 2024
═══════════════════════════════════════
Campaign completion: 100%
Access revoked: 1,800 items (9.7%)
SoD conflicts: 5 remaining (from 23)
Compliance: SOX effective, PCI remediated
MFA: 100% adoption
Next campaign: Q1 2025 (January 15)