---
name: identity-access-governance
description: Manage identity governance including access reviews, certification campaigns, provisioning/deprovisioning, role mining, PAM, and compliance reporting. Use when conducting access reviews, managing privileged access, implementing SOX controls for IT access, or performing access certification campaigns. Triggers on phrases like "access review", "access certification", "privileged access", "PAM", "just-in-time access", "role mining", "access governance", "user lifecycle", "provisioning", "deprovisioning", "termination", "joiner-mover-leaver", "Segregation of Duties", "SoD review".
---

# Identity Access Governance

Manage identity governance including access reviews, certification campaigns, privileged access management, and user lifecycle automation.

## Workflow

### 1. User Lifecycle Management

```
JOINER-MOVER-LEAVER (JML) FRAMEWORK
═══════════════════════════════════════

JOINER (New Hire):
═══════════════════════════════════════

  Trigger: HR system (Workday, BambooHR) — employee record created
  Process:
    1. Receive joiner request (department, role, start date, location)
    2. Map role to access profile (pre-defined entitlements)
    3. Create accounts (just-in-time, day before start):
       → Active Directory / Entra ID (identity)
       → Email (Exchange / GSuite)
       → VPN / MFA enrollment
       → Applications (based on role):
         · Engineering: GitHub, Jira, Confluence, Slack, AWS
         · Finance: Oracle, QuickBooks, Excel, SAP
         · Sales: Salesforce, HubSpot, CRM
    4. Provision hardware (laptop, badges, phone)
    5. Send welcome email with setup instructions
    6. Enable accounts on start date (automated)
    7. Notify IT helpdesk and manager

MOVER (Transfer/Promotion):
═══════════════════════════════════════

  Trigger: HR system — role/department change
  Process:
    1. Review current access (full entitlement list)
    2. Compare new role entitlements (delta analysis)
    3. Remove access no longer needed (deprovision)
    4. Add new access (provision)
    5. Manager approval required for sensitive access
    6. Notify access owner of changes
    7. Log all changes for audit trail

LEAVER (Termination):
═══════════════════════════════════════

  Trigger: HR system — termination record
  Process (IMMEDIATE for security):
    1. Disable all accounts (within 1 hour of termination)
    2. Revoke MFA tokens
    3. Terminate VPN access
    4. Forward email to manager (30 days)
    5. Transfer files to manager/shared drive
    6. Reassign shared resources (calendars, documents) to a new owner
    7. Collect hardware (IT helpdesk ticket)
    8. Schedule full deprovision (30 days post-termination)
    9. Document for audit trail
```
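Added example, not part of the skill: turning one HR event into the ordered provisioning actions the JML framework above describes. The role profiles and the `SENSITIVE` set are constructed sample data; the "sensitive access" that needs manager approval is whatever the IAM platform flags in practice.

```python
from datetime import datetime, timedelta

# Constructed role -> entitlement profiles, mirroring the JOINER mapping in the framework.
ROLE_PROFILES = {
    "engineering": {"AD", "Email", "VPN", "GitHub", "Jira", "Confluence", "Slack", "AWS"},
    "finance": {"AD", "Email", "VPN", "Oracle", "QuickBooks", "Excel", "SAP"},
    "sales": {"AD", "Email", "VPN", "Salesforce", "HubSpot", "CRM"},
}
# Assumed list of entitlements whose grant needs manager sign-off (mover step 5).
SENSITIVE = {"AWS", "SAP", "Oracle"}


def process_hr_event(event, current_access, now_iso):
    """Map one joiner/mover/leaver event to an ordered, audit-ready list of actions.

    Timestamps are ISO-8601 strings so the records can be logged or queued as-is.
    """
    now = datetime.fromisoformat(now_iso)
    kind, user = event["type"], event["user"]

    def act(action, target, when, **extra):
        return {"user": user, "action": action, "target": target,
                "when": when.isoformat(), **extra}

    actions = []
    if kind == "joiner":
        # Accounts are created the day before start and enabled on the start date.
        start = datetime.fromisoformat(event["start_date"])
        for ent in sorted(ROLE_PROFILES[event["role"]]):
            actions.append(act("provision", ent, start - timedelta(days=1)))
        actions.append(act("enable", "*", start))
    elif kind == "mover":
        target = ROLE_PROFILES[event["role"]]
        for ent in sorted(current_access - target):   # delta: no longer needed
            actions.append(act("deprovision", ent, now))
        for ent in sorted(target - current_access):   # delta: newly required
            actions.append(act("provision", ent, now,
                               approval="manager" if ent in SENSITIVE else "auto"))
    elif kind == "leaver":
        # Disable within the 1-hour SLA; forward email 30 days; full deprovision at day 30.
        deadline = now + timedelta(hours=1)
        actions.append(act("disable", "*", deadline))
        actions.append(act("revoke_mfa", "MFA", deadline))
        actions.append(act("forward_email", event["manager"], deadline,
                           until=(now + timedelta(days=30)).isoformat()))
        actions.append(act("deprovision", "*", now + timedelta(days=30)))
    else:
        raise ValueError(f"unknown HR event type: {kind}")
    return actions
```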

### 2. Access Reviews & Certification

```
ACCESS CERTIFICATION CAMPAIGN
═══════════════════════════════════════

CAMPAIGN SCHEDULE:
═══════════════════════════════════════

Review Type            Frequency   Scope                 Owner
────────────────────────────────────────────────────────────────
Application access     Quarterly   All applications      App owner
Privileged access      Monthly     Admin/root accounts   Security team
SoD conflicts          Monthly     All users             Compliance
Service accounts       Quarterly   Non-human identities  IAM team
External access        Quarterly   Contractors/vendors   Security

CERTIFICATION WORKFLOW:
═══════════════════════════════════════

  Phase 1: Preparation (3 days)
    → Generate access reports from source systems
    → Enrich with user data (department, role, manager)
    → Pre-populate recommendations (keep/revoke based on policies)
    → Send campaign invitation to reviewers

  Phase 2: Review (14 days)
    → Reviewer logs into IAM portal
    → Reviews each user's access (bulk review for low-risk)
    → Actions: Approve, Revoke, Escalate, Recertify later
    → Requires justification for exceptions
    → Manager notifications for overdue reviews

  Phase 3: Resolution (7 days)
    → Auto-revoke denied access
    → Escalate unresolved items to next-level manager
    → Generate exception reports
    → Close campaign

  Phase 4: Reporting (2 days)
    → Summary report: Access approved, revoked, exceptions
    → Trend analysis: Access growth, orphaned accounts
    → Compliance report: SoD conflicts resolved
    → Audit trail: All actions logged

CAMPAIGN RESULTS — Q4 2024:
═══════════════════════════════════════

  Users reviewed: 2,400
  Access items reviewed: 18,500
  Approved: 16,200 (87.6%)
  Revoked: 1,800 (9.7%)
  Escalated: 500 (2.7%)
  SoD conflicts found: 23
  Orphaned accounts: 45

  Impact:
    → Reduced excessive privilege by 12%
    → Identified 5 former employees with active access
    → Resolved 18 SoD conflicts
```
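Added example, not part of the skill: the Phase 1 pre-population (keep/revoke recommendations) and Phase 3 resolution (auto-revoke, escalate overdue items) of the campaign workflow above. The 90-day unused threshold is an assumption; role profiles, users and access items are constructed inputs that the IAM platform would normally supply.

```python
from datetime import datetime, timedelta

REVIEW_DAYS = 14      # Phase 2 window from the workflow above
UNUSED_DAYS = 90      # assumption: an entitlement idle this long is recommended for revoke


def prepopulate(items, users, role_profiles, campaign_start_iso):
    """Phase 1: attach a keep/revoke recommendation and its reason to every access item."""
    start = datetime.fromisoformat(campaign_start_iso)
    out = []
    for it in items:
        user = users.get(it["user"])
        if user is None or user["status"] == "terminated":
            rec, why = "revoke", "orphaned: no active HR record"      # former employee
        elif it["entitlement"] not in role_profiles.get(user["role"], set()):
            rec, why = "revoke", f"not in the {user['role']} access profile"
        elif start - datetime.fromisoformat(it["last_used"]) > timedelta(days=UNUSED_DAYS):
            rec, why = "revoke", f"unused for more than {UNUSED_DAYS} days"
        else:
            rec, why = "keep", "in role profile and recently used"
        out.append({**it, "recommendation": rec, "reason": why})
    return out


def resolve(items, decisions, campaign_start_iso, now_iso):
    """Phase 3: apply reviewer decisions, auto-revoke denials, escalate what is still open."""
    start = datetime.fromisoformat(campaign_start_iso)
    overdue = datetime.fromisoformat(now_iso) > start + timedelta(days=REVIEW_DAYS)
    actions = {"keep": [], "revoke": [], "escalate": [], "open": []}
    for it in items:
        decision = decisions.get((it["user"], it["entitlement"]))
        if decision == "approve":
            actions["keep"].append(it)
        elif decision == "revoke":
            actions["revoke"].append(it)          # auto-revoke denied access
        elif decision == "escalate" or overdue:
            actions["escalate"].append(it)        # unresolved after 14 days: next-level manager
        else:
            actions["open"].append(it)            # still inside the review window
    return actions


def campaign_summary(actions):
    """Phase 4 figures: count and percentage per outcome, like the Q4 results above."""
    total = sum(len(v) for v in actions.values()) or 1
    return {k: (len(v), round(100.0 * len(v) / total, 1)) for k, v in actions.items()}
```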

### 3. Privileged Access Management (PAM)

```
PRIVILEGED ACCESS FRAMEWORK
═══════════════════════════════════════

PRIVILEGE TIERS:
═══════════════════════════════════════

Tier    Role                     Access Level        Approval     Review
──────────────────────────────────────────────────────────────────────────
Tier 1  Helpdesk L1/L2           Limited admin       IT Manager   Quarterly
Tier 2  System Admin             Server admin        IT Director  Monthly
Tier 3  Security Admin           Security tools      CISO         Monthly
Tier 4  Emergency/Break-glass    Root/Admin          CISO+CEO     Per-use
Tier 5  Service Accounts         Application-level   App Owner    Quarterly

JUST-IN-TIME (JIT) ACCESS:
═══════════════════════════════════════

  → Privileges granted only when needed
  → Time-bound access (1-4 hours)
  → Request approval workflow
  → Session recording (screen capture + keystroke logging)
  → Auto-revoke after session expires
  → All sessions logged for audit

JIT REQUEST FLOW:
═══════════════════════════════════════

  1. User requests access: Application + duration + justification
  2. Manager approval (automatic for routine, manual for sensitive)
  3. Access granted for requested duration
  4. Session starts: Screen recording + command logging enabled
  5. Session ends: Access revoked automatically
  6. Session review: Logged, searchable

BREAK-GLASS ACCOUNTS:
═══════════════════════════════════════

  → Emergency access when normal PAM is unavailable
  → Credentials stored in sealed envelope / hardware vault
  → Usage triggers immediate alert to security team
  → Full session recording required
  → Post-incident review mandatory within 24 hours
  → Credentials rotated after each use
```
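Added example, not part of the skill: a minimal JIT grant lifecycle following the request flow above (request, approval, expiry check) plus the alert and follow-up a break-glass use must raise. Which tiers count as routine (auto-approved) is an assumption; the 1-4 hour window and the 24-hour review come from the framework.

```python
from datetime import datetime, timedelta

MIN_HOURS, MAX_HOURS = 1, 4                 # time-bound access window from the framework
ROUTINE_TIERS = {"Tier 1"}                  # assumption: only limited helpdesk admin is routine


def request_jit(user, tier, target, hours, justification, now_iso):
    """Steps 1-3: validate the request and return a time-bound grant record."""
    if not justification.strip():
        raise ValueError("justification is required")
    if not MIN_HOURS <= hours <= MAX_HOURS:
        raise ValueError(f"duration must be {MIN_HOURS}-{MAX_HOURS} hours")
    now = datetime.fromisoformat(now_iso)
    return {
        "user": user, "tier": tier, "target": target, "justification": justification,
        "starts": now.isoformat(), "expires": (now + timedelta(hours=hours)).isoformat(),
        "status": "approved" if tier in ROUTINE_TIERS else "pending_manager",
        "session_recording": True,          # step 4: screen capture + command logging
        "audit": [f"{now.isoformat()} requested by {user}"],
    }


def approve(grant, approver, now_iso):
    """Step 2 for sensitive tiers: manager approval moves the grant to 'approved'."""
    if grant["status"] != "pending_manager":
        raise ValueError("grant is not awaiting approval")
    if approver == grant["user"]:
        raise ValueError("requester cannot approve their own access")
    grant["status"] = "approved"
    grant["audit"].append(f"{now_iso} approved by {approver}")
    return grant


def is_active(grant, now_iso):
    """Step 5: access is usable only while approved and before expiry (auto-revoke)."""
    now = datetime.fromisoformat(now_iso)
    return grant["status"] == "approved" and now < datetime.fromisoformat(grant["expires"])


def break_glass_use(account, user, now_iso):
    """Every break-glass use alerts security, forces rotation and a review within 24 h."""
    now = datetime.fromisoformat(now_iso)
    return {
        "alert": f"BREAK-GLASS {account} used by {user} at {now.isoformat()}",
        "rotate_credentials": True,
        "session_recording": True,
        "review_due": (now + timedelta(hours=24)).isoformat(),
    }
```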

### 4. Segregation of Duties (SoD)

```
SOD MATRIX — IT AND FINANCE
═══════════════════════════════════════

SoD Rule ID   Incompatible Role A        Incompatible Role B         Risk
──────────────────────────────────────────────────────────────────────────────
SoD-01        Code developer             Production deployer         High
SoD-02        Financial entry creator    Financial entry approver    Critical
SoD-03        Purchase order creator     Vendor payment approver     High
SoD-04        IT system administrator    Security log reviewer       Medium
SoD-05        Master data creator        Transaction processor       High
SoD-06        Bank reconciliation        Payment run execution       Critical
SoD-07        Change request creator     Change approval authority   Medium
SoD-08        User provisioning          Access review approver      Medium

SOD DETECTION AND RESOLUTION:
═══════════════════════════════════════

  Current conflicts detected: 23

  Priority 1 — Critical (4 conflicts):
    → 2 users with both entry creation AND approval (Finance)
    → 1 user with bank reconciliation AND payment execution
    → 1 service account with full admin + log management

  Resolution options:
    1. Remove conflicting access (preferred)
    2. Compensating control (enhanced monitoring + approval)
    3. Role split (separate users for conflicting duties)
    4. Exception approval (business justification + sign-off)
```
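Added example, not part of the skill: detecting SoD conflicts by checking each identity's roles against the matrix above, ranking them Critical first, and separating conflicts that already have an approved exception (resolution option 4) from those queued for removal (option 1). The user-to-role data is constructed.

```python
# The SoD matrix from this section, as (rule id, role A, role B, risk).
SOD_RULES = [
    ("SoD-01", "Code developer", "Production deployer", "High"),
    ("SoD-02", "Financial entry creator", "Financial entry approver", "Critical"),
    ("SoD-03", "Purchase order creator", "Vendor payment approver", "High"),
    ("SoD-04", "IT system administrator", "Security log reviewer", "Medium"),
    ("SoD-05", "Master data creator", "Transaction processor", "High"),
    ("SoD-06", "Bank reconciliation", "Payment run execution", "Critical"),
    ("SoD-07", "Change request creator", "Change approval authority", "Medium"),
    ("SoD-08", "User provisioning", "Access review approver", "Medium"),
]
RISK_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


def detect_sod_conflicts(user_roles, exceptions=frozenset()):
    """Return one finding per (identity, rule) where both incompatible roles are held.

    `user_roles` maps an identity (user or service account) to its roles; `exceptions`
    holds (identity, rule id) pairs that already carry an approved business justification.
    Findings are ordered Critical, High, Medium, then by identity name.
    """
    findings = []
    for user, roles in user_roles.items():
        held = set(roles)
        for rule_id, role_a, role_b, risk in SOD_RULES:
            if role_a in held and role_b in held:
                approved = (user, rule_id) in exceptions
                findings.append({
                    "user": user, "rule": rule_id, "risk": risk, "roles": (role_a, role_b),
                    "resolution": ("exception on file, re-certify next campaign" if approved
                                   else "remove conflicting access"),
                })
    # Stable sort: within one identity the matrix order is preserved.
    findings.sort(key=lambda f: (RISK_ORDER[f["risk"]], f["user"]))
    return findings


def conflict_summary(findings):
    """Counts per risk level plus the removal queue, in the shape of the report above."""
    by_risk = {}
    for f in findings:
        by_risk[f["risk"]] = by_risk.get(f["risk"], 0) + 1
    to_remove = [(f["user"], f["rule"]) for f in findings
                 if f["resolution"] == "remove conflicting access"]
    return {"by_risk": by_risk, "to_remove": to_remove}
```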

### 5. Compliance Reporting

```
ACCESS GOVERNANCE REPORT — Q4 2024
═══════════════════════════════════════

USER STATISTICS:
═══════════════════════════════════════

  Total active users: 2,450
  Total service accounts: 380
  Total external users: 120
  New hires (Q4): 85
  Terminations (Q4): 62
  Transfers (Q4): 34

ACCESS METRICS:
═══════════════════════════════════════

  Applications connected: 45
  Total entitlements: 18,500
  Average entitlements per user: 7.6
  Privileged users: 85 (3.5%)
  Users with SoD conflicts: 23

COMPLIANCE METRICS:
═══════════════════════════════════════

  Access reviews completed: 100% (4 of 4)
  SoD conflicts resolved: 18 of 23 (78%)
  Orphaned accounts: 0 (all terminated within SLA)
  Password compliance: 98% (2% exception — legacy systems)
  MFA adoption: 100%
  Break-glass usage: 1 (reviewed and approved)

AUDIT FINDINGS:
═══════════════════════════════════════

  SOX controls: All operating effectively
  PCI-DSS: 2 findings (remediated)
  SOC 2: No findings
  GDPR: Access logs complete, DSR processing within 30 days
```

## Edge Cases

- **Emergency access**: Break-glass procedures, sealed credentials
- **Mergers/acquisitions**: Identity consolidation, access migration
- **Contractor lifecycle**: Time-bound access, auto-deprovision
- **Global workforce**: Multi-region IAM, data residency
- **Legacy systems**: No IAM integration; compensating controls

## Integration Points

- **IAM platforms**: SailPoint, Okta, Entra ID, OneIdentity
- **HRIS**: Workday, BambooHR, ADP (joiner-mover-leaver)
- **Directory**: Active Directory, LDAP, Entra ID
- **MFA**: Duo, RSA, YubiKey, Entra MFA
- **PAM**: CyberArk, BeyondTrust, Thycotic
- **SSO**: SAML, OAuth 2.0, OIDC, Kerberos

## Output

### Governance Summary

```
ACCESS GOVERNANCE — Q4 2024
═══════════════════════════════════════

Campaign completion: 100%
Access revoked: 1,800 items (9.7%)
SoD conflicts: 5 remaining (from 23)
Compliance: SOX effective, PCI remediated
MFA: 100% adoption
Next campaign: Q1 2025 (January 15)
```
