Incomplete Deactivation

In many organizations, there is no complete record of every login ID associated with users. As a result, access deactivation may be incomplete, leaving some login IDs enabled on systems where system administrators did not know the user had them.

In other organizations, the termination process does not notify every relevant system administrator of a user's departure. In these cases, system administrators may fail to remove old login IDs simply because they were unaware of the user's status.

Regardless of the cause, access deactivation is often slow, unreliable or incomplete.

• Access Certifier is an effective tool to periodically review the access rights held by each user and to flag inappropriate access rights for termination.
• One of Access Certifier's modes of operation is to invite managers to review a list of their direct subordinates and to flag departed users. This process can catch stragglers whose entitlements were not properly deactivated.

Access Certifier can be used by organizations to ensure that access deactivation is comprehensive and reliable.