- Too many security groups and mail distribution lists.
- Groups represent business functions but are only manageable by IT.
- Hard to tell whether membership and access are appropriate.
- Assigning privileges is complex and costly.
- Groups and memberships persist long after needed.
- Empower business users to create, manage groups directly.
- Apply policy to requests, naming, metadata.
- Make groups and memberships temporary where possible.
- Calculate group membership where there is supporting data.
- Use request/approval and review/revoke workflows to clean up.
- Apply analytics to find too-small, too-large, overlapping, etc.