Over an employee or contractor's tenure in an organization, the user is likely to undergo business changes a number of times. Users may be assigned to a sequence of different projects, may be promoted, transferred or change locations.

Any one of these business events may trigger access changes -- typically in the form of additional entitlements required for the user's new responsibility or project.

Additive access changes happen reliably, because users who lack the security rights they need inevitably complain to IT and are granted the missing rights. Unfortunately, users do not complain about having excess privileges. As a result, processes to terminate no-longer-required privileges are rarely timely or reliable, and over time users accumulate unneeded privileges.

Access certification is a method for addressing entitlement accumulation. Periodically, managers, application owners or other business stakeholders are invited to review current user privileges and identify high-risk items that appear to be inappropriate. These reviews can be described as "micro audits" since they are local in scope -- managers review their direct subordinates, application owners review users of their applications, etc.

A workflow process is used in conjunction with access reviews, to verify that the privileges flagged for removal are truly unneeded, at which time they are deactivated.

Using access certification, excess rights can be periodically revoked in a reliable, auditable fashion.
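The following is an added illustration of the process described above, not code from Hitachi ID or from the product itself. It models, with constructed sample data, how accumulated entitlements can be detected against a role baseline, scoped into a manager's "micro audit" of direct reports, decided as certify or revoke for every item, and then deactivated only after a second workflow confirmation. The role names, entitlement names, user names and the `owner_confirms` callback are all assumptions made for the example.

```python
"""Minimal model of an access-certification campaign (added example)."""
from dataclasses import dataclass

# Constructed baseline: entitlements each role legitimately needs.
ROLE_BASELINE = {
    "accounts_payable": {"erp-ap-read", "erp-ap-post"},
    "payroll": {"hr-payroll-read", "hr-payroll-run"},
    "helpdesk": {"ticketing-agent", "ad-password-reset"},
}


@dataclass
class User:
    uid: str
    manager: str
    role: str
    entitlements: set


def sample_users():
    """Constructed directory snapshot: alice and dave changed roles and
    kept rights from their previous jobs (entitlement accumulation)."""
    return [
        User("alice", "carol", "payroll",
             {"hr-payroll-read", "hr-payroll-run", "erp-ap-post"}),
        User("bob", "carol", "helpdesk",
             {"ticketing-agent", "ad-password-reset"}),
        User("dave", "erin", "accounts_payable",
             {"erp-ap-read", "erp-ap-post", "ad-password-reset"}),
    ]


def excess_entitlements(user):
    """Entitlements not explained by the user's current role."""
    return user.entitlements - ROLE_BASELINE.get(user.role, set())


def build_review(users, reviewer):
    """Micro-audit scope: only the reviewer's direct reports.
    Every entitlement becomes a review item; excess ones are pre-flagged."""
    return [
        {"user": u.uid, "entitlement": e, "flagged": e in excess_entitlements(u)}
        for u in users if u.manager == reviewer
        for e in sorted(u.entitlements)
    ]


def record_decisions(items, decisions):
    """decisions maps (uid, entitlement) -> 'certify' | 'revoke'.
    Every item must be decided; an undecided item blocks closing the
    campaign. Returns the list of revocations to hand to the workflow."""
    pending = []
    for item in items:
        key = (item["user"], item["entitlement"])
        verdict = decisions.get(key)
        if verdict not in ("certify", "revoke"):
            raise ValueError(f"no decision recorded for {key}")
        if verdict == "revoke":
            pending.append(key)
    return pending


def deactivate(users, pending, owner_confirms):
    """Workflow step: each flagged revocation is confirmed by a second
    party (assumed callback owner_confirms(uid, entitlement) -> bool)
    before the entitlement is actually removed. Returns an audit log."""
    by_uid = {u.uid: u for u in users}
    audit = []
    for uid, ent in pending:
        if owner_confirms(uid, ent):
            by_uid[uid].entitlements.discard(ent)
            audit.append((uid, ent, "revoked"))
        else:
            audit.append((uid, ent, "kept: owner rejected revocation"))
    return audit


if __name__ == "__main__":
    users = sample_users()
    items = build_review(users, "carol")
    for it in items:
        print(it)
    verdicts = {(i["user"], i["entitlement"]): "revoke" if i["flagged"] else "certify"
                for i in items}
    pending = record_decisions(items, verdicts)
    for entry in deactivate(users, pending, lambda uid, ent: True):
        print(entry)
```

The two-stage shape matters: the manager's review produces only a list of flagged items, and nothing is removed until the workflow confirmation runs, which is what makes the cleanup both reliable and auditable.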

Hitachi ID Access Certifier is a solution for distributed review and cleanup of users and entitlements. It works by asking managers, application owners and data owners to review lists of users and entitlements. These stakeholders must choose to either certify or revoke every user and entitlement.

Access Certifier is included with Hitachi ID Identity Manager at no extra cost.
