If the primary purpose of identity and access management is to ensure that users have only the entitlements they require to do their jobs, no more or no less, then the RSA IMG user access review (or "review" for the sake of brevity) is the primary instrument for supporting that purpose. Regularly scheduled reviews ensure compliance with access security policies in your organization. But that goal is undermined if reviews are not completed in a timely manner. (How long do you want someone with inappropriate access to retain that access?) Human factors come into play:
- A reviewer may not be qualified to decide whether to maintain entitlements that are in violation of a user access or segregation of duties rule. In some cases, "exceptional access" can and should be maintained to users who have those entitlements. In other cases, they should immediately be revoked. In either case, the review process is best served by allowing a reviewer to delegate responsibility to another reviewer who is qualified and can address the review items.
- Some reviewers simply do not or cannot complete their reviews on time. In either case, a review owner or a review monitor should be able to delegate review items to someone who is available and who will complete the review on time.
Reviews can be configured to allow review participants — reviewers, review owners, and review monitors — to delegate review items to someone else or simply relinquish responsibility for review items. Specifically, RSA IMG provides the following review delegation options that can be configured for a review:
- Allow sharing of review (or owner/monitor) items — The reviewers or owner/monitors can share review items with other users.
- Allow reassignment of review (or owner/monitor) items — The reviewers and owner/monitors relinquish review items and give them to others.
- Allow unassignment of review (or owner/monitor) items — The reviewers and owner/monitors relinquish review items.
Another option, a review “escalation”, enables you to automate review reassignment. Here, you simply specify a "trigger date," which specifies when you want the escalation initiated, and the workflow that designates who the review should be assigned to. RSA IMG provides a default reassignment workflow that delegates the review to a reviewer's supervisor. You can create additional workflows to customize the reassignment process.
With these reassignment and delegation features at your disposal, you can ensure that your reviews are completed within a time frame that meets your access compliance policies. If you are a current RSA IMG user, how have you used the review delegation features? Feel free to share. And readers, feel free to ask questions.