What is the approach you apply in your organization for user access reviews? Who is reviewing the user access? Business owner - users on his system/app? Supervisor - access for his reports? Somebody else? Are you using a multi-level review model - a reviewer does a portion, another reviewer will take over and finish? Are you using a risk-based approach? If so, how?
Until now, in our organization (40k+ people, hundreds of apps - mainly servers) we used user access reviews performed by the business owner. This is working for business applications, but not for all. Especially not for IT infrastructure apps and IT systems (servers) we loaded into IG&L recently. Example: some of the BOs need to complete 20+ reviews each month. This is not sustainable anymore, so we are considering an alternative review model for IT infra & systems - review the user access by supervisors, instead of BOs.
What is your approach to user access reviews?
Thank you for your answers.