Hello,
What is the approach you apply in your organization for user access reviews? Who is reviewing the user access? The business owner, for the users on his system/app? The supervisor, for the access of his reports? Somebody else? Are you using a multi-level review model, where one reviewer does a portion and another reviewer takes over and finishes? Are you using a risk-based approach? If so, how?
Our case:
Until now, in our organization (40k+ people, hundreds of apps, mainly servers) we used user access reviews performed by the business owner. This is working for business applications, but not for all of them, especially not for the IT infrastructure apps and IT systems (servers) we loaded into IG&L recently. Example: some of the BOs need to complete 20+ reviews each month. This is not sustainable anymore, so we are considering an alternative review model for IT infra & systems: review the user access by supervisors instead of BOs.
What is your approach to user access reviews?
Thank you for your answers.
Roman Chlebcok
Hi,
Is the problem a) the number of created reviews or b) the number of entitlements to be reviewed?
In case a) you can create one user access review which covers all IT infra apps and servers as well. The reviewers will see all the user entitlements to be reviewed in a single review.
In case b) you have to decrease the number of entitlements to be reviewed. You can ask Risk Management to classify apps and review entitlements only from risky apps, or you can classify the entitlements themselves based on some custom attribute (entitlement_classification, collected or managed, as it serves you better). Again, this needs some effort from Risk Management to classify the entitlements.
Regards,
Zoltan
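The two options in the reply above (one consolidated review per reviewer, and filtering entitlements by a risk classification attribute), together with the supervisor-instead-of-BO routing for infrastructure items from the original question, as an added illustration in plain Python. This is example code written for this thread, not IG&L functionality or anyone's production logic; the `Entitlement` fields, the `app_type` and `risk` classifications, the owner and supervisor maps, and the sample entitlements are all constructed for the example.

```python
"""Consolidated, risk-filtered user access review generation (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed ordering for a hypothetical entitlement_classification attribute.
# Higher rank means riskier.
RISK_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class Entitlement:
    user: str
    app: str
    name: str
    app_type: str   # "business" or "infra" (hypothetical app classification)
    risk: str       # "low" | "medium" | "high" (hypothetical entitlement classification)


# Constructed sample data: who owns each app/server and who supervises each user.
BUSINESS_OWNERS = {"erp": "bo.finance", "crm": "bo.sales",
                   "srv-db01": "bo.dba", "srv-web01": "bo.web"}
SUPERVISORS = {"alice": "mgr.ops", "bob": "mgr.ops", "carol": "mgr.fin"}

ENTITLEMENTS = [
    Entitlement("alice", "erp", "AP Clerk", "business", "medium"),
    Entitlement("bob", "erp", "AP Approver", "business", "high"),
    Entitlement("carol", "crm", "Sales Rep", "business", "low"),
    Entitlement("alice", "srv-db01", "sudo", "infra", "high"),
    Entitlement("bob", "srv-db01", "login", "infra", "low"),
    Entitlement("carol", "srv-web01", "login", "infra", "medium"),
    Entitlement("bob", "srv-web01", "root", "infra", "high"),
]


def pick_reviewer(ent, business_owners, supervisors, infra_to_supervisor):
    """Business apps always go to the BO. Infra items go to the user's
    supervisor when infra_to_supervisor is set, otherwise to the system's BO."""
    if ent.app_type == "infra" and infra_to_supervisor:
        return supervisors[ent.user]
    return business_owners[ent.app]


def build_reviews(entitlements, business_owners, supervisors,
                  infra_to_supervisor=True, min_risk="low"):
    """Return {reviewer: [entitlements]}: one consolidated review per reviewer
    (case a), containing only entitlements at or above min_risk (case b)."""
    threshold = RISK_RANK[min_risk]
    reviews = defaultdict(list)
    for ent in entitlements:
        if RISK_RANK[ent.risk] < threshold:
            continue  # below the risk threshold: not part of this review cycle
        reviewer = pick_reviewer(ent, business_owners, supervisors, infra_to_supervisor)
        reviews[reviewer].append(ent)
    return dict(reviews)


def review_load(reviews):
    """(reviewer, item count) pairs, heaviest load first, name as tie-breaker."""
    return sorted(((r, len(items)) for r, items in reviews.items()),
                  key=lambda rc: (-rc[1], rc[0]))


if __name__ == "__main__":
    scenarios = [("BO reviews everything", {"infra_to_supervisor": False}),
                 ("infra routed to supervisors", {}),
                 ("high-risk entitlements only", {"min_risk": "high"})]
    for label, kwargs in scenarios:
        reviews = build_reviews(ENTITLEMENTS, BUSINESS_OWNERS, SUPERVISORS, **kwargs)
        print(f"{label}: {len(reviews)} reviews, load {review_load(reviews)}")
```

Running the three scenarios shows the trade-off the thread is about: routing infrastructure items to supervisors spreads the load away from the BOs, while the risk threshold cuts the number of entitlements (and reviews) outright, at the cost of someone first having to classify them.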