A few years ago I traveled to Texas to perform a penetration test on the website for an oil company. I landed at the Houston (Bush) airport, ventured out under the overhang and got on the rental car bus, got off the bus under another overhang, went out under another overhang and got in the car, drove to a parking garage, took the elevator up to an above-ground tunnel to the building across the street, visited the customer, then did the same thing in reverse.
Sitting on the plane to go home late that day, something very strange occurred to me: not once during the entire day trip to Houston was I ever directly under the sky. The entire time there, I had something over my head.
This is how a good IdM (identity management) system is supposed to work. Cradle to grave, you are always covered. You don’t get in, you don’t get stuff, you don’t get out, without the policies going along. You don’t get into the directory unless the authoritative source (hopefully the HR system) says you belong there. You don’t get group memberships or attribute values unless your role or job code or hat size (as specified in said directory) is in agreement. You don’t get access to target systems unless those group memberships or attributes or roles say you can.
If you get access rights out of band, you don’t keep them if the policies don’t back them up. You can’t even request additional access unless you’re authorized. You can’t see possible access rights in the catalog unless you’re entitled to them.
(Kind of unrelated, but you don’t get to complain about the government unless you VOTE.)
You don’t get to make requests, perform approvals, perform provisioning tasks, perform other administrative tasks, access a resource, change your password, or do much of anything else, without your actions being captured for later reporting and auditing. Yeah, that’s kinda creepy, but that’s called security and compliance.
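The chain described above (HR feed as the authoritative source, job code driving entitlements, out-of-band grants revoked on reconciliation, the request catalog filtered by entitlement, and every decision audited) in miniature. This is an added illustration, not code from the original post or from any particular IdM product; the HR feed, job codes, entitlement names and catalog items are all constructed for the example.

```python
"""Toy policy-driven IdM reconciliation (added example, not from the original post).

Constructed data throughout: the HR feed, role policy, catalog and target-system
state below are invented for illustration, not real organisational data.
"""
from dataclasses import dataclass, field

# Authoritative source: a constructed HR feed. Only people who appear here with
# an active status belong in the directory at all.
HR_FEED = {
    "alice": {"status": "active", "job_code": "ENG-2"},
    "bob": {"status": "active", "job_code": "FIN-1"},
    "carol": {"status": "terminated", "job_code": "ENG-2"},
}

# Policy: job code -> entitlements (group memberships on target systems).
ROLE_POLICY = {
    "ENG-2": {"git:developers", "vpn:engineering"},
    "FIN-1": {"erp:ap-clerk", "vpn:finance"},
}

# Request catalog: what can be asked for, and which job codes may ask for it.
CATALOG = {
    "git:release-managers": {"ENG-2"},
    "erp:ap-approver": {"FIN-1"},
    "vpn:engineering": {"ENG-2"},
}


@dataclass
class AuditLog:
    """Every grant, revoke and request decision is captured here for later review."""
    events: list = field(default_factory=list)

    def record(self, actor, action, subject, detail):
        self.events.append(
            {"actor": actor, "action": action, "subject": subject, "detail": detail}
        )


def derive_entitlements(user):
    """Policy-derived entitlements; terminated or unknown users derive to nothing."""
    rec = HR_FEED.get(user)
    if rec is None or rec["status"] != "active":
        return set()
    return set(ROLE_POLICY.get(rec["job_code"], set()))


def reconcile(user, actual, audit, actor="idm-engine"):
    """Compare what the user actually holds against what policy says they should.

    Returns (to_grant, to_revoke). Anything held that policy does not back
    (an out-of-band grant, or everything once HR says 'terminated') lands in
    to_revoke. Each decision is written to the audit log.
    """
    desired = derive_entitlements(user)
    to_grant = desired - set(actual)
    to_revoke = set(actual) - desired
    for ent in sorted(to_grant):
        audit.record(actor, "grant", user, ent)
    for ent in sorted(to_revoke):
        audit.record(actor, "revoke", user, f"{ent} (not backed by policy)")
    return to_grant, to_revoke


def visible_catalog(user):
    """Catalog items the user is entitled to see and request, per job code."""
    rec = HR_FEED.get(user)
    if rec is None or rec["status"] != "active":
        return set()
    return {item for item, codes in CATALOG.items() if rec["job_code"] in codes}


def request_access(user, item, audit):
    """A request is accepted only if the item is in the user's visible catalog."""
    allowed = item in visible_catalog(user)
    audit.record(user, "request", item, "accepted" if allowed else "denied")
    return allowed


if __name__ == "__main__":
    audit = AuditLog()
    # Alice holds erp:ap-clerk that nobody's policy gave her: it comes off.
    print(reconcile("alice", {"git:developers", "erp:ap-clerk"}, audit))
    # Carol has left; everything she still holds is revoked.
    print(reconcile("carol", {"git:developers", "vpn:engineering"}, audit))
    # Bob cannot even request an engineering-only item.
    print(request_access("bob", "git:release-managers", audit))
    for event in audit.events:
        print(event)
```

The point of the shape is that no function consults anything but the HR record and the policy tables: a target system's current state is an input to be corrected, never a source of truth, and the catalog a user can browse is computed from the same policy that later decides the approval.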
You are always covered. Until you leave.
No, you don’t get to see the sky. Unless you own the company, and you’re not publicly traded.