The Black Book of Identity Access Mgmt

    Tuesday, Jan 29, 2013

    Decisions, decisions: You CAN get there from here

    It’s not enough to simply make important security decisions. You have to provide your documented reason for each decision. The only person who really gets away with deciding something without justification is your mom.

    “Mom, why can’t I have a cookie before dinner?”

    “Because I said so.”

    Justifications are good things. First off, they’re part of the documentation process. Auditors want to know why and how users received entitlements. They want to know why those entitlements were later revoked. If you somehow mitigated an SoD violation, if you approved an override to a policy, if you granted temporary privileged access, you need to say why.

    These justifications also lead the way to future decisions, by way of setting precedents.

    So here’s how information serves you. If you’re an approver looking at a request for additional access, you might say, “I don’t know the requester that well. Or he’s only been in my department for a week. Or I haven’t yet determined the level of risk the organization deems acceptable for this kind of request. And so on.”

    So how do you make yourself comfortable, or at least cover your butt? Examine what other people in the approval chain said. Who approved their piece of the request before it came to you? What else does the requester already have in terms of entitlements? What has he had in the past?

    Now, let’s say it’s time for you to certify users for existing privileges. “Here are all the people who can currently access this application. It’s that time of year, so let’s review who keeps it and who loses it.”

    So you create a certification process in analytics, and reviewers receive their lists of users they are required to certify. Okay, now I’ve got a guy on my screen who may or may not need to keep that access. But again, I don’t know if I have all the info I need to make that decision. So I should be able to readily examine the risk level of the combination of this user and this privilege. And I should be able to click a link and see how long he’s had that access, or HOW HE GOT IT. Was it a request, and if so, was it requested by him or his boss? Did he get it automatically, based on rules that acted on his profile in the HR system? Did he get it in some back-door fashion, bypassing the appropriate approval process?

    Okay, so he got it through a request. I can click another link and see all the people who originally participated in the approval process.

    I can even see what other people have that access.
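    The review context described above, pulled together in code as an added example (this is not code from the original post and is not an Oracle Identity Manager or Identity Analytics API; the record layout, the `source` values `request`/`rule`/`direct`, the risk ratings and the sample grants are all constructed assumptions for illustration):

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Constructed sample records. Field names are assumptions for illustration,
# not the schema of any real identity product.


@dataclass
class Approval:
    approver: str
    decision: str        # "approved" or "rejected"
    justification: str   # the documented reason for the decision


@dataclass
class Grant:
    user: str
    entitlement: str
    granted_on: date
    source: str                           # "request", "rule" (HR-profile policy), or "direct" (assigned outside the request flow)
    requested_by: Optional[str] = None    # who raised the request, when source == "request"
    approvals: List[Approval] = field(default_factory=list)


# Constructed risk ratings per entitlement (assumed, not from any product).
ENTITLEMENT_RISK = {"gl_post": "high", "reports_ro": "low"}


def review_context(grant: Grant, all_grants: List[Grant], today: date) -> dict:
    """Assemble what a certifier should see before deciding keep or revoke:
    risk, tenure, how the access was obtained, who approved it, who else has it,
    and anything that suggests the approval process was bypassed or undocumented."""
    flags = []
    if grant.source == "direct":
        flags.append("granted outside the request/approval process")
    if grant.source == "request":
        if not grant.approvals:
            flags.append("request has no recorded approvals")
        if grant.requested_by == grant.user:
            flags.append("self-requested")
    for a in grant.approvals:
        if not a.justification.strip():
            flags.append(f"approval by {a.approver} has no justification")
    peers = sorted(g.user for g in all_grants
                   if g.entitlement == grant.entitlement and g.user != grant.user)
    return {
        "user": grant.user,
        "entitlement": grant.entitlement,
        "risk": ENTITLEMENT_RISK.get(grant.entitlement, "unrated"),
        "held_for_days": (today - grant.granted_on).days,
        "how_obtained": grant.source,
        "requested_by": grant.requested_by,
        "approvers": [a.approver for a in grant.approvals if a.decision == "approved"],
        "peers_with_same_access": peers,
        "flags": flags,
    }


def certification_queue(all_grants: List[Grant], today: date) -> List[dict]:
    """Order the reviewer's list so high-risk, flagged grants are looked at first."""
    order = {"high": 0, "medium": 1, "low": 2, "unrated": 3}
    contexts = [review_context(g, all_grants, today) for g in all_grants]
    return sorted(contexts, key=lambda c: (order[c["risk"]], -len(c["flags"]), c["user"]))


# Constructed sample grants: one properly approved request, one self-made request
# with no approvals, one direct assignment, one rule-driven low-risk grant.
SAMPLE_GRANTS = [
    Grant("alice", "gl_post", date(2012, 3, 1), "request", requested_by="bob",
          approvals=[Approval("bob", "approved", "Alice covers month-end close for the team"),
                     Approval("carol", "approved", "Risk accepted for finance staff")]),
    Grant("dave", "gl_post", date(2013, 1, 22), "request", requested_by="dave"),
    Grant("erin", "gl_post", date(2012, 11, 15), "direct"),
    Grant("frank", "reports_ro", date(2011, 6, 1), "rule"),
]

if __name__ == "__main__":
    for ctx in certification_queue(SAMPLE_GRANTS, date(2013, 1, 29)):
        print(ctx)
```

    Run as-is, the queue puts the two high-risk grants with flags (no approvals, self-requested, direct assignment) ahead of the properly approved one, and the low-risk rule-driven grant last; the `flags` list is where a reviewer would find the back-door and missing-justification cases the post asks about.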

    In my world, I would use Oracle Identity Manager to make those requests and approvals, and Oracle Identity Analytics to perform that certification. In the broader world, I need to make sure I stay secure, and I need to stay compliant, by making the right decisions for the right reasons. Oh, and by the way, once I make those decisions, I also add to the greater documentation posture, so that the next person in my position can also make good decisions. Because, y’know, I only do smart stuff, so you should do what I do.