An access rights review, also known as authorisation recertification, is an essential component of an IAM strategy, closely linked to identity lifecycle management and to account and rights provisioning.
The aim is to ensure that information system users hold exactly the access rights they are entitled to, to certify those rights, and, where necessary, to carry out remediation when the company's authorisation policy is not being complied with.
This IAM component therefore supports good governance and control of authorisations, providing the expected compliance guarantees. It allows companies not only to enforce their security policy and limit operational risk, but also to meet a wide range of regulatory requirements, including regular audits by the parent company or by external auditors.
Which best practices should be followed for effective rights review campaigns?
For rights reviews to be genuinely effective, one challenge is to involve line managers: they must be able to judge simply whether their teams' authorisations are legitimate and justified.
This entails, at least:
- Determining a relevant and reasonable scope for the review: which user populations, which applications, which business managers, etc.
- Raising awareness among, and providing tools, training and support for, the business managers involved in the review campaign
- Industrialising the authorisation review with appropriate tooling and a precise methodology
While an access rights review is a highly operational identity and access control and governance process, it must be closely linked to the identity and access management platform. That platform must be able to organise recertification campaigns in which every stakeholder takes part according to their remit, and it must offer a rich set of functions:
- Advanced configuration of rights review campaigns (duration, frequency, targeted resources and populations, campaign administrators and approvers, etc.),
- Capacity to run preliminary simulations of the rights to be recertified, in order to anticipate how anomalies will be handled,
- Notification and approval workflows so that the people involved in the campaign can approve or reject the authorisations they are responsible for,
- Capacity to act on the results, including recalculating the rights model if necessary and remediating any anomalies observed, where appropriate through automated provisioning and deprovisioning operations,
- Detailed reports on rights review campaigns and tracking of their progress: percentage of rights reviewed, statistics, etc.
Discover the advanced access rights review features of our Meibo People Pack identity and authorisation management solution.
Main challenges and benefits of an access rights review
An access rights review helps not only to control the operational risks arising from the authorisations actually in effect in the organisation, but also to meet the regulatory compliance requirements organisations increasingly face.
1. Security / reduction of operational risks
- Remove orphan accounts (accounts with no identifiable owner)
- Check that the accounts of people who have left the company have actually been closed
- Check that each person holds only the minimum rights needed to access IS resources (least privilege)
- Review the rights held by generic (shared) accounts and check that each is assigned to a named, accountable individual
2. Compliance / regulatory audits
- Satisfy the requirements imposed by internal control, regulators and auditors
- Facilitate authorisation reviews and the performance of audits and controls
- Check compliance with the segregation of duties (SoD) principle
- Ensure that no individual holds a toxic combination of rights, i.e. rights that together allow a control to be bypassed
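The checks listed above, and the pre-campaign simulation, reviewer routing and progress reporting described in the platform feature list earlier on this page, can be expressed as a small script. The following is an added example written for this article; it is not code from Meibo People Pack or any other product. The HR records, accounts, rights and toxic pairs are constructed sample data, and the field names, the "iam-admin" fallback queue and the decision values are assumptions for the illustration.

```python
"""Pre-campaign simulation of an access rights review (added example).

Flags what a campaign will have to deal with before reviewers are asked to
certify anything: orphan accounts, enabled accounts of leavers, generic
accounts with no named owner, and SoD conflicts evaluated per *person*
across every account they own. All data is constructed for the example.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Person:
    person_id: str
    manager: Optional[str]   # person_id of the line manager, None at the top of the tree
    status: str              # "active" or "left" (assumed HR status values)


@dataclass(frozen=True)
class Account:
    account_id: str
    owner: Optional[str]     # person accountable for the account, None if nobody is
    kind: str                # "personal" or "generic" (shared / service account)
    enabled: bool
    rights: FrozenSet[str]


# Constructed sample data, not real records.
PEOPLE = [
    Person("alice", "dave", "active"),
    Person("bob", "dave", "left"),
    Person("carol", "dave", "active"),
    Person("dave", None, "active"),
]
ACCOUNTS = [
    Account("alice", "alice", "personal", True, frozenset({"create_vendor"})),
    Account("alice-adm", "alice", "personal", True, frozenset({"approve_payment"})),
    Account("bob", "bob", "personal", True, frozenset({"read_reports"})),
    Account("carol", "carol", "personal", True, frozenset({"read_reports"})),
    Account("zed", "zed", "personal", True, frozenset({"read_reports"})),
    Account("svc-backup", None, "generic", True, frozenset({"backup_operator"})),
    Account("svc-etl", "dave", "generic", True, frozenset({"db_admin"})),
]
# Toxic combinations: no single person may hold both rights of a pair.
TOXIC_PAIRS = [
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"create_user", "approve_user"}),
]


def _known(people: Iterable[Person]) -> Set[str]:
    return {p.person_id for p in people}


def orphan_accounts(accounts: Iterable[Account], people: Iterable[Person]) -> List[str]:
    """Personal accounts whose owner is missing or absent from the HR directory."""
    known = _known(people)
    return sorted(a.account_id for a in accounts
                  if a.kind == "personal" and a.owner not in known)


def leaver_accounts_still_enabled(accounts: Iterable[Account], people: Iterable[Person]) -> List[str]:
    """Accounts still enabled although HR says the owner has left."""
    left = {p.person_id for p in people if p.status == "left"}
    return sorted(a.account_id for a in accounts if a.enabled and a.owner in left)


def unowned_generic_accounts(accounts: Iterable[Account], people: Iterable[Person]) -> List[str]:
    """Generic accounts not matched to a named, accountable person."""
    known = _known(people)
    return sorted(a.account_id for a in accounts
                  if a.kind == "generic" and a.owner not in known)


def rights_per_person(accounts: Iterable[Account]) -> Dict[str, Set[str]]:
    """Aggregate enabled rights per person across all accounts they own, generic
    ones included: SoD must be judged on the person, not on each account alone."""
    held: Dict[str, Set[str]] = defaultdict(set)
    for a in accounts:
        if a.enabled and a.owner is not None:
            held[a.owner].update(a.rights)
    return held


def sod_violations(accounts: Iterable[Account], toxic_pairs: Iterable[FrozenSet[str]]) -> List[Tuple[str, Tuple[str, ...]]]:
    """(person, toxic pair) for every toxic combination a person holds."""
    found = []
    for person, rights in rights_per_person(accounts).items():
        for pair in toxic_pairs:
            if pair <= rights:
                found.append((person, tuple(sorted(pair))))
    return sorted(found)


def route_review_items(accounts: Iterable[Account], people: Iterable[Person]) -> List[Tuple[str, str, str]]:
    """One review item per (account, right), routed to the owner's line manager;
    anything without a resolvable manager goes to the IAM administrators' queue."""
    managers = {p.person_id: p.manager for p in people}
    items = []
    for a in accounts:
        reviewer = managers.get(a.owner) or "iam-admin"   # assumed fallback queue
        for right in sorted(a.rights):
            items.append((a.account_id, right, reviewer))
    return sorted(items)


def campaign_progress(decisions: Dict[str, Optional[str]]) -> Dict[str, float]:
    """Progress figures; decisions maps item -> "approved" | "revoked" | None (pending)."""
    total = len(decisions)
    reviewed = sum(1 for d in decisions.values() if d is not None)
    revoked = sum(1 for d in decisions.values() if d == "revoked")
    pct = round(100.0 * reviewed / total, 1) if total else 0.0
    return {"total": total, "reviewed": reviewed, "pct_reviewed": pct, "revoked": revoked}


def simulate(accounts=ACCOUNTS, people=PEOPLE, toxic_pairs=TOXIC_PAIRS) -> Dict[str, list]:
    """Run every check and return the anomalies the campaign must plan for."""
    return {
        "orphan_accounts": orphan_accounts(accounts, people),
        "leaver_accounts_still_enabled": leaver_accounts_still_enabled(accounts, people),
        "unowned_generic_accounts": unowned_generic_accounts(accounts, people),
        "sod_violations": sod_violations(accounts, toxic_pairs),
    }


if __name__ == "__main__":
    for name, hits in simulate().items():
        print(f"{name}: {hits}")
```

The point of `rights_per_person` is that the SoD conflict in the sample is invisible account by account: "alice" can create vendors and "alice-adm" can approve payments, and only the per-person aggregate shows the toxic pair. Items without a resolvable manager (unknown owners, generic accounts, the top of the management tree) are routed to an administrators' queue rather than silently dropped, so the campaign's percentage-reviewed figure covers them too.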