Automate Permission Management via IGA Tools ( SailPoint, Saviynt )
Let's dive into entitlement management in a business context and how automation benefits everyone.
What is Entitlement Management ?
Think of entitlement management as a system for controlling access to a company's resources. These resources can be anything from software applications and databases to hardware like laptops and servers. Entitlement management dictates who gets access to what, for how long, and under what conditions.
Why is it Important?
There are several reasons why entitlement management is crucial for businesses:
- Security: Ensures only authorized users have access to sensitive data and systems, reducing the risk of breaches and misuse.
- Compliance: Helps meet industry regulations and standards that mandate secure access controls.
- Efficiency: Streamlines the process of granting and revoking access, saving IT admins time and effort.
- Cost Control: Prevents unauthorized use of paid software or services.
Automation to the Rescue
Traditionally, entitlement management was a manual process, which can be slow, error-prone, and difficult to scale. This is where automation comes in.
Entitlement management software automates tasks like:
- Provisioning access: Assigning users the necessary rights and permissions when they are hired or their role changes.
- Enforcing access policies: Making sure users only access the resources they are authorized to use.
- Reviewing access: Regularly auditing entitlements to ensure they are still valid and appropriate.
Benefits for Everyone
Automating entitlement management benefits everyone in the organization:
- IT admins: Saves them time and effort, allowing them to focus on more strategic tasks.
- Employees: Get faster access to the resources they need to do their jobs.
- Managers: Have greater control over who has access to sensitive information.
- The Company: Improves security, compliance, and overall efficiency.
In short, entitlement management ensures the right people have the right access at the right time. Automating this process makes it faster, more secure, and easier for everyone involved.
Practical Use case Implementation :
The above flow diagram will provide you an overview of how you can automate Entitlement Management within your application landscape.
Business Requirement :
Whenever we bring a new application within the IT Infrastructure, business use-cases will require multiple users to have appropriate permission to manage their own workflows based on their day to day job.
Challenges - The Traditional Way :
Without a centralized user repository like AD/LDAP, we typically create users within the application and utilize out-of-the-box native roles to assign permissions. However, managing users locally presents operational and audit challenges. To address this, we often integrate with a user repository like AD/LDAP systems. This allows us to map native roles to AD roles, and user access can be governed by a process known as User Access Management (UAM). In UAM, a fulfillment team picks up tickets from ITSM tools like Jira or Remedy and manually assigns members to AD groups. The main challenge lies in auditing, as there is no efficient way to track who assigned users to AD groups.
Challenges:
- Operational Challenges:
- Inefficient user creation and management.
- Difficulty in maintaining user data consistency.
- Audit Challenges:
- Limited visibility into user provisioning activities.
- Difficulty in tracking who assigned which roles.
Enhanced Way :
- Integrate with an AD/LDAP for centralized user management and improved auditing.
- Implement an Identity and Access Management (IAM) solution for streamlined user provisioning and role-based access control.
Here's where IGA Tools like SailPoint fill the gaps. User assignments to AD groups are done through a User Access process that entails approval from stakeholders. SailPoint also offers recertification features to regularly review user access.
In this scenario, SailPoint demonstrates another use case. SailPoint can even automate the creation of AD/LDAP groups and assign members. Once a new application is onboarded to an Asset Management tool, it receives a new Asset ID along with assigned Owners and Approvers. This information is then synchronized with SailPoint. When a user requests access to associated entitlements, the approval workflow is routed to the Owners and Approvers defined in the Asset Management tool.
Here’s a breakdown of the functionality:
- Native Roles vs AD/LDAP Groups: The app has its own set of roles, but these can also be mapped to groups within an external Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) system. This allows for centralized management of user permissions.
- RBAC (Role-Based Access Control): The app uses RBAC to control user access to features and functionalities. Users are assigned to native roles within the app, and these roles are then mapped to AD/LDAP groups.
- User Provisioning: There are a few different ways that users can be provisioned (given access) to the recruitment app:
- App Admin Manual Assignment: An administrator can manually assign users to native roles within the application. However, the diagram notes that this is not ideal due to compliance concerns.
- IGA Tool (Identity Governance Administration): This path involves an Identity Governance Administration tool. Here, users would request access to the app through the IGA tool, which would then provision them with the appropriate role based on a pre-defined workflow.
- Direct Connector: This refers to a direct connection between the recruitment app and the user store (AD/LDAP). User provisioning would then be synced automatically.
- User Access: Once a user is provisioned, they can access the recruitment app through the User Dashboard. Here, they will see features and functionalities relevant to their assigned role(s).
SailPoint can connect with Application in the one of the followings ways :
- Direct Connector - SailPoint comes with OOTB connectors which can be directly integrated with applications and all the roles are pulled into SailPoint Entitlement Dashboard. In this, roles are directly assigned by SailPoint. This is the standard and enhanced way to manage entitlements, however we don't SailPoint connector for all the applications.
- Via AD/LDAP - In this, Sailpoint manages the AD/LDAP group lifecyle ( creation, manage, assignment, and deletion )
Please subscribe for more practical use-cases.