
Processes

What are the key processes comprising the solution?
To describe the functionality of the solution, it may be simpler to look at the core processes which enable the management of access. Taken in sequence, these processes illustrate the lifecycle of managing an access.


Defining the access catalogue

The definition of the access catalogue is the first step in the configuration of the access governance assured platform. The access catalogue can be populated with four object types: containers, resources, access and roles.



This catalogue will be used throughout the solution to allow personnel to browse for access. Permissions can be applied to any level of the access catalogue to ensure that only specified personnel can view particular areas of the structure. 

Requesting and approving access

The request for access is made by any personnel with access to the system. The process below illustrates how the access is requested.



Each access will have an approval routing assigned to it. These approval routings include:

  • No approval required
  • Line Manager approval
  • Access Owner approval
  • Line Manager, then access owner approval 
  • Multiple access owner approvals sequentially 
  • Multiple access owner approvals in parallel 
For each of these approval routes the following process illustrates how the person approving will action their approval.



Once all the required approvals have been received, the request will be provisioned via the relevant method assigned to the access. Typically this will be either via the service desk, or automated provisioning via an Identity Manager implementation.
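The six approval routings above can be modelled as ordered stages, each of which must be fully approved before the next opens. The sketch below is an added example, not code from the solution itself; the routing keys, the `Request` class, its state names and the rule that a single rejection closes the request are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

def build_stages(routing, line_manager, owners):
    """Map a routing to ordered stages; every approver in a stage must approve
    before the next stage opens."""
    stages = {
        "none": [],
        "line_manager": [{line_manager}],
        "access_owner": [set(owners[:1])],
        "line_manager_then_owner": [{line_manager}, set(owners[:1])],
        "owners_sequential": [{o} for o in owners],
        "owners_parallel": [set(owners)],
    }
    if routing not in stages:
        raise ValueError(f"unknown routing: {routing}")
    return stages[routing]

@dataclass
class Request:
    requester: str
    access: str
    stages: list
    approved: set = field(default_factory=set)
    state: str = "pending"

    def __post_init__(self):
        if not self.pending_approvers():
            self.state = "ready_to_provision"  # "No approval required"

    def pending_approvers(self):
        """Approvers of the first incomplete stage (empty when none remain)."""
        if self.state != "pending":
            return set()
        for stage in self.stages:
            if not stage <= self.approved:
                return stage - self.approved
        return set()

    def decide(self, approver, approve):
        # Only someone the routing is currently waiting on may act.
        if approver not in self.pending_approvers():
            raise PermissionError(f"{approver} is not a pending approver")
        if not approve:
            self.state = "rejected"  # assumption: one rejection closes the request
            return self.state
        self.approved.add(approver)
        if not self.pending_approvers():
            self.state = "ready_to_provision"
        return self.state
```

In the sequential routing an owner who acts out of turn is refused, while in the parallel routing the owners may approve in any order; in both cases the request only becomes ready to provision once every required approval is recorded.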

Triggered attestation of access

To ensure that access assignments are kept current, rules can be defined to trigger an attestation of the assignment if any personnel information within the solution is changed. The information change will be provisioned into the solution from authoritative personnel records through an Identity Manager implementation.
 

 

A triggered attestation will be routed to the relevant line manager for review. The access assigned will be shown, grouped by resource. Each access must be approved or revoked.

Scheduled attestation of access

If nothing changes about a person, the access assignment should still be routinely attested to ensure that the assignment is still valid. When defining an attestation campaign, the attestation can be configured to route the approval to either a line manager, an access owner or both.


The access owner will only submit his acceptance of the access assignment, whilst the line manager will have the ability to approve or revoke access.