Gage Heeringa, IAM Consultant, SecureITsource, Inc.
The implementation of any system meant to address a complex issue may succumb to a common pitfall: focusing on fine-grained details of the implementation and overlooking the “big picture.” This applies to the design of a client’s implementation of an access governance solution such as SailPoint IdentityIQ, as well as every application which IdentityIQ will integrate with. While the applications which IdentityIQ integrate with are typically written by a third party, sometimes requiring the good to be taken with the bad, clients do have the means to design their IdentityIQ implementation with the big picture in mind, and that is one of the many undertakings consultants are here to help with! Understanding the different purposes the access management system fulfills and its fine-grained details, allowing for the synthesis of both, is a strategy to surpass shortcomings in IdentityIQ implementations.
The primary purpose of IdentityIQ is to ensure people have the right access to the right resources, in compliance with financial legislation, information security legislation, and organizational policies. Meeting these requirements serves as a starting point for the path to a mature system which serves the needs of the client, considers users who will be interacting with the system in design choices, and applies best practices. Verifiable metrics such as performance, scalability, and user feedback help the client understand whether these needs are being regarded. For example, a client’s system may be set up to comply with Sarbanes-Oxley, but considering this “check mark” in another context might reveal that users are hastily approving certifications in bulk to alleviate the burden of certifying thousands of entitlements every 3 months, rather than meaningfully designed roles.
Considering the “big picture” also accounts for how other applications are designed and interact with IdentityIQ. For example, I recently integrated a client’s IdentityIQ system with a web service application which required one of three different web service requests to remove a role assignment from a user account, depending on the user’s currently assigned roles. The application design could better consider the larger ecosystem in which the API would be used by requiring only one web service request for this simple operation. This was accounted for in IdentityIQ by introducing additional code to inspect the user’s account and format the corresponding web service request.
The big picture is composed of the fine-grained details, from the structuring of roles to the data structures used to automate a business process within IdentityIQ. The design details of a target application influence IdentityIQ’s design. For example, the aforementioned web service application prohibits assignment of roles from both organization-level and department-level accounts to a user. This technicality means that if a user is assigned a role for a departmental account, but now needs organization-wide permissions, they must have their department-level access removed first.
Applying this constraint to hierarchical accounts is unnecessary because a user with an organization-level role has all privileges associated with the departments under it. This was accounted for in IdentityIQ with a separation of duties policy which prevents users from requesting access to more than one level of the hierarchy. In place of this limitation, an application would ideally assign the higher level role to the user then revoke the lower level role “behind the scenes,” or at least permit assignment of implicit roles. Ideally the application synthesizes both the intended big picture with fine-grained details, but when this is not the case, it provides the opportunity to learn from the shortcomings then translate and account for them in the access management solution.
Documented best practices and experience help put a client in a good starting position to synthesize the big picture and fine-grained details of their implementation, as well as identify issues and transform their implementation’s framework if necessary, rather than continually tweak it with patches and exceptions. Though it can be difficult to think outside of a familiar system that is already in place, challenging the existing fine-grained details of the system and considering how they interact in a larger environment precede painting a prettier “big picture.” The same innovation led organizations from convoluted onboarding processes and binders of spreadsheets to the leveraging the advanced and quickly progressing state of access management.