Solutions: User Access Request
Problem
While some of the access that a user has can be defined as birthright access (access that is automatically granted based on some criteria), there may be other access that is not automatic. This access needs to be requested.
Organizations that have not implemented an IAM solution try to solve this problem by using either:
- Excel-based forms that end users complete and then submit to AD
- Service desk solutions like ServiceNow, Remedy or Freshservice
The problem with the first approach is that it’s cumbersome at best:
- The user has no visibility into a request
- Service desk staff must transfer the content manually
- No audit information
Using a service desk solution also has problems:
- The service desk solutions are not connected with target systems and have no easy way to maintain an entitlement catalog
- Audit information is now distributed across applications, which again increases the complexity of performing regular SOC-2 audits.
Solution Overview
OpenIAM’s Workforce Identity solution provides a comprehensive, easy-to-use access request solution.
The sections below describe how OpenIAM can simplify access requests for both users and administrators.
Rich entitlement catalog
Entitlements for each application can be imported into OpenIAM using the connectors or through a CSV file. Once loaded, these applications and their entitlements are available through the catalog in the self-service portal.
Multi-level workflows
OpenIAM supports N levels of approvals. Approval flows can be defined at either the application or entitlement level. If there is consistency in the approval flow, then it can be defined at the application level and then overridden at the entitlement level if a particular entitlement has a different approval flow.
Time-based access
OpenIAM supports the ability to request access for a specified length of time. Entitlements can also be configured with a “max duration period”, so that access cannot be requested for a duration longer than the duration parameter allows.
Reminders and escalations
All workflows in OpenIAM support the ability to send reminders and to escalate when requests have not been processed in a timely manner.
Delegation
In some cases, requests need to be reassigned to another reviewer. OpenIAM allows both individual and bulk delegation of requests. Similarly, out-of-office delegation can also be defined where requests are routed to another person. In the case of senior executives who do not want to receive such requests, a permanent delegate can be defined.
Audit and compliance
With all operations being processed by OpenIAM, there is a detailed audit log which can be provided to auditors that shows how, why and when access was granted.
Integration with ticket systems such as ServiceNow
Customers that use ServiceNow, Freshservice or another ticket system can also leverage the OpenIAM catalog. Requestors can create tickets in OpenIAM and, once the request has been approved, a notification is sent to the ticket system, where service desk staff can follow their normal processes to fulfill the request.
Let’s Connect
Managing identity can be complex. Let OpenIAM simplify how you manage all of your identities from a converged modern platform hosted on-premises or in the cloud.
For 15 years, OpenIAM has been helping mid to large enterprises globally improve security and end user satisfaction while lowering operational costs.