In my opinion, IAM has to work very closely with the business users and the applications they use in the organization.
It needs business users to define the roles and what functions the role can access in an application.
Then it needs to integrate with the applications to impose these roles and functions on the applications.
Whenever new functions are created in the application, administrators need to create them correspondingly in the IAM and discuss with the business users which roles should have them.
It is like having double work from 2 departments.
But it reduces recurring effort from the application to provision user accounts and to review roles assignment.
IAM can also give an overview of who has what access in which applications.
If the IAM receives input from the HR System, it would give the reviewer visibility of staff movement.
Most important, it should have the ability to grant/revoke access from a central control point.
Overall, the IAM should be owned by the Governance/Quality Assurance Team and supported by various operational heads.
Thanks all for your input; some very useful thoughts and comments here, which I will use to help shape my thinking and research.
Do let me know if I can be of help at any point in the future.
Although you can make a bad situation worse with IAM technology.
Or to extend that statement: you can make any situation worse with technology.
I had originally put “bad, or badly implemented” but even well implemented good technology can make things much, much worse (see others’ comments about business involvement & requirements being paramount.)
Just my 2 penn'orth...
1. The business rarely views IAM as anything other than an IT concern. They don’t understand that IT Security (in my org’s case) facilitate access - but the business owners should be offering guidance on who gets what and why.
2. JML processes are inherently problematic. EVERYONE shouts when a new arrival doesn’t have access. Nobody cares about removing it when the employee moves or leaves. Except Security of course. HR are seldom as involved as perhaps they should be.
3. Few businesses correctly balance security with availability and functionality.
4. Few orgs get business owners to accept responsibility for systems and data that reside in their areas. Frustratingly, they are often the experts who understand what specific access does. Therefore, IT end up managing access that they rarely fully understand in enough detail.
5. RBAC is hard. Roles evolve, people move/take on additional responsibility/deputise etc. So the exceptions become the norm and the roles are reduced to being a starting position.