Re: Access Reviews Question

Billygoat · ‎10-31-2019

Hi All,

I got certified last year, but I'm new to the community here. I've got a question regarding access reviews that I'm hoping someone can help me with. Apologies in advance for the length of the post, but it's important for you to understand the background here. I've recently started working at a new company that is trying to automate its access management as much as possible. In the last company I worked for, access management was very manual so I've never had the experience of seeing the end to end access management process work in an ideal state.

What I'm wondering specifically pertains to access reviews. Historically, my new company has had a process where an individual's manager would request the person's access on their behalf, of course detailing the business need, and the application owner would need to review and provide approval. Then, for access reviews, both the individual's manager and the application owner would be required to certify that the access is still appropriate.

We're going to be putting in a lot of work to fully define roles within the company and what permissions they have. Once we get to the point where we have everyone's roles defined including what applications and permissions within those applications each role should have access to, and we're using a human capital management system connected with AD to ensure that any hires, role changes and terminations flow through to the applications, what is the best way to simplify access reviews? Can you simply have the application owners re-certify that the applications and permissions granted to the defined roles remain appropriate (rather than the individuals) on a periodic basis and not have them look at the individuals since the provisioning/deprovisioning would be an automated control based on changes in the HCM system?

Any guidance or even a good article as to how efficient access reviews are implemented in a proper RBAC access management schema without a stand-alone solution like Sailpoint would be much appreciated.

Steve-Wilme · ‎10-31-2019

There are applications that look for clusters of privileges as a means of highlighting likely roles and also allow the identification of outliers who appear to have excessive privileges for someone notionally in the same job role. It would be worth examine those identity management solutions even if you decide to develop your own.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS

Billygoat · ‎10-31-2019

Thanks for your reply, Steve. I'm not really looking to buy another tool to help with the access reviews. I'm more looking for some best practice guidance for doing the access reviews when a proper RBAC system has been formally established to govern access management.

It seems to me that the application owners shouldn't need to look at the individual employees' permissions at that point, and instead just validate that the established role configurations remain appropriate. Then, someone in HR can do a universal check of all employees in the HCM system to ensure they have the right roles assigned since those roles would authoritatively flow down to AD and the other applications from there.

That being said, I've never worked for a company that had their roles and role based access properly defined so I'm not sure what basic access reviews typically look like in that scenario, but I feel like they should at least be simpler than what we've historically done.

Troy_Fine · ‎10-31-2019

I think your RBAC system is good and this definitely simplifies it. However, if HR is initially assigning roles, then someone independent of HR should be reviwing access to said roles. In this case, I think the role owners should be reviewing that access to roles is appropriate. If application owners are the same as role owners in your case, then this is probably not the answer you wanted.

I do agree that the application owners should only have to review permissions assigned to roles and not individual user access to roles, unless role owner and application owner are the same at your company.

mgorman · ‎11-02-2019

While the system you describe sounds very well engineered, I have yet to see a system involving humans follow engineering rules. If I understand your posts, you will have a tightly defined set of roles, tied to job title/department, I assume. From these business roles, permissions roles will follow, tightly coupled. Therefore, HR can manage the assignment, and the application owners can manage the roles' permissions definitions. That seems wonderful, but a recipe for disaster to me. Being that, someone's manager/director/vp is going to want them to do x, y and z. This is going to require a shift in their permissions, now you have a special case. Within a year, you have dozens, and the whole thing falls apart under it's own weight. That has been my experience. As a general rule, I think what you are setting up (provided I understood it correctly) is a great default, and making sure that whatever process allows exceptions puts the burden on the management to define and explain the need, it should work in general. But make sure it can support exceptions, unless you are in a very, very controlled environment. On a secondary note, I think management should always be at least partly responsible for the access review. It is their responsibility to support the business, and to protect it. They can't do that if they aren't in the loop.

Billygoat · ‎11-04-2019

Hi mgorman,

Thank you very much for your detailed response. This is all theoretical for me at this point so this is exactly the kind of insight I was looking for from someone who has seen RBAC implemented in the past. So in your experience, even with roles defined, documented and related to job titles, it makes the most sense for both the individuals' managers as well as the application owners to review the access quarterly?

Also, has anyone used the Azure AD Access Reviews feature? I haven't had a chance to play with it yet, but looking at the documentation, it appears to allow you to design automated access reviews that will be kicked-off at the cadence of your choice. If anyone has experience using this, I'd love to hear whether that's been positive or not.

Thanks!

mgorman · ‎11-04-2019

Yes, I think supervisors should always review access, for a couple reasons. Primarily, they know what the real job of the person is, regardless of what HR might think. Secondarily, they are responsible for the actions of their reports. If they don't know what resources they have access to, how can they perform oversight properly?