Business owners and managers must have an efficient process for managing all user access requests, to available organizational resources. If not, sensitive information is at risk.
In a hybrid environment, this will include all internal and 3rd-Party applications and services.
Historically, organizations used paper trails, like spreadsheets, to manage employee access, which was a time consuming nightmare.
Traditional Access Management also left many opportunities for human error, and possibly suspicious activities.
In reality, some organizations are still using spreadsheets to manage user access to critical assets.
Identity and Access Management systems, also known as IAM systems, are a modern, reliable, and nearly foolproof solution to control access to every user within an organization.
IAM solutions manage access to software applications, third-party resources, or services that the organization uses.
IAM systems provide administrators the tools to quickly view, certify, grant, and revoke user access, and enforce organizational policies on an ongoing basis.
Additionally, IAM systems control the circumstances in which users are granted or denied privileges to those resources, helping to ensure sensitive organizational information is secure.
Service vs. Application Requests
Application Management and Service Access Management both use a similar if not nearly identical process.
Traditionally these services have been siloed into their own systems. We recognized these two functionalities should be combined into one, and incorporated both functionalities inside of IDHub.
Self-Service Access Requests: What do other systems do?
Traditionally, Identity Management systems assign every employee with an IAM user identity, which houses all basic personal and business related information, within the user’s account profile.
Every IAM has an access request feature, allowing users to request privileged access from their account, for applications and other organizational resources. Privileged user access is then granted, after the appropriate approval process takes place.
Administrative access is a critical part of managing user access. Admin access rights provide administrators with the permissions to create access policies, which allow them to completely control privileged access management and privileged identity management, for all users.
IDHub Self-Service Portal
IDHub houses all active resources in the form of, Applications, Entitlements, Roles, and Service Requests, on a centrally located Search Catalog page, providing all users the ability to request access to them for themselves, or on behalf of another user, with their privileged credentials.
Users can easily access the Search Catalog page, with the click of a button from the dashboard, and view all available requestable resources, active users, and their access.
User Entitlements and Roles
Every requestable application has corresponding permissions within it. We call those application-specific permissions, entitlements.
Common entitlements within an application are User, Admin, or Super Admin along with any number of others.
Every entitlement has its own set of available permissions within the application, determining what a user can and cannot do with their access.
Multiple applications and corresponding entitlements, can be grouped together, creating a Role.
Roles are often used to define a set of access based on specific business units.
Using roles allows administrators to save time and avoid repetitive tasks by assigning a collection of permissions all at once rather than one at a time.
Some common organizational Roles are Marketing Manager, Marketing Employee, Sales Manager, IT Employee, HR Director, etc.
Roles are made available for users to request approval, and once approved, all the applications and entitlements attached to that Role, are automatically approved as well.
Applications and Entitlements attached to a Role, (for connected applications) will provide privileged access, and will be automatically provisioned into the user’s privileged account.
User Entitlement Requests
Requesting entitlements is super easy with IDHub.
Every application has the corresponding entitlements visible and ready to request, directly within the application.
Entitlement management assists admins with fully controlling permissions within applications.
Entitlements can be configured to follow approval workflows, different from the workflows assigned to the application itself.
Entitlement workflows can provide more privileged access security, helping to eliminate malicious activity.
User Role Requests
Roles are requested from the same centrally located Search Catalog page, as applications and entitlements.
When viewing a role, users can see all the resources attached to that specific role.
Each individual resource within the role is granted to the user who requested access, automatically, upon approval.
Access Approval Request
Every application, entitlement, and role, follows a specific approval request process, known as the Approval Workflow.
Approval workflows can be super simple, like automatic access from a default approver once requested, or can be complicated for high-risk resources, requiring multiple approvals and access reviews, before access is granted.
Traditional approval processes rely on rigid protocols, making them extremely complicated to work with.
IDHub solves this problem by empowering administrators with the capabilities to design their own custom workflows.
Custom workflows in IDHub require no code, and can be easily created with our drag-and-drop functionality.
Custom workflows are tailored to an organization’s needs, fully managing any level of access control to all users.
Custom workflows provide a layer of protection that helps ensure organizational compliance mandates, regulatory requirements, privacy regulations, and prevent access by users with malicious intent.
Immediately after a user requests for access, an appropriate email notification is sent to their assigned email address. Administrators are able to create custom emails, which can be attached to workflows.
Approval and denial via email message, ensures the user is fully aware of the request status, and gives administrators and approvers extra time to focus on new, incoming requests.
After a request has been submitted, IDHub will automatically generate a task, and send it to the appropriate approver or group of approvers.
If a group approver is the configured approver, individual members of the group will have access to view and claim the task, before approving it.
Members of the group are able to pick and choose the tasks they want to work on based on the groups that they are in.
Once the task is claimed by a member of the group, the task will not be accessible to the other group members, and will only appear on the tasks list for the member who claimed it.
The group member does have the opportunity to withdraw the task, which would then send it back to the shared task list, and make it available for another group member to claim it.
Each task has a predetermined time access for approvals.
Once the allowed time frame has passed, tasks will expire, and the requester would then need to re-request access to the resource.
This is an amazing, built-in IDHub feature, which helps control security risks, prevent malicious activity, and gives approvers the flexibility to work on tasks as they need.
IDHub gives administrators full control over the approval policies and processes configured within all applications, entitlements, and roles, as well as full user profile management, and user access.
Approval Workflow Examples
Below are a couple examples of what a simple approval workflow looks like for low-risk application accounts, as well as an approval workflow for high-risk applications, which require more granular access control.
Simple, Automatic Approval Workflow
In this example, Jack wants access to the connected application, Office 365.
His request for Office 365, is automatically granted access, and Office 365 is automatically provisioned into his account.
The approval workflow for Office 365 is “Automatic Approval”. Meaning, when a user requests Office 365, the user will automatically receive access, and Office 365 will automatically provision into the user account.
Jack will receive an email notification immediately after he requests access, informing him he has been approved for his request for Office 365.
Complicated, Group Approval Workflow
Sara requests for Office 365 application, as well as Office 365 Admin entitlement.
Just like Jack, Sara receives immediate access to the Office 365 application, because it’s connected and the approval workflow is “Automatic Approval”.
But, the Office 365 Admin entitlement follows a different workflow.
The Office 365 Admin entitlement is considered high-risk, and the approval workflow is “Group Approval”, requiring 3 groups to approve.
This means, when Sara requests for the Admin entitlement, Group 1, Group 2, and Group 3, in that order, will need to approve her request for access.
If one group denies her request, approval for the Office 365 Admin entitlement will not be granted.
All groups must approve her request, once all 3 groups have approved her request, Office 365 Admin will be automatically provisioned into her account.
Access Request Status
Requesting for resource access is super simple for the end-user, and fully transparent, making it easy for the user to understand what stage their request is in, and what the current approval status is.
IDHub provides users the ability to view a complete audit trail, for every request submitted.
Request Management Doesn’t Require A Dedicated IAM Staff Anymore
With the modern functionality, Sath has built natively into IDHub, your capabilities to manage application requests have never been easier to complete, train and delegate to non-technical team members.