Business owners and managers must have an efficient process for managing all user access requests to available organizational resources. If not, sensitive information is at risk.
In a hybrid environment, this includes all internal and third-party applications and services.
Historically, organizations used paper trails, like spreadsheets, to manage employee access, which was a time-consuming nightmare.
Traditional Access Management also left many opportunities for human error, and possibly suspicious activities.
In reality, some organizations are still using spreadsheets to manage user access to critical assets.
Identity and Access Management systems, also known as IAM systems, are a modern, reliable, and nearly foolproof solution to control access for every user within an organization.
IAM solutions manage access to software applications, third-party resources, or services that the organization uses.
IAM systems provide administrators with the tools to quickly view, certify, grant, and revoke user access, and to enforce organizational policies on an ongoing basis.
Additionally, IAM systems control the circumstances in which users are granted or denied privileges to those resources, helping to ensure sensitive organizational information is secure.
Service vs. Application Requests
Application Management and Service Access Management both use a similar, if not nearly identical, process.
Traditionally these services have been siloed into their own systems. We recognized these two functionalities should be combined into one, and incorporated both functionalities inside of IDHub.
Self-Service Access Requests: What do other systems do?
Traditionally, Identity Management systems assign every employee an IAM user identity, which houses all basic personal and business-related information within the user's account profile.
Every IAM has an access request feature, allowing users to request privileged access from their account for applications and other organizational resources. Privileged user access is then granted after the appropriate approval process takes place.
Administrative access is a critical part of managing user access. Admin access rights provide administrators with the permissions to create access policies, which allow them to completely control privileged access management and privileged identity management for all users.
User Entitlements and Roles
Every requestable application has corresponding permissions within it. We call those application-specific permissions entitlements.
Common entitlements within an application are User, Admin, or Super Admin along with any number of others.
Every entitlement has its own set of available permissions within the application, determining what a user can and cannot do with their access.
Multiple applications and corresponding entitlements can be grouped together, creating a Role.
Roles are often used to define a set of access based on specific business units.
Using roles allows administrators to save time and avoid repetitive tasks by assigning a collection of permissions all at once rather than one at a time.
Some common organizational Roles are Marketing Manager, Marketing Employee, Sales Manager, IT Employee, HR Director, etc.
Roles are made available for users to request, and once a Role request is approved, all the applications and entitlements attached to that Role are automatically approved as well.
Applications and Entitlements attached to a Role (for connected applications) will provide privileged access and will be automatically provisioned into the user's privileged account.
User Entitlement Requests
Requesting entitlements is super easy with IDHub.
Every application has the corresponding entitlements visible and ready to request, directly within the application.
Entitlement management assists admins with fully controlling permissions within applications.
Entitlements can be configured to follow approval workflows, different from the workflows assigned to the application itself.
Entitlement workflows can provide more privileged access security, helping to eliminate malicious activity.
User Role Requests
Roles are requested from the same centrally located Search Catalog page as applications and entitlements.
When viewing a role, users can see all the resources attached to that specific role.
Each individual resource within the role is granted to the user who requested access, automatically, upon approval.
Approval Workflow Examples
Below are a couple of examples: a simple approval workflow for low-risk application accounts, and an approval workflow for high-risk applications, which require more granular access control.
Simple, Automatic Approval Workflow
In this example, Jack wants access to the connected application, Office 365.
His request for Office 365 is automatically granted, and Office 365 is automatically provisioned into his account.
The approval workflow for Office 365 is “Automatic Approval”, meaning that when a user requests Office 365, the user will automatically receive access, and Office 365 will automatically provision into the user account.
Jack will receive an email notification immediately after he requests access, informing him he has been approved for his request for Office 365.
Complicated, Group Approval Workflow
Sara requests the Office 365 application, as well as the Office 365 Admin entitlement.
Just like Jack, Sara receives immediate access to the Office 365 application, because it's connected and the approval workflow is "Automatic Approval".
But the Office 365 Admin entitlement follows a different workflow.
The Office 365 Admin entitlement is considered high-risk, and the approval workflow is “Group Approval”, requiring 3 groups to approve.
This means that when Sara requests the Admin entitlement, Group 1, Group 2, and Group 3, in that order, will need to approve her request for access.
If one group denies her request, approval for the Office 365 Admin entitlement will not be granted.
All groups must approve her request. Once all 3 groups have approved, Office 365 Admin will be automatically provisioned into her account.
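The two workflows above can be modelled as an ordered approver chain that fails closed. This is an added example, not IDHub code or configuration; the `WORKFLOWS` table, `Request` class and `evaluate` function are hypothetical names, and stopping at the first denial is an assumption drawn from the "in that order" rule.

```python
from dataclasses import dataclass, field

# Hypothetical workflow table (names are assumptions, not IDHub configuration).
# An empty chain models "Automatic Approval"; a non-empty chain models
# "Group Approval", where groups must approve in the listed order.
WORKFLOWS = {
    "Office 365": [],
    "Office 365 Admin": ["Group 1", "Group 2", "Group 3"],
}

@dataclass
class Request:
    user: str
    resource: str
    status: str = "PENDING"  # PENDING -> PROVISIONED or DENIED
    audit: list = field(default_factory=list)

def evaluate(request, decisions):
    """Walk the approver chain in order; decisions maps group -> True/False.

    A missing decision leaves the request PENDING: nothing is provisioned
    until every group in the chain has explicitly approved.
    """
    chain = WORKFLOWS.get(request.resource)
    if chain is None:  # unknown resource: deny rather than auto-approve
        request.status = "DENIED"
        request.audit.append("no workflow defined")
        return request
    for group in chain:
        verdict = decisions.get(group)
        if verdict is None:
            request.audit.append(f"waiting on {group}")
            return request
        request.audit.append(f"{group}: {'approved' if verdict else 'denied'}")
        if not verdict:  # assumption: one denial ends the request immediately
            request.status = "DENIED"
            return request
    request.status = "PROVISIONED"
    request.audit.append("provisioned")
    return request

# Constructed sample requests mirroring the Jack and Sara scenarios.
jack = evaluate(Request("jack", "Office 365"), {})
sara_ok = evaluate(Request("sara", "Office 365 Admin"),
                   {"Group 1": True, "Group 2": True, "Group 3": True})
sara_denied = evaluate(Request("sara", "Office 365 Admin"),
                       {"Group 1": True, "Group 2": False, "Group 3": True})
sara_waiting = evaluate(Request("sara", "Office 365 Admin"), {"Group 1": True})
```

Each request's `audit` list records every decision in order, which is the kind of per-request trail a reviewer needs when certifying a high-risk entitlement.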
Access Request Status
Requesting resource access is super simple for the end user and fully transparent, making it easy for the user to understand what stage their request is in and what the current approval status is.
IDHub provides users the ability to view a complete audit trail for every request submitted.
Request Management Doesn't Require A Dedicated IAM Staff Anymore
With the modern functionality Sath has built natively into IDHub, managing application requests has never been easier to complete, to train for, and to delegate to non-technical team members.