Access Governance In 5 Easy Steps See How To Master Access Governance In 5 Easy Steps

Have you ever had to respond to this question: “who has access to this file”? It seems easy, doesn’t it? Surely, reporting on who has access to a given file or application and who had it in the past couldn’t be that difficult?

Well, here is the truth: it is!

Key points
  • What is access governance and what does it apply to?
  • How could you use IAG processes in practice?
  • Where can you find more information?

This post has originally been published on Oct 24, 2019. It has since been updated for better readability.

If you haven’t come across this matter yourself, you’ll have to trust my 20+ years of experience. Or, you can always go and try asking your friendly IT admin the following question:

“If we needed to get information on who has access to those files and who had it in the past, how would you do it?”

After reading this, I encourage you to try it out at your organization.

Be prepared for a long talk on where all systems fall short and how dispersed the information is. This is a real problem!

Well, for every issue there is solution: in this case, it’s called Identity and Access Governance (IAG).

Sounds complicated? It doesn’t have to be. Let’s get started!

Identity and access governance: why all the fuss?


You’ve just entered the realm of identity and access governance (IAG for short).

Besides being a fancy acronym to stick on your resume, it is also a professional domain that provides solutions for the real identity challenges that you might be facing today.

What kinds of issues does it solve? Let’s face them.

Look at a group in your Active Directory or Office 365 and ask yourself:

  • Why are all these people there and who put them there?
  • Are these folks in the right groups?
  • What resources has this group been granted access to? Are we sure about this access?

Studies show that about 90% of cyber-security breaches are caused by a human error (source: Willis Towers Watson research). In most cases, IT team members are not involved, we are talking about non-tech employees.

Considering that roughly 70% of employees don’t even have a basic understanding of cyber-security best practices, you don’t want to take the risk of over-provisioning access, right?

NoteIt’s easy to create a group. But, the moment you create one, you lose control of how other people will use it. You may have created a group to manage access to a particular workspace but someone else might use it for different purposes.

Actually, you will never be able to tell where it is used. You only control its intended use and intended members. This is where access governance can help you.

Here’s the thing: you are not the first nor the last person with this problem. This is a common issue at many organizations.

Without burdening you with the gory details, let’s take a look at how IAG process and tools solve the problem by providing clear visibility into access granted for users, and how they help to establish a way of keeping it in check for the future.

NoteI will be using Omada Identity Suite as a tool of choice, however, the same principles apply to other products in this space. You can read about these processes in a tool-agnostic format in the IdentityPROCESS+ guide provided as free download on Omada’s website, or in one of my previous articles.

Ready for a practical explanation of the IAG process? Let’s begin! Identity and access governance showcased in 5 easy steps!

Step #1: Onboarding: Make it right from the start

It all starts with the onboarding. HR sets up a new employee account, and then what? Typically, there is a bunch of requests for this person to be granted access to all the systems. Access requests are based on organizational knowledge: people know what to request or ask for the same access their colleagues have.

Requests are placed in the ticketing system. Tickets are fulfilled by IT / Support departments. This takes time!

Now, how is this different with an IAG process in place:

  1. Hiring a person triggers an onboarding process
  2. The onboarding process is routed to a person closest to the new hire from a business perspective, e.g. their manager
  3. Basic access rights are granted automatically
  4. Additional access rights are requested for the user by the manager during the onboarding process.

In this short video, I illustrate what the onboarding process looks like in the Omada IAG tool.

How to use Omada to onboard a user

Quick win Correct access from day one. With all the appropriate assignment policies predefined, the new identity automatically gets access to basic rights with minimal effort from IT, HR, and the hiring manager. Additional access rights are requested on the spot by the line manager during onboarding.

Step #2: Access. It is all about access!

Over time, as users progress through their employment, they might need additional access to systems. Their job will change, and they will take on new tasks.
We need to ensure the following:

  1. Users can request additional access to business applications
  2. Managers and systems owners can approve or deny access
  3. Access is being provisioned automatically for the user, or it’s routed to be provisioned
  4. The user has clear visibility into the process and its current stage.

Below is a typical process of access requests and approvals within the organization, implemented as part of access governance.

Access request and approval process

Quick win The user has a clear path for requesting additional access. New access rights are approved with a clear process. Once approved, there are no unnecessary delays in the provisioning of new access rights. All decisions are audited and documented.

Granting access is easy. But what if you need to block access for a specific user quickly? You can use emergency lockout to revoke access temporarily, then wait for the situation to resolve itself for a full de-provisioning process to kick-in.

Enabling emergency lockout in Omada

Step #3: Compliance is king: using the magical powers of your Compliance Dashboard

With processes in place to manage access to systems, you gain one, very important superpower: transparency! It’s now visible what permissions are granted to which systems, which were requested/approved, and which of those are just there with no clear indication of why.

This is our state of compliance. With all access rights gathered in one place, regardless of their state, we can take a look at where we are. It might take a form of a Compliance Dashboard.

This is a one-stop shop to get an overview of your organization’s access landscape. Green is what we want; all the other colors are what we’re starting out with.

Compliance Dashboard in OIS for executing access governance

Compliance Dashboard in Omada Identity Suite

Quick win A single place to visually assess the current state of access rights within an organization. Visual controls indicate whether we are in the right place (green is our target state) or if we still have a way to go.

But, there is a lot of color other than green on this dashboard. Let’s look at how to fix it.

Enjoying your read? Get plenty more insights and practical advice every two weeks from our expert newsletter! Sign up

Step #4: Attestation made easy! How to find out what you have?

Let’s face it. The majority of us will start in the state of unknown (all but green on our dashboard). We know that these permissions are there. We know people have granted access rights. However, we don’t know why and whether they should keep them.

Once you have a window into your current status, you can use it as a starting point to make it right. In terms of access governance, it is called the attestation process. Simply put:

  1. Start with the current state. Define what you want to review
  2. Set up a survey for business owners (managers) or system owners. Ask them whether the access permissions are in place as they should be
  3. Gather responses and process them in the system
  4. Provision or de-provision permissions based on the responses.

Instead of trying to figure out from one central point if the permissions are correct, you can delegate this task to multiple people with a better business perspective. The sum of these tasks is your compliance state.

Here is a short video on how this process looks, implemented in the Omada IAG tool.

Setting up a survey on permissions

KEY TAKEAWAYS: With tools and processes in place, you can quickly assess the current state of permissions and gain control of the system. You can also repeat this process regularly or assess specific permissions if they don’t seem to be correct.

Step #5: All you need is in the reports!

With all of the above, you can finally start answering the question of “who has access to this file?”. Access governance processes with the right tools ensure that all actions such as

  • Identity onboarding and offboarding
  • Application and data access granted and the approval process
  • Additional access requests
  • Emergency lockouts
  • Attestation process and decisions

are stored in an audit database and are ready for you to review. Typically, each of such solutions comes with a canned set of reports, ways to create more if needed, or a data export functionality to external systems.

Identities report in OIS

Identities report in Omada Identity Suite

Built-in reporting and auditing capabilities make it easy to address common audit and compliance requests.

Detailed identity report in OIS

Identity details report in Omada Identity Suite

You can answer questions about current access, point-in-time access rights and historical changes.

Access governance: identity resource history in OIS

Identity resource history in Omada Identity Suite

Even if an employee is no longer with your company and they’re gone from your HR system, you can still review that person’s permissions.

Access Governance: reporting audit in Omada tool

Reporting audit in Omada Identity Suite

Wrapping up

That was quite a journey! These 5 practical cases do not fully cover all of the access governance topics. There is so much more to talk about.

There are different actors and stakeholders in each of the processes. You will have tasks related to the management of your role and permission models. Then there are applications and system owners, and different variations of approval processes.

As I tried to demonstrate, access governance doesn’t have to be a complicated process with the right tool!

Instead of wondering who manages access to a given resource, you get a clear and easy way to discover a catalog of all access available to you.

IT or compliance executives won’t have to try to figure out what a given person does in their job in advance. The onboarding process makes it easy for a new employee’s direct manager to grant all the necessary permissions.

And finally, instead of time-consuming approaches to building reports around existing access, we have a clear attestation process with complete records stored in the audit database.

Further reading

If you want to read more on the subject, Omada’s IdentityPROCESS+ guide is a good start to understanding all these areas and what is required at your organization.

In fact, this might be a great start to your career as an IAG professional. Or maybe just a journey to make your organization safer, easier to manage, with fewer troubles to answer the simple question of: “who has access to this file?”.

  1. With access governance you can simply implement processes which mitigate the risk of over-provisioning access to your resources.
  2. You can use IAG to set up a standard procedure for the onboarding process, then assign and revoke permissions later as necessary. You also get a complete insight into the state of resource access at your organization which will help you take the appropriate action. Finally, you have reports on all access-related actions in your systems for full transparency and compliance.
  3. Check out the links and guides mentioned in this article for more information.

Sign up for Predica Newsletter

A weekly, ad-free newsletter that helps cutomer stay in the know. Take a look.


Want more updates like this? Join thousands of specialists who already follow our newsletter.