The goal of compliant access delivery is to reduce the need for end-users to request additional access, also known as “exceptions.” Access not granted by a person’s roles is considered an exception and must go through a controlled yet easy-to-use process before being granted. Exceptions represent an additional risk and create extra work to be processed and approved, as well as audited during compliance recertifications. EmpowerID’s best practice approach to exceptions management ensures that exceptions are always based on proper justification, traceable and auditable, manageable, and temporary whenever possible. To help organizations achieve the best possible outcome delivering compliant access, Compliant Access Delivery in EmpowerID includes the following components:
IT Shop
Eligibility
Approvals and Approval Routing
IT Shop
EmpowerID provides a central location called the "IT Shop" from which users can request access to the IT resources your organization makes available. Users navigate to the IT Shop, where they can see their current resources and request access to more. Depending on their job function, users may also request resources on behalf of other users. To shop for a role or other resource, they select the resource type and search for the specific item of that type. Once they have found the desired item, they request access, which opens a drawer. From the drawer, users can optionally place time constraints on the request and add it to their cart, or simply close the drawer to discontinue. Once a resource is added to a user’s cart, it stays there until the user either checks out (submits the cart) or removes it. Because the cart persists, users can navigate away from the IT Shop as needed without losing its contents. When ready to submit their requests, users review the items in their cart and submit them to the Identity and Access Management platform (EmpowerID). Any item they decide not to request can simply be removed from the cart.
Figure 1 below shows the main flow that occurs for users shopping for roles in the IT Shop, as well as the IT Shop user interface.
Eligibility Policies
EmpowerID offers a powerful policy engine to control which users may see and request which resources in the IT Shop. These policies are known as “Eligibility.” Eligibility policies may apply to users by attribute query, role, group, or other criteria, making it easy to target who receives which policies and have the assignment automated and maintained throughout their lifecycle.
Eligibility policies can be defined as either inclusion rules or exclusion rules. Inclusion rules define the items a user is authorized to see and request in the IT Shop and ensure these are only the ones that make sense for that user to request. For example, rules could filter the resources available to Field Sales employees and to developers: the catalog of requestable roles and resources available to each of those groups should be different, so that unwarranted access requests are not generated and unnecessary approval tasks are not created. Additionally, inclusion and exclusion rules give employees a more pleasant shopping experience as they are shielded from
Inclusion rules include the following:
Eligible – Users can request items in the IT Shop, and the request will go for approval unless the requesting person has the RBAC delegations needed to grant the access being requested.
Pre-Approved – Users assigned the policies are pre-approved for the items to which the policy is applicable. When the IT Shop user later requests access, it will not require an approval step before being fulfilled.
Suggested – The IT Shop shows the item as a “Suggested” additional item the user may request because of their existing roles or in the context of a role they are currently requesting. The item still follows standard approval routing rules.
Figure 2: Eligibility Policy applied to a person
Approvals and Approval Routing
EmpowerID includes a powerful approval routing engine and friendly end-user interfaces for task tracking and decisions. As discussed above, Eligibility policies are considered when calculating whether a request requires approval and, if so, how many approval steps are needed and to whom the tasks should be assigned at each step. The approval process is determined dynamically, taking into account the roles of the requestor, the sensitivity of the items being requested, and the organization’s risk and Segregation of Duties (SoD) policies. Based on these factors, approval for a requested item may not be required, or it could require multiple levels of approval plus an additional SoD approval by a risk owner.
Approvers are notified via configurable and localized email notifications with reminder emails configured based on flexible policies. All decisions at each step in the process are logged and traceable up to and including the final fulfillment of access.
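The eligibility rules from the previous section (inclusion and exclusion rules with the Eligible, Pre-Approved and Suggested modes) and the approval-routing factors described here (RBAC delegations, item sensitivity, and the extra SoD step for a risk owner) can be tied together in a small model. The Python below is an added illustration written for this page; it is not EmpowerID's code and does not mirror its API. The Person, Rule and Decision classes, the sensitivity levels, the approver step names, the precedence among modes when several rules match, the sample catalog, policies and people, and the fixed example date are all assumptions made for the example. It also goes a little beyond the text in two places: exclusions are evaluated after all inclusions so that an exclusion always wins regardless of rule order, and the optional time constraint placed on a cart item is carried through as an expiry date so the resulting exception is temporary and auditable.

```python
# Added example only: not EmpowerID code and none of its API. Person, Rule,
# Decision, route_request, the sensitivity levels, the approver step names
# and the sample people are all constructed for illustration.
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import IntEnum
from typing import Callable, Optional


class Mode(IntEnum):
    """Inclusion-rule kinds; the higher value wins when several rules match."""
    SUGGESTED = 1      # shown as a suggestion, normal approval routing
    ELIGIBLE = 2       # requestable, normal approval routing
    PRE_APPROVED = 3   # requestable, fulfilled with no approval step


@dataclass(frozen=True)
class Person:
    name: str
    department: str
    roles: frozenset
    held: frozenset = frozenset()         # access already granted
    delegations: frozenset = frozenset()  # items this person may grant directly (RBAC)


@dataclass(frozen=True)
class Rule:
    applies_to: Callable[[Person], bool]  # attribute or role query selecting targets
    items: frozenset
    mode: Optional[Mode] = None           # None marks an exclusion rule


@dataclass
class Decision:
    item: str
    outcome: str                          # "not eligible", "fulfilled" or "pending approval"
    steps: list = field(default_factory=list)
    expires_on: Optional[date] = None
    audit: list = field(default_factory=list)


# Constructed catalog: item -> (sensitivity 1..3, item it conflicts with under SoD)
CATALOG = {
    "CRM-Reader": (1, None),
    "CRM-Admin": (3, None),
    "Vendor-Create": (2, "Payment-Approve"),
    "Payment-Approve": (2, "Vendor-Create"),
    "Prod-Deploy": (3, None),
}

# Constructed policies: four inclusion rules and one exclusion rule
RULES = [
    Rule(lambda p: p.department == "Sales", frozenset({"CRM-Reader"}), Mode.PRE_APPROVED),
    Rule(lambda p: p.department == "Sales", frozenset({"CRM-Admin"}), Mode.SUGGESTED),
    Rule(lambda p: "Developer" in p.roles, frozenset({"Prod-Deploy"}), Mode.ELIGIBLE),
    Rule(lambda p: p.department == "Finance",
         frozenset({"Vendor-Create", "Payment-Approve"}), Mode.ELIGIBLE),
    Rule(lambda p: "Contractor" in p.roles, frozenset({"Prod-Deploy"})),  # exclusion
]
EXAMPLE_TODAY = date(2024, 1, 1)  # fixed date so the worked output is reproducible


def eligible_items(person, rules=RULES):
    """Items the person may see in the shop, each with the strongest matching mode.
    Inclusions are applied first and exclusions last, so an exclusion always wins."""
    matching = [r for r in rules if r.applies_to(person)]
    shop = {}
    for rule in (r for r in matching if r.mode is not None):
        for item in rule.items:
            shop[item] = max(shop.get(item, rule.mode), rule.mode)
    for rule in (r for r in matching if r.mode is None):
        for item in rule.items:
            shop.pop(item, None)
    return shop


def route_request(person, item, rules=RULES, duration_days=None, today=EXAMPLE_TODAY):
    """Decide whether a cart item needs approval and by whom. Approval is skipped only
    for Pre-Approved items or when the requester already holds the RBAC delegation to
    grant the item; a Segregation of Duties conflict adds a risk-owner step."""
    d = Decision(item=item, outcome="not eligible")
    mode = eligible_items(person, rules).get(item)
    if mode is None:
        d.audit.append(f"{person.name} is not eligible for {item}; request refused")
        return d
    if duration_days is not None:           # time-constrained (temporary) exception
        d.expires_on = today + timedelta(days=duration_days)
    if mode is Mode.PRE_APPROVED or item in person.delegations:
        why = "pre-approved" if mode is Mode.PRE_APPROVED else "requester holds delegation"
        d.outcome = "fulfilled"
        d.audit.append(f"{item} granted to {person.name} without approval ({why})")
        return d
    sensitivity, conflict = CATALOG[item]
    d.steps = ["Manager"] if sensitivity < 2 else ["Manager", "Resource Owner"]
    if conflict is not None and conflict in person.held:
        d.steps.append("Risk Owner (SoD)")  # extra approval for a toxic combination
    d.outcome = "pending approval"
    d.audit.append(f"{item} for {person.name} routed to {' -> '.join(d.steps)}")
    return d
```

With these constructed rules, a Sales employee sees CRM-Reader as Pre-Approved and CRM-Admin only as a suggestion; a contractor who also holds the Developer role sees nothing, because the exclusion rule removes Prod-Deploy after the inclusion rule added it. A Finance user who already holds Vendor-Create and asks for Payment-Approve is routed through the manager, the resource owner and an additional risk owner, while a developer who holds the delegation for Prod-Deploy gets it fulfilled with no approval step. Every decision carries an audit line, which is the trail a recertification reviewer would later read.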