Identity IQ Introduction Part-2

Event Driven provisioning

What is Event-Driven Provisioning?

Imagine you start a new job at a big company. On your first day, you need access to email, company tools, and databases to do your work. Instead of waiting for someone from IT to manually give you access, the system automatically provides it as soon as you join. This is called event-driven provisioning—a smart way for companies to manage employee access automatically based on events like joining, switching roles, or leaving the company.

How Does It Work?

Let’s say you get promoted from a Junior Analyst to a Senior Analyst. This change is recorded in the company’s HR system.

Without event-driven provisioning:

• You would have to ask IT for new access to senior-level systems.

• IT might take days or weeks to process it manually.

• You might still have old access that’s no longer needed, which is a security risk.

With event-driven provisioning:

• The system automatically updates your access when your job role changes.

• You instantly get the right permissions for your new role.

• Any unnecessary access is removed to keep things secure.

Why is This Important?

Saves Time – No waiting for IT teams to grant access.

Improves Security – Removes unnecessary access, reducing security risks.

Ensures Compliance – Helps organizations follow strict security rules.

Enhances Efficiency – Employees get what they need instantly.

Conclusion

Event-driven provisioning helps businesses stay secure, work faster, and reduce human effort in managing identity access. It ensures that every employee always has the right access at the right time—nothing more, nothing less!

Event-Driven Provisioning Process

IdentityIQ monitors identity data looking for changes, also known as events.

1. IdentityIQ reads identity data from HR systems, directories and databases through its scheduled aggregation tasks, and evaluates lifecycle triggers during the identity refresh that follows. Detection is therefore only as prompt as those schedules: the provisioning is automatic, but it happens on the next aggregation and refresh, not at the instant the HR record changes.

[Image: Identity cubes]

2. Whenever a change (event) happens, such as:

[Image: Identity cubes, one highlighted in pink]

• A new employee is hired

• An employee gets promoted

• Someone leaves the company

3. IdentityIQ detects the event and updates access automatically:

[Image: Provisioning]

• Grants new permissions for a promotion

• Revokes access when someone leaves

• Modifies access based on role changes

Why is this important?

Real-time Access Updates – No manual intervention required.

Stronger Security – Prevents unauthorized access by removing old permissions.

Compliance & Efficiency – Ensures regulatory compliance and saves IT workload.

Think of it Like This:

It’s like a smart security system that automatically updates door access when employees join, switch departments, or leave—no need to manually lock or unlock doors!

Understanding Lifecycle Events with Rapid Setup in IdentityIQ


What is Event-Driven Provisioning in Lifecycle Events?

Event-driven provisioning in IdentityIQ automates access updates based on changes in an employee’s journey within an organization. Instead of IT manually handling access for every change, pre-configured lifecycle events (via Rapid Setup) streamline the process.

Three Key Lifecycle Events:

1️⃣ Joiners (New Employees)

• These are new identities starting with the company.

What happens?

✅ Automatically creates new accounts.

✅ Grants initial access based on role (e.g., email, HR system).

✅ Assigns default permissions for their job function.

Example:

• Alice joins as a Software Engineer.

• IdentityIQ provisions her access to JIRA, GitHub, and Slack.

2️⃣ Movers (Role/Department Changes)

• Employees switch roles, locations, or job titles.

What happens?

✅ Grants new permissions needed for the new role.

✅ Removes old access no longer required.

✅ Ensures compliance with access policies.

Example:

• Bob moves from HR to Finance.

• IdentityIQ removes access to HR systems and grants access to financial tools like SAP.

3️⃣ Leavers (Departing Employees)

• Employees leave the company (resignation, termination, retirement).

What happens?

✅ Disables accounts immediately to prevent unauthorized access.

✅ Revokes all access and permissions.

✅ Ensures offboarding compliance and prevents security risks.

Example:

• Chris resigns from the company.

• IdentityIQ automatically revokes his access to company systems on his last working day.

Why is Rapid Setup Important?

🔹 Pre-configured workflows = Faster onboarding, role changes, and offboarding.

🔹 Security & Compliance = Prevents unauthorized access by ensuring timely updates.

🔹 Efficiency = Reduces manual work for IT and HR teams.

💡 Think of it like this:

It’s like an automatic keycard system in an office.

New employees get a keycard upon joining.

If they move to a different floor, their keycard is updated.

When they leave, their keycard stops working instantly.
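The joiner, mover and leaver handling described in this section, and the detect-then-update process in the event-driven provisioning section above, can be modelled with a short Python script. This is an added illustration, not IdentityIQ code or its API: it diffs two constructed HR snapshots (the employee records, the job-title-to-entitlement role model and the currently held access are all assumptions), classifies each change as a joiner, mover or leaver event, and produces the add/remove operations a provisioning plan would carry. It also covers one edge case a practitioner should expect: an active HR record that simply disappears is treated as a termination rather than silently ignored.

```python
"""Toy model of joiner/mover/leaver detection and role-based provisioning.

Added illustration, not IdentityIQ code or its API. IdentityIQ evaluates
lifecycle triggers when identity attributes change between refreshes; this
script reproduces the idea by diffing two constructed HR snapshots.
"""
from dataclasses import dataclass, field

# Hypothetical role model: job title -> entitlements as (application, value).
ROLE_MODEL = {
    "Software Engineer": {("JIRA", "user"), ("GitHub", "developer"), ("Slack", "member")},
    "HR Specialist": {("Workday", "hr-user"), ("Slack", "member")},
    "Finance Analyst": {("SAP", "fi-user"), ("Slack", "member")},
}


@dataclass(frozen=True)
class Identity:
    employee_id: str
    name: str
    title: str
    status: str   # "active" or "terminated"


@dataclass
class ProvisioningPlan:
    employee_id: str
    event: str                    # "joiner", "mover" or "leaver"
    add: set = field(default_factory=set)
    remove: set = field(default_factory=set)
    disable_accounts: bool = False


def detect_events(previous, current):
    """Diff two snapshots keyed by employee_id and classify each change."""
    events = []
    for emp_id, cur in current.items():
        prev = previous.get(emp_id)
        if prev is None and cur.status != "active":
            continue                                  # never onboarded, nothing to do
        if prev is None or (prev.status != "active" and cur.status == "active"):
            events.append(("joiner", cur))            # new hire or rehire
        elif prev.status == "active" and cur.status != "active":
            events.append(("leaver", cur))
        elif cur.status == "active" and cur.title != prev.title:
            events.append(("mover", cur))
    for emp_id, prev in previous.items():
        if emp_id not in current and prev.status == "active":
            events.append(("leaver", prev))           # vanished HR record: treat as termination
    return events


def build_plan(event, identity, current_access):
    """Turn an event into add/remove operations against what the identity holds now."""
    held = current_access.get(identity.employee_id, set())
    plan = ProvisioningPlan(identity.employee_id, event)
    if event == "leaver":
        plan.remove = set(held)
        plan.disable_accounts = True
        return plan
    desired = ROLE_MODEL.get(identity.title, set())
    plan.add = desired - held          # what the (new) role grants that is not yet held
    plan.remove = held - desired       # movers lose what the new role does not justify
    return plan


def process(previous, current, current_access):
    """Plans keyed by employee_id for every event between the two snapshots."""
    return {ident.employee_id: build_plan(event, ident, current_access)
            for event, ident in detect_events(previous, current)}


# Constructed snapshots: Alice joins, Bob moves HR -> Finance, Chris leaves.
PREVIOUS = {
    "1002": Identity("1002", "Bob", "HR Specialist", "active"),
    "1003": Identity("1003", "Chris", "Finance Analyst", "active"),
}
CURRENT = {
    "1001": Identity("1001", "Alice", "Software Engineer", "active"),
    "1002": Identity("1002", "Bob", "Finance Analyst", "active"),
    "1003": Identity("1003", "Chris", "Finance Analyst", "terminated"),
}
CURRENT_ACCESS = {
    "1002": {("Workday", "hr-user"), ("Slack", "member")},
    "1003": {("SAP", "fi-user"), ("Slack", "member")},
}

if __name__ == "__main__":
    for plan in process(PREVIOUS, CURRENT, CURRENT_ACCESS).values():
        print(plan)
```

Note that Bob keeps his Slack membership: the mover plan only removes what the new role does not justify, so access common to both roles is not torn down and re-created.
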

Understanding Certification and Access Reviews in IdentityIQ


What is Access Certification?

Access Certification, also known as access review, is a security process that helps organizations ensure that users have the correct permissions and remove any unnecessary access to protect sensitive data and systems.

How Does the Certification Process Work?

1️⃣ Users Hold Different Access Permissions

• Employees have access to apps, directories, cloud systems, and databases.

• Over time, users may accumulate unnecessary or risky permissions.

2️⃣ The Certifier Reviews Access

• A certifier (often a manager or IT admin) reviews a user’s access to ensure it aligns with their job role.

• This ensures employees only have access to what they need and nothing extra.

3️⃣ Approve or Reject Access

• ✅ Approved: If access is still required, it remains active.

• ❌ Rejected: If access is no longer needed, it is revoked to reduce security risks.

4️⃣ Regular Certification Cycles

• Certifications should be performed quarterly, annually, or based on security policies to ensure compliance.

• Helps prevent unauthorized access, insider threats, and security breaches.

[Image: Basic - Certifier and User Access]

The image visually represents how Access Certification works in IdentityIQ, showing how a Certifier (a manager or security reviewer) examines and decides whether a user’s access should be approved or revoked.

🔵 Left Side: Certifier (Reviewer)

• The large blue circle represents the Certifier, who is responsible for reviewing access permissions.

• The three shield icons symbolize security and compliance, indicating that the certifier ensures only authorized access is maintained.

• Certifiers are typically:

Managers

Application Owners

IT Security Teams

🔹 What does the certifier do?

• They review a user’s access to different systems.

• They approve or revoke access based on job roles and responsibilities.

🔵 Right Side: User’s Access Review

• The small human icon on the right represents the user whose access is being reviewed.

• The various icons connected to the user symbolize different IT-controlled systems the user can access:

Apps (Approved)

Directories (Approved)

Cloud Services (Approved)

Database Access (Revoked)

🔹 What’s Happening Here?

• The certifier reviews the user’s access and checks if it aligns with their job role.

• Some access remains approved (green check marks ✅).

• Some access is revoked (red cross ❌) if it’s unnecessary or a security risk.

Example Scenario

🔹 Meet Sarah – A Marketing Analyst

• Sarah has access to:

✅ Company Marketing Tools

✅ Employee Directory

✅ Cloud Storage

❌ Finance Database (which she should not have!)


🔹 Certification Process:

1️⃣ The Certifier (Manager) checks her access list.

2️⃣ Sees that she doesn’t need Finance Database access.

3️⃣ Revokes access to prevent security risks.

4️⃣ Approves the rest of her valid permissions.

Result: Sarah now has only the access needed for her job, improving security and compliance.


Why Is This Important?

🔹 Prevents Unauthorised Access – Employees don’t keep access they no longer need.

🔹 Enhances Security – Reduces data breaches and insider threats.

🔹 Ensures Compliance – Helps meet security regulations like GDPR, HIPAA, and SOX.

🔹 Improves Efficiency – Automates and simplifies access reviews.

Regular certification ensures that users always have the right access—nothing more, nothing less!


Understanding the Certification Process in IdentityIQ

The Certification Process in IdentityIQ is designed to help organizations review, approve, or revoke employee access to systems and applications. This process ensures compliance and security by making sure users have only the access they need for their job roles.

🔹 Step 1: Creating a Certification Campaign

[Image: New Campaign]

• A compliance officer or admin creates a certification campaign.

• The campaign requires managers to review access for their direct reports.

• Admins configure:

Campaign Name (e.g., “Manager Certification”)

Certification Owner (e.g., “Admins”)

Who will review access? (e.g., “All Managers”)

How often? (e.g., “Annually”)

Start date and included applications

🛠 Purpose: This ensures that certifications are scheduled at regular intervals, reducing security risks.

🔹 Step 2: Collecting Access Information

[Image: Manager Access Reviews]

IdentityIQ collects and compiles user access data from different applications, databases, and cloud services.

• The system organizes the information and creates access reviews for managers.

• The access reviews appear in the “Access Reviews” dashboard, where managers can see their assigned employees.

• Each review shows:

✅ Employee Name

✅ Number of Access Items to Review

✅ Completion Status (e.g., 0%, 47%)

✅ Review Phase (e.g., Active)

🛠 Purpose: This step ensures all necessary access data is available before managers start the review process.

🔹 Step 3: Reviewing Employee Access

📌 Manager Access Review for Amanda Ross

[Image: Approve or Revoke]

Managers review the assigned access for each employee.

• Each access item is categorised:

Roles (e.g., “Accounting General Access Profile”)

Entitlements (e.g., “Approve on Capability,” “Reject on Capability”)

Application Name

Employee Identity

Managers Can Take Action:

Approve if the user still needs access.

Revoke if the access is no longer needed.

🔹 AI-Driven Recommendations:

• IdentityIQ can show a recommendation for each item, based on what similar users in the organization hold.

• Thumbs up 👍 (Approve) or Thumbs down 👎 (Revoke) icons help managers decide quickly. The recommendation is a hint only: the certifier still records the decision and remains accountable for it.

🛠 Purpose: This ensures that employees have the right access based on their job role and security policies.

🔹 Step 4: Challenge, Sign-Off, and Revocation

📌 What Happens in This Phase?

• If an employee’s access is revoked, they can challenge the decision.

• Managers can review and reconsider their revocation decisions.

• After the review period, managers sign off on the certification.

• After sign-off, IdentityIQ revokes the rejected access: automatically where the application’s connector supports provisioning, otherwise through a work item assigned to someone who removes the access by hand and confirms it in IdentityIQ.

🛠 Purpose: This step provides an opportunity for employees to challenge decisions before access is removed, preventing unnecessary disruptions.
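The campaign flow in Steps 1 to 4, together with the certifier-and-user picture in the previous section, can be modelled end to end in a few dozen lines of Python. This is an added example, not IdentityIQ code: it builds one access review per manager from a constructed population, computes a peer-group recommendation (the share of people with the same job title who hold the entitlement; the 50% threshold and the names Sarah, Tom, Lee and Dana are assumptions), records the certifier’s decisions, handles a challenge, and refuses sign-off while any item is undecided, returning the revocation list that would then be provisioned.

```python
"""Toy model of a manager access-review campaign.

Added illustration, not IdentityIQ code. Population, entitlements and the
50% peer threshold are constructed assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Identity:
    name: str
    manager: str
    title: str
    entitlements: set


@dataclass
class ReviewItem:
    identity: str
    entitlement: tuple            # (application, value)
    recommendation: str           # "approve", "revoke" or "none"
    decision: str = "undecided"   # recorded by the certifier
    challenged: bool = False


@dataclass
class AccessReview:
    certifier: str
    items: list = field(default_factory=list)
    signed_off: bool = False


def peer_recommendation(identity, population, threshold=0.5):
    """Recommend approve when at least `threshold` of same-title peers hold the item."""
    peers = [p for p in population if p.title == identity.title and p is not identity]

    def recommend(entitlement):
        if not peers:
            return "none"   # no peer evidence; leave the call to the certifier
        share = sum(entitlement in p.entitlements for p in peers) / len(peers)
        return "approve" if share >= threshold else "revoke"

    return recommend


def create_campaign(population):
    """One access review per manager, one item per (identity, entitlement) pair."""
    reviews = {}
    for person in population:
        review = reviews.setdefault(person.manager, AccessReview(person.manager))
        recommend = peer_recommendation(person, population)
        for ent in sorted(person.entitlements):
            review.items.append(ReviewItem(person.name, ent, recommend(ent)))
    return reviews


def decide(review, decisions):
    """decisions maps (identity, entitlement) to "approve" or "revoke"."""
    for item in review.items:
        value = decisions.get((item.identity, item.entitlement))
        if value is None:
            continue
        if value not in ("approve", "revoke"):
            raise ValueError(f"invalid decision {value!r}")
        item.decision = value


def challenge(review, identity, entitlement, accepted):
    """Employee challenges a revoke; if the certifier accepts, the item flips back."""
    for item in review.items:
        if (item.identity, item.entitlement) == (identity, entitlement) and item.decision == "revoke":
            item.challenged = True
            if accepted:
                item.decision = "approve"


def sign_off(review):
    """Sign-off is refused while any item is undecided; returns the revocations to provision."""
    undecided = [i for i in review.items if i.decision == "undecided"]
    if undecided:
        raise ValueError(f"{len(undecided)} item(s) still undecided")
    review.signed_off = True
    return [(i.identity, i.entitlement) for i in review.items if i.decision == "revoke"]


def build_population():
    """Constructed sample data: three marketing analysts reporting to Dana."""
    common = {("MarketingTools", "user"), ("Directory", "read"), ("CloudStorage", "user")}
    return [
        Identity("Sarah", "Dana", "Marketing Analyst", common | {("FinanceDB", "read")}),
        Identity("Tom", "Dana", "Marketing Analyst", set(common)),
        Identity("Lee", "Dana", "Marketing Analyst", set(common)),
    ]


def run_example():
    review = create_campaign(build_population())["Dana"]
    # The certifier follows every recommendation, then Sarah challenges and loses.
    decide(review, {(i.identity, i.entitlement): i.recommendation for i in review.items})
    challenge(review, "Sarah", ("FinanceDB", "read"), accepted=False)
    return review, sign_off(review)


if __name__ == "__main__":
    review, revocations = run_example()
    for item in review.items:
        print(item.identity, item.entitlement, item.recommendation, item.decision)
    print("revoke:", revocations)
```

Only Sarah’s Finance Database entitlement comes back as a revocation: none of her peers hold it, so the peer-group hint is a revoke, the certifier agrees, and the challenge does not overturn it.
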


Understanding IdentityIQ Policies

IdentityIQ policies define rules that organizations use to manage access and security. These rules help prevent conflicts, security risks, and unauthorized access.


🔹 What is a Policy?

A policy in IdentityIQ defines unwanted access conditions that should not exist in an organization. Once a policy is defined, IdentityIQ can:

Prevent the condition from occurring (Proactive enforcement)

Check existing user access for violations (Auditing & Compliance)


🔹 Common Types of Policies (Explained with Images)

1️⃣ Separation of Duties (SoD) Policy

[Image: Separation of Duties]

Purpose: Prevents users from holding conflicting access that could lead to fraud.

Example: One person should not be able to both approve a new vendor AND make payments to that vendor.

Risk: If the same person has both permissions, they could create a fake vendor and pay themselves.

• ✅ Solution: IdentityIQ enforces a policy that ensures these responsibilities are split between two different users.


2️⃣ Dormant Account Policy

[Image: Dormant accounts]

Purpose: Identifies accounts that have been inactive for a long time.

Example: An employee left the company, but their account still exists.

Risk:

• An attacker who takes over the inactive account can use it unnoticed, because nobody expects activity from it.

• The company continues to pay for unused licenses.

• ✅ Solution: IdentityIQ detects dormant accounts and allows security teams to disable or delete them.


3️⃣ Unauthorized Manager Access Policy

[Image: Non-manager with manager access]

Purpose: Ensures that only managers have manager-level access.

Example: A regular employee should not have permissions to approve or revoke access for other employees.

Risk:

• A non-manager could grant themselves or others high-level permissions.

• Unauthorized access approvals could lead to security breaches.

• ✅ Solution: IdentityIQ detects these violations and removes inappropriate access.


🔹 Why Are Policies Important?

Prevents Security Risks – Stops unauthorized access before it happens.

Reduces Fraud & Misuse – Ensures no one has conflicting access.

Ensures Compliance – Meets regulatory standards (SOX, GDPR, HIPAA).

Improves Access Governance – Ensures employees only have the permissions they need.


💡 Think of it like an airport security check!

• A baggage handler should not also have access to flight controls (Separation of Duties).

Expired boarding passes should not work (Dormant Accounts).

• A passenger should not have pilot privileges (Unauthorized Manager Access).

IdentityIQ ensures that organizations enforce the right security policies to protect sensitive data and systems!


Acting on Violations in IdentityIQ

IdentityIQ provides a structured approach to managing policy violations by allowing designated owners to take corrective actions. The goal is to identify, review, and remediate access risks to ensure security and compliance.


🔹 Understanding the Policy Violation Process

1️⃣ Violation Detection

• IdentityIQ detects violations based on defined access policies.

[Image: Take actions]

• Each violation is listed with:

Identity (e.g., “Aaron.Nichols”, “Amanda.Ross”)

Policy Name (e.g., “TRAKK SOD Policy”)

Rule Description (e.g., “Cannot be Super and Input at the same time”)

Owner (Person responsible for reviewing)

Actionable Decisions (Allow, Revoke, or Certify)

2️⃣ Taking Action on Violations

• The violation owner can take one of three actions:

Allow – Approves the violation as an exception.

Revoke – Removes conflicting access to resolve the issue.

Certify – Launches a certification of all access the user holds, so the owner decides about the conflicting items in the context of the user’s full access rather than in isolation.

Purpose: Ensures that someone is responsible for addressing access risks, preventing security gaps.


🔹 Correcting a Violation

Example Violation: “Cannot be Super and Input at the Same Time”

[Image: Correct Violation]

• The user has two conflicting roles:

Super (Admin-level access)

Input (Data entry access)

• IdentityIQ flags this as a Separation of Duties (SoD) violation.

🛠 Action Options:

Revoke One of the Roles – The reviewer can remove either Super or Input to correct the issue.

Cancel the Action – If further investigation is needed, the reviewer can hold off on immediate changes.

Purpose: This step ensures that users do not have excessive or conflicting permissions, reducing security risks.


🔹 Handling Violations Over Time

Exception Handling: Violations can be temporarily allowed as an exception for a specified period.

Ongoing Monitoring: If the issue remains unresolved after the exception period, IdentityIQ flags it again to prevent oversight.


🔹 Why Is This Important?

Prevents Unauthorized Access – Ensures users only have the access they need.

Enhances Compliance – Meets regulatory requirements (SOX, GDPR, HIPAA).

Reduces Risk of Fraud & Insider Threats – SoD violations can lead to financial fraud if not addressed.

Automates Access Reviews – Makes security management more efficient.

💡 Think of it like a banking system!

• A single employee should not be able to both approve loans AND withdraw money.

• IdentityIQ detects this, flags it as a violation, and ensures corrective action is taken!

By acting on violations efficiently, IdentityIQ helps organizations maintain strong security and compliance standards!
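The policy types in the previous section (Separation of Duties, dormant accounts, manager-only access) and the allow/revoke handling with expiring exceptions in this one rest on the same mechanism: a rule that names unwanted access, evaluated against what identities actually hold, plus exceptions that expire. The Python below is an added example rather than IdentityIQ code and models that over a constructed population: SoD rules as pairs of entitlement sets, a manager-only entitlement check, a dormant-account check on last-login dates, a preventive check that rejects a request before it creates a conflict, and exceptions that keep a violation quiet until their expiry date, after which a rescan reopens it. The policy names, entitlement values, the 90-day dormancy threshold and the three identities are all assumptions.

```python
"""Toy policy engine: SoD, manager-only and dormant-account detection, preventive
checks, and allow/revoke of violations with expiring exceptions.
Added illustration, not IdentityIQ code; rules, thresholds and people are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class SodRule:
    policy: str
    description: str
    left: set    # holding anything from `left` together with anything from `right`
    right: set   # is a violation


@dataclass
class Identity:
    name: str
    is_manager: bool
    entitlements: set   # (application, value) pairs
    last_login: dict    # application -> date of last login


@dataclass
class Violation:
    identity: str
    policy: str
    description: str
    owner: str
    status: str = "open"                  # "open", "allowed" or "revoked"
    allowed_until: Optional[date] = None

    def key(self):
        return (self.identity, self.policy, self.description)


SOD_RULES = [SodRule("TRAKK SOD Policy", "Cannot be Super and Input at the same time",
                     {("TRAKK", "Super")}, {("TRAKK", "Input")})]
MANAGER_ONLY = {("IdentityIQ", "approve-access")}
DORMANT_AFTER = timedelta(days=90)


def check_sod(entitlements):
    """SoD rules violated by this entitlement set."""
    return [r for r in SOD_RULES if entitlements & r.left and entitlements & r.right]


def detect_violations(identities, owner, today):
    """Detective check over existing access (the auditing use of a policy)."""
    found = []
    for ident in identities:
        for rule in check_sod(ident.entitlements):
            found.append(Violation(ident.name, rule.policy, rule.description, owner))
        if not ident.is_manager and ident.entitlements & MANAGER_ONLY:
            found.append(Violation(ident.name, "Manager Access Policy",
                                   "Non-manager holds manager-only access", owner))
        for app, last in ident.last_login.items():
            if today - last > DORMANT_AFTER:
                found.append(Violation(ident.name, "Dormant Account Policy",
                                       f"No login to {app} for over {DORMANT_AFTER.days} days", owner))
    return found


def preventive_check(identity, requested):
    """Proactive enforcement: rules a request would violate if it were granted."""
    return check_sod(identity.entitlements | {requested})


def allow(violation, today, days):
    """Accept the violation as an exception that expires after `days`."""
    violation.status, violation.allowed_until = "allowed", today + timedelta(days=days)


def revoke(identity, violation, entitlement):
    """Remove one side of the conflict so the next rescan no longer reports it."""
    identity.entitlements.discard(entitlement)
    violation.status = "revoked"


def rescan(identities, prior, owner, today):
    """Re-detect; unexpired exceptions stay allowed, expired ones reopen."""
    exceptions = {v.key(): v for v in prior if v.status == "allowed"}
    current = detect_violations(identities, owner, today)
    for v in current:
        prev = exceptions.get(v.key())
        if prev and prev.allowed_until >= today:
            v.status, v.allowed_until = "allowed", prev.allowed_until
    return current


def build_identities():   # constructed sample population
    return [
        Identity("Aaron.Nichols", False, {("TRAKK", "Super"), ("TRAKK", "Input")}, {"TRAKK": date(2025, 1, 10)}),
        Identity("Amanda.Ross", False, {("IdentityIQ", "approve-access"), ("TRAKK", "Super")}, {"TRAKK": date(2025, 1, 12)}),
        Identity("Chris.Lee", False, {("SAP", "fi-user")}, {"SAP": date(2024, 9, 1)}),
    ]


def run_example():
    today = date(2025, 1, 15)
    people = build_identities()
    found = detect_violations(people, "Security Team", today)
    allow(next(v for v in found if v.identity == "Aaron.Nichols"), today, days=30)   # 30-day exception
    amanda = next(p for p in people if p.name == "Amanda.Ross")
    blocked = preventive_check(amanda, ("TRAKK", "Input"))   # request rejected before it creates a conflict
    revoke(amanda, next(v for v in found if v.policy == "Manager Access Policy"), ("IdentityIQ", "approve-access"))
    within = rescan(people, found, "Security Team", today + timedelta(days=10))   # exception still valid
    after = rescan(people, within, "Security Team", today + timedelta(days=40))   # exception expired: reopened
    return found, blocked, within, after


if __name__ == "__main__":
    for v in run_example()[3]:
        print(v.identity, v.policy, v.status)
```

The point of the two rescans is the one the Handling Violations Over Time paragraph makes: an exception silences the violation, it does not remove it, so the same detection logic reopens it as soon as the exception has expired. Revocation, by contrast, changes the access itself, which is why Amanda’s manager-access violation is simply absent from the later scans.
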