I’ve been part of midPoint community for about five years now. During that time, I’ve made several deployments of midPoint Identity Management in both medium and large organizations. I’m proud that all of these projects came to be successful for us (as the Evolveum partner) and the customer as well. Big thanks for this goes to Evolveum, for their support and leadership of this open-source project. My post today is about Identity Governance. In the first part, I describe where Identity Governance is positioned in IdM architecture and I will also mention challenges and benefits for the end customers. In the second part, I describe my actual experience with implementing governance features using midPoint Identity Management.
Usual practice is to design Identity Management from bottom to top, starting with identity synchronization and data integration. At the beginning, you get friendly with things like provisioning, connectors, HR, password resets, identity lifecycle and so on. If you do the job right, in the end you have nice automation of identity flow in the organization. Identity synchronization is mostly technical (IT focused) and usually it brings many quick wins without getting hands too dirty with people from outside of IT department (aka business). In fact, many organizations are still completely fine with doing just identity synchronization.
In the world of ever-growing regulations and always-present security risk bare data synchronization may not be enough. Security officers and business managers are responsible for sensitive data of their company and customers. Who has access to this data? When was this access granted, who approved it? Is the access still required? When you are being asked these questions, it is time to move on to higher IdM level – Identity Governance and Administration (IGA). Identity Governance, in short, is not well-defined term yet. Generally, it means that access rights are controlled by policies. In practice, policies may include automated rules, workflows, certification campaigns and other aspects that help to shape and automate identity flow. For organization it usually means that IdM moves closer to business users, while IT personnel stick to more specialized activities rather than e.g. creating excel sheets for manual roles certification.
One of the common examples of Identity Governance is Segregation of Duties (SoD) rules, which forbids single user to cumulate certain roles. For example, one user has role to create invoice, different user has bank access to transfer funds. Other example of IGA feature is periodical access rights review, which is often called certification campaign. In these campaigns reviewers re-approve or reject already assigned roles. Not surprisingly, users tend to cumulate more and more roles as their time in organization goes by, most often users or managers themselves do not actively ask for the roles to be unassigned. Very effective way how to battle this is to start certification campaigns periodically in IdM and let approvers decide once again if the role assignment is still necessary.
I remember one customer who ran their certification campaign in midPoint for the first time. The campaign ended with 15 % user-role assignments being unassigned from their critical CRM system. 15 % is not much, you may say, but if you look at it from the other side, there were 15 % users with unnecessary access to sensitive customer data. From my practice, periodical campaigns are best combined with so called ad-hoc campaign which is single-user focused and triggered by specific event – e.g. when employee changes organizational assignment.
Implementing full Identity Governance in big organizations is not possible without solid support from higher management. Key element in IGA is business user, e.g. manager who knows best what sort of work does each subordinate do. This element is also the weakest, since business users do business and they don’t want to do IT stuff. Access privileges, roles, rules, certifications, workflows are IT things. One of the greatest challenges in IGA is not technical, it’s in the company’s culture to line out processes that each responsible employee or partner must follow. It is up to IT department to provide best tools possible, easy, fast, least-disturbing. This is where midPoint is very strong. I will show you some of that in the next part of this article.