Identity Governance & Administration

Know who is accessing what and why!


IGA Offer

The objective of identity and authorization governance can be summed up in one simple phrase: "the right rights for the right person, at the right time."

From this starting point, it is then a matter of answering questions such as:

  • What are the identities of the users of the Information System?
  • What are their rights on the Information System applications?
  • Why were these rights granted?
  • Are these rights always legitimate and compliant?
 

To answer these questions, identity and authorization governance must be approached from several angles:

  • An organizational axis, taking into account the size of the company, its geographical distribution, its mode of governance, etc.;
  • A functional axis, linked to the organization's internal processes, activities, regulations to be respected, etc.;
  • A technical axis, depending on the complexity of the Information System, the history of its construction, a possible transition phase to the Cloud, etc.

Centralized repository

One of the first objectives of the IGA is the implementation of a centralized and reliable repository, allowing the dissemination of quality information within the Information System:

  • This involves building a master repository containing all the identities of the users of the Information System, whether they are employees, trainees, temporary staff, service providers, etc., but it can also concern suppliers or partners;
  • This type of repository is able to centralize other types of complementary data, such as organizational structure or location information for example.

The objective is to build the repository of theoretical identity rights, allowing us to know at any time the identity's occupancy within the IS.

The aim is to let the other applications and services that make up the IS consume this reference information, for example through a protocol such as LDAP, exposed APIs or a data synchronization engine.

Identity lifecycle

In order to keep the identity repository up to date, it is essential to manage the associated life cycle (arrival, mobility, departure) within the organization.

This can be provided via:

The two approaches can be specific - depending on the population - or combined.
It is then a matter of provisioning this information in the various target systems, with the creation of "user" accounts for example.

Authorization management

The management of authorizations meets different needs:

As a first step, it is necessary to define a list of the authorizations or resources available within the organization, in a vocabulary that the end user can understand.

It must allow you to make an independent request for access, which will then follow a validation process (it must also allow you to modify or delete rights).

It is possible to build a role model that allows you to construct sets of rights, and to assign them or not in an automated way to users based on rules.

This means defining incompatibilities between rights or roles and setting up detection rules that are either preventive (applied at the time of a request) or a posteriori (control reports, for example).
Finally, the validated theoretical rights are automatically or manually provisioned in the target systems.
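
The role model and the incompatibility rules described above can be sketched as follows. This is an added example, not Synetis code or any vendor's API; every role, right and user name in it is constructed for illustration.

```python
# Constructed incompatibility rules: pairs of rights one identity must not hold together.
INCOMPATIBLE = {
    frozenset({"create_supplier", "approve_payment"}),
    frozenset({"submit_expense", "approve_expense"}),
}

# Constructed role model: each role is a named set of rights.
ROLES = {
    "buyer": {"create_supplier", "create_order"},
    "treasurer": {"approve_payment", "view_ledger"},
    "employee": {"submit_expense"},
    "manager": {"approve_expense"},
}


def effective_rights(roles, direct_rights=()):
    """Flatten assigned roles plus any directly granted rights into one set."""
    rights = set(direct_rights)
    for role in roles:
        rights |= ROLES[role]
    return rights


def conflicts(rights):
    """Return the violated rules as a sorted list of (right, right) pairs."""
    return sorted(tuple(sorted(rule)) for rule in INCOMPATIBLE if rule <= rights)


def check_request(current_roles, requested_role):
    """Preventive control: conflicts that granting the requested role would add."""
    before = set(conflicts(effective_rights(current_roles)))
    after = conflicts(effective_rights(list(current_roles) + [requested_role]))
    return [pair for pair in after if pair not in before]


def control_report(assignments):
    """A posteriori control: every identity that already holds a conflict."""
    return {user: found for user, roles in sorted(assignments.items())
            if (found := conflicts(effective_rights(roles)))}


if __name__ == "__main__":
    print(check_request(["buyer"], "treasurer"))
    print(control_report({"alice": ["employee", "manager"], "bob": ["buyer"]}))
```

A non-empty result from `check_request` would block or escalate the request in the validation workflow, while `control_report` covers conflicts that entered through other paths, such as rights granted directly in a target system.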

Governance / Audit and Compliance

From an auditability and compliance perspective, governance offers several approaches:

All actions carried out on accounts and rights are traced, which makes it possible to use standard reports or to build custom ones.

By defining a risk level for the different rights available, it is possible to target controls on users at risk.

In order to ensure that the requested and approved rights correspond to the actual rights in the target systems, it is possible to set up automatic comparisons between these two states.
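
The comparison between approved and actual rights, ordered by the risk level assigned to each right, can look like this. It is an added example rather than code from Synetis or an IGA product; the accounts, rights and risk scores are constructed, and treating an unrated right as highest risk is an assumption of this sketch.

```python
# Constructed risk levels per right (higher means more sensitive).
RISK = {"db_admin": 3, "payroll_write": 3, "crm_read": 1, "wiki_edit": 1}

# Constructed theoretical state: rights requested and approved in the repository.
APPROVED = {
    "alice": {"crm_read", "wiki_edit"},
    "bob": {"payroll_write"},
    "carol": {"crm_read"},
}

# Constructed actual state: rights collected from the target systems.
ACTUAL = {
    "alice": {"crm_read", "wiki_edit", "db_admin"},
    "bob": set(),
    "dave": {"crm_read"},
}


def reconcile(approved, actual, risk):
    """Return (account, right, finding) tuples, highest-risk rights first."""
    findings = []
    for account in sorted(set(approved) | set(actual)):
        want = approved.get(account)
        have = actual.get(account, set())
        if want is None:
            # Account exists in a target system but has no identity in the repository.
            findings += [(account, r, "orphan_account") for r in have]
            continue
        # Right present in the target system without an approval behind it.
        findings += [(account, r, "unapproved") for r in have - want]
        # Right approved but never provisioned (or removed out of band).
        findings += [(account, r, "not_provisioned") for r in want - have]
    top = max(risk.values())  # assumption: an unrated right is treated as highest risk
    findings.sort(key=lambda f: (-risk.get(f[1], top), f[0], f[1]))
    return findings


if __name__ == "__main__":
    for finding in reconcile(APPROVED, ACTUAL, RISK):
        print(finding)
```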

To ensure that the rights of a user are always in line with his activity, regular certification campaigns of the rights are possible, for example via the line manager or the resource owner.

Self-Service

Finally, the governance of identities and authorizations has the objective of decentralizing management actions. 

Thus, it is possible to provide the user with interfaces for:

Identity and Authorization Governance at Synetis

Numerous consultants dedicated to identity and authorization governance with an average experience of over 4 years in the field of integration and 7 years in the field of consulting and project management;

More than 5 active partnerships with major market players (IBM, Ilex International, Kleverware, SailPoint, Saviynt) and real expertise with other publishers such as Brainwave, One Identity, Microsoft, NetIQ, Sun IDM, etc.;

Over 30 publisher certifications acquired;

More than 120 projects in progress as of August 1, 2022, including more than 75 new projects in 2022 of all sizes (from a few dozen days to more than 1,000 days) and of all types (scoping, project management, audit, integration, TMA, CDS), with a commitment to results (fixed price) or to means (contracting).
