Most enterprise implementations of an IGA system start by connecting to HRIS and existing directories [on-prem or in the cloud]. Provisioning is governed by “birthrights”, “xBAC” rules, approval processes and regular manager certification campaigns granting access and permissions while employees have a working relationship with the company.
We started this journey roughly 2 years ago and we quickly learned [the hard way] that the above strategy requires high-quality employee data, onboarding procedures for each job position and managers’ deep understanding of what each of their team members needs... but we weren’t nearly there.
To overcome our inconsistent HR data and the overprovisioned access inherited from years of “mirror after me” practices and rubber-stamped approvals and reviews, we’re pivoting towards a “Just-in-time” and “Least-privilege” strategy, using telemetry about last activity in downstream systems and working with business owners and team managers to shape new, dynamic provisioning of the things that employees really need for work.
We’re convinced that this new Employee Lifecycle strategy will make us a more efficient and secure organization, and that other companies starting their journey would probably benefit from the lessons we’ve learned up to this point.
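As an added illustration (not code from the authors or their IGA product), the sketch below shows how last-activity telemetry can sort standing entitlements into keep, move to just-in-time, revoke, or send to manual review. The thresholds, field names, users, systems and roles are all assumptions made for the example.

```python
from datetime import date

# Assumed policy thresholds, in days (illustrative, not from the original text).
GRACE, JIT_AFTER, REVOKE_AFTER = 30, 45, 180

def classify(ent, last_seen, monitored, today):
    """Decide what to do with one standing entitlement.

    Returns 'keep', 'jit' (on-request, time-boxed), 'revoke' or 'review'.
    """
    if ent["system"] not in monitored:
        # No telemetry feed: missing data is not evidence of non-use.
        return "review"
    if (today - ent["granted"]).days < GRACE:
        # Freshly granted access has not had time to show activity.
        return "keep"
    # Never-used access is measured from its grant date.
    reference = last_seen.get((ent["user"], ent["system"])) or ent["granted"]
    idle = (today - reference).days
    if idle >= REVOKE_AFTER:
        return "revoke"
    if idle >= JIT_AFTER:
        return "jit"
    return "keep"

def plan(entitlements, last_seen, monitored, today):
    """Group (user, system, role) tuples by decision for owner/manager review."""
    out = {"keep": [], "jit": [], "revoke": [], "review": []}
    for ent in entitlements:
        decision = classify(ent, last_seen, monitored, today)
        out[decision].append((ent["user"], ent["system"], ent["role"]))
    return out

# Constructed sample data (hypothetical users, systems and roles).
TODAY = date(2024, 6, 1)
MONITORED = {"crm", "erp"}  # systems that export last-activity telemetry
ENTITLEMENTS = [
    {"user": "alice", "system": "crm", "role": "sales_user", "granted": date(2022, 1, 10)},
    {"user": "bob", "system": "erp", "role": "finance_approver", "granted": date(2021, 3, 1)},
    {"user": "carol", "system": "erp", "role": "finance_approver", "granted": date(2020, 9, 15)},
    {"user": "dave", "system": "crm", "role": "sales_admin", "granted": date(2024, 5, 20)},
    {"user": "erin", "system": "legacy_hr", "role": "hr_viewer", "granted": date(2019, 2, 1)},
]
LAST_SEEN = {("alice", "crm"): date(2024, 5, 28), ("bob", "erp"): date(2024, 3, 20)}

if __name__ == "__main__":
    for decision, items in plan(ENTITLEMENTS, LAST_SEEN, MONITORED, TODAY).items():
        print(decision, items)
```

Telemetry here is per system, so activity in a system does not prove that every role held in it is used; the output is a worklist for business owners and managers, not an automatic revocation list.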