The Problem

Users often need to request access for a variety of things ranging from access to an application to ordering a new laptop. Some of the requests may be time-bound, where access is only to be granted for a period. Other requests may need multiple levels of approval.

Companies often try to solve this problem by creating forms in Excel (or an equivalent) to capture requests. In other cases, we have seen companies try to replicate this process in ticket or workflow systems.

Both approaches have their shortcomings. Tracking requests through documents is cumbersome, as it does not provide the organization with good audit information that can be easily extracted for compliance purposes. Nor does this approach provide any visibility into the approval process. Solutions that are based on service desk or workflow systems typically have a high total cost of ownership (TCO) and require a lot of ongoing maintenance, as common IGA functionality needs to be implemented. Both approaches fail in their ability to provide:

  • A unified view of a user’s access
  • End-to-end traceability of a user's access
  • Automation to control the provisioning/de-provisioning of a user's access

The limitations of these approaches result in:

  • Lost end-user productivity
  • Excessive costs related to audit and compliance
  • Potential security risks resulting from not having visibility into a user’s access and how they obtained it

The OpenIAM Solution

OpenIAM provides a comprehensive Access Request solution based on a service catalog and shopping cart which fits into the overall OpenIAM IGA ecosystem. Using the Self-Service Portal, end-users can create requests for access as well as other objects using the service catalog. The catalog can be organized based on the organization’s needs. From the catalog, employees can request specific entitlements for their work and, if mandated by their organization, provide reasons for the entitlement as well as specify how long the resource is needed for. The request is then automatically sent to the appropriate approver(s) for review where they can accept or reject the request. Reviewers may also delegate a request. If they are out of the office, then out-of-office delegation can be enabled, and requests will be re-routed to the assigned delegate.

The Self-Service Catalog has support for time-based access so that entitlements can be automatically revoked after a certain length of time elapses. Workflows are provided out-of-the-box so that organizations have the option to:

  • Designate multiple approvers for a request
  • Define SLAs with the option to escalate in the event the request is not dealt with in a timely manner

For applications with connectors, approved requests will be provisioned automatically upon approval.

The entire journey from the creation of the request to approvals and provisioning is captured in the audit logs, providing complete visibility into the access that a user has, how they got it, and when.

Benefits

By leveraging the access request functionality, organizations can:

  • Improve end-user efficiency through a user-friendly access request solution
  • Improve approver and service desk staff productivity by eliminating time-consuming processes related to reviewing and approving access manually
  • Improve security by removing unauthorized access in a timely manner
  • Simplify compliance processes by having easy access to comprehensive audit logs which demonstrate how a person gained access, when and by whom