Notes from the Field: Identity Life-Cycling

19 July, 2023, by Stephen Swann

The Life Cycle of an Identity

An identity's life cycle can be characterised by the following primary events

  • Joiner
  • Mover
  • Leaver

In the world of IT, and its love of TLAs (Three Letter Acronyms), we call this JML. But it is a rather simplified view of the life cycle processes that govern an identity. Take, for example, the joiner process. Someone is hired, they are granted some entitlements, and they can begin to work.

However, what if that person wasn't just hired, but they were re-hired? Does that change our joiner process? For many organisations, the answer to that is most definitely yes!

Also, when a joiner is identified, they are normally identified well in advance of their actual start date. How does that impact on the onboarding process?

The IBM Security Verify Governance tool, like all other identity governance tools, will not be configured to meet a customer's esoteric requirements out-of-the-box. That's not to say that the tooling and the capability isn't there to meet even the strangest of life-cycling demands. But it will require configuration (or a change to business processes).

Life Cycle Event Types

The life cycle of a user certainly covers the provisioning and deprovisioning of logical and physical access. Account enablement on Start Date and entitlement removal on Leave Date can be considered life cycle events that occur on specific dates (and maybe at specific times). Long term leave processing as a result of maternity or sabbatical can also be considered as date specific.

But there are many life cycle events which are more ad-hoc - think of requests for access (whether initiated by the end user or a supervisor). The immediate suspension of a user's access as a result of a security breach/transgression can also be considered ad-hoc.

Whatever the trigger, it's important that the rules defined to handle the trigger are also cognisant of the overall state of the identity. What does this mean? Let's take this example:

Josephine Bloggs is to leave work temporarily on maternity leave. Her temporary leave start and end dates have been set as 1st July and 31st December.

Rules have been configured to disable access on temporary leave start dates and to re-enable access on temporary leave end dates.

Josephine, however, loves not working so much that sometime in September she decides to never return to the working environment. Her contract end date has been set for 31st October.

Her contract end date obviously takes precedence over her temporary leave end date, but it would be all too easy for a lazy developer to write a life cycle rule which would re-enable her account on 31st December.

In a similar vein, it would be all too easy to take the contractual state of an identity from the HR platform and merely apply that to downstream systems while forgetting that one of the identities has been marched off premises for bad behaviour and had their access immediately terminated! Their access status as a result of bad behaviour surely must trump any contractual status!

Identity Governance Configuration Considerations

At Madigan Solutions, our first steps when commissioning an IBM Security Verify Governance solution is to deploy our tried-and-tested life cycle ruleset which includes:

  • Joiner processes (including birthright entitlement assignment)
  • Mover processes (including birthright entitlement removal/assignment)
  • Leaver processes (including entitlement removal, account suspension & deletion)
  • Re-Hire processes
  • Long Term Leave handling processes (including maternity/paternity leave)
  • Dormant Account handling processes
  • A suite of reports to support all of the above

Crucially, our life cycle ruleset has been built to be fully aware of the state of an identity. With our ruleset, Josephine's account was never going to be re-enabled on the 31st December!

Of course, the ruleset can only be considered a "starter for 10". Every organisation has its own set of JML processes, life cycle processes, long term leave processes and policies, etc. But the ruleset is a solid foundation that can help ensure there are no gaps in your governance system.

© Copyright 2024 Madigan Solutions UK Limited
Madigan Solutions UK Limited is a company registered in Northern Ireland with Company Number NI675324. VAT Number 368 3929 47.

Home | Services | About | Blog | Contact

Terms & Conditions | Privacy Policy | Disclaimer