they are executed across the system landscape. Compared with correlating
multiple usernames and passwords from different systems, identity management
systems provide a much improved audit trail.
Identity management helps keep track of who is doing what. Setting up users
is known as user provisioning. Users are given an identity that gives them
access to all the systems they need and assigns them the roles necessary to
do their jobs in a way that is free of SoD violations (which is why you’ll hear
it called compliant user provisioning). Because all of this setup work can be
complex without automation, it can take a long time — as much as a week —
to give new employees access to all the systems they will need. Automating
user provisioning accelerates this process to just a few hours — which
means workers are happy with the access they need and auditors are happy
because the access is clean from the start.
Part of user provisioning relates to assigning roles with their associated
access. When a variance from an existing role is requested, a review process
should be put into place to see if such variances are really needed or if the
access can be handled in another way. The idea is, once again, to keep roles
clean and standard, known quantities, free of SoD violations and without those
“just for this user” variances that eventually create access control problems.
Managing Exceptional Access
What if you have a small branch office and just one accounting clerk? What if
you have year-end closing and need to grant exceptional access to the system?
Remember the master key? The key supervisor hands it out to someone who
needs it desperately, and never gets it back. The people who receive these
special keys are called superusers. Just like Superman, superusers have
superpowers and can do anything.
Superuser access is hard to manage and risky to control, and yet it is
sometimes needed. Some users are given carte blanche: free access to all
systems, all objects, all transactions. This is the worst-case scenario,
because it means that the company has no control over who does what.
Furthermore, one of the first questions external auditors ask is “How many
users have superuser access?”
For all these reasons, exceptional access needs to be managed carefully.
Rather than handing out such access freely, both IT and business need to
coordinate their work so that privileges can be granted, monitored, and
revoked in a timely fashion to prevent SoD violations.
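As an added example (not from the book), the two controls described above in code: a provisioning check that rejects role combinations violating SoD rules, and exceptional access that is approved, time-boxed, reported to auditors while active, and revoked when it lapses. The role names, SoD rules and eight-hour default are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed SoD rules: pairs of roles no single person may hold together.
SOD_RULES = {
    frozenset({"vendor_maintenance", "payment_release"}),
    frozenset({"purchase_order_create", "goods_receipt"}),
}

def sod_violations(roles):
    """Return the SoD rule pairs that the given role set violates."""
    held = set(roles)
    return sorted(tuple(sorted(rule)) for rule in SOD_RULES if rule <= held)

def provision(user, roles):
    """Compliant user provisioning: refuse any role set with an SoD conflict."""
    violations = sod_violations(roles)
    if violations:
        return {"user": user, "status": "rejected", "violations": violations}
    return {"user": user, "status": "provisioned", "roles": sorted(roles)}

@dataclass
class ExceptionalGrant:
    """A time-boxed 'master key': who got it, who approved, when it lapses."""
    user: str
    roles: frozenset
    approver: str
    granted_at: datetime
    ttl: timedelta
    review_required: bool  # True when the granted roles violate SoD

    def expired(self, now):
        return now >= self.granted_at + self.ttl

def grant_exceptional(user, roles, approver, now, ttl=timedelta(hours=8)):
    """Exceptional access is still allowed, but it is approved, time-boxed
    and flagged for review when it carries an SoD conflict."""
    roles = frozenset(roles)
    return ExceptionalGrant(user, roles, approver, now, ttl,
                            review_required=bool(sod_violations(roles)))

def revoke_expired(grants, now):
    """Grants whose time box has lapsed; these must be revoked, not forgotten."""
    return [g for g in grants if g.expired(now)]

def active_superusers(grants, now):
    """Answer the auditor's question: who holds exceptional access right now?"""
    return sorted({g.user for g in grants if not g.expired(now)})
```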
124 Part II: Diving into GRC