The Identropy Blog

3 Insights on Developing a Deprovisioning Policy

Identity Management technology can be tricky. But in most instances, it's not the technology that trips up an implementation. It's the policy development (or lack thereof) that causes the heartache.

Deprovisioning Policy is typically more complex than a simple policy that states that when HR says a person is terminated, the identity system terminates the user's access to all systems. Here are a few things to consider when developing your Deprovisioning Policy.

1. Deprovisioning Policy (Technical View)

The technical view of a deprovisioning policy is concerned with what the identity system should do once we know that the user should be deprovisioned for each target system.

  • Should the user's account be hard deleted or just disabled?
  • If disabled, how is that done? (Move the AD account to a disabled users OU, place the row into an archive table, etc.)
  • How long should disabled users be kept in the system?
  • What should happen to the person's shares, mailbox, etc.?

2. Deprovisioning Policy (Business Process View)

The business process view of a deprovisioning policy addresses the states that should trigger a deprovisioning action. Here are a few questions to ask your policy team:

  • How do we calculate the actual last day a person should have access? Is there an effective date that can be used? Is HR using that field properly?
  • How should 'leaves of absence' be handled?
  • What should happen if a person wants to use his/her vacation days directly before retirement? What if the person may still provide off-site help during this time period and therefore needs access?
  • How should sabbaticals be handled?
  • Should a user's current access be terminated in a department transfer? What if they still need their old access for some time?
  • How should unused sick days be taken into consideration?

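As an added example (not code from the original post), the decision routine below ties the two views together: it takes the HR states the business-process questions ask about and turns each into the concrete action the technical view has to perform. The state names, the 90-day retention window and the 30-day transfer grace period are assumptions chosen for illustration.

```python
# Added illustration: map HR states (business-process view) to identity-system
# actions (technical view). Retention and grace periods are assumed values.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

RETAIN_DISABLED_DAYS = 90   # assumed: how long a disabled account, mailbox and shares are kept
TRANSFER_GRACE_DAYS = 30    # assumed: how long old entitlements survive a department transfer

@dataclass
class HrRecord:
    user: str
    state: str                  # active | terminated | terminated_for_cause | leave | sabbatical | retiring | transfer
    effective_date: date        # the HR effective date of the state change
    vacation_days: int = 0      # unused vacation days run out directly before the effective date
    offsite_help: bool = False  # person still provides off-site help during the run-out

@dataclass
class Action:
    operation: str              # keep | disable | disable_keep_data | remove_old_access
    on: date                    # the day the identity system should act
    purge_after: Optional[date] # when disabled objects may be hard deleted (None = never, for now)

def decide(rec: HrRecord) -> Action:
    if rec.state == "active":
        return Action("keep", rec.effective_date, None)
    if rec.state == "terminated_for_cause":
        # no run-out: access ends on the effective date, data is kept for the retention window
        return Action("disable", rec.effective_date,
                      rec.effective_date + timedelta(days=RETAIN_DISABLED_DAYS))
    if rec.state in ("terminated", "retiring"):
        # vacation run-out: the last working day is before the formal effective date,
        # unless the person keeps helping off-site and therefore still needs access
        last_day = rec.effective_date if rec.offsite_help else \
            rec.effective_date - timedelta(days=rec.vacation_days)
        return Action("disable", last_day, last_day + timedelta(days=RETAIN_DISABLED_DAYS))
    if rec.state in ("leave", "sabbatical"):
        # disable but never purge: the person is expected back, so mailbox and shares stay
        return Action("disable_keep_data", rec.effective_date, None)
    if rec.state == "transfer":
        # the account stays; only the old role's access is scheduled for removal after a grace period
        return Action("remove_old_access",
                      rec.effective_date + timedelta(days=TRANSFER_GRACE_DAYS), None)
    raise ValueError(f"unknown HR state: {rec.state}")
```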
3. Take Compliance Policy into Consideration

Besides the business process view of the policy, sometimes existing regulatory compliance rules may have an adverse impact on an otherwise sensible policy. For example, definitions of 'termination', 'employee job role change' and 'leave of absence' will directly impact the overall policy and should be taken into consideration.

By thinking through these issues, an effective Deprovisioning Policy can be put together prior to implementing an IAM solution.

Comments

Hi Luca,

Interesting point.

From a policy standpoint, both sides (biz process view and tech view) have to be defined. And although the business process view (i.e. defining the states of the user that should trigger a decommissioning of the user's access) is critical, the policy would simply be incomplete without the tech view.

From a dependency standpoint, I really don't see that one piece of this is dependent on the other... (although I'm still thinking through it). It's almost as if both sides of the policy can be developed independently.

Thoughts?
Posted @ Tuesday, April 13, 2010 11:13 AM by Ash Motiwala
Hi Luca,

I'd agree in general that business process development should happen before technical analysis (as I've mentioned in other articles here: http://www.identropy.com/blog/bid/9217/Identity-Management-Workshop-Critical-Ingredients).

In order to think through this, I posed myself the following: should the following 2 questions (1 business process oriented, the other technically oriented - as defined in the article) be answered in a specific order?

1. Should a leave of absence translate to termination of access?
2. What should happen to a person's shared folder contents once terminated?

Thinking through this, the 1st question should be posed to the business process owner - whose answer will provide context to the technical owner to answer his part of the question... since a leave of absence (as a state) will probably have a direct impact on how long to hold on to a person's mailbox or shares. And will probably have a different impact on a person who was terminated for cause.

So yes... I agree. Thanks for the insight, Luca!
Posted @ Wednesday, April 14, 2010 5:42 AM by Ash Motiwala