Groups are your cornerstone
You cannot build your identity house without a solid identity foundation.
Have you ever found yourself with an idea that grows in scope until it has morphed into one that no longer accomplishes the original intention? This type of scope bloat is typical of many IT projects and seems to especially affect IAM (Identity and Access Management) projects.
In the beginning, an organization recognizes a need to accomplish a single goal, or perhaps a few, around attestation, enhancing security, regulatory compliance, enhancing productivity, increasing efficiency, reducing human error, and so on. What seem like very understandable goals at the outset become overwhelming once you start to calculate and realize the breadth of your organization's needs. Through this process it becomes easy to forget and miss some of the foundational components of a successful IAM improvement project.
Considering the purpose of identity in your environment, granting permissions to resources is the core purpose of managing those identities. In any organization, permissions are granted to groups and groups organize users. The entire lifecycle of permissions must include several key elements to make the remaining efforts worthwhile. Thus automation, delegation, attestation, and the lifecycle of groups are the foundation on which much of your IAM strategy must be based. After all, what good is a discovery tool for identity problems if you are relegated to manual action that is not enforced? While it is important to find weaknesses, shouldn't you be deploying solutions that prevent or reduce the chance of problems?
When it comes to group management, the two primary tenets of directory best practice are, first, to automate your membership. Automating membership requires that you leverage the intelligence you have about your organization in such a way that a computer is able to make decisions about group membership in a timely manner without human involvement. This automation uses the input you and others give it and delivers your intended actions on an ongoing basis. The second tenet, also a best practice, is to delegate what you cannot automate. Delegation puts the rights and ability to affect changes in their specific area of responsibility into the hands of the business stakeholders.
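To make the automate/delegate/lifecycle pattern concrete, here is an added example written for this article; it is not the code of any vendor product or directory. Rule-driven groups are computed from user attributes (the "intelligence you have about your organization"), the result is reconciled against a snapshot of what the directory currently holds, groups that cannot be expressed as a rule are delegated to a named business owner who alone may change them, and a lifecycle pass removes inactive or unknown accounts from every group. All users, rules, owners and the current directory state are constructed sample data.

```python
"""Attribute-driven group membership with reconciliation, delegated change control and
lifecycle cleanup. Illustrative example only: every user, rule and directory snapshot
below is constructed, not read from a real HR feed or directory."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set


@dataclass(frozen=True)
class User:
    uid: str
    department: str
    title: str
    location: str
    active: bool = True


@dataclass(frozen=True)
class GroupRule:
    """A rule-driven group: membership is computed from attributes, never hand-edited."""
    name: str
    predicate: Callable[[User], bool]


# Constructed sample HR feed.
USERS: List[User] = [
    User("alice", "Finance", "Analyst", "NYC"),
    User("bob", "Finance", "Manager", "NYC"),
    User("carol", "Engineering", "Engineer", "SFO"),
    User("dave", "Finance", "Analyst", "LON", active=False),  # terminated, still in the directory
]

# Rule-driven groups: what you know about the organization, expressed as predicates.
RULES: List[GroupRule] = [
    GroupRule("finance-all", lambda u: u.department == "Finance"),
    GroupRule("finance-managers", lambda u: u.department == "Finance" and u.title == "Manager"),
    GroupRule("nyc-office", lambda u: u.location == "NYC"),
]

# Groups that cannot be expressed as a rule are delegated to a business owner (a uid).
MANUAL_GROUP_OWNERS: Dict[str, str] = {"project-apollo": "bob"}

# Constructed snapshot of today's directory, drifted by hand edits and a stale leaver.
CURRENT_STATE: Dict[str, Set[str]] = {
    "finance-all": {"alice", "dave", "eve"},  # dave has left; eve was added by hand
    "finance-managers": {"bob"},
    "nyc-office": {"alice"},
    "project-apollo": {"carol", "dave"},
}


def compute_membership(rules: List[GroupRule], users: List[User]) -> Dict[str, Set[str]]:
    """Desired membership of every rule-driven group; inactive users never qualify."""
    return {r.name: {u.uid for u in users if u.active and r.predicate(u)} for r in rules}


def reconcile(desired: Dict[str, Set[str]], current: Dict[str, Set[str]]) -> Dict[str, Dict[str, Set[str]]]:
    """Per rule-driven group, the adds and removes that bring the directory to the desired state.
    Manual (delegated) groups are deliberately not touched here."""
    plan = {}
    for group, want in desired.items():
        have = current.get(group, set())
        plan[group] = {"add": want - have, "remove": have - want}
    return plan


def lifecycle_cleanup(state: Dict[str, Set[str]], users: List[User]) -> Dict[str, Set[str]]:
    """Lifecycle pass over every group, rule-driven or manual: members who are inactive
    or unknown to the HR feed must be removed. Returns only the groups needing action."""
    valid = {u.uid for u in users if u.active}
    return {g: members - valid for g, members in state.items() if members - valid}


def request_manual_change(actor: str, group: str, uid: str, action: str,
                          state: Dict[str, Set[str]],
                          owners: Dict[str, str] = MANUAL_GROUP_OWNERS) -> bool:
    """Delegated change: only the recorded owner of a manual group may alter it.
    Returns True if the change was applied, False if refused."""
    if owners.get(group) != actor:
        return False
    members = state.setdefault(group, set())
    if action == "add":
        members.add(uid)
    elif action == "remove":
        members.discard(uid)
    else:
        return False
    return True


if __name__ == "__main__":
    desired = compute_membership(RULES, USERS)
    for group, change in reconcile(desired, CURRENT_STATE).items():
        print(f"{group}: add={sorted(change['add'])} remove={sorted(change['remove'])}")
    for group, stale in lifecycle_cleanup(CURRENT_STATE, USERS).items():
        print(f"lifecycle {group}: remove={sorted(stale)}")
    print("alice may edit project-apollo:",
          request_manual_change("alice", "project-apollo", "alice", "add", CURRENT_STATE))
```

The design choice worth noting is the split of responsibilities: `reconcile` only ever writes to rule-driven groups, so a rule change is enforced on every run rather than discovered and queued for a human, while `lifecycle_cleanup` is the one function allowed to remove members from delegated groups, because a terminated account must leave every group regardless of who owns it.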
As you start considering all that needs to be done for your IAM project, a structure built on a solid foundation will stand much better against the shifting sands of time and change. Remember your foundational components.