Description: Creation of privileged user accounts and assignment of the corresponding entitlements are based on the results of a governance process. The governance process should include appropriate business justification approvals and risk mitigation, as well as constraints on access determined by business requirements. The governance process is tracked for auditing purposes.
Benefit: Provides evidence of control over who has access to which resources, as required to meet security controls and compliance requirements, for example PCI, HIPAA and SOX.
Implementation Approaches
- IGA Initiates Privileged Access Provisioning Workflow
- ITSM Initiates Privileged Access Provisioning Workflow
Security Frameworks
NIST Cybersecurity Framework 1.1
- PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
- PR.AC-3: Remote access is managed
NIST SP 800-207; Zero Trust Architecture
- 3.1.1: The enhanced identity governance approach to developing a ZTA uses the identity of actors as the key component of policy creation.
- 6.3: Subject provisioning is a key component of ZTA.
Title | IGA Initiates Privileged Access Provisioning Workflow |
Technology Components | Identity Governance and Administration Privileged Access Management |
Description | User initiates a request for privileged access from the role and entitlement catalog. A workflow is initiated and routed to the appropriate approver(s) based on defined policy. The business case is reviewed and approval is granted. The request and the entitlements granted are logged for audit purposes. User access is provisioned to the PAM tool. The user gets privileged access per the policy and constraints defined. |
Pre-requisites | Role and entitlement catalog has been built and populated. Approval process is defined for each role and entitlement. Policies are defined for what is considered privileged access. Policies are defined providing conditions and constraints for privileged access. Service accounts exist for authentication to the PAM tool, with rights to assign access. |
Supporting Member Companies | BeyondTrust, Centrify, CyberArk, Fischer Identity, Omada, Remediant, SailPoint, Saviynt, SecZetta |
Context Transfer | Account to be granted privileged access and entitlement to be granted. |
Title | ITSM Initiates Privileged Access Provisioning Workflow |
Technology Components | ITSM (IT Service Management) Identity Governance and Administration Privileged Access Management |
Description | User initiates a service request for privileged access from the ITSM service catalog. A workflow is initiated and routed to the appropriate approver(s) based on the policy defined in the ITSM tool. The business case is reviewed and approval is granted. The request and the entitlements granted are logged for audit purposes. ITSM hands off to IGA to provision user access to the PAM tool. The user gets privileged access per the policy and constraints defined. |
Pre-requisites | ITSM service catalog has been built and populated. Approval process is defined for each role and entitlement. Policies are defined for what is considered privileged access. Policies are defined providing conditions and constraints for privileged access. Service accounts exist for authentication to the PAM tool, with rights to assign access. |
Supporting Member Companies | BeyondTrust, Centrify, CyberArk, Fischer Identity, Omada, SailPoint, Saviynt, SecZetta |
Context Transfer | Account to be granted privileged access and entitlement to be granted. |
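Both implementation approaches above follow the same control flow: a catalog request with a business justification, policy-based routing to approvers, an audit record of every step, and a context transfer (account plus entitlement) to PAM only after approval, with constraints applied on grant. The following is an added example, not IDSA's or any member company's code; PRIVILEGED_POLICY, AccessRequest and hand_off_to_pam are assumed names and the catalog values are constructed.

```python
# Added example (not IDSA's or any vendor's code): a minimal model of the
# provisioning workflow above. PRIVILEGED_POLICY is an assumed, constructed catalog.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
PRIVILEGED_POLICY = {  # entitlement -> required approver roles, max grant hours
    "prod-db-admin": {"approvers": ["db-owner", "security"], "max_hours": 8},
    "linux-root": {"approvers": ["platform-owner"], "max_hours": 4},
}
@dataclass
class AccessRequest:
    requester: str
    account: str        # account to be granted privileged access (context transfer)
    entitlement: str    # entitlement from the role/entitlement or service catalog
    justification: str  # business case reviewed by the approver(s)
    approvals: dict = field(default_factory=dict)  # approver role -> approver id
    audit: list = field(default_factory=list)      # append-only audit trail
    def log(self, event, **details):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "event": event, **details})

def submit(req):
    """Route the request to the approver roles the policy defines for it."""
    policy = PRIVILEGED_POLICY.get(req.entitlement)
    if policy is None or not req.justification.strip():
        req.log("rejected", reason="unknown entitlement or missing justification")
        return None
    req.log("submitted", route_to=policy["approvers"])
    return policy["approvers"]

def approve(req, approver_role, approver_id):
    """Record one approval; a requester can never approve their own request."""
    if approver_id == req.requester:
        req.log("approval_denied", role=approver_role, reason="self-approval")
        return False
    req.approvals[approver_role] = approver_id
    req.log("approved", role=approver_role, by=approver_id)
    return True

def hand_off_to_pam(req, now=None):
    """Context transfer to PAM, allowed only once every required approval exists."""
    policy = PRIVILEGED_POLICY[req.entitlement]
    missing = [r for r in policy["approvers"] if r not in req.approvals]
    if missing:
        req.log("provision_blocked", missing_approvals=missing)
        return None
    now = now or datetime.now(timezone.utc)
    grant = {"account": req.account, "entitlement": req.entitlement, "granted_at": now,
             "expires": now + timedelta(hours=policy["max_hours"])}
    req.log("provisioned", **grant)
    return grant
```

The audit list on each request is the evidence the Benefit section refers to: it records the routing decision, each approval, and the exact grant (including its expiry) handed to PAM.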