In the often overworked IT departments at local, state and federal agencies, creating, maintaining and disabling user accounts is usually a manual, paper-based process. This often leads to user accounts with improper access rights: new accounts are usually created by copying an existing user's permissions, employees whose job or department has changed are left with legacy access, and even terminated employees' accounts are left active. So what's a busy IT staff to do? How can this process be improved?
Several solutions are available that can tackle this type of problem without a large investment of time and money. One approach is to automate the process by linking an identity and access management (IAM) solution with the agency's HR software. Each time an employee is hired, has a job change or is terminated, their accounts are managed according to a defined set of rules. These rules can cover where in the directory the account should be placed, what mailbox quotas are applied, the role-based access and application rights (based on title, department, location, etc.) the individual should have, and much more. Then, when the employee is no longer with the agency, access can be immediately revoked with one click and emails automatically forwarded to a manager. This ensures that an ex-employee can no longer access secure government systems.
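The rule-driven approach described above can be sketched as follows; this is an added example, not code from the original article or from any IAM product. The rule table, group names, directory paths and event fields are all hypothetical.

```python
from dataclasses import dataclass, field

# Constructed rule table: (department, title) -> baseline. All values are hypothetical.
RULES = {
    ("Finance", "Analyst"): {"ou": "OU=Finance,DC=agency,DC=example", "quota_mb": 2048,
                             "groups": {"fin-ledger-read", "fin-share"}},
    ("Permits", "Inspector"): {"ou": "OU=Permits,DC=agency,DC=example", "quota_mb": 1024,
                               "groups": {"permits-app", "field-vpn"}},
}

@dataclass
class Account:
    user: str
    enabled: bool = False
    ou: str = ""
    quota_mb: int = 0
    groups: set = field(default_factory=set)
    forward_to: str = ""

def plan(event: dict, acct: Account) -> list:
    """Return the ordered actions that bring acct in line with the HR record."""
    if event["type"] == "terminate":
        actions = [("disable", acct.user)] if acct.enabled else []
        actions += [("revoke", g) for g in sorted(acct.groups)]
        if acct.forward_to != event["manager"]:
            actions.append(("forward_mail", event["manager"]))
        return actions
    key = (event["department"], event["title"])
    if key not in RULES:
        # Fail closed: no matching rule means no access until a person decides.
        return [("manual_review", f"no rule for {key}")]
    want = RULES[key]
    actions = [] if acct.enabled else [("enable", acct.user)]
    if acct.ou != want["ou"]:
        actions.append(("move", want["ou"]))
    if acct.quota_mb != want["quota_mb"]:
        actions.append(("set_quota", want["quota_mb"]))
    # Rights come from the rule, never from a copy of another user's account.
    actions += [("grant", g) for g in sorted(want["groups"] - acct.groups)]
    # Anything the current role does not list is legacy access and is removed.
    actions += [("revoke", g) for g in sorted(acct.groups - want["groups"])]
    return actions
```

Because the plan is a diff against the rule for the employee's current role, a job change revokes the old department's groups in the same pass that grants the new ones.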
The second approach involves a workflow system that delegates management of user accounts from the IT department out to hiring managers. When a manager hires a new employee, they enter basic information such as name, department and title into a web form. Drop-downs can be used in the form to ensure the accuracy of the requisite information and to ease data entry. This basic information is then sent via a workflow process to other individuals who are responsible for entering additional information and for approval. After the final approvals have been granted, the IT department has an opportunity to review and then automatically commit the changes to the network.
Both of these methods ensure that access rights within a government agency are correct and that an employee doesn't accidentally have advanced rights to secure data that they shouldn't have.