I wanted to create a topic specific to entitlement management to gather information of how others do it in hopes that we might get some ideas in the community on how we might be able to manage them better.
Respond however you want, but I’m going to break it into a few different categories and describe each.
Onboarding
We use ServiceNow to help onboard Active Directory security and distribution groups. The workflow first goes to our team to review, mainly to ensure there is adherence to naming conventions and the description is understandable by the masses. Being able to document which application it’s linked to would also be helpful.
After the review step, ServiceNow creates the group in AD, waits for the next aggregation, searches for the entitlement, then creates the access profile using the API, setting the owner based on the owner that was requested in the form.
Ongoing Maintenance
When it comes to changing ownership of entitlements and access profiles, we have a ServiceNow catalog item that lets people request ownership changes. If the current owner is active, it sends them an approval request. If they’re not, it sends their manager one, and if the manager isn’t active anymore, it goes to our team for review. After approval, it uses the IDN API to change the ownership of each access item requested.
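The approval routing rule just described (current owner if active, otherwise their manager if active, otherwise the admin team), written out as an added example rather than the poster's ServiceNow workflow. The identity records are constructed, the `iam-admin-team` queue name is a placeholder, and the JSON Patch body shape for the owner change is an assumption about the IdentityNow access-profile PATCH endpoint that should be checked against the current API docs. No API call is made; the point is that every routing decision returns a reason that can be written to an audit log.

```python
"""Approval routing for an entitlement / access-profile ownership change.

Added example, not the original post's ServiceNow implementation. Models the
routing rule from the post: active owner -> owner; inactive owner -> active
manager; otherwise -> the IAM admin review queue. Data is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ADMIN_TEAM = "iam-admin-team"  # constructed placeholder for the review queue


@dataclass
class Identity:
    id: str
    name: str
    active: bool
    manager_id: Optional[str] = None


def route_ownership_approval(current_owner_id: str,
                             identities: Dict[str, Identity]) -> Tuple[str, str]:
    """Return (approver_id, reason) for a requested ownership change.

    The reason string is meant to be logged with the request so a later review
    can see why a given person (or the admin team) approved the change.
    """
    owner = identities.get(current_owner_id)
    if owner is None:
        return ADMIN_TEAM, "current owner not found in identity directory"
    if owner.active:
        return owner.id, "current owner is active"
    manager = identities.get(owner.manager_id) if owner.manager_id else None
    if manager is not None and manager.active:
        return manager.id, "current owner inactive; routed to their manager"
    return ADMIN_TEAM, "owner and manager inactive or missing; routed to admin team"


def build_owner_patch(new_owner_id: str, new_owner_name: str) -> List[dict]:
    """JSON Patch body to replace the owner on an access profile.

    Assumption: an RFC 6902 'replace' on /owner with an IDENTITY reference is
    what the IdentityNow v3 access-profile PATCH endpoint expects. Verify
    against the current API documentation before using it.
    """
    return [{
        "op": "replace",
        "path": "/owner",
        "value": {"type": "IDENTITY", "id": new_owner_id, "name": new_owner_name},
    }]


# Constructed sample directory: alice is active; bob left but reports to alice;
# carol reports to dave, who also left; erin left and has no manager on record.
SAMPLE_IDENTITIES: Dict[str, Identity] = {
    "alice": Identity("alice", "Alice Example", True),
    "bob": Identity("bob", "Bob Example", False, manager_id="alice"),
    "dave": Identity("dave", "Dave Example", False),
    "carol": Identity("carol", "Carol Example", False, manager_id="dave"),
    "erin": Identity("erin", "Erin Example", False),
}

if __name__ == "__main__":
    for owner in ("alice", "bob", "carol", "erin", "nobody"):
        approver, reason = route_ownership_approval(owner, SAMPLE_IDENTITIES)
        print(f"{owner:7} -> {approver:15} ({reason})")
```

The inactive-owner-with-inactive-manager case is the one worth testing explicitly: it is the path that silently piles work onto the admin team, so counting how often it fires over a month is a cheap signal that ownership metadata is going stale.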
Offboarding
We don’t have an official process for retiring entitlements, but it typically follows these steps:
- Remove the entitlement from all users
- Wait a pre-determined period of time to see if it broke anything
- If nothing was broken, delete the source entitlement and access profile if one exists
Main pain points
One thing I feel is missing from this tool is the ability to create certifications for entitlement owners and require them to certify:
- The metadata of a given entitlement (name, description, owner) is accurate
- The entitlement is still in use and needed
We struggle greatly with both of these, specifically around entitlements in Active Directory.
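Until a product feature covers this, the two review questions above (is the metadata accurate, is the entitlement still used) can be turned into a periodic report generated outside the tool. The following is an added example, not a SailPoint feature or the poster's process: it runs the onboarding review checks (naming convention, understandable description, linked application) and the offboarding signal (no remaining members) over constructed AD-group entitlement records and groups the findings by owner. The `APP-`/`ROLE-` naming pattern, the record fields, and the `iam-admin-team` queue are assumptions.

```python
"""Periodic entitlement-owner review for AD group entitlements.

Added example, not part of the original post or of IdentityNow. Produces the
review items the post says are missing: metadata accuracy (name, description,
owner, linked app) and continued use (member count). All data is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Assumed naming convention: APP-<System>-<Role> or ROLE-<System>-<Role>.
NAME_PATTERN = re.compile(r"^(APP|ROLE)-[A-Za-z0-9]+-[A-Za-z0-9]+$")
MIN_DESCRIPTION_WORDS = 4          # a one-word description is not "understandable by the masses"
ADMIN_TEAM = "iam-admin-team"      # constructed placeholder for orphaned items


@dataclass
class Entitlement:
    id: str
    name: str
    description: str
    owner_id: str
    member_count: int
    linked_app: str = ""


def review_entitlement(ent: Entitlement, active_identities: Set[str]) -> List[str]:
    """Return the list of findings an owner should certify or fix (empty = clean)."""
    findings: List[str] = []
    if not NAME_PATTERN.match(ent.name):
        findings.append("name violates convention")
    if len(ent.description.split()) < MIN_DESCRIPTION_WORDS:
        findings.append("description missing or too short")
    if ent.owner_id not in active_identities:
        findings.append("owner inactive or unknown")
    if not ent.linked_app:
        findings.append("no linked application recorded")
    if ent.member_count == 0:
        findings.append("no members: retirement candidate")
    return findings


def build_review_queue(entitlements: List[Entitlement],
                       active_identities: Set[str]) -> Dict[str, List[Tuple[str, List[str]]]]:
    """Group findings by owner; items whose owner is gone go to the admin team."""
    queue: Dict[str, List[Tuple[str, List[str]]]] = {}
    for ent in entitlements:
        findings = review_entitlement(ent, active_identities)
        if not findings:
            continue
        key = ent.owner_id if ent.owner_id in active_identities else ADMIN_TEAM
        queue.setdefault(key, []).append((ent.name, findings))
    return queue


# Constructed sample data: one clean group, one badly onboarded legacy group
# with a departed owner, and one well-documented group that nobody uses anymore.
ACTIVE_IDENTITIES: Set[str] = {"alice", "bob"}
SAMPLE_ENTITLEMENTS: List[Entitlement] = [
    Entitlement("e1", "APP-Payroll-Readers",
                "Read-only access to the payroll reporting share", "alice", 42, "Payroll"),
    Entitlement("e2", "payroll_admins", "Admins", "carol", 3, ""),
    Entitlement("e3", "APP-Legacy-Users",
                "Members of the retired legacy CRM application", "bob", 0, "LegacyCRM"),
]

if __name__ == "__main__":
    for owner, items in build_review_queue(SAMPLE_ENTITLEMENTS, ACTIVE_IDENTITIES).items():
        print(f"Review items for {owner}:")
        for name, findings in items:
            print(f"  {name}: {', '.join(findings)}")
```

Running this on a schedule and sending each owner their own slice is a workable stand-in for an entitlement-owner certification campaign; the admin-team slice doubles as the list of groups whose owner field needs the ownership-change process run before anyone can certify them.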
I would love to hear from the rest of you!