Traditionally, user management is chaotic in most G2000 organizations, with requests coming from various channels (paper forms, phone calls, e-mails, help desk requests, etc.), and moving through various de facto fulfillment procedures. Often, a security or security administration group is involved in performance of the user management process (for internal users, while external users are often managed through a more coherent process--owing either to their larger scale, or to their status as "outsiders"). As organizations adopt a more holistic, process-centric view (2003/04) and move toward automation (2002-05), we expect security groups to involve themselves only in policy management, process design, and compliance monitoring, while the help desk or operations group owns the execution of the process (2006). Human resources, sales, or other business areas will have increasing input (2005/06) in policy development and, in some decentralized or federated organizations, may even own the process execution.
Taking the process view, we find that users should have a "life cycle" of access to systems, applications, and databases (with a defined beginning and end, as well as changes in between). Unfortunately, in many organizations, users accumulate access over time, and when the user separates from the organization, that access continues (about 30 percent of users do not have access removed, according to recent Meta Group surveys, resulting in a perceived 23 percent increase in risk). Looking at this user life cycle, we find three distinct phases: provisioning, maintenance, and termination.
The link for this article located at ZDNet is no longer available.
