Mat Hamlin's Identity Management Blog: Keepin' it simple

How can managers, when presented with their employees' access across all enterprise applications, make a determination of accuracy?  They can't, or won't, if they don't understand what they are attesting to. 

So, we have to make it easy for them.

Here are a few ways to make it easier:

Glossary

For business users to understand a list of fine grained access rights currently held by their employee, the information must be easy to understand.  There needs to be a translation between the IT representation of access and what it actually means if you were explaining it to someone face to face.  For example, if I were to ask a manager, Joe, if his employee, Suzy, should have SAP TCode 'BGM1', Joe would have no idea... let alone sign his life away on a decision.  We must translate it to, "Is it ok if Suzy has rights to create master warranties?"  Ideally, your company would establish a cross-departmental governance board to translate these items, and manage and maintain them over time.

ID Card / Contact Information

During the attestation process, if a manager is provided translated access information, but still doesn't know if the access is correct or not, who can help?  The owner of the access.  During automated access certification, the contact information of the owner of the access could/should be presented to the person making the decision about appropriateness, so they can contact them directly and talk about it.

Delegate the decision

What if a manager is reviewing access for an employee, and finds entitlements that they believe are tied to a temporary project, or cross-functional task?  They really are not the appropriate attestor of this access....  So, a manager should be able to delegate the decision about access to the appropriate business owner.

Present the right information to the right people

From the outset of you access certification process, you should be thinking about who should be determining appropriateness of access to what applications and data.  Building on the example above... the project manager should be presented a list of access relating to the project for individuals on the project.  Ensuring your automated solution provides this flexibility of certification populations is important.

Present information about the access data

Enable your attestors/certifiers to make an informed decision.  Indicate to them during the certification process if certain access is deemed high risk, or is part of an existing SoD violation, or is of a certain classification (like Finance), or is access that has been previously revoked.  All of this metadata about the access information will increase the effectiveness of your access certification process.

Simple Answer: Sit with your certifiers and understand why and where they are having difficulty completing their certifications, and apply some of the items above to make it easier for them.