
Best practice
As part of his role, Doug is the Service Owner for a loan origination application that is going through an upgrade process.
One of his innovations has been to upgrade the functionality of the service, and he’s created some new roles in the process.

As a Service Owner, Doug owns the role data for his service and ensures all the information about these roles and their entitlements is complete, accurate and remains fit for purpose.
A recent upgrade to the functionality of the service has meant that new roles need to be created. Doug needs to ensure that the requirements for the new roles are properly defined, documented and approved.

Doug’s service has been on-boarded to and is managed by the Group’s centralised Identity and Access Management (IAM) service – Identity Manager. This allows Doug to leverage automated and semi-automated IAM controls that protect his service.
Doug will definitely need to ensure the new roles he has created are updated in Identity Manager, but not just yet.
This becomes clear after he contacts Linda from DPG’s IAM Solution Delivery team. Linda points out that Doug hasn’t provided risk ratings for the roles yet and hasn’t considered any Segregation of Duties (SoD) requirements, which is a problem. Completing this information upfront will ensure that these roles are managed appropriately throughout their lifecycle.
Doug commits to getting back in touch after engaging the right teams to assist with his impact assessments.

Doug engages the right teams to complete his initial change, risk, and Segregation of Duties (SoD) impact assessments. He engages his Line 1 Risk team as he’s going to need some help to ensure the roles are appropriately risk-rated. He also engages the DPG’s Access Control Enablement team to discuss role management minimum standards and SoD in more detail.
Through this process, he identifies:
- some roles pose a higher risk (e.g. System Administrator) and will require additional approvals before access can be granted
- some roles conflict with each other when held by the same person, resulting in SoD violations
Doug updates his requirements and raises a service request to engage the DPG IAM Solution Delivery team to ensure the roles are updated in Identity Manager.
Doug asks: what is drift reporting?
Drift reporting shows the discrepancy between roles assigned through an application and what is noted in Identity Manager. It is essential that, where a service has been onboarded to Identity Manager, roles are always assigned and managed through that tool. Roles that are assigned outside of the tool present a risk to CBA, and will be reported.
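To make the two controls in Doug's story concrete, here is an added, self-contained Python illustration (not part of the original page and not code from any Identity Manager product). It uses constructed user ids, role names, risk ratings and SoD rules. It compares what the application reports as effective role assignments against what the central IAM tool has recorded, producing a drift report of unmanaged and stale grants, and separately flags SoD violations and roles whose risk rating requires extra approval.

```python
"""Constructed example: drift reporting, SoD conflict detection and risk-based approval.

Added illustration only. The user ids, role names, risk ratings and SoD rules below
are made up and do not describe any real application or Identity Manager configuration.
"""

# Constructed: role assignments as recorded in the central IAM tool (source of truth).
IDM_ASSIGNMENTS = {
    "u001": {"loan_officer"},
    "u002": {"loan_approver"},
    "u003": {"system_administrator"},
}

# Constructed: role assignments the application itself reports as currently effective.
APP_ASSIGNMENTS = {
    "u001": {"loan_officer", "loan_approver"},  # extra role granted outside the IAM tool
    "u002": {"loan_approver"},
    "u004": {"loan_officer"},                   # user unknown to the IAM tool
}

# Constructed SoD rules: sets of roles a single person must not hold together.
SOD_RULES = [
    frozenset({"loan_officer", "loan_approver"}),
    frozenset({"system_administrator", "loan_approver"}),
]

# Constructed risk ratings; "high" roles need additional approval before access is granted.
ROLE_RISK = {
    "loan_officer": "medium",
    "loan_approver": "high",
    "system_administrator": "high",
}


def drift_report(idm, app):
    """Per-user drift between the IAM record and the application's effective assignments.

    'unmanaged' = roles the application grants but the IAM tool does not know about;
    'stale'     = roles the IAM tool records but the application no longer has.
    Users with no discrepancy are omitted.
    """
    report = {}
    for user in sorted(set(idm) | set(app)):
        in_idm = idm.get(user, set())
        in_app = app.get(user, set())
        unmanaged = in_app - in_idm
        stale = in_idm - in_app
        if unmanaged or stale:
            report[user] = {"unmanaged": sorted(unmanaged), "stale": sorted(stale)}
    return report


def sod_violations(assignments, rules):
    """Return (user, conflicting roles) for every SoD rule fully satisfied by a user's roles."""
    found = []
    for user, roles in sorted(assignments.items()):
        for rule in rules:
            if rule <= roles:  # user holds every role in the conflicting set
                found.append((user, tuple(sorted(rule))))
    return found


def roles_needing_extra_approval(roles, risk=ROLE_RISK):
    """Roles rated 'high' that require additional approval before they can be granted."""
    return sorted(r for r in roles if risk.get(r) == "high")


if __name__ == "__main__":
    print("Drift:", drift_report(IDM_ASSIGNMENTS, APP_ASSIGNMENTS))
    print("SoD violations (application view):", sod_violations(APP_ASSIGNMENTS, SOD_RULES))
    print("Extra approval needed for:", roles_needing_extra_approval({"loan_officer", "system_administrator"}))
```

Run as-is to see the report; in practice the two assignment dictionaries would be exported from the application and from the IAM tool on a schedule, and any non-empty drift report or SoD hit is the signal that a role was granted outside the managed process and needs review.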