Best practice

As part of his role, Doug is the Service Owner for a loan origination application that is going through an upgrade process.

One of his innovations has been to upgrade the functionality of the service, and he’s created some new roles in the process.

What next steps should he take?

As a Service Owner, Doug owns the role data for his service and ensures all the information about these roles and their entitlements is complete, accurate and remains fit for purpose.

A recent upgrade to the functionality of the service has meant that new roles need to be created. Doug needs to ensure that the requirements for the new roles are properly defined, documented and approved.

Doug’s service has been on-boarded to, and is managed by, the Group’s centralised Identity and Access Management (IAM) service, Identity Manager. This allows Doug to leverage the automated and semi-automated IAM controls that protect his service.

Doug will definitely need to ensure the new roles he has created are updated in Identity Manager, but not just yet.

This becomes clear after he contacts Linda from DPG’s IAM Solution Delivery team. Linda points out that Doug hasn’t provided risk ratings for the roles yet and hasn’t considered any Segregation of Duties (SoD) requirements, which is a problem. Completing this information upfront will ensure that these roles are managed appropriately throughout their lifecycle.

Doug commits to getting back in touch after engaging the right teams to assist with his impact assessments.

Doug engages the right teams to complete his initial change, risk, and Segregation of Duties (SoD) impact assessments. He engages his Line 1 Risk team as he’s going to need some help to ensure the roles are appropriately risk-rated. He also engages the DPG’s Access Control Enablement team to discuss role management minimum standards and SoD in more detail.

Through this process, he identifies:

  • some roles that pose a higher risk (e.g. System Administrator) which will require additional approvals before access can be granted
  • some of the roles overlap in problematic ways, resulting in SoD violations

Doug updates his requirements and raises a service request to engage the DPG IAM Solution Delivery team to ensure the roles are updated in Identity Manager.

What’s Doug’s best way of ensuring these roles are properly assigned?

With the role creation requirements properly scoped for risk and SoD impact, Doug engages Linda to ensure that these roles will be reflected accurately in Identity Manager.

She also ensures they can only be requested and approved by the right people through Identity Manager.

Doug asks: what is drift reporting?

Drift reporting shows the discrepancy between roles assigned through an application and what is noted in Identity Manager. It is essential that, where a service has been onboarded to Identity Manager, roles are always assigned and managed through that tool. Roles that are assigned outside of the tool present a risk to CBA, and will be reported.

Doug should ensure that users are directed to use Identity Manager to request or remove access. He also ensures that Linda and the DPG IAM Solution Delivery team are kept informed of future role modifications to minimise any drift reporting.
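The drift reporting and SoD checks described above, as an added illustration that is not part of the original training module: a small script that compares the roles an application says each user holds against what Identity Manager has recorded, and flags SoD conflicts and high-risk role holders. All users, role names, risk ratings and conflict pairs are constructed assumptions for the example.

```python
# Added example, not code from the training module or from Identity Manager.
# Compares role assignments recorded in the application against those
# recorded in the central IAM tool and reports drift in both directions.
# All names and data below are constructed for illustration.

# Assumed (hypothetical) role metadata from Doug's impact assessments.
HIGH_RISK_ROLES = {"System Administrator"}
SOD_CONFLICTS = {frozenset({"Loan Approver", "Loan Originator"})}

# Constructed sample data: who holds which roles according to each system.
APP_ASSIGNMENTS = {
    "alice": {"Loan Originator"},
    "bob": {"Loan Approver", "Loan Originator"},
    "carol": {"System Administrator"},
}
IAM_ASSIGNMENTS = {
    "alice": {"Loan Originator"},
    "bob": {"Loan Approver"},
    "dave": {"Loan Originator"},
}


def drift_report(app, iam):
    """Return, per user, roles present in one system but absent from the other."""
    report = {}
    for user in set(app) | set(iam):
        app_roles = app.get(user, set())
        iam_roles = iam.get(user, set())
        # Granted directly in the application, unknown to Identity Manager.
        outside_iam = app_roles - iam_roles
        # Approved in Identity Manager but not actually live in the application.
        missing_in_app = iam_roles - app_roles
        if outside_iam or missing_in_app:
            report[user] = {"outside_iam": outside_iam,
                            "missing_in_app": missing_in_app}
    return report


def sod_violations(assignments):
    """Return (user, conflicting role pair) for every SoD conflict held by one user."""
    found = []
    for user, roles in assignments.items():
        for pair in SOD_CONFLICTS:
            if pair <= roles:
                found.append((user, tuple(sorted(pair))))
    return found


def high_risk_holders(assignments):
    """Users holding any role rated high risk (these need additional approval)."""
    return {user for user, roles in assignments.items() if roles & HIGH_RISK_ROLES}
```

Running the three checks over the constructed data shows bob and carol holding access that Identity Manager never recorded, dave approved but not provisioned, and bob combining two roles that conflict.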
