We’ve previously discussed the merits of automating the de-provisioning process. But even when it is automated, it can still take HR weeks to initiate the off-boarding of a terminated employee, because the process is aligned with the organization’s payroll cycles. From a security perspective, allowing terminated employees to continue to access organization systems for weeks, days or even hours can present significant security risks.
The good news is that RapidIdentity’s out-of-the-box delegation functionality allows for the immediate revoking of system entitlements with just a few mouse clicks.
RapidIdentity Delegation functionality allows non-IT employees, such as a group manager, someone in the Help Desk or someone in HR, to perform certain IAM functions. These typically include actions such as password resets, recertifications and even granting some low-risk entitlements. Delegation responsibilities could also be extended to de-provisioning. Sometimes these delegations are part of a workflow and other times they are simply delegated authorities to perform immediate tasks.
In an ideal offboarding scenario, you have two methods of system revocation in place. Let’s say John Smith resigns or is terminated. His manager, Mia, through the delegated entitlement capabilities of the company’s IAM system, revokes all of his access privileges. However, if Mia forgets or perhaps is on vacation, the IAM system’s automation technology serves as a backup and de-provisions him when HR removes him from the company payroll systems.
Here’s how easy it is to revoke system access in RapidIdentity:
Log into RapidIdentity. Then go to Profiles and find the appropriate delegation tab - My Team Profiles, in this instance.
From there, select the appropriate user and then click the “Disable” button. This in turn will disable their account in Active Directory and, if configured to do so, will revoke access to their target systems.