Security Control - Privileged Access Management Governance
Description: Provide a compliance overview of the accounts designated as privileged.
Components and Required Capabilities

Identity Governance

  • Must have the ability to provide identity and account status information to the privileged access management application
  • Must have the ability to initiate an identity administration workflow to disable or delete a privileged account

Privileged Access Management

  • Must have the ability to provide privileged account information (account, target system, owner) to the identity governance application
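The two capabilities above amount to a reconciliation loop: PAM hands its privileged account inventory to identity governance, governance matches each account to an identity and its status, and any mismatch becomes a disable or delete workflow. The following script is an added example of that loop; it is not part of the original control text or of any particular product. The feed field names, the status vocabulary (active, leave, terminated), the 90-day retention before deletion and the sample data are all assumptions.

```python
# Added example: reconcile a PAM privileged-account inventory against
# identity-governance (IG) status and turn the result into disable/delete
# workflow requests. Not from the original control text; the feed field
# names, status vocabulary and 90-day retention are assumptions.
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional


class Action(Enum):
    NONE = "none"                # owner active, nothing to do
    DISABLE = "disable"          # owner on leave or recently terminated
    DELETE = "delete"            # owner terminated longer than DELETE_AFTER ago
    INVESTIGATE = "investigate"  # orphan: no IG identity vouches for this account


@dataclass(frozen=True)
class PamAccount:
    account_id: str
    target: str                   # system the privileged account lives on
    owner_id: Optional[str]       # IG identity responsible for it, if any


@dataclass(frozen=True)
class IgIdentity:
    identity_id: str
    status: str                   # assumed vocabulary: active | leave | terminated
    terminated_on: Optional[date] = None


@dataclass(frozen=True)
class Decision:
    account_id: str
    target: str
    action: Action
    reason: str


# Assumption: a disabled account is kept 90 days (evidence, rollback) before deletion.
DELETE_AFTER = timedelta(days=90)


def decide(acct: PamAccount, identities: Dict[str, IgIdentity], today: date) -> Decision:
    """Map one PAM account plus its owner's IG status to a governance action."""
    owner = identities.get(acct.owner_id) if acct.owner_id else None
    if owner is None:
        # PAM knows the account but IG has no identity for it: an orphan that
        # no certification would ever reach, so it needs a human owner assigned.
        return Decision(acct.account_id, acct.target, Action.INVESTIGATE,
                        "no governance identity owns this account")
    if owner.status == "active":
        return Decision(acct.account_id, acct.target, Action.NONE, "owner active")
    if owner.status == "leave":
        return Decision(acct.account_id, acct.target, Action.DISABLE, "owner on leave")
    if owner.status == "terminated":
        gone_for = today - owner.terminated_on if owner.terminated_on else timedelta(0)
        action = Action.DELETE if gone_for >= DELETE_AFTER else Action.DISABLE
        return Decision(acct.account_id, acct.target, action,
                        f"owner terminated {gone_for.days} days ago")
    # An unknown status is a data-quality problem, never a reason to leave access in place.
    return Decision(acct.account_id, acct.target, Action.INVESTIGATE,
                    f"unrecognised owner status {owner.status!r}")


def reconcile(accounts: List[PamAccount], identities: List[IgIdentity], today: date) -> List[Decision]:
    """PAM supplies the account list, IG supplies identity status; one decision per account."""
    by_id = {i.identity_id: i for i in identities}
    return [decide(a, by_id, today) for a in accounts]


def workflow_requests(decisions: List[Decision]) -> List[str]:
    """Lines IG would feed into its disable/delete administration workflow."""
    return [f"{d.action.value}:{d.target}:{d.account_id}"
            for d in decisions if d.action in (Action.DISABLE, Action.DELETE)]


# Constructed sample feeds (not real data).
TODAY = date(2024, 6, 1)
PAM_ACCOUNTS = [
    PamAccount("dba_alice", "prod-db", "alice"),
    PamAccount("dba_bob", "prod-db", "bob"),
    PamAccount("app_eve", "erp", "eve"),
    PamAccount("test_carol", "uat-web", "carol"),
    PamAccount("root_dave", "bastion", "dave"),   # owner unknown to IG
    PamAccount("svc_backup", "prod-db", None),     # no owner recorded at all
]
IG_IDENTITIES = [
    IgIdentity("alice", "active"),
    IgIdentity("bob", "terminated", date(2024, 1, 15)),   # 138 days before TODAY
    IgIdentity("eve", "terminated", date(2024, 5, 20)),   # 12 days before TODAY
    IgIdentity("carol", "leave"),
]

if __name__ == "__main__":
    decisions = reconcile(PAM_ACCOUNTS, IG_IDENTITIES, TODAY)
    for d in decisions:
        print(f"{d.account_id:<12} {d.action.value:<12} {d.reason}")
    print(workflow_requests(decisions))
```

The two INVESTIGATE outcomes are the point of the control: a privileged account that governance cannot tie to an identity is invisible to every certification, so the reconciliation must surface it rather than silently skip it.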
Best Practice Recommendation

Where additional identities are required beyond a person's standard account, for certain privileged roles (e.g. DBA) or for test accounts, a Privileged Access Management solution should be implemented to ensure the integrity and security of this access.

For certifications based on entitlements only (no roles), consider a direct-manager certification that lets a manager review all of their subordinates' access at one time for the certification period. Highly restricted applications, privileged access, etc. may require 90-day reviews, whereas all other access could be reviewed yearly.

Once roles are deployed for provisioning, they can also be used in access certification. This benefits all end users, but especially the certification of privileged users, who typically hold large numbers of entitlements that would otherwise have to be certified one by one. Be sure to certify the composition of each role (the entitlements it grants) at least yearly, otherwise certifying role membership says nothing about what access is actually being approved.

Interaction Diagram