IDM:Clean – The IDM365 Identity and Access Cleanup Tool
The Clean process is step 2 in our four-step rapid IAM implementation process, but it can also be performed separately.
Housekeeping to keep system identities and access permissions in check is a hard and time-consuming task, as permission requests seem to pop up endlessly like weeds on a summer day. On the other hand, putting it off can cause problems—especially for major business-critical systems like Active Directory (AD), HR databases and other systems where organizations can easily lose track of things over time. In the end, a business may end up with more defined permissions and identities than it even has users.
Part of the problem is that, over time, system permissions can lose their relevance and usefulness. New permissions are created whenever a new need arises, but these may end up targeting the same users who are already members of an existing group. Other groups are just forgotten shells that became empty when all of their users were terminated or moved into other groups. Still other permissions may be assigned only to inactive users or be outdated in some other way, making them redundant.
Unless the organization implements an effective change policy for introducing and removing identities and system permissions, this situation can only spin out of control, making cleanup efforts ever more arduous.
IDM365 makes it easy to control and maintain a lean, clean-cut system; but before getting there, the first step is to get the system ready by running our stand-alone system analysis tool for identity and access cleanup.
IDM:Clean – Our Identity and Access Cleanup Tool
The IDM:Clean tool is part of our implementation toolbox for IDM365. For system analysis using this tool, the following data is needed:
- A list of users
- A list of system permissions
- A list of assigned user permissions
The analysis performed by IDM:Clean will help you perform housekeeping of permissions in an efficient and documented manner for all of your authentication systems. It will allow you to consolidate user permissions, clean up legacy data and improve overall system performance.
In addition, IDM:Clean includes options for generating scripts which can perform the actual cleanup of identities and access in the analyzed systems, allowing for quick, automated fulfillment of this task.
The Clean Report
An IDM:Clean analysis report will normally contain a set of several recommended actions that support effective identity and access management. Depending on the current state of the system, these actions make it possible for system owners to reduce the number of permissions by as much as 50%. The reports will cover different scenarios—each one with a detailed list of permissions, the users assigned to them, and the suggested action that will help maintain the system’s identities and access controls.
Some basic scenarios covered by the IDM:Clean analysis tool are:
- Empty permissions—Permissions (or groups) with no real user objects. Rather than zero, a lower limit of one or two users can be set, helping to weed these out as well.
- Inactive permissions—Permissions either filled with or having a large percentage of disabled and inactive users. The lower limit can be set as a percentage (for example, where at least 90% of the users are disabled or inactive).
- Redundant permissions—Multiple permissions which have been assigned to an identical set of users. Again, this can be set to show permissions where all but one or two users are the same to catch close matches as well. For example, if the system owner notices when going over the report that the same 10 users are assigned in AD to both groups A and B, with only one additional user in B, he may conclude that the groups can be consolidated into a single group AB.
You can see how an automated tool, even in just the above three scenarios, can greatly improve the efficiency and overall cleanliness of your systems, identities and access permissions. The reports generated by IDM:Clean cover these scenarios and more, adding huge value to your system housekeeping efforts.
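The three scenarios above reduce to set operations over the three input lists (users, permissions, assignments). The sketch below is an added illustration, not IDM:Clean's own code; the sample data, function names and parameter names are constructed for this example, and it assumes each user record carries an active/disabled flag.

```python
from itertools import combinations

# Constructed sample data: the three inputs the page lists.
users = {f"u{i}": True for i in range(1, 12)}        # user -> active?
users.update({"old1": False, "old2": False})         # disabled accounts
permissions = ["A", "B", "Legacy", "Empty", "Solo"]
assigned = [(f"u{i}", "A") for i in range(1, 11)]    # (user, permission)
assigned += [(f"u{i}", "B") for i in range(1, 12)]   # B = A plus one user
assigned += [("old1", "Legacy"), ("old2", "Legacy"), ("u1", "Solo")]


def members_by_permission(permissions, assigned):
    """Index assignments as permission -> set of users, keeping empty ones."""
    index = {p: set() for p in permissions}
    for user, perm in assigned:
        index.setdefault(perm, set()).add(user)
    return index


def empty_permissions(index, max_members=0):
    """Permissions with at most max_members assigned users."""
    return sorted(p for p, m in index.items() if len(m) <= max_members)


def inactive_permissions(index, users, min_ratio=0.9):
    """Non-empty permissions where >= min_ratio of members are inactive.
    Members missing from the user list are counted as inactive."""
    out = []
    for p, m in index.items():
        inactive = sum(1 for u in m if not users.get(u, False))
        if m and inactive / len(m) >= min_ratio:
            out.append(p)
    return sorted(out)


def redundant_permissions(index, max_diff=0):
    """Pairs of non-empty permissions whose member sets differ by <= max_diff."""
    pairs = []
    for a, b in combinations(sorted(index), 2):
        if index[a] and index[b] and len(index[a] ^ index[b]) <= max_diff:
            pairs.append((a, b))
    return pairs


if __name__ == "__main__":
    idx = members_by_permission(permissions, assigned)
    print("empty:", empty_permissions(idx, max_members=1))
    print("inactive:", inactive_permissions(idx, users))
    print("redundant:", redundant_permissions(idx, max_diff=1))
```

Each result is a review list for the system owner rather than a deletion list: a near-match such as A and B still needs a decision on whether the extra member justifies a separate group.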