1 Introduction
IGA (Identity Governance & Administration) is a core discipline within IAM. IGA focuses on the deploy-time aspects of IAM: managing identities, creating user accounts, and assigning entitlements. It also provides the after-the-fact capabilities of Access Governance, such as the regular recertification of assigned entitlements. IGA, Access Management (user authentication and session control), and Privileged Access Management (PAM, which manages access with elevated privileges such as administrative access) are the three main pillars of common IAM deployments.
IGA itself consists of several core components. These include
- Identity Lifecycle Management (ILM) for managing the lifecycle of identities from their creation to retirement and of the associated user accounts in managed applications, the so-called target systems.
- User Access Provisioning (UAP) for connecting to target systems, enabling IGA solutions to automatically create user accounts and assign entitlements in these systems.
- Identity Access Governance (IAG) for requesting and approving access for users, for supporting role management as an established model for managing entitlements, and for regular access recertification to enforce the least-privilege principle and avoid over-entitlement of users.
- Workflow management for supporting user lifecycles as well as access request and approval workflows.
- Connectors for directly integrating with target applications.
IGA is an established technology that is needed for efficient management of users and entitlements across the IT landscape, including both infrastructure such as servers, databases, and IaaS (Infrastructure-as-a-Service) and PaaS (Platform-as-a-Service) environments, and applications across the range of their deployment models from on-premises applications to SaaS solutions.

Figure 1: IGA projects, more than any other IAM discipline, are facing a range of challenges that put them at risk.
IGA counts amongst the complex areas within IAM for a variety of reasons. IGA focuses on integrating the management of identities, user accounts, and entitlements across the full range of IT services and applications in use. This makes IGA a cross-divisional project, involving not only many different units within IT but also the owners of business applications. It also builds a bridge between the users that need access to applications and services and the technical infrastructure, requiring the mapping of technical information such as system-level access entitlements to the business perspective of functional access requirements.
Two areas within IGA where the challenges of bridging between business and IT commonly become visible are role management and access recertification:
- Role management requires the definition of roles, commonly at several levels such as IT roles and business roles, and the mapping between them. Business roles are intended to reflect the business view on entitlements, based on the organization, business processes, and business functions, while IT roles abstract the detailed and frequently complex entitlement structures of the target systems. Both the definition of business roles and their correct mapping to IT roles require business involvement. Because several systems such as Microsoft Active Directory, Microsoft Windows File Servers, SAP ECC, and other business applications have complex internal entitlement models, role projects tend to become complex.
- Access recertification is another major challenge, requiring business managers to review the state of entitlement assignments for their team members. Business managers need to understand the entitlements in order to perform a proper and efficient review. In many implementations, access recertification suffers from the lack of a proper business representation of technical entitlements and thus results in rubber-stamping instead of a thorough review of entitlements.
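The two points above, the business-role-to-IT-role-to-entitlement mapping and the recertification review built on top of it, can be made concrete in a few lines. The following is an added, constructed example and not code from the report or from any IGA product; every system name, group DN, SAP authorization name, and user is hypothetical. It expands a user's business roles to the technical entitlements behind them, presents each entitlement with a business-readable description for the reviewer, and flags direct assignments that bypass the role model, since those are the usual over-entitlement candidates a recertification campaign should surface first.

```python
"""Constructed role model and recertification check (hypothetical data)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Entitlement:
    system: str     # target system that owns the entitlement
    technical: str  # identifier as the target system knows it
    display: str    # business-readable description shown to reviewers


# Hypothetical entitlement catalogue; the identifiers are constructed.
ENTITLEMENTS = {
    "ad-fin-share-rw": Entitlement("AD", "CN=GG-FIN-SHARE-RW,OU=Groups,DC=example,DC=com",
                                   "Read/write access to finance file share"),
    "ad-fin-share-ro": Entitlement("AD", "CN=GG-FIN-SHARE-RO,OU=Groups,DC=example,DC=com",
                                   "Read-only access to finance file share"),
    "sap-fi-post": Entitlement("SAP", "Z_FI_POSTING", "Post journal entries in SAP FI"),
    "sap-fi-vendor": Entitlement("SAP", "Z_FI_VENDOR_INV", "Post vendor invoices in SAP FI"),
    "ad-domain-admin": Entitlement("AD", "CN=Domain Admins,CN=Users,DC=example,DC=com",
                                   "Domain administrator"),
}

# IT roles abstract the target-system entitlements.
IT_ROLES = {
    "it-finance-share-writer": {"ad-fin-share-rw"},
    "it-finance-share-reader": {"ad-fin-share-ro"},
    "it-sap-fi-poster": {"sap-fi-post", "sap-fi-vendor"},
}

# Business roles are defined in business terms and map onto IT roles.
BUSINESS_ROLES = {
    "Accountant": {"it-finance-share-writer", "it-sap-fi-poster"},
    "Finance Auditor": {"it-finance-share-reader"},
}


@dataclass
class User:
    uid: str
    manager: str
    business_roles: set = field(default_factory=set)
    direct_entitlements: set = field(default_factory=set)  # assigned outside any role


def role_entitlements(business_role):
    """Expand a business role through its IT roles to entitlement keys."""
    ents = set()
    for it_role in BUSINESS_ROLES[business_role]:
        ents |= IT_ROLES[it_role]
    return ents


def effective_entitlements(user):
    """Everything the user holds, from roles and from direct assignment."""
    ents = set(user.direct_entitlements)
    for br in user.business_roles:
        ents |= role_entitlements(br)
    return ents


def recertification_items(user):
    """Build the list a manager reviews.

    One item per business role, listing the entitlements it expands to in
    business wording, plus one flagged item per direct entitlement that no
    assigned role covers. Direct assignments already covered by a role are
    redundant and are not shown again.
    """
    items, covered = [], set()
    for br in sorted(user.business_roles):
        ents = role_entitlements(br)
        covered |= ents
        items.append({"kind": "business_role", "name": br, "flag": False,
                      "entitlements": sorted(ENTITLEMENTS[e].display for e in ents)})
    for key in sorted(user.direct_entitlements - covered):
        ent = ENTITLEMENTS[key]
        items.append({"kind": "direct", "name": key, "flag": True,
                      "entitlements": [f"{ent.display} ({ent.system}: {ent.technical})"]})
    return items


def campaign(users):
    """Group review items by manager, as a recertification campaign would."""
    by_manager = {}
    for u in users:
        by_manager.setdefault(u.manager, {})[u.uid] = recertification_items(u)
    return by_manager


if __name__ == "__main__":
    alice = User("alice", "bob", {"Accountant"}, {"ad-domain-admin", "sap-fi-post"})
    for item in recertification_items(alice):
        marker = "REVIEW" if item["flag"] else "      "
        print(marker, item["kind"], item["name"], item["entitlements"])
```

Running the block prints the Accountant role with its three entitlements in business wording and a single flagged line for the direct Domain Admins membership; the directly assigned `sap-fi-post` is absorbed by the role and not listed twice, which is the kind of noise reduction that keeps reviewers from rubber-stamping.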
In addition, there are various technical challenges in IGA that add to the complexity. The two most common areas are application onboarding and customization of the IGA system.
- Application onboarding requires technical interfaces to the target systems. SCIM (System for Cross-Domain Identity Management) is emerging as a de-facto standard. However, SCIM lacks depth for the complex entitlement structures of target systems and is primarily used for connecting to SaaS applications. Legacy applications commonly require specific connectors, and building these integrations is time-consuming. In addition, it requires close interaction between the IGA project and the various owners of target applications. Many applications are also customized, requiring the adjustment of standard connectors.
- Customization primarily impacts two areas: the user interface (UI), and the workflows for ILM as well as for access requests and approvals. Unfortunately, there still is no established IGA process framework that describes these processes, and most solutions don’t provide a comprehensive process framework out-of-the-box. Thus, process definition and implementation commonly consume a large portion of the budget and time of an IGA implementation. Adapting the standard UI to the specific needs of the customer organization, and potential integration with other solutions such as IT Service Management (ITSM), add further complexity and effort to the project.
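To show what the SCIM-based onboarding mentioned above looks like on the wire, and where its flat entitlement attribute runs out of depth, here is an added example that is not code from the report or from any SCIM implementation. It builds a SCIM 2.0 User resource (RFC 7643 core schema) for `POST /Users` and a PatchOp message (RFC 7644) for `PATCH /Users/{id}` from an IGA-side account record; the account fields, entitlement values, and the nested entitlement tree are constructed. The nested tree stands in for a target system whose roles contain profiles that contain authorization objects; SCIM's `entitlements` attribute is a flat multi-valued list, so the hierarchy is flattened to its leaves and the path survives only as the `display` text.

```python
"""Constructed SCIM 2.0 payload builder for IGA provisioning (hypothetical data)."""
import json

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def flatten_entitlements(tree, path=()):
    """Flatten a nested entitlement tree to SCIM entitlement objects.

    Only leaves become entitlements; the intermediate levels are kept solely
    in the human-readable display string, because the SCIM attribute has no
    place for a hierarchy.
    """
    flat = []
    for name, children in tree.items():
        if children:
            flat.extend(flatten_entitlements(children, path + (name,)))
        else:
            flat.append({"value": name, "display": " / ".join(path + (name,)), "type": "authorization"})
    return flat


def scim_user(account):
    """Map an IGA account (dict) to a SCIM User resource for POST /Users."""
    return {
        "schemas": [USER_SCHEMA],
        "externalId": account["iga_id"],  # lets the IGA system correlate the created resource
        "userName": account["login"],
        "name": {"givenName": account["first"], "familyName": account["last"]},
        "emails": [{"value": account["email"], "primary": True}],
        "active": account.get("active", True),
        "entitlements": flatten_entitlements(account.get("entitlement_tree", {})),
    }


def scim_patch_entitlements(add=(), remove=()):
    """Build a PatchOp for PATCH /Users/{id} that adds and removes entitlements.

    Removal uses a value filter in the path, the RFC 7644 form for deleting
    one member of a multi-valued attribute.
    """
    ops = []
    if add:
        ops.append({"op": "add", "path": "entitlements", "value": [{"value": v} for v in add]})
    for v in remove:
        ops.append({"op": "remove", "path": f'entitlements[value eq "{v}"]'})
    return {"schemas": [PATCH_SCHEMA], "Operations": ops}


def validate_user(resource):
    """Pre-flight checks before sending: schemas and userName are mandatory in RFC 7643."""
    errors = []
    if USER_SCHEMA not in resource.get("schemas", []):
        errors.append("missing core User schema URI")
    if not resource.get("userName"):
        errors.append("userName is required")
    if not resource.get("name", {}).get("familyName"):
        errors.append("familyName missing (not mandatory, but most targets expect it)")
    return errors


# Constructed sample account with a three-level entitlement tree.
SAMPLE_ACCOUNT = {
    "iga_id": "iga-000123", "login": "alice", "first": "Alice", "last": "Example",
    "email": "alice@example.com",
    "entitlement_tree": {
        "FI_CLERK": {"FI_POSTING_PROFILE": {"F_BKPF_BUK": {}, "F_BKPF_KOA": {}}},
        "REPORT_VIEWER": {},
    },
}

if __name__ == "__main__":
    user = scim_user(SAMPLE_ACCOUNT)
    print(json.dumps(user, indent=2))
    print(validate_user(user))
    print(json.dumps(scim_patch_entitlements(add=["F_BKPF_KOA"], remove=["REPORT_VIEWER"]), indent=2))
```

The `display` string is the only place the target system's hierarchy survives, which is why a connector for a system with deep entitlement models usually needs more than the standard SCIM schema: either a custom schema extension or a dedicated connector that speaks the application's own API.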
Success in IGA thus needs both a strong technical foundation and strong project management. When selecting an IGA solution, organizations are well-advised to focus on the solution's ability to address the challenges outlined above and to enable lean, business-focused IGA.