Common User Experience
Access Panel is a fully featured identity and resource entitlement governance solution that forms part of the Identity Panel Suite of applications. This provides the user with a consistent yet highly customizable interface experience while delivering beyond the capabilities typically expected of a market-leading Identity and Access Management (IAM) platform.
Flexible Connector Model
Any Access Governance solution is only as effective as the breadth, depth and granularity to which it integrates with your key Enterprise applications. For Access Panel, Identity Panel’s Panel Providers offer access governance across all of your key entitlement sources, supporting multiple deployment architectures, including directly interfacing with target resources such as directories, databases and applications.
Each resource is represented in Identity Panel as one or more data silos, and data changes to these silos are mediated natively via the HyperSync Panel™ App or via existing synchronization services such as Microsoft Identity Manager. Where the IAM platform enforces referential integrity for relationships between identities (e.g. manager, typically derived from an authoritative HR source such as Workday or SAP) and resources (e.g. owner/owners, viewers), those relationships are then leveraged for User Access Review (UAR) policy.
Access Panel implements a generic identity-to-resource data relationship model, which elevates the platform capabilities beyond traditional group management to broader categories such as organizational and application roles, as well as 3rd party resource types such as Microsoft Entra ID Access Packages. This is achieved with the flexibility to support ACL and attribute-based permissions control.
This architectural flexibility allows Access Panel to integrate seamlessly with an existing or new IAM deployment to apply multi-modal access governance models, including ABAC (Attribute Based Access Control), Just-in-Time access provisioning/PAM, traditional RBAC (Role Based Access Control), and Attestation/Certification. Access Review models support requests, recurring review, risk modeling, and access expiry.
Disconnected Resource Governance
Not all application or system resources may be fully integrated with your IAM platform, and these may presently require manual access governance via a Service Desk, with access requests submitted in an ITSM platform (e.g. ServiceNow). In the context of Identity and Access Management these resources are often referred to as disconnected.
Access Panel supports consistent resource governance across the entire application and system landscape, whether connected to or disconnected from the IAM platform. This is critical in meeting compliance objectives such as enforcing segregation of duty (SoD) policy, where violations (toxic role combinations) can occur both within the same resource and between different resources.
Support is achieved by uploading disconnected resource data (identities, resources and their inter-relationships) to Identity Panel as one or more conforming Excel spreadsheets, creating the data silos required for attestation. Relationships within and between spreadsheets can be established to support both user-manager and resource-owner UAR approval models. Provided the spreadsheet data can be periodically reproduced in a consistent format, the upload process is reused for all subsequent campaigns.
Unlike connected resources, where review actions such as revoking an entitlement on rejection by the reviewer are performed automatically and immediately, actions against disconnected systems must be performed manually. While this is easily facilitated via an Identity Panel standard report that consolidates the required activity, the process can be further improved by raising ITSM request tickets via an ITSM connector such as the Panel Provider for ServiceNow.
Multi-Source Resource Governance
- Define multiple scopes and sources for user identities and resources, including:
  - Active Directory / LDAP
  - Entra ID / M365
  - 3rd party and proprietary line-of-business (LOB) applications
  - SaaS apps via System for Cross-domain Identity Management (SCIM), direct connectors or report extracts
- Entitlements may be derived from:
  - Reference attributes
  - Multi-value attributes
  - Single-value attributes
  - Rule-based objects
Policy Based Entitlement Management
Attribute Based Access Control (ABAC)
- Criteria based entitlement management
- Handling of group scenarios with native criteria (e.g. Azure dynamic groups)
- Member exception management
- Negative exception management for separation of duties
- Support for criteria-based candidacy
Role Based Access Control (RBAC)
- Assign entitlements based on role assignments
- Hierarchical role management
- Advanced criteria evaluation for roles
- Role based separation of duties
Just in Time Privileges (JIT)
- Support for candidate members with just-in-time activation
- Policy for processes on candidate activation, including:
  - Activation time windows
  - Approval policies (owner/manager)
  - Activation extension policies
  - Custom justification forms
Separation of Duties (SoD)
- Flexible policy definitions
- Supported across all provider types
- Includes role and user level conflicts
- Exception management with advanced workflow support
- Violation prevention at time of request
- Violation detection at time of review
- Access Review of SoD exceptions (violations)
Requests and Expiry
- Group join requests with customizable justification and approval forms
- Policy based on group risk and application association
- Multi-response request policies with escalation and reminder rules
  - Identity-relative: Self, Manager
  - Resource-relative: Owner, Owners
- Enforced and optional entitlement expiry policies with extension notifications
- Persistent logging for surfacing in reporting and Time Traveler
- Support for Email, SMS, and Workflow/Service Desk system integrated flexible approval flows
User Access Review (UAR)
Access Panel supports access reviews, also known as attestation or certification, which are run as campaigns across a wide range of object classes and filtering modes. Attestation may be performed against settings of security principals like users, groups, and applications, or against access levels like entitlements or role assignments. This allows organizations to attest against permissions directly, attest to the rules that drive permissions, and separately review policy exceptions and violations.
- Multi-mode Certifications
  - Entitlements (current permission/membership assignments)
    - Calculated as active at time of campaign launch
  - Resources — Including ownership, settings, criteria rules, role settings, data inventory, and change triggers
  - Roles and Role Assignments
- Approval policies with escalation and reminder rules
  - Identity-relative: Self, Manager
  - Resource-relative: Owner, Owners
- Activity policies with option to immediately revoke entitlement(s)
- Rolling, recurring, and ad-hoc attestation modes
- Offline user access review support via campaign upload from/download to Excel spreadsheets
  - One spreadsheet per campaign per reviewer
  - Convenient where large numbers of resources and identities are involved
  - Convenient when multiple concurrent campaigns are run for the same reviewer
- Persistent logging for surfacing in reporting and Time Traveler
- Communications queuing and consolidation, with support for multiple delivery channels including:
  - Email (including email override support for campaign testing)
  - SMS
  - Service Desk/Ticketing system
  - Workplace messaging channels such as Teams or Slack
- Rule based certification triggers, including:
  - Attribute filters
  - Event-based / change response
  - Application assignment
  - Risk level
  - Assignment control (explicit membership vs. criteria vs. role derived, etc.)
The following is a sample Entitlement Review campaign to demonstrate how some of the above UAR concepts might be implemented:
Reporting
- Pre-built reports covering:
  - Access review progress (real time)
  - Access review audit evidence
  - Campaign owner and viewer management reports
  - Request reports for approvers
  - Policy based entitlement reports
  - Role/criteria membership
  - Membership changes over time
  - Separation of duties
- Advanced custom reporting engine
- Report publishing and syndication
  - Via email or workflow
  - API based
  - Dashboard publishing based on access roles, with download support to Excel
  - Push to downstream engines such as a SIEM or Power BI