Access Panel supports dynamic governance policies, including the ability to configure which attribute changes initiate a recertification process for users who have changed roles or responsibilities—commonly referred to as "movers." This functionality is crucial for maintaining security and compliance by ensuring users retain only the access appropriate to their current role.
Change-Triggered Attestation: Attribute Sensitivity Matters
Access Panel includes a feature called Attestation Campaigns, which are used to confirm that a user’s access rights remain valid over time. These campaigns can be configured to trigger automatically when specific user attributes change. Commonly monitored attributes include:
-
Job Title
-
Department
-
Location
-
Manager
-
Employment Type
Using Criteria Policies and Just-in-Time (JIT) Policies, Access Panel monitors for changes to selected identity attributes. When a change occurs, it can automatically initiate a targeted attestation—prompting managers or system owners to review and confirm or revoke the user's access based on the updated data.
How It Works: Policy Configuration and Event Triggers
Administrators can define what changes should trigger a mover attestation using criteria policies. These policies evaluate identity attributes during each synchronization or event. When a match is detected—such as a department change—Access Panel launches a scoped attestation campaign. The configuration allows organizations to:
-
Choose specific attributes to monitor
-
Define thresholds or conditions (e.g., location changed from Region A to Region B)
-
Route reviews to the appropriate approvers or system owners
-
Automate downstream actions based on the attestation outcome
The identity lifecycle, especially the "mover" phase, is supported with this change-driven governance model. This reduces risk by ensuring former entitlements are not carried into a new role.
Comments
0 comments
Article is closed for comments.