Recertification of User Permissions – How Do You Ensure Sustainability?
An increasing number of companies are being forced by legal requirements and compliance demands from auditors, financial auditors, and internal audit departments to implement measures for the recertification of access or user permissions. However, introducing recertification processes comes with numerous challenges — the quality of the results is often unsatisfactory, and above all, the question arises: How can the sustainability of a recertification be ensured?
Let’s assume that you manage to carry out a recertification successfully despite all the challenges — how long do you think this clean state of permissions will last?
Exactly until the next new user is created, someone leaves the company, or changes their job or department — and the permissions are not correctly assigned or removed. As experienced and critical IAM consultants, we find this situation highly unsatisfactory. Just hours later, despite all efforts to complete a recertification properly, the first security risks may reappear due to incorrectly assigned permissions or dangerous permission combinations. So, the question remains: How can the sustainability of a recertification be ensured?
But let’s start at the beginning: First, we’ll outline the challenges of recertification and offer practical solutions. Then, we’ll present three scenarios to help improve the sustainability of your permission recertification efforts.
The Challenges of a Recertification
In theory, recertifying user permissions sounds quite simple. Users and their associated permissions are read from the systems to be reviewed, and the information is presented to the responsible parties, such as department managers. These individuals review the permissions and either approve or reject them, allowing administrators to clean up the systems accordingly. Sounds pretty straightforward, right?
Now imagine you are one of the people responsible for recertification, already overloaded with work, and between two meetings you receive a stack of paper with usernames and incomprehensible permission abbreviations — what would you do? Just approve everything blindly?
The real challenge is to implement recertification processes in a meaningful way. Identity Governance solutions can help — if used correctly. These solutions not only read user data and their associated permissions from the target systems but also offer the ability to translate cryptic permission codes into understandable descriptions before presenting them to supervisors using workflows and web forms. This way, those responsible for recertification actually understand what they are approving or rejecting.
Identity Governance solutions also help reduce and distribute the workload of recertification more effectively by allowing the definition of recertification campaigns. Based on certain selection criteria, the number of users and systems to be recertified can be limited and scheduled for different timeframes. With smart filtering, the group of reviewers can also be expanded — for example, to include application owners or project managers — which distributes the workload across more people. Another method to reduce the number of permissions requiring recertification is the use of roles. This means only the role itself needs to be recertified, not each individual permission within it. However, this also requires that the role itself undergoes regular review.
By using an Identity Governance solution effectively, you can overcome the challenges of implementing recertification processes and increase acceptance among reviewers. As a result, reviewers will take the necessary time to carefully examine the permissions presented to them, significantly improving the quality of the recertification process.
Nevertheless, sustainability remains an issue — your clean authorization state can be compromised as soon as the first permission is modified. Below, we present three solution scenarios to improve long-term sustainability.
Solution Scenario 1: Shortening Recertification Intervals
The first solution scenario assumes the existence of an Identity Governance solution and is relatively easy to implement. The intervals for defined recertification campaigns are shortened so that recertification must occur, for example, every three or six months instead of annually.
Advantages: The review period is shortened, allowing incorrect permissions to be detected and corrected sooner.
Disadvantages: The workload for reviewers increases significantly, which may reduce both their acceptance and willingness to conduct recertifications with the necessary diligence. Even with shorter intervals, the sustainability issue remains — there are still timeframes during which the permission state may not reflect the intended target state, leading to potential security risks.
Solution Scenario 2: Assigning Expiration Dates to Permissions
The second solution scenario benefits from using either an Identity Governance or Identity Management (IDM) solution. The basic idea is to grant permissions with an expiration date, requiring them to be reviewed and re-approved after that period. Depending on the Identity Governance product, this feature may or may not be available — in most IDM solutions, it is standard functionality.
Advantages: Recertification processes could be eliminated altogether, as permissions would only need to be periodically reviewed and approved — a process that should already exist in every organization.
Disadvantages: Similar to scenario 1, this increases the workload for approvers, who are likely to be supervisors or department heads as in traditional recertification processes. Even though permissions now expire and must be re-approved, the sustainability issue still isn't fully resolved — periods still exist where permissions may not reflect the intended target state, posing security risks. It's also questionable whether auditors would be willing to forgo traditional recertification or consider such alternatives.
Solution Scenario 3: Always Assigning Permissions Correctly
Our third scenario involves using an Identity Governance solution to meet auditors' requirements for recertification, while also deploying an Identity Management (IDM) solution to ensure all permissions are assigned correctly at all times. Unlike scenario 2, this scenario requires implementing a business role model in the IDM system to guarantee proper assignment of permissions. Even when changes occur — such as department transfers, job changes, or employee departures — permission corrections will be executed accurately. However, experience from IAM projects shows that covering more than 80% of all permissions via roles is not economically viable. The remaining permissions should be assigned individually through the IDM system. Since individual permission assignments are more error-prone, the Identity Governance solution helps compensate by regularly recertifying and correcting the smaller number of potentially incorrect permissions. By the way, there are now several IAM vendors that offer integrated Identity Management and Identity Governance solutions.
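As an added illustration (not code from the article or from any IAM product), the following Python sketch shows how the business role model of scenario 3 and the permission expiry dates of scenario 2 narrow what reviewers still have to recertify after a job change. Roles, permission codes, users and dates are constructed for the example.

```python
"""Added example: reconcile a user's actual permissions against a business role model
(scenario 3) and apply expiry dates to the individually assigned remainder (scenario 2).
All roles, permission codes and dates below are constructed, not taken from a real system."""
from datetime import date

# Business role model: (department, job) -> permissions the IDM system grants automatically.
ROLES = {
    ("Finance", "Accountant"): {"SAP_FI_POST", "SAP_FI_DISPLAY", "MAIL"},
    ("Finance", "Manager"): {"SAP_FI_APPROVE", "SAP_FI_DISPLAY", "MAIL"},
    ("Sales", "Rep"): {"CRM_READ", "CRM_WRITE", "MAIL"},
}

# Dangerous permission combinations that no recertification should ever approve.
SOD_CONFLICTS = [({"SAP_FI_POST", "SAP_FI_APPROVE"}, "post and approve own postings")]


def reconcile(role_key, actual, individual_grants, today):
    """Return what the IDM system corrects automatically and what goes to the campaign.

    actual: permission codes currently found in the target system
    individual_grants: code -> expiry date for permissions assigned outside the role model
    """
    expected_from_role = ROLES.get(role_key, set())
    # Individual grants stay legitimate until their expiry date; afterwards they are removed.
    valid_individual = {c for c, exp in individual_grants.items() if exp >= today}
    expired_individual = set(individual_grants) - valid_individual
    target = expected_from_role | valid_individual
    return {
        "revoke": sorted(actual - target),             # left over from old role or expired
        "grant": sorted(expected_from_role - actual),  # role entitles it, system lacks it
        "recertify": sorted(valid_individual),         # only the non-role remainder needs reviewers
        "expired": sorted(expired_individual),
        "sod_violations": [why for combo, why in SOD_CONFLICTS if combo <= actual],
    }


def example_after_job_change():
    """Constructed case: alice moved from Accountant to Manager, but the target system still
    carries her old role permissions plus two individually granted ones."""
    today = date(2025, 5, 1)
    actual = {"SAP_FI_POST", "SAP_FI_DISPLAY", "MAIL", "SAP_FI_APPROVE",
              "REPORTING_TOOL", "PROJECT_X_SHARE"}
    individual = {"REPORTING_TOOL": date(2025, 6, 30), "PROJECT_X_SHARE": date(2025, 3, 31)}
    return reconcile(("Finance", "Manager"), actual, individual, today)


if __name__ == "__main__":
    for key, value in example_after_job_change().items():
        print(f"{key}: {value}")
```

Of the six permissions alice holds, the IDM system removes two and flags the toxic post/approve combination itself; only one individually granted permission reaches the recertification campaign.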
Advantages: The use of an Identity Governance solution meets auditor requirements. The combination with an IDM system ensures that most permissions are correctly assigned from the beginning and that the clean permission state achieved through recertification is maintained over time.
Disadvantages: Implementing an IDM project involves significantly more effort than deploying a Governance-only solution. User lifecycle processes, workflows, and a business role model must be implemented in the IDM system, along with connectors to source and target systems — this is hardly feasible without external IAM consulting.
Conclusion
To meet audit compliance requirements, there is likely no way around an Identity Governance solution in the coming years. When used properly, such a solution can help manage the challenges of introducing recertification processes and significantly improve result quality.
To ensure long-term sustainability of recertification, as a reputable IAM consulting firm, we can only truly recommend the third solution scenario to our clients. Although it involves the highest implementation effort, it also delivers the greatest benefit in preventing security risks caused by incorrectly assigned or combined permissions. We recommend first implementing an Identity Governance solution to enable recertification, and then — or in parallel — beginning the implementation of an Identity Management system. Before committing to any of the three scenarios, you should carefully weigh the costs and benefits for your organization, and consult an IAM expert in case of uncertainty.