Role Assignment Automation: Finding the Balance of Technology and Process
Meet the Experts
Determining access in an organization is an important function and major challenge for Governance, Risk, and Compliance (GRC) teams that can have vital implications on the business. Role assignment helps determine who gets access to what systems and information, but it can be a heavily manual and time-consuming process. Companies are trying to automate many areas of GRC and automation of role assignments is one area that can help reduce the resources spent on user access.
“Access is very important—if we don’t give the right access to users, they can’t transact,” says Chis Aramburu, Senior Director of Product at Fastpath, which specializes in access control management. “One of the key challenges is finding the right balance of technology and process, and that’s really based on your organizational climates.”
How are companies using technology for access currently? In our User Access and Identity Management report last year, we found that over half of respondents were using technology to support access control, and nearly half were looking to make further investments in access control.
However, just because companies have a technology to support a process doesn’t mean they have automated that process. For example, 63% of respondents in our User Access study reported using GRC automation technology, but only 26% had a fully automated process for tracking who makes changes to their systems.
The Value of Role Assignment Automation
When it comes to role assignments, Fastpath’s Aramburu says the provisioning process can be manual, error-prone, and introduce extra risk. If the process falls short, there are issues around redesigning access, adding more time and effort to the access control process. Audit and compliance issues also may arise, such as terminated employees retaining access after termination.
Automating role assignments can help remove some of the manual processes—it can integrate with segregation of duties, and allow GRC teams to establish rules that are automatically applied. Data collection, distribution, and access requests can be automated. So, if someone changes roles, the process to change their access can be automatically triggered. Some tools also allow for time-based access automation—such as if an employee only needs certain access for a week or even a few hours—that access can also be automated.
In our research, we’ve found that companies that use access control technology and automate processes tend to be more satisfied with their GRC processes. Given that we’ve also found that GRC teams are increasingly stretched, any automation to provide relief is beneficial.
What Does This Mean for SAPinsiders?
- Evaluate your role assignment process for inefficiencies and risk. Does your process for role assignment require a lot of manual work that also leaves room for human error? Find out how that is impacting your business—is it slowing down other business processes that rely on access? Is creating risk or compliance issues because of improper access? Role assignment is fundamental to access—find out where you can improve.
- Identify areas of automation in role assignment. The highest performing GRC departments tend to have automation and utilize access control technology. There is room for efficiency gains in role assignment processes at many companies—and automation may help.