
Role & Access Discovery | Who Has Access to What Now?

It’s a nightmare scenario. You work in a regulated market, like financial services or healthcare. There’s a breach. You know the question is coming, but can you confidently answer it? 

“Who at the company could have seen those social security numbers?” What about its follow-up question: “Who actually did see that number?” In other words, who theoretically had access to that information, but also, who actually accessed it?

Often, employees have access they don't need for their job (over-provisioning), and risk increases because your breach surface is that much bigger. But that's the nightmare scenario. 

What about the day-to-day activities? The ones where someone in marketing requests access to a production customer database—do you know if that person really needs access to it?

A critical part of embracing zero trust and implementing privileged access management (PAM) is ensuring that each employee’s access to technical tools is as close as possible to what’s needed for their specific role. But creating unique roles for every individual can be expensive, time-consuming, and difficult to do. 

For example, data scientists may need access to sensitive data, but because of the complexity associated with access management, many companies simply provide that access to the entire engineering department—even though 80% of the department doesn’t need that access. Suddenly, you have audit and security issues as well, especially if you ever have to determine how an infrastructure breach occurred.

The good news is that there’s a way to avoid the pitfalls of providing too much or too little access—and it all starts with role and access discovery. 

Why Access Management Is Hard

Imagine you're building a house, but instead of having a floor plan or starting with the foundation, you just build it as you go, adding room after room. Over time, you'll likely end up with a nice house, but not necessarily a functional home (real-life example: the Winchester Mystery House in San Jose).

[Image: the Winchester Mystery House. Caption: Sure it looks cool, but is it functional?]

Access can fall into the same trap. Over time, your organization will add new people, new teams, new roles, and new systems. And before you know it, you have no source of truth for who has access to which systems, much less who needs access to them. This inevitably leads to over- and under-provisioning, not to mention that it's now extremely difficult to audit what is happening in each system. 

It usually takes a major financial event, like an initial public offering, or a compliance event, such as achieving SOC 2 compliance, to drive these types of projects. Teams that don't have such a compelling event will instead be forced to deal with the accumulated frustration of multiple teams who just want the access they need.

Enter Role & Access Discovery

To put it simply, if you start without a plan for infrastructure access, you're going to regret it—and yet, many companies are inclined to skip this step. The result is a hodgepodge of access across multiple roles and systems that becomes impossible to manage. Organizations need to shift their mindsets and behavior to proactively think about who needs access to what, document it, and standardize it. That’s where Role and Access Discovery comes in. 

Role and access discovery is a collaborative process that defines:

  • The structure of the company
  • The structure of the teams
  • Which roles need access to which systems

The task of role and access discovery and planning often gets assigned to technical staff, like the IT team or infrastructure team. And as discussed above, organizations that don’t take the time to think about their end goals or plan access upfront may end up haphazardly providing too little or too much access to individual employees.
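The two questions from the opening (who could have reached a system, and who actually did) and the role-to-system map that discovery produces can be reconciled mechanically once both exist. The Python script below is an added example and not StrongDM's code: it expands a constructed role map into each user's effective access, replays constructed access-log lines, and reports grants that were never exercised inside the review window (over-provisioning candidates) as well as accesses that no role explains (the map is stale, or access was granted outside the process). Every role, user, system name and log line is made up; the log format is an assumed "timestamp user system action" layout.

```python
from collections import defaultdict
from datetime import datetime

# Constructed role -> systems map: the document role and access discovery produces.
ROLE_SYSTEMS = {
    "data-scientist": {"customer-db", "analytics-warehouse"},
    "backend-engineer": {"customer-db", "app-server"},
    "marketing": {"crm"},
}

# Constructed user -> roles assignment (what an IdP or HR export would give you).
USER_ROLES = {
    "alice": {"data-scientist"},
    "bob": {"backend-engineer"},
    "carol": {"backend-engineer"},
    "dave": {"marketing"},
}

# Constructed access log, assumed layout: "<ISO-8601 UTC timestamp> <user> <system> <action>".
ACCESS_LOG = """\
2024-03-01T09:12:44Z alice customer-db query
2024-03-02T10:03:10Z alice analytics-warehouse query
2024-03-03T14:22:01Z bob app-server ssh
2024-03-04T08:45:30Z dave crm login
2024-03-05T11:00:00Z dave customer-db query
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def effective_access(user_roles, role_systems):
    """Expand role assignments into the set of systems each user *could* reach."""
    access = defaultdict(set)
    for user, roles in user_roles.items():
        for role in roles:
            access[user] |= role_systems.get(role, set())
    return dict(access)


def parse_log(text):
    """Parse log lines into (timestamp, user, system, action) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, system, action = line.split()
        events.append((datetime.strptime(ts, TS_FORMAT), user, system, action))
    return events


def who_could_access(system, user_roles, role_systems):
    """Theoretical access: every user whose roles grant the system."""
    return {user for user, systems in effective_access(user_roles, role_systems).items()
            if system in systems}


def who_did_access(system, events):
    """Actual access: every user the log shows touching the system."""
    return {user for _, user, sys_name, _ in events if sys_name == system}


def unused_grants(user_roles, role_systems, events, since_iso):
    """Grants present in the map but never exercised since `since_iso`:
    the over-provisioning candidates an access review should question."""
    since = datetime.strptime(since_iso, TS_FORMAT)
    used = defaultdict(set)
    for ts, user, system, _ in events:
        if ts >= since:
            used[user].add(system)
    return {user: systems - used[user]
            for user, systems in effective_access(user_roles, role_systems).items()
            if systems - used[user]}


def unmapped_access(user_roles, role_systems, events):
    """Accesses no role explains: the map is stale, or access was granted
    outside the role process and should be investigated."""
    effective = effective_access(user_roles, role_systems)
    return {(user, system) for _, user, system, _ in events
            if system not in effective.get(user, set())}


if __name__ == "__main__":
    events = parse_log(ACCESS_LOG)
    print("could access customer-db:", sorted(who_could_access("customer-db", USER_ROLES, ROLE_SYSTEMS)))
    print("did access customer-db:  ", sorted(who_did_access("customer-db", events)))
    print("unused grants:", unused_grants(USER_ROLES, ROLE_SYSTEMS, events, "2024-02-01T00:00:00Z"))
    print("unmapped access:", unmapped_access(USER_ROLES, ROLE_SYSTEMS, events))
```

Run as-is, the report shows three people who could reach the customer database but only one of them using it through a mapped role, two engineers carrying a grant they never used in the window, and a marketing user touching the customer database with no role that explains it: the three findings (over-provisioning, unused grants, and access outside the plan) that the discovery process exists to surface. In practice the two maps come from your IdP and HR system and the log from the systems themselves or a proxy in front of them; the reconciliation logic does not change.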

Starting the Access Conversation

Even if you have a list of names of employees and systems, tracking and controlling access needs to be granular. That means collaborating across teams—IT, DevOps, HR, Security—to determine how roles should be categorized and how access should be managed for each role. The output should be a readable document that you can share with internal teams and with anyone involved in building your company’s technical infrastructure.

The good news is that you can get started with some simple questions:

  • “Who works here, toward what ends, and how are we all organized?”
  • “How do we solve for the human part of access? Who actually needs access to what?” 
  • “How does access management fit into Active Directory or our existing framework?”

The plan should be reevaluated at a consistent cadence, at least every year, if not quarterly or more, based on your needs. 

Getting Started

Curious about how to get started? We have a few resources to help you down the path: 

  • Download the Role & Access Discovery Workbook - an interactive tool that will help drive the process forward
  • Check out our webinar series on Getting Started with Access Management. The first session is focused on Role and Access Discovery—you can register here

About the Author

, Co-founder / CTO, originally developed empathy for Operations as a founding and pager-carrying member of many operations and data teams. As an Executive, he has led Engineering and Product in high-throughput and high-stakes e-Commerce, financial, and AI products. Justin is the original author of strongDM's core protocol-aware proxy technology. To contact Justin, visit him on Twitter.
