How to automate user access reviews in your ITSM system

Manually tracking access to all your applications across your whole organization is no one’s idea of fun. But it’s way worse than not fun. It’s long-winded, inefficient, and prone to errors, too. And errors aren’t something you can risk in access management.

Using software to automate user access reviews can cut down review time by up to 90%. At the same time, automation tools can improve the accuracy and consistency of your reviews by reducing the scope for human error.

In this article, we’ll look at how you can automate user access reviews in your IT service management (ITSM) system. That way, automation can handle routine tasks while your IT team focuses on the aspects that require human judgment, like evaluating risks or deciding on the right levels of access.

What is a user access review?

A user access review, also known as access certification, is when an IT team regularly checks and verifies the credentials and privileges of their organization’s users. This includes employees, contractors, and business partners.

The goal is to make sure users only have the permissions they need for their role, and to identify and revoke any access that is no longer necessary, justified, or compliant with your security policies. It’s not uncommon to find that employees who have long moved on, or contractors who have finished their work for the company, still have access to critical systems.

It’s also not uncommon to find users who have excessive permissions, going beyond what they actually need to do their job. Companies need to certify access in line with the principle of least privilege, which ensures that users only have the minimum level of access required to do their jobs.

Why are user access reviews so important?

User access reviews are an integral part of an organization's information security program. They help enhance your security posture and reduce the risk of insider threats, data breaches, and cyberattacks.

The user access review process helps alleviate a number of data issues, such as:

  1. Privilege creep: when an employee changes role within the company and receives new privileges, but their old privileges remain, even though they no longer need them. The longer they stay with the company, the more systems they get access to, expanding the number of entry points that a cyberattacker could exploit.
  2. Privilege misuse: when a user with elevated access rights intentionally or unintentionally mishandles data or performs an unauthorized action like installing unapproved hardware or software. Privilege misuse can be accidental, malicious, or the result of policies being wilfully ignored.

The importance of access certification goes beyond security, too. The process helps you improve your governance and compliance with various laws, standards, and frameworks that apply to your industry. By conducting user access reviews, you can demonstrate that your organization has a robust access management process, and that you respect data protection principles and the rights of your employees and partners.

User access reviews also increase the efficiency and productivity of your end users, by ensuring that they have the right level of access to the data and systems they need. This reduces access-related delays like being blocked by unnecessary access restrictions or waiting on approvals.

They increase the efficiency and productivity of your IT staff, too. Regular reviews reduce time spent managing access requests, cut down on excess permissions and redundant licenses that lead to system clutter, and simplify the auditing process.

The problem with manual access reviews

Here’s what a manual access review process typically looks like:

  1. The IT team gathers user reports from administrators and compiles them into a master spreadsheet of all the company’s users, their managers, their access privileges across various applications, and their user activity.
  2. The IT team sends the spreadsheet to managers/reviewers to approve access privileges or suggest changes.
  3. The IT team (probably) reminds the manager several times to do their review.
  4. When the manager comes to do their review, they have to use a macro to filter down the spreadsheet so that only their users are displayed.
  5. The manager evaluates the user activity to look for any unusual access patterns.
  6. The manager decides whether the current permissions are appropriate, and chooses to approve or revoke access.
  7. The manager records their decision by typing “yes/no” or “approve/deny” or by clicking and selecting a field from a dropdown.
  8. The manager sends the spreadsheet back to the IT team.
  9. The IT team acts on managers' responses and updates the spreadsheet to reflect the new privileges.
  10. The IT team deprovisions any users who no longer need access.
  11. The IT team pulls data from the spreadsheet to compile an audit report.
  12. When it comes time for the next user access review, the IT team has to make sure the users listed in the spreadsheet are still active, and the identity of their manager is up to date.

As you can see, this is a labor-intensive and mind-numbing process, especially for organizations with complex permission structures or a large number of users. It can also lead to errors, potentially culminating in privilege creep or privilege misuse and leaving you exposed to cyberattacks.

If you automate your user access reviews, you can speed up the whole process and minimize the risk of security breaches.

Which parts of the access review process should be automated?

Let’s look at that gruelling 12-step manual access review process again, and look at the parts where you can leverage automation.

Manual process | Can this be automated?
Compiling user reports into a master spreadsheet of users, managers, privileges, and user activity | You want your user access review software to automatically pull user and user activity data for all your apps from your single sign-on (SSO) provider, e.g. Azure AD, Okta, or Google Workspace.
Sending the spreadsheet to managers/reviewers |
Reminding the manager to do their review |
Filtering down the spreadsheet so that only the users and permissions relevant to the manager are displayed | Your user access review software should only send reviewers details of the users they need to assess, so that no filtering is needed.
Evaluating user activity | An automation tool can flag unusual access patterns and provide warnings or recommendations. But evaluating the risk is one of the parts of the process where human judgment is required.
Deciding whether to approve or deny access | This is the other part of the process where human judgment is required.
Clicking dropdowns or typing out decisions on approval | Your software should let reviewers click a button.
Sending the review back to the IT team |
Updating list of user accounts and associated privileges |
Deprovisioning any users who no longer need access | As soon as the reviewer makes their decision, your software should automatically deprovision access if necessary.
Compiling audit report |
Keeping list of user accounts and privileges up to date |
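
The automatable steps around the reviewer's decision, as an added example (not from the original article and not Multiplier's code): it groups access grants by reviewer, flags inactive or deprovisioned accounts, and turns decisions into a revocation list plus audit rows. The export fields, the 90-day threshold, and the it-security fallback queue are assumptions.

```python
from collections import defaultdict
from datetime import date

STALE_AFTER_DAYS = 90              # assumed inactivity threshold
FALLBACK_REVIEWER = "it-security"  # assumed queue for grants with no valid reviewer

# Constructed sample export; field names are assumptions, not a real IdP schema.
GRANTS = [
    {"user": "alice", "manager": "dana", "app": "crm", "status": "active", "last_login": "2025-01-28"},
    {"user": "bob", "manager": "dana", "app": "billing", "status": "active", "last_login": "2024-09-01"},
    {"user": "carol", "manager": "erin", "app": "crm", "status": "deprovisioned", "last_login": "2024-12-15"},
    {"user": "dana", "manager": "dana", "app": "billing", "status": "active", "last_login": None},
]

def build_review_packets(grants, today, stale_after_days=STALE_AFTER_DAYS):
    """Group grants by reviewer and attach flags plus a recommendation to each."""
    packets = defaultdict(list)
    for g in grants:
        flags = []
        if g["status"] != "active":
            flags.append("account not active in directory")
        if g["last_login"] is None:
            flags.append("never logged in")
        else:
            idle = (today - date.fromisoformat(g["last_login"])).days
            if idle > stale_after_days:
                flags.append(f"no login for {idle} days")
        # Nobody certifies their own access; unowned grants go to a fallback queue.
        reviewer = g.get("manager")
        if not reviewer or reviewer == g["user"]:
            reviewer = FALLBACK_REVIEWER
        packets[reviewer].append(
            {**g, "flags": flags, "recommendation": "revoke" if flags else "keep"})
    return dict(packets)

def apply_decisions(packets, decisions):
    """Return (grants to revoke, audit rows); undecided grants stay pending."""
    revoke, audit = [], []
    for reviewer, items in packets.items():
        for item in items:
            key = (item["user"], item["app"])
            decision = decisions.get(key, "pending")  # never default to approve
            audit.append((reviewer, *key, item["recommendation"], decision))
            if decision == "revoke":
                revoke.append(key)
    return revoke, audit

if __name__ == "__main__":
    packets = build_review_packets(GRANTS, today=date(2025, 2, 5))
    print(apply_decisions(packets, {("bob", "billing"): "revoke"}))
```

The recommendation is only a hint for the reviewer: nothing is revoked until a decision is recorded, and every grant, decided or not, lands in the audit rows.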

Automating user access reviews in Jira Service Management

Since your IT team spends most of their time working in an ITSM tool like Jira Service Management (JSM), it makes sense to manage user access reviews from within that tool.

Jira Service Management doesn’t come with any user access review functionality out of the box. You can use Jira automation rules to automate some parts of the process, such as an approval workflow, but that’s about it. Native JSM doesn’t help with generating lists of users and access privileges, deprovisioning users, or compiling audit reports.

For that you need the Jira Service Management add-on, Multiplier. Multiplier is an identity governance and user access review tool built especially for JSM. It connects to identity providers like Okta and JumpCloud to automatically generate up-to-date lists of users and access information for reviews. This saves you from having to manually compile and maintain spreadsheets.

Then, Multiplier automatically sends a list of specific users and their associated privileges and user activity to the appropriate reviewer. You can configure the tool to send automated reminders to the reviewer as well, to make sure your reviews are completed on time.

In the review document, Multiplier will flag users who haven’t logged in for a while, and recommend any licenses that could be reclaimed.

A manager can complete their review simply by clicking ✅ or  for each user. Once they have submitted their review, Multiplier will automatically deprovision users who no longer need access, or kick off a revocation workflow in Jira.

Finally, Multiplier will automatically generate audit-ready reports for system and organization controls (SOC) audits, International Organization for Standardization (ISO) audits, and Sarbanes-Oxley Act 2002 (SOX) compliance audits.

Conclusion

You can automate nearly all of the traditionally manual tasks involved in conducting user access reviews. Everything from generating and sending the list of users to deprovisioning privileges to compiling reports can be automated with user access review software.

The only part that can’t be automated is the bit in the middle, where the manager evaluates the user activity and makes the decision to approve or deny. But even then, your software can flag unusual access patterns and make recommendations.

Like Multiplier does. Multiplier allows your access review process to happen in Jira Service Management, so that your IT team can track access in the tool they’re already using for everything IT-related. And better still, it allows the process in JSM to be automated, so that teams don’t waste time tinkering with spreadsheets, sending reminders, or building access reports.

Learn more about how Multiplier can automate user access reviews in your ITSM system, or try the app for free for one month.
