With this user access data assembled and mapped properly, the gatekeeper should work with the data profiler to discuss the criteria and any specific validation logic needed for the profiling activity. Creating mock-up examples of the type of reports or views the gatekeeper would like to see will be very helpful for the profiler. Expect that the gatekeeper and the profiler may run through a few iterations before getting the logic and views to the desired end result. From the profiling, you are looking to produce a relatively simple output that can provide the following types of user access insight:
- Validate the type of privileges the users and groups actually have.
- Are these privileges correctly aligned to their access requirements and allowed capabilities? Are there any unexpected privileges?
- Are there any broader access issues or trends with certain individuals or groups that need to be addressed? It may be that an individual or group was initially assigned the incorrect privileges, or that someone changed roles and their prior privileges are still active, or perhaps that another gatekeeper who controls, for example, the order management privileges, is broadly approving those requests without realizing this also allows access to customer master data.
There could also be other scenarios that can cause inappropriate access assignments, but the point here is to create a process that allows user access assignments to be regularly monitored and audited. These types of views also allow the gatekeeper to fully understand who the users and groups are, where they exist, with what business functions they are associated, and ultimately, to provide the insight needed to make decisions that are necessary to tightly control access to the customer master data.
Table 7.4 provides an example of the type of user access report that can be produced from the profiled data. This type of report can be used to regularly monitor individual and group access capabilities in alignment with their access requirements and allowed capabilities, or can reveal where inappropriate capabilities exist that will need corrective action. In Table 7.4, the darker highlighted cells are used to indicate cases where an individual or group has an access capability that is unexpected or inappropriate. Upon seeing this, the gatekeeper can review the case with the user, manager, or process area data steward to decide what actions to take.
Table 7.4 User Access Report.
The underlying logic and scripts used to generate this type of report should be reusable and should require only minor ongoing maintenance. Make sure that this type of report provides sufficient detail to act on but is still simple enough that the information can be easily shared as needed with the user groups, data stewards, or the governance council.