Identity and access management. Welcome to the Identity at the Center podcast. I'm Jeff and that's Jim. Hey Jim. Hey Jeff, how you doing? I'm good, yourself? Living the dream, baby. I can't believe it's already the middle of June. I know, we had weather in the 70s this week. It was fantastic. Yeah, that was in Georgia, right? And I'm in Chicago, and we had some fantastic weather too, so it's been quite nice. Yeah. You don't get this every year, so you've got to enjoy it while it's here.
Plus we're home because we're not really traveling right now. So, you know, that's even better, I guess. And I spent, you know, 15 of the last 20 years complaining about the amount of traveling I do, and now I'm starting to really miss it. The heart wanders and yearns for the airlines and the delicious airline food. Chicken or steak? I will go with chicken. So today for a topic we have one that's actually listener submitted, from our friend Andrew C.
He writes: "As I was listening to your podcast and doing my current everyday work, I was wondering if you guys would do a podcast on lessons learned from past role mining engagements. Craziest requests, for example having to figure out how to consolidate up to 400,000 role/entitlement combinations, things you could have done differently, and tips for analysts like myself on what to look for or approaches to take." Which I think sounds like an awesome topic.
What do you think? I think it's a great topic. I mean, every client we work with, they want to achieve this vision of RBAC. There are a couple of ways to get there. It's a lot of work. There are a lot of foundational elements, but eventually you end up in this place called role mining, which we're going to get into pretty heavily today. Yeah, and to help us with that conversation, we've brought in another member of the crack Identropy IAM team. He's Helio Gomez.
IAM architect extraordinaire. Welcome, Helio. Hey Jim, Jeff. Thank you for having me. Thanks for joining us. Yeah, thank you very much. Hey, Helio, where are you right now? You're in Florida? I am in Tampa, Florida, just got back here. Okay, so we were wondering what caused the spike in cases. Now we know Jim has been going around licking doorknobs.
Well, I'm glad you're able to join us because, you know, you've been working on this stuff for a long time and I think your insights are going to be very valuable, and hopefully Andrew gets value out of this, and other people who are listening as well. But before we dive into that topic, I just want to make a note that Identiverse started this week. I should be, let's see, today's Thursday actually.
So I was supposed to be flying to London today, because I was going to cut the trip short, because I was supposed to go watch the Chicago Cubs play the St. Louis Cardinals at London Stadium in London, but that has obviously been canceled. So I'm quite disappointed about that at this point, but I would have been in Denver otherwise to attend the conference. But now it's all virtual. So it started this week.
I've listened to a few of the different presentations so far, and it's going pretty well. Jim, have you listened to any yet? I haven't tuned in to anything yet, but I'm definitely planning to. I mean, you know, I love conferences not just for the sessions but for the rubbing elbows. We're not rubbing elbows with people anymore, but I guess we still have the sessions, so I'm gonna get in there and dive in as soon as possible.
Yeah, so check out Ian Glazer. He had one earlier this week and his big pronouncement was that SAML was dead, and I don't want to go into it because I don't want to steal his thunder, but he made some good points around it. I'll give that a little tease in case someone wants to check that out on the Identiverse website. Sounds like we have a topic for a future episode.
So yeah. I mean, I wish he had made that pronouncement right before our last episode, which was with Eve, and we were talking about SAML and kind of why it's so important. Well, that's why it's such an interesting topic, because it's a little bit of a clickbait-y headline. So maybe we should have like a versus episode and get Eve and Ian on at the same time. They can just, you know, duke it out.
They're too much friends with each other to duke it out, though, but it would be an interesting dialogue. I think I'd like to do something like that, yeah. Like a versus, you know, defend your position. Maybe a debate or something like that. That'd be cool. I think, you know, maybe we'll put that out there. If somebody who's listening wants to take part in something like that or has an idea, you know, maybe we can put something together, something like that, with maybe some help from the listeners.
And you know, if that's something that you find interesting, email us at questions@identityatthecenter.com and, you know, we'll see what comes out of it. Speaking of emailing us, we got a really nice note from Craig in New Zealand, from the future. So, needless to say, he's a listener. He's been listening for, you know, the last year or so, which is great.
And we're coming up on our one-year anniversary, and that was a nice thing to hear, to receive, especially when it comes from the future. Yeah, I'm sure you meant it was time-stamped June 19th when he sent it from his home. Yeah. And as it traveled the microseconds to a different time zone, it landed on June 18th. Yes, I don't know what happened. I mean, I read it. What happens to me? Is this like a Back to the Future? Do I disappear from the picture, or have you broken the space-time continuum? That's it.
All right. Well, why don't we get into it? Yeah, I'm ready, man. It's just an exciting topic, so I think we probably ought to start and get Helio started here.
We'll get him talking a little bit. So let's always start with just, what is role mining, Helio? So I think of role mining as really analyzing the entitlements that you have within your identity system across all of your applications, analyzing those, getting a combination of what may possibly be connected based on different features about the user, different attribute sets, and what possibly could be a role.
And then once we take the output of that, we very simply can build our roles off of what we see from the mining. Yes, absolutely. So it's kind of analytics driven, you know, the process to kind of come up with, hey, these combinations of entitlements are held by people who have this in common. So maybe these seven accounts and entitlements belong to 95% of the people who are in the HR department. Would you like to turn this into a role? And then you can apply your human evaluation toward whether or not that's a good idea. Is that what you would say? Absolutely.
Yeah. And what I'd like to do is contrast that with what I call role engineering. And so I consider role mining to be kind of bottoms up, using the data to determine a result.
And when I think of top down role engineering, it's, hey, we know that people fit a grouping of, they work in HR, and we know that everybody who works in HR needs access to these systems and needs this level of access.
So let's create a role so that when somebody new joins HR, we automatically give them that role. Or we start to say that, you know, there are five different types of users that use this application or these sets of applications, and let's create a role that bundles all that access together so that the business users don't have to pick out all the individual entitlements that they need to do their job.
They can just pick one role or two roles. Is that kind of the way you think of it as well? Yeah, absolutely. And one of the interesting things about role mining as well is those roles that you've engineered: when you go and do your role mining analysis, you may find that what you thought was a role that you should engineer really isn't, or what you thought wasn't, should be. It's really taking those two together, like you said, taking your human element and applying that to the output of your role mining. That's really going to be the most beneficial, right?
Actually, RBAC as a discipline is more of an art than a science. Or maybe it's just the combination of the two. You know, I think between role mining and role engineering, the way that I like to describe it is, it's a technical way to create a logical construct: technical in the mining aspects, logical in the engineering of how that would look at a conceptual level. Absolutely.
So, Andrew asked us to point out kind of crazy examples, and he said, you know, you're looking for role mining to actually consolidate 400,000 entitlements, so I guess I'll throw it back to Helio. Is that how role mining works? Does it actually consolidate entitlements? It does to an extent. Really, what I like to think of is how roles are going to function in my system. It's not so much consolidating the underlying entitlements. It's obfuscating them. So you take those groups of entitlements, they might be AD groups or some field in a column in a database or something along those lines, and permission sets of whatever applications. Your typical end user is not going to have any understanding of what that means.
So building your roles is really going to give you that end-user-facing verbiage that's going to be helpful to them to really understand what they're dealing with, what they're requesting, what they're approving, what they're certifying. So building those roles really helps you in that aspect more than anything else, I find. And consolidation, of course, is one of the things that we're going to get from that. We're going to have 400,000 entitlements.
We're going to maybe put those into maybe a hundred thousand roles, or maybe 50 roles, or maybe 500 roles. But really what you're trying to do is make it data that can be consumed by your end user, that can then be used in the other processes that we're going to have in our IAM system. That's really important. I think, you know, an important part of that is wrapping metadata around roles.
So in other words, defining information, a friendly business name or friendly business description around the role, or defining an owner of the role, who gets to decide, you know, be part of the approval process or part of the review process for who gets that role. I want to make another point about roles, because this is kind of one of the internal debates that I have in my head. A lot of our clients, one of the first things we like to do is take a look at their information security policies.
And a lot of times, those clients have the principle of least privilege as one of their security policies, and if taken literally, that means that you don't give somebody access that they don't need. Now, if the system does analysis and tells me that 95% of the people in HR have all these accesses, do you want to give it to the other five percent of people? If I follow least privilege, the answer's no. Really, in essence, 100%, I don't want to do it, because they don't need it, or they would have already asked for it. They're doing their job without it.
So part of me says, if you're following least privilege, don't do that. But then the counter argument to that is, well, should they follow least privilege for every type of access, or is it a burden on the business now to manage access, and really least privilege is more applicable when it comes to privileged access or, you know, powerful access, however we want to define that. And I think that's, you know, I guess where I'm coming down recently is that I think a more appropriate use of the principle of least privilege is to apply it only for privileged access or administrative access. Jeff, what are your thoughts there?
Yeah, I think it's a risk decision, right? If the person doesn't have access to the cafeteria menu and, you know, it's part of the role consolidation, great. If it's somebody who has, you know, admin access to the AWS console, okay, that's totally different, right? So I feel the second way there that you were talking about, Jim. It's more of a risk decision, you know. Don't waste time fighting a battle over something silly and inconsequential, and focus instead on the stuff that makes you either more secure and, you know, reduces risk, or greatly improves the user experience, or ideally all of them, right?
So Helio, with the organizations that you've worked with, how common is it for them to use role mining as a tool, and how is that approached? Is it usually like a whole project around, we're going to do role mining and it's going to take several months, or is it something that just kind of gets ingrained in the operations of things? Well, role mining is really more part of your program than it is like a simple process. So you can't just jump right into role mining and say, hey, we're going to do role mining. You have to lay the foundation there.
So on my projects where we're implementing a new solution, where we have nothing to begin with, role mining is not usually even on the table for those kinds of projects. It's the more mature identity systems that are in place. They've connected to a majority of their applications, at least their heavy-use applications, and they're trying to just move to that next level with their identity process. That's really where we want to get, and that's where we're going to get the role mining type projects.
Now, as far as how many of my projects, at least 75 to 80 percent have that on their roadmap as part of theirs. Now, are we there yet with all of them? No, but we know that that's where we want to get. So once we get all of our applications in, we're definitely looking down that path. So it is a common thing. We all want to get to that perfect RBAC world where we have everything going through roles, but it's not something you're going to get to on the
Right. Yeah. And you know, I feel like sometimes when we have these conversations, we take such an identity and access management consultant perspective to these things. So actually, as you're talking, I was like, we might need to even take a step back and talk about what roles are. Because to me, this is one of those terms that, Jeff and I conduct a lot of workshops together, we get into these conversations, and the word role is used so differently in different organizations.
I think this is one of the topics we discussed in a past podcast, but in terms of RBAC and what we're talking about with roles now, it's kind of, I think, the modern identity governance and administration view of a role, which is that it's a bundle of accounts and entitlements that can span across applications. You know, if you took like an application-centric focus, in other words, you have a centralized IAM system.
That term role still gets used, that I get a role to an application. That's really what we're talking about with role mining: it's combining those types of roles or groups, or I think we've been referring to them as accounts and entitlements, and bundling those into a role within the IGA or IAM system. It's kind of a grouping of accounts and entitlements into a bundle. I guess we use the term bundle, kind of making that up, and that's the role that we're talking about, right?
Jeff, do you have anything to add to that? No, I mean, I think it's, you know, this is nomenclature, right? You have to make sure everyone is speaking the same language. So a role could be an entitlement, you know, within a system. It could also be a collection of entitlements within a system. It can also be a collection of entitlements across different systems, and I don't think there's any right answer, because every organization has a different number of roles, a different number of entitlements, and a different number of applications.
You know, I like to think about it, to make it easier, to start with a top-down type of approach, where, you know, the question becomes much simpler to ask: is the person an employee, or is the person not an employee? That's usually a lot easier to answer, to me, from a role perspective than to say, is this person a level one programmer or a level two programmer, right, or something along those lines.
So I like approaching it from two different angles, because I feel like there are attribute-based roles, which is attribute-based access control, or ABAC, and then there's role-based access control, right? RBAC, which is typically assigned more at the job function or, you know, job family or job group type, and I like to kind of combine the both. I'm an employee as an attribute, who works in Chicago as another attribute, who works in IT, as part of security, right? And the combination of those four different things.
Between those, they give me a collection of entitlements, some based on roles because I'm an employee, some based on roles because I'm in Chicago, and some because I'm part of maybe information security, right? So I think it's important that when you're constructing these, you think about it from what makes sense for the organization. You know, a huge organization with a ton of different departments, locations and, you know, user types, meaning employee, contractor, intern, student. You know, however you make all the different types of people within the organization, that will drive a lot of how complex or not complex your role structure needs to be.
If you need a lot of granularity, a lot of flexibility, you're going to need to drive it to be more, you know, attribute-based, along those lines. And then you start to look at the applications on the bottom up to say, okay, we have this new application and these are the specific permissions or entitlements that go for this specific role, and then you start to do that across applications, etc. So I like to tackle it from both sides, but to me it's easier to start from the top down and figure out what's birthright. What do all employees get? Do non-employees or contractors get the same thing? No? Okay, let's move on to the next one.
Speaking to the nomenclature thing, one thing I found in a lot of projects is the word role, as mentioned, means different things to different people, but when you start talking to administrators, using SAP as an example, what we call an entitlement in the identity management systems, in SAP, that is what they call a role. So in SAP, a role is an entitlement in identity management systems, for the most part. So you really need to set down that this is the jargon we're going to use in this conversation at the beginning. Otherwise everybody will be on a different page, and then to be able to explain the concept, right, here's what we're going for. Are we all on the same page here?
Yeah, I think that's why I was kind of even pointing out, you know, we're using that term. So from a nomenclature standpoint, we're using that term how it's typically used in the IGA space. Jeff mentioned, you know, am I an employee, or am I a programmer level 1, programmer level 2, do I work in the Austin office or in the New York office? Well, I can have multiple, I have different angles of things, of where I work and what role I do within the company. Am I an employee or a contractor? I have multiple roles as well. I think what we're talking about here is, you know, kind of provisioning of access roles. That's kind of how I think within the governance space: bundling accounts and entitlements so that I can be provisioned that access to the end systems.
This is something that I wanted to kick back to Helio, because, you know, you've been spending the last, I don't know how long. Normally we ask all of our guests, Helio, how they got into IAM, and maybe we should ask that of you, but also I wanted to point out that, you know, you've been focused on the SailPoint technology for what, the last decade? I've been working with SailPoint for about six, seven years now. Okay.
And you know, one of the things that I wanted to point out that I run into a lot is, well, first, maybe what you can do for me real quick would be to define, I think they use the terms IT roles and business roles. What's the difference between those two? Yeah. So an IT role is a collection of entitlements. So you have your various AD groups, your SAP roles, privileges from all of your other applications, all combined into an IT role. Whereas a business role is more of a collection of identities, so that could be based off of, to use Jeff's example, you have an employees business role, you have contractors, they're a business role, you have people with the location of Chicago, that's a business role, and Atlanta and Tampa and wherever else.
So your business roles are collections of people, your IT roles are collections of entitlements. You can assign the IT roles to the business roles, and you're going to assign the business roles to the identities. And then the thing about IAM is that there's so many different ways to take all these words, right? That's the way that SailPoint does it. Absolutely. Another IGA vendor does it, who knows, figure it out, right? Now, there is no standard, I don't think, when it comes to that kind of thing, right?
So you have to be able to understand the construct clearly, of what it is you're trying to do, and then how is the technology going to help you get there, right? Whatever they call it. This, you know, the end goal is to provide access to the right person at the right time, you know, for the right systems, and if you do it more efficiently through groupings, right? That's another, you know, sometimes a group is used as the terminology. That's really kind of the end goal.
So here's one thing I wanted to point out. So I want to stay on this SailPoint example, because I'm sure that it works, I know that it works this way. So one thing is, let's say we take that role mining example we talked about for Andrew, where, you know, it runs a data analysis and mines and says, you know, 95% of the people in HR have these three AD groups, would you like to just give that to a hundred percent? You say yes. So now all the people in HR have these three AD groups, and SailPoint considers that an IT role, all right, those three groups. Now, wouldn't it also be true that if I was assigned those three AD groups, SailPoint would also think I'm in that role, even if I acquired those groups by other methods?
Yeah, SailPoint will detect that you have those three AD groups and that you are assigned to that role, which is actually quite helpful. When you come to do, say, a certification, instead of showing the certifier, hey, they have these three AD groups that you have no idea what they actually do, it shows, hey, they have this role. Does that make sense? Now, you can also get to the entitlement level too in a certification if you wanted to, so you could see those. But yes, absolutely, we will in SailPoint detect that you have the role, even if you were not directly assigned the role through like a request or through a birthright.
Nice. I had one client who actually, if that was the case, they collected those three, they bundled those three roles, they would add a fourth element, a fourth entitlement, which was kind of, what we called a fake entitlement, so that it wouldn't be detected, in that it wouldn't be, you know, somebody who got those other three by some other method, not by assignment of the role, it wouldn't be detected by SailPoint as them having that role. Have you ever seen that before? I have not, but I'd be interested in looking at that system. Okay, we have a little bit of homework to go into, because that either makes a lot of sense or it's a terrible idea. I'm not sure. One of the things I'll say is, we get all kinds of different requirements, and sometimes we have to do things a little bit differently. Yeah.
So Helio, I want to shift the conversation to role governance, you know, certification of what a role gives somebody and then who is in the role. What have you seen? What are the typical processes you see with your clients in terms of, you know, what role governance routines are in place? Well, so using the SailPoint example as well, one of the things that we're going to want to do is, to your point, maintain that role.
Like, I build this role through role mining today. That doesn't mean that in months that role is still going to be valid, and in three years it's probably not going to be valid. So there are tools to allow us to do that. We can continue to run the role modeling analysis, analyses, let's go with analyses. So we can continue to run the role mining analyses so that we can validate our roles that way. But we also have the ability to certify the contents of the role.
So we could do what's called a role composition certification, which is typically performed by the role owner. I'll get a list of all the roles that I own and the contents of those roles and say, hey, yeah, we don't need this AD group in this role anymore, because for whatever reason we don't need it. Maybe that application is no longer a thing. It could be that we don't want to give that access to people in HR anymore, but we want to maintain those roles so that we're not proliferating incorrect entitlements to everybody. So that's a very important concept.
Yeah, I think that is a key part, right? Roles change over time. So you need some way and some process to make sure that the contents of that role are still accurate, especially if you're relying on roles to grant access, right? Otherwise, now the mistakes you make are huge. They're macro in nature, right? Oh great, 4,000 people right now have access to something that they shouldn't have access to anymore, because nobody was seeing the role itself and the construction or composition of it. So I think that's a really important thing. This is the reason that I say that your identity system is not a one-off. It's a program. It's a process. You have to keep maintaining it. It's the gift that never dies.
Preach on, brother. Yeah, there's one thing that I think is important, speaking of kind of the governance of roles, is that it's a lot easier to not only create but manage roles if you're cleaning up data as you're going along, right? Getting rid of things that you don't need anymore. AD groups that have no members, you know, roles that don't have any members, things like that. So that's another way to help kind of streamline the system itself, not only from a performance perspective, but from just reducing the quantity of things to manage, is to take a look at the data itself and make sure that you're keeping it clean as you go along, or even before you get into role mining, doing a cleanup exercise first before you start building out roles for things that don't exist, right? I tell a lot of my customers:
Hey, we don't want to do role mining until we've done at least one certification campaign to know that the entitlements the users have now are the right ones. There's no point to mining the wrong entitlements. Yeah, great point. Yeah, the thing I was going to add, you know, I think that you guys just made the point of garbage in, garbage out. That's spot on. I think the other thing is, you know, the business has got to be a part of this.
So if you think that role mining and role engineering can be an IT-only job, or IT-led and the business isn't really taking ownership, it's only going to go so far. I think you can, you know, provision basic access, VPN, email, stuff like that, based on, you know, very simple role patterns. However, if you want to get into, you know, what people do in the business and really making access management more efficient, you've got to get the business involved, and then you've got to get the metadata on the roles right.
You've got to have good descriptions, you've got to have owners for roles, and it's not a once-and-done thing. It's something that's going to have to be revisited pretty often, so it requires a little investment up front. It's like changing the oil in your car, you know, you have to do all the maintenance on your car. You do the maintenance so that the car doesn't blow up.
And I think that's kind of the same principle with role governance. We made the point earlier that you really want the names of the roles, you really want the descriptions of the roles to be right, because those are going to be end-user-facing, that they'd be correct, that people understand what they're doing. No good saying, hey, can you approve access to this? If when I look at it I go, I don't know what that is, okay, approved. I think this is really where a good IAM program manager steps in, because it's the business, it's their data, right? And the technology and the roles and all the stuff that goes around it is typically provided by IT or an IT person, you know, maybe even with them. But there needs to be structure and order to the way things are done.
You know, when I've done role catalogs in the past, for example, you know, I would develop, here is the minimum acceptable level of quality that I will take, you know, for a role name, a role description, you know, anything like that, and if it didn't meet at least, you know, that minimum level of quality, then it would get sent back, right? Either I would work directly with the business and say, hey, we need a better name for this, or, you know, are you sure your users will understand what this means, right? Things like that, rather than just kind of taking the easy way out where you dump all the AD groups, all the AD group names, you know, that are probably not reader-friendly. We don't want FQDNs in there, right? Yeah, exactly. So it gets important, because this is part of this.
The opposite is just as bad. If you just call a role the accounting role or the accounting group, how many times do you see the Accounting group in AD, and then it gets used for so many things that, you know, you're afraid to, or maybe it's called, you know, accounting finance, and like it was basically set up for some project, nobody remembers exactly what it was originally intended for.
But it's been used so many times and now they can't delete it or clean it up or identify an owner, because it's just a mess. So it's been really, all it does is give you access to do your time card. Well, maybe that's what it was originally, and now it's like everybody.
If you don't have the structure and order, I mean, you have to think about how you want to present the data to your users and then tackle it backwards from there, and say, okay, you know, what are the capabilities of the IGA platform that we're using to present this? Or, you know, it could even be in your ITSM tool, right? A lot of organizations may use ServiceNow, for example, to present the request to the user. So you need to take into account what the technology can support, and then design an access catalog that is user-friendly off of that.
But I still feel the business is part of that. Ultimately, they own the roles. They should be part of the sign-off process, as part of, here's what it's going to be named, here's the description, here are the specific permissions associated with that, and then periodically they should be asked to review that to make sure that it's still accurate, you know, maybe it's yearly, you know, maybe it's shorter if it's something that may be privileged access or something, but I don't feel like this is something that, to do it right, is fair to just toss over the IT wall and say, here, IT, you deal with it. The business needs to be part of this process for it to be successful.
Yeah, absolutely. That's right, when everybody agrees. It's also important, you know, I think a lot of organizations want to get to RBAC 100%. It's really hard, right? If it wasn't hard, everyone would be doing it. So I think it's a goal to get there, but I don't think that you should shoot for 100 percent. I think you should shoot for something far more attainable, you know, however you want to define success. And maybe it is at the macro level, like employee or not employee. Yeah. And maybe that's as good as you think is realistic in the first year or maybe even two years, right?
And then from there as your I am program develops, becomes more mature and you're getting all this data back from tools that you've been working on implementing. If you didn't have an IJ system before, you can start to, you know, do some more rolls off that or even attribute-based, you know, will actually cough that. But I don't think 100% is a realistic goal. I think shooting for somewhere on the lines of, you know, 80%
Percent is good. Enough is a good Target to hit because you what you don't want to do is spend an inordinate amount of time trying to, you know, address a 5% problem, right? Or even, well, I think it's a program manager. My attitude would be all right for the it rolls. I need to, I need to get this,
right? I need to have this, be the gold, the gold standard, and then I have to create a capability so that the business can also You know, come up the level of gold standard, but I'm not going to drag them Kicking and Screaming into the are back future. If they're satisfied with, you know, doing entitlements are going through. The Grog don't want to invest the time. Then you know, my My Philosophy
at all. This is that I tease responsibility is to provide the tools and provide the processes so that business can manage access. I think by having to go Center having the tools and having a process for, you know creating roles and assigning roles. And recertifying roles you're doing, your job is and I am a program manager. Drying, people, kicking screaming is not going to work or not going.
If they're not taking us seriously, you're fighting a losing battle and you're going to get into that area where they just think of somebody else's job. And it's not like I say it's a lot easier to dance with two. Dance Partners than just one. Yeah, the other thing that you don't want to do to go back to Andrew sees question, we had 400,000 entitlements. We don't want to get so granular with our roles that we end up having five hundred thousand
rolls to maintain. Yeah, that's a great point. There has to be some level of. Hey, this is, this is what we want to maintain, and if we get to to granular with it, that we're going to have a role for every entitlement. And then some roles for every other thing, And then you end up with 500. 600 700 thousand rolls to maintain and you just made a bigger mess for yourself. Yes.
I don't believe that but it's so many of the organizations that we work with and I go in and ask them how many 80 groups they have? It's more than the number of users that they have really what? That tells it and I'm trying to security groups not just distribution lists. That tells me that they've got a lot of groups that somebody created. Nobody loves. Nobody cares about Emily's. Keeping them know. You feels like they own them and
that's a problem. If you get in the same position with rolls, you just going to create another nightmare scenario and that's where our cleanup campaigns come into place, whether it's through access certifications or whether it's through. Just looking at the groups and say Hey, Nobody's in these groups do we actually need our is really going to help Nets hurt. You got to do that up front. Gotta get that, gotta put in the legwork, to get to where you want to get.
I kind of always felt to that with cleanup campaigns. There's some cleanup that you should just do even before you put in, I am system and then there's other clean up that the IM system through the certification campaigns. For example, can really help you out with, but some of the things like just cleaning up, all the empty adgroups doesn't seem like you need an expensive. I am system to do that. You can just go through and clean them up. Yep. Yet. Here's a script to go, pull back.
All the groups that have no members and, and if you have an attribute on the ad group, for owner, And half of them are empty. You know go through and start filling them in otherwise we can even send the kid. Who you gonna send the recertification campaign to? Yeah, absolutely. Having that ownership level whether it's just for certification campaigns or it's for Access reviewer. Access request having an owner
up front in a river. Whatever other application we're talking about is very, very helpful. Yeah. It's usually one of the first things that, you know, gets asked, as you know. Okay, who owns this This right, and no time like the present to figure out who owns it because you're gonna need it down the road anyway. So it's a, it's a cheap easy way to get started. Might not be, maybe not be easy,
if you have a lot of them. But you know, it's a cheap way to get started right look through, figure out who owns it, you know, assigned, de-facto ownership, if there isn't any historical record, maybe it's based off a ticket, whoever requested it, you know, becomes the owner.
And then everything to is maintaining that ownership to over the over the group, for example, if someone leaves your organization, You know, I had a role in the past where if an owner left their manager would receive would become ownership inherit it automatically, until they decided to, you know, who they wanted to go out, get it to that way. We always had an owner and for a given group or given entitlement, and if we can't figure out who the owner is, it's Jim. That's right.
Senate Senator Jim, we'll figure it out. First in the Mailroom, just pick the person who runs the mailroom and assign it to them. All right. Did we cover everything that that we Want to cover today. Feel like they covered a lot of ground. I hope we answered Andrews question. Yeah, I hope that Andrew feels that way so I'm sure he'll let us know if not. It will be happy to tackle it again. Absolutely. All right, well I think we're going to go ahead and leave it
there for now. Is there any final words of wisdom that Helio you? Or Jim wanna bring up before we wrap up? I'm not a very wise person. No, just thanks to everybody. Who's been listening is sending out. Mel, you know that likes the show or questions and keep them coming, because it makes it really easy to figure out what to talk about when we get these types of notes, really appreciate it and it's more interesting for you because we're talking about what you
want to talk about. So rather than, you know, Jim and I put our heads together, you know, we'd rather talk about things that are important to folks out there. So be sure to take advantage of that email questions at identity at the center.com, or look, Jim or II.
Up on LinkedIn and she just a note there, you know, we're happy to engage and, you know, we're in the I am world just like a hope most of the folks listening, you know, here are so we appreciate it and I think with that, we're going to go ahead and call it a wrap and hope everyone stays happy and healthy and we'll talk with you all in the next one. You've been listening to the identity of the center podcast for more episodes of visit identity at the center.com.
