Attribute-Bound EDW Access
Situation
Current state
- Users are provisioned with access to specific EDW (Enterprise Data Warehouse) domains by identity (identity-bound).
- Access is authorized by the business data steward, processed by Security, and implemented by DBAs.
- Access provisioning and deprovisioning require substantial management.
Future state
- Convert from identity-bound access to attribute-bound access.
- Access authorizations are bound to attributes and attribute combinations rather than identities.
- Triggers provision and deprovision access daily, based on the attribute-binding table, without human intervention.
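
The daily provisioning and deprovisioning run described above, as an added example (not code from the original page or the project it describes). The binding-table layout, attribute names, user ids and domain names are assumptions, and the sample data is constructed.

```python
from typing import NamedTuple

class Binding(NamedTuple):
    domain: str          # EDW domain this binding grants
    required: frozenset  # (attribute, value) pairs that must ALL match

def entitled(attrs, bindings):
    """Domains whose binding is fully satisfied by a user's attributes."""
    pairs = set(attrs.items())
    # An empty binding would match every user, so skip it (fail closed).
    return {b.domain for b in bindings if b.required and b.required <= pairs}

def reconcile(users, bindings, grants):
    """One daily run: return (to_grant, to_revoke) as sets of (user, domain).

    users:  user id -> attribute dict from the HR feed (current staff only)
    grants: (user, domain) pairs this job created earlier. Assumption:
            steward-approved individual grants are tracked separately
            and are never touched here.
    """
    desired = {(u, d) for u, a in users.items() for d in entitled(a, bindings)}
    return desired - grants, grants - desired

# Constructed sample data; every name below is hypothetical.
BINDINGS = [
    Binding("FINANCE", frozenset({("dept", "Finance")})),
    Binding("CLINICAL", frozenset({("dept", "Quality"), ("role", "Analyst")})),
    Binding("HR", frozenset()),  # misconfigured row: no attributes required
]
USERS = {
    "avega": {"dept": "Finance", "role": "Analyst"},   # new hire, day one
    "bchen": {"dept": "Quality", "role": "Analyst"},   # moved out of Finance
    "dlopez": {"dept": "Quality", "role": "Manager"},  # half a combination
}
GRANTS = {("bchen", "FINANCE"), ("cpatel", "FINANCE")}  # cpatel left the feed

if __name__ == "__main__":
    to_grant, to_revoke = reconcile(USERS, BINDINGS, GRANTS)
    for user, domain in sorted(to_grant):
        print(f"GRANT  {domain} TO   {user}")
    for user, domain in sorted(to_revoke):
        print(f"REVOKE {domain} FROM {user}")
```

Because the run only revokes grants it created itself, access approved individually by a data steward is left alone while attribute-derived access follows the HR feed.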
Objectives
- Streamline and automate access request process.
- Strengthen binding between business rules and controls.
- Automate provisioning and deprovisioning for commonly-held access.
Results
- Removal of at least 37% of labor, benefiting requestors, data stewards, Security and DBAs.
- Employees with authorized attribute bindings receive day one access without a request.
- Access is automatically deprovisioned when employee attributes change.
- Assured connection of business objectives and access provision.
- Reduced process variability.
Tom Deaderick