Idea ID: 2780498

Review/Compare permissions provisioned by IDM with actual/current permissions from the application

Status: Accepted

IG integrated with IDM "knows" the permissions provisioned by IDM to a connected system like ADS down to the entitlement value. If the connected system is also an application source in IG, it should be possible to compare the permissions granted by IDM with the actual/current state in the application (including manually granted permissions or the ones granted before the IDM system was in place).


  • I would even design a more generic feature in IDG where:

    1. The catalog can be fed with the real (effective) permissions being granted in each app (this is already part of IDG) --> "AS-IS" situation

    2. The catalog (or a second catalog) can be fed with desired permissions to grant in each app (output of role model etc.) --> "SHOULD-BE" situation

    3. A comparison tool would list all discrepancies and offer capabilities in:

    - reporting any difference between AS-IS and SHOULD-BE

    - orchestrate review campaigns focused on such differences

    - propose to add missing permissions to roles (add-on to the role-mining capability)

    - add an indicator to the dashboard showing the percentage of assigned permissions that are effective but not (yet) part of the SHOULD-BE

    (this KPI typically starts high, e.g. 60%, and should go down to less than 1% as maturity grows and IDM/IG deployment takes control of applications)

    My 2 cents...

    Jacques Forster (IGA architect)
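As an added example (not code from the idea post, the commenter, or the product), the following reconciliation routine shows the AS-IS vs SHOULD-BE comparison and the dashboard KPI described above in working form. The application name, accounts and group names are constructed sample data, not values from any real deployment.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# One (account, entitlement) pair per effective or provisioned grant, keyed by
# application. The sample data further down is constructed for this example.
Grants = Dict[str, FrozenSet[Tuple[str, str]]]

@dataclass(frozen=True)
class Discrepancy:
    app: str
    account: str
    entitlement: str
    kind: str  # "not_in_should_be": effective but unprovisioned; "missing": provisioned but absent

def reconcile(should_be: Grants, as_is: Grants) -> List[Discrepancy]:
    """List every AS-IS vs SHOULD-BE difference, per application and account."""
    findings: List[Discrepancy] = []
    for app in sorted(set(should_be) | set(as_is)):
        desired = should_be.get(app, frozenset())
        effective = as_is.get(app, frozenset())
        # Granted out of band (manually, or before IDM took control): review-campaign target.
        for acct, ent in sorted(effective - desired):
            findings.append(Discrepancy(app, acct, ent, "not_in_should_be"))
        # Provisioned by IDM but no longer effective in the application: provisioning drift.
        for acct, ent in sorted(desired - effective):
            findings.append(Discrepancy(app, acct, ent, "missing"))
    return findings

def unmanaged_ratio(should_be: Grants, as_is: Grants) -> float:
    """Dashboard KPI: fraction (0.0-1.0) of effective grants not yet part of SHOULD-BE."""
    effective_total = sum(len(grants) for grants in as_is.values())
    if effective_total == 0:
        return 0.0
    unmanaged = sum(1 for d in reconcile(should_be, as_is) if d.kind == "not_in_should_be")
    return unmanaged / effective_total

# Constructed sample: what IDM provisioned to the directory ("ADS") ...
SHOULD_BE: Grants = {
    "ADS": frozenset({("alice", "CN=Finance-Readers"), ("bob", "CN=Finance-Readers"),
                      ("bob", "CN=VPN-Users")}),
}
# ... versus the group memberships actually read back from the directory.
AS_IS: Grants = {
    "ADS": frozenset({("alice", "CN=Finance-Readers"), ("alice", "CN=Payroll-Admins"),
                      ("bob", "CN=Finance-Readers"), ("carol", "CN=Finance-Readers")}),
}

if __name__ == "__main__":
    for d in reconcile(SHOULD_BE, AS_IS):
        print(f"{d.app}: {d.account} / {d.entitlement} -> {d.kind}")
    print(f"unmanaged KPI: {unmanaged_ratio(SHOULD_BE, AS_IS):.0%}")  # prints 50%
```

With the sample data, alice's Payroll-Admins and carol's Finance-Readers memberships surface as out-of-band grants and bob's missing VPN-Users membership as drift, giving a KPI of 50% that should fall as IDM takes control of more grants.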