Attribute-Bound EDW Access

Situation
Current state

  • Users are provisioned with access to specific EDW (Enterprise Data Warehouse) domains by identity (identity-bound).

  • Access is authorized by the business data steward, processed by Security, and implemented by DBAs.

  • Access provisioning & deprovisioning requires substantial management.

Future state

  • Convert from identity-bound access to attribute-bound access.

  • Access authorizations are bound to attributes and attribute combinations rather than identities.

  • Triggers provision and deprovision access daily, based on the attribute-binding table, without human intervention.
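
A sketch of one daily reconciliation pass against an attribute-binding table, added here as an illustration and not taken from the project described on this page. The attribute names, domain names, users and the function names `entitled` and `reconcile` are all assumptions constructed for the example.

```python
from typing import NamedTuple

class Binding(NamedTuple):
    required: frozenset  # (attribute, value) pairs that must ALL match
    domain: str          # EDW domain the combination authorizes

def entitled(attrs, bindings):
    """Domains authorized by a user's current attributes."""
    have = frozenset(attrs.items())
    # Fail closed: an empty rule would otherwise match every user.
    return {b.domain for b in bindings if b.required and b.required <= have}

def reconcile(hr_feed, bindings, current_grants):
    """One daily pass: return (grants, revokes) as lists of (user, domain)."""
    grants, revokes = [], []
    # Include users who hold grants but left the feed, so they are revoked.
    for user in sorted(set(hr_feed) | set(current_grants)):
        want = entitled(hr_feed.get(user, {}), bindings)
        have = current_grants.get(user, set())
        grants += [(user, d) for d in sorted(want - have)]
        revokes += [(user, d) for d in sorted(have - want)]
    return grants, revokes

# Constructed sample data (hypothetical attributes, domains and users).
BINDINGS = [
    Binding(frozenset({("department", "Finance")}), "FINANCE"),
    Binding(frozenset({("department", "Finance"), ("job_role", "Analyst")}), "GL_DETAIL"),
    Binding(frozenset({("department", "HR")}), "WORKFORCE"),
    Binding(frozenset(), "ALL_DOMAINS"),  # malformed rule, must never match
]
HR_FEED = {
    "alice": {"department": "Finance", "job_role": "Analyst"},  # day-one hire
    "bob": {"department": "HR", "job_role": "Recruiter"},       # moved from Finance
}
CURRENT_GRANTS = {"bob": {"FINANCE"}, "carol": {"WORKFORCE"}}   # carol left the feed

if __name__ == "__main__":
    to_grant, to_revoke = reconcile(HR_FEED, BINDINGS, CURRENT_GRANTS)
    for user, domain in to_grant:
        print(f"GRANT  {domain} -> {user}")
    for user, domain in to_revoke:
        print(f"REVOKE {domain} <- {user}")
```

Because the pass iterates over the union of the attribute feed and the existing grants, a user who drops out of the feed loses every attribute-bound domain on the next run.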

Objectives

  1. Streamline and automate the access request process.

  2. Strengthen binding between business rules and controls.

  3. Automate provisioning and deprovisioning for commonly held access.

Results

  • Removal of at least 37% of labor, benefiting requestors, data stewards, Security and DBAs.

  • Employees with authorized attribute bindings receive day-one access without a request.

  • Access is automatically deprovisioned when employee attributes change.

  • Assured connection between business objectives and access provisioning.

  • Reduced process variability.