Enterprise-scale organizations employ large numbers of internal users, with different access requirements spanning large numbers of systems, directories and applications. The dynamic nature of modern enterprises demands that organizations efficiently and securely provision and deactivate systems access to reflect rapidly changing user responsibilities.
This document introduces a strategy for large-scale enterprise user administration. This strategy complements the traditional role-based approach with user-issued security requests combined with periodic audits.
Using this approach, new privileges are granted to users in response to user-entered requests, rather than being predicted by an automatic privilege model. Excessive user privileges are periodically identified and cleaned up using a distributed, interactive user rights review and certification process.