How to Improve Access Request Approvals and Avoid Rubberstamping?

Asked By CuriousMind99 On

I'm curious about how others are managing the issue of access request approvals just being rubberstamped. In our process, both the supervisor and the application/data owner need to sign off on access requests, but we're noticing that many just approve them without much thought. When we try to educate them on making more informed decisions, we often hear that they don't really understand what they're approving, so they just go with trust.

The requests come from our access management tool, SailPoint, which tries to be clear, but can still be quite technical. For example, it might look like this: "Application = LAN; Operation = Add; Access Level = Read and Write; LAN Folders = \\servername\sharename" or "Add: PowerBI-Peopletools-Accounts-Payable, 'provides view access to the accounts payable Power BI peopletools workspace.'"

I believe that the owners of these systems need a better grasp of basic concepts, like what a LAN folder is. They should understand the systems they oversee and how their staff uses them, so they can judge whether a request makes sense. It can be frustrating; while we're suggesting that approvers use the request tool to ask for more info, many prefer the simple 'approve' option and avoid back-and-forth clarification.

With thousands of groups to navigate, how can we make things more straightforward for approvers so they truly understand what they're approving? Any tips or strategies would be greatly appreciated!

5 Answers

Answered By TechieTom33 On

It's definitely a tricky situation! That request format sounds complicated, and it makes sense that approvers would feel overwhelmed if it’s geared towards IT staff instead of the general user. I try to frame requests in simple language, imagining if someone completely non-technical, like my mom, were reading it. Keeping it clear might help them understand better.

SkepticalSam -

I totally get that! Making technical language more user-friendly would be a game changer.

Answered By WittyApprovedWriter On

Haha, reminds me of a sales manager I worked with who approved everything without question. I once asked why a request was made for an Apple Watch, hoping for some business justification, and all I got was an 'approved.' My boss shot that down immediately.

Answered By FrustratedDataGuy On

Honestly, I just stopped getting involved. It's not our job to be the gatekeepers for data that we don’t own. If business units decide on approvals, we simply act on that. We do provide annual audits to those approvers to check for any missed changes, but it's their call at the end of the day.

CautiousCathy -

Exactly! This isn't just a tech issue—it's about human responsibility and security. Maybe HR should oversee the approvals?

Answered By ProcessReformAdvocate On

The crux is understanding what value these approvals bring. If it's to reduce costs, maybe finance should handle it. If record-keeping is the goal, the request management system might suffice on its own. When approvals turn into mere formality, it indicates that the process needs a serious overhaul.

Answered By WhatAboutMe On

This issue should really fall on the requester. SailPoint allows for comments on requests, so I think they should be required to explain why they need high-level access in the first place. That way, approvers can make informed decisions.

OnPointObservations -

Absolutely! If approvers push back for clarification, it’ll help everyone in the long run.
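
Two suggestions from the answers above, plain-language wording and a required requester comment, can be combined in a small pre-processing step before a request reaches the approver. The sketch below is an added example, not code from any poster and not SailPoint's API; the function names, the phrase table and the five-word minimum are assumptions, and the input is the request string format quoted in the question.

```python
import re

# Request string in the format quoted in the question (path is a placeholder).
RAW = r"Application = LAN; Operation = Add; Access Level = Read and Write; LAN Folders = \\servername\sharename"

# Constructed plain-language phrasings; not taken from SailPoint.
ACCESS_PHRASES = {
    "read": "open and view files in",
    "read and write": "open, change, add and delete files in",
}
# Only "Add" appears on the page; any other operation is sent to IT review.
OPERATION_PHRASES = {"add": "be given"}

def parse_request(raw):
    """Split 'Key = Value; Key = Value' into a dict with lower-cased keys."""
    fields = {}
    for part in raw.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    return fields

def approver_summary(raw, requester, justification):
    """Return (ready, text). ready is False when the request should not
    be shown to the approver yet."""
    f = parse_request(raw)
    missing = [k for k in ("application", "operation", "access level") if k not in f]
    if missing:
        return False, "Cannot summarise: missing " + ", ".join(missing)
    # Assumed rule: a usable reason has at least five words.
    if len(re.findall(r"\w+", justification or "")) < 5:
        return False, f"Returned to {requester}: explain why this access is needed."
    verb = OPERATION_PHRASES.get(f["operation"].lower())
    phrase = ACCESS_PHRASES.get(f["access level"].lower())
    if verb is None or phrase is None:
        return False, "Unrecognised operation or access level: needs IT review."
    if "lan folders" in f:
        target = "the shared folder " + f["lan folders"]
    else:
        target = "the application " + f["application"]
    text = (f"{requester} is asking to {verb} permission to {phrase} {target}.\n"
            f"Reason given: {justification}\n"
            "Approve only if this matches the work they do for you.")
    return True, text

if __name__ == "__main__":
    print(approver_summary(RAW, "J. Doe", "I process supplier invoices stored in this folder")[1])
```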
