I've noticed a frustrating trend with access request approvals in my organization. While we require supervisors and data owners to sign off on requests, many simply approve without truly considering the implications. It seems like they automatically trust the requestor without understanding what they're saying 'yes' to. We've tried to educate them on making better decisions, but they often reply that the requests are too technical or confusing, which leads to them rubberstamping approvals without insight.
For context, our access management tool (SailPoint) generates requests that look something like this:
- Application = LAN; Operation = Add; Access Level = Read and Write; LAN Folders = \\servername\sharename
- Add: PowerBI-Peopletools-Accounts-Payable, "provides view access to the accounts payable Power BI peopletools workspace"
Many approvers aren't familiar with basic concepts like LAN folders or specific system functionalities. When requests come in that may not be relevant to their team's role, supervisors should ideally have enough knowledge to judge the appropriateness of those requests. We do have a feature that allows approvers to ask for more details from requestors, but they often prefer to avoid the back-and-forth and want instant clarity. With thousands of groups and various applications, simplifying approval messaging while ensuring understanding seems nearly impossible.
How have others handled this issue effectively? What strategies or tools have you used to ensure that approvers engage meaningfully with the requests?
7 Answers
That approval format can definitely feel overwhelming, especially for those who aren't tech-savvy. It seems to cater more to IT admins than general users. I try to simplify things by imagining how I'd explain it to someone outside tech. If my mom can get it, then it's good enough!
I just got tired of pushing back on this issue. At the end of the day, we're not the gatekeepers for data we don’t own. All we can do is act on what the business delegates to us and run regular audits to review access rights.
Right? It should be someone else's responsibility to ensure that approvers do their jobs correctly. Maybe HR or the security team should take charge of that.
Could I get domain admin access just like that?
Haha, this happens a lot! We have a firewall with geoblocking. If someone gets blocked, we just unblock them immediately—what's the point really?
I once had a sales manager who would sign 'approved' on every request without question. A guy even asked for an Apple Watch just because. I pushed back saying no, while his supervisor was just hitting 'approve' blindly!
You have to wonder what value there is in having someone sign off if they’re just going to rubberstamp it anyway. If it's just to maintain records, then maybe the request should be enough without a sign-off. Clearly, there's a process issue here that needs fixing.
I believe the onus should be on the requestor. If SailPoint allows comments justifying requests, require them to clearly explain their need for access. Maybe you can enforce that so approvers get all the context they need before hitting 'approve'.
Agreed! Having requestors provide justification would really help the approvers understand the requests better.

Absolutely! Simplifying the language can make a huge difference. We need to bridge the gap for non-tech folks.
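
The two suggestions in this thread (plain-language wording and a mandatory justification) can be combined in a pre-approval step. The sketch below is an added example, not part of any post above and not SailPoint code or its API: it parses the `Key = Value;` request line quoted in the question and either produces an approver-facing summary or sends the request back. The function names, wording table, requestor name and minimum justification length are assumptions.

```python
# Constructed plain-language wording per access level (an assumption, not SailPoint data).
# The boolean marks levels that allow modifying data.
LEVELS = {
    "read": ("open and read files", False),
    "read and write": ("open, change, add and delete files", True),
}

def parse_request(line):
    """Split 'Key = Value; Key = Value' into a dict with lower-cased keys."""
    fields = {}
    for part in line.split(";"):
        key, sep, value = part.partition("=")
        if sep and key.strip():
            fields[key.strip().lower()] = value.strip()
    return fields

def approver_summary(line, requestor, justification, min_words=5):
    """Return (ready, text); ready is False when the request must go back."""
    f = parse_request(line)
    missing = [k for k in ("application", "operation", "access level") if not f.get(k)]
    if missing:
        return False, "Incomplete request, missing: " + ", ".join(missing)
    if len(justification.split()) < min_words:
        return False, "Returned to requestor: say what the access is needed for."
    level = f["access level"].lower()
    # Never guess at an operation or level this table cannot describe.
    if f["operation"].lower() != "add" or level not in LEVELS:
        return False, "Cannot describe this request in plain language: needs IT review."
    can_do, risky = LEVELS[level]
    target = f.get("lan folders") or f["application"]
    text = (f"{requestor} wants access to {target}. "
            f"With it they can {can_do}. Reason given: {justification}")
    if risky:
        text += " NOTE: this allows changing or deleting data, not just viewing it."
    return True, text

if __name__ == "__main__":
    # Request line in the format quoted in the question; requestor and reasons are constructed.
    sample = (r"Application = LAN; Operation = Add; Access Level = Read and Write; "
              r"LAN Folders = \\servername\sharename")
    print(approver_summary(sample, "J. Doe", "Covering month-end close for the AP team"))
    print(approver_summary(sample, "J. Doe", "need it"))
```

Requests with an unrecognised operation or access level are deliberately not summarised, so an approver never sees a friendly sentence for something the wording table does not actually cover.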