Identity and Access Management Programme

Manish Garg · Associate of (ISC)² · RingSafe
Apr 26, 2026
4 min read

Last updated: April 29, 2026

IAM as a programme — identity sources, JML lifecycle, role design, access reviews, SoD, service accounts, metrics. Why IAM tooling fails without process.

An NCR pharmaceutical company spent ₹2.4 crore on a Saviynt IAM rollout. Two years later, the access-review reports were 600 pages long, managers signed off without reading, and a quarterly audit revealed 312 ex-employees still had AD accounts, including one terminated developer who had accessed source-code repositories the previous month. IAM isn't a tool problem; it's a process problem with a tool layer. This module covers IAM as a programme: identity sources, lifecycle, access governance, and the operational discipline that keeps it real.

What IAM actually covers

  • Identity — who is this person/service/device? Stored in an identity provider (IdP)
  • Authentication — proving the identity (covered separately)
  • Authorisation — what is this identity allowed to do?
  • Lifecycle — joiner, mover, leaver (JML) — the part that actually fails
  • Access governance — periodic review, certification, attestation
  • Privileged access management (PAM) — separate module; for admin / break-glass identities

Identity sources — the architecture decision

For a typical Indian enterprise:

  • HRIS (Workday / SAP SuccessFactors / Darwinbox) — system of record for employees
  • Active Directory / Entra ID — identity store + auth target
  • SaaS apps — get identities via SCIM provisioning from IdP
  • Customer / partner identities — separate B2B/CIAM IdP (often Auth0, Okta CIC, or Entra External ID)

The single non-negotiable principle: HRIS is the source of truth for employee state. A termination in HRIS must propagate within minutes to AD, every SaaS app, the VPN, and any other system holding access. The 312 ex-employees existed because Saviynt was reconciling against AD, and AD was not fed from HRIS: de-provisioning depended on a manual step that was being skipped, so the governance tool faithfully certified stale state. An access-governance tool can only be as correct as the identity source it reads.

Joiner / mover / leaver (JML)

Joiner

  • Manager request → HRIS record → IdP account → birth-right access (email, intranet, baseline SaaS)
  • Role-based access pack provisioned automatically (not manual ticket-per-app)
  • Day-1 readiness: laptop encrypted, MFA enrolled, conditional-access tested

Mover

  • Department transfer → re-evaluate role-based access; old access removed (often skipped)
  • Project changes → time-bound access grants, not permanent
  • This is where access accumulates (“entitlement creep”) — the leading IAM debt source

Leaver

  • Termination event in HRIS → IdP account disabled within 15 minutes (target: real-time)
  • SaaS de-provisioning via SCIM
  • Mailbox forwarding for 90 days; data archived
  • Service accounts owned by the leaver: reassigned to a named current owner; any shared or static credential the leaver knew is rotated
  • Hardware tokens, smart cards, badges — recovered

Role-based access at scale

Roles are how you scale access without per-user decisions:

  • Birthright role — every employee gets it (email, intranet, baseline)
  • Job-function roles — Engineering, Sales, Finance, etc.
  • Department roles — narrower, e.g., “AP Clerk” gets specific SAP T-codes
  • Project / time-bound roles — auto-expiring

The mistake: starting with too many roles. Begin with 30-50 broad roles covering 80% of needs. Refine over 12-18 months. A “role explosion” with 2000 micro-roles is unmaintainable and indistinguishable from per-user provisioning.

Access reviews / certification

Quarterly access reviews are the auditor-visible part. They are usually theatre. Make them real:

  • Manager certifies the team’s access — not 600-page batch dumps but per-person access lists with risk-flagging
  • Risk-prioritised — privileged accounts and toxic combinations reviewed monthly; standard access quarterly
  • Toxic-combination detection — e.g., a person with both “create vendor” and “approve invoice” SAP transactions = SoD violation
  • Attestation with consequences — non-completion blocks access for the manager too
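The toxic-combination check above, and the "block at provisioning" variant the remediation section describes, both reduce to the same set arithmetic: expand each user's roles (plus any direct grants) into effective entitlements, then test whether any defined toxic set is fully held. The following is an added example for this module, not code from the page, from Saviynt or from SAP; the role names, entitlement labels such as "SAP:CreateVendor", and the sample users are constructed, and the real toxic pairs must be defined with Finance and Internal Audit.

```python
"""Segregation-of-duties (toxic-combination) detection over role-based access.

Added example for this module, not code from the page or from Saviynt or SAP.
Role names, entitlement labels (e.g. "SAP:CreateVendor") and the sample users
are constructed; define the real toxic pairs with Finance and Internal Audit.
"""

# Roles bundle entitlements; a user's effective access is the union of their
# roles plus any direct grants (the usual source of entitlement creep).
ROLE_DEFS = {
    "Birthright":  {"M365:Email", "Intranet:Read"},
    "AP Clerk":    {"SAP:CreateVendor", "SAP:PostInvoice"},
    "AP Approver": {"SAP:ApproveInvoice"},
    "Treasury":    {"SAP:RunPaymentRun"},
}

# Entitlement sets that one person must never hold together, with the reason.
TOXIC_COMBINATIONS = {
    frozenset({"SAP:CreateVendor", "SAP:ApproveInvoice"}): "create vendor + approve invoice",
    frozenset({"SAP:ApproveInvoice", "SAP:RunPaymentRun"}): "approve invoice + release payment",
}

# Constructed sample: rahul moved from AP Clerk to AP Approver and kept the old
# role (a classic mover failure); priya received a direct grant outside any role.
SAMPLE_ASSIGNMENTS = {
    "asha":  ["Birthright", "AP Clerk"],
    "rahul": ["Birthright", "AP Clerk", "AP Approver"],
    "priya": ["Birthright", "AP Approver"],
}
SAMPLE_DIRECT_GRANTS = {"priya": {"SAP:RunPaymentRun"}}


def effective_entitlements(assignments, role_defs, direct_grants=None):
    """Expand role assignments (plus direct grants) into per-user entitlement sets."""
    direct_grants = direct_grants or {}
    effective = {}
    for user, roles in assignments.items():
        ents = set()
        for role in roles:
            ents |= role_defs[role]
        ents |= set(direct_grants.get(user, ()))
        effective[user] = ents
    return effective


def find_violations(entitlements_by_user, toxic=TOXIC_COMBINATIONS):
    """Review-time detection: {user: [reason, ...]} for every fully held toxic set."""
    violations = {}
    for user, ents in entitlements_by_user.items():
        hits = [why for combo, why in toxic.items() if combo <= ents]
        if hits:
            violations[user] = hits
    return violations


def would_violate(current, requested, toxic=TOXIC_COMBINATIONS):
    """Provisioning-time check: reasons the request would complete a toxic set.
    An empty list means the grant is clean and can be auto-approved."""
    after = set(current) | {requested}
    return [why for combo, why in toxic.items() if requested in combo and combo <= after]


def audit_sample():
    """Run both checks over the constructed data (used by the module self-test)."""
    eff = effective_entitlements(SAMPLE_ASSIGNMENTS, ROLE_DEFS, SAMPLE_DIRECT_GRANTS)
    return find_violations(eff), would_violate(eff["asha"], "SAP:ApproveInvoice")


if __name__ == "__main__":
    existing, blocked = audit_sample()
    print("existing SoD violations:", existing)
    print("asha -> SAP:ApproveInvoice would be blocked for:", blocked)
```

Two design points worth noting. Detection runs over effective entitlements, not role names, because a violation can be assembled from two individually clean roles or from a direct grant that bypasses the role model entirely; and the provisioning-time check is the same predicate evaluated before the grant lands, which is what turns a quarterly finding into a blocked request.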

The pharmaceutical remediation

After the audit:

  • HRIS-to-AD real-time sync via Saviynt connector — termination propagates in <15 min
  • Quarterly review redesigned: per-manager dashboard with 20-50 reviews max, risk-scored
  • Toxic SoD combinations defined; violations blocked at provisioning
  • Quarterly orphan-account hunt — accounts with no HRIS owner = automatic disable
  • Service-account inventory built; each service account has a named human owner

Subsequent audit: zero ex-employee active accounts. Quarterly review completion: 96% on-time. Toxic-combination violations: 4 (down from 41).

Service / non-human identities

In most mature environments, service accounts outnumber human accounts, often by 10:1 or more, and they rarely go through JML. Each must have:

  • Named human owner (not a team mailbox)
  • Documented purpose
  • Rotation cadence for any static credential, or better, a workload identity (managed identity / federated token) so there is no static credential to rotate or leak
  • Quarterly review of usage — unused = decommission

Indian compliance mapping

  • RBI Cyber Security Framework — JML, periodic access review and segregation of duties are explicitly required IAM controls
  • SEBI CSCRF — IAM and PAM mandatory for Q-RE / MII
  • DPDP §8(5) — reasonable security includes IAM controls
  • ISO 27001:2022 A.5.15-A.5.18, A.8.2-A.8.5 — IAM control family
  • Internal financial controls (IFC) under the Companies Act 2013 — the SOX-like requirement for Indian listed companies; SoD violations in financial systems get flagged by the statutory auditor

Common pitfalls

  • Buying an IAM tool and treating the rollout as IT-led without HR + business engagement
  • Skipping role design; making the IAM tool replicate per-user chaos
  • Reviews that go to overloaded managers who rubber-stamp
  • Service accounts owned by a team mailbox such as “[email protected]” whose humans have rotated 5 times, so nobody can answer for what the account does
  • No metrics — number of orphans, time-to-deprovision, review completion rate, SoD violations

Try this in your environment

  1. Pull every account in your IdP. Cross-check against HRIS. How many orphans?
  2. Time the last 5 employee terminations. From HRIS termination to AD-disabled — how many minutes / hours / days?
  3. Pick a leaver from 6 months ago. Are they still in any SaaS? (Search Slack, GitHub, Salesforce, etc.)
  4. Inventory service accounts. How many have no living human owner?
  5. Review the last quarterly access certification. How many were completed in <30 seconds per user? (That’s rubber-stamping.)
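The five checks above are mechanical once you have three exports in hand: the IdP account list, the HRIS employee list, and the certification log with per-item timestamps. The script below is an added example for this module, not code from the page or from any IdP or HRIS product; the record layouts are assumed (map your own CSV or API output onto them), timestamps are ISO 8601, the 30-second rubber-stamp threshold and 50% flagging ratio are illustrative, and every sample row is constructed. It computes orphans (check 1), HRIS-termination-to-disable lag (check 2), ownerless service accounts (check 4) and rubber-stamping reviewers (check 5); check 3 is a per-SaaS search that depends on each product's API.

```python
"""IAM hygiene checks over constructed IdP / HRIS / certification exports.

Added example for this module, not code from the page or from Saviynt,
Workday, Entra ID or any named product. Record layouts are assumed; map your
own exports onto them. All sample rows below are constructed.
"""
from datetime import datetime


def _ts(s):
    """Parse an ISO 8601 timestamp, or return None for an empty field."""
    return datetime.fromisoformat(s) if s else None


# --- constructed sample data --------------------------------------------------
HRIS = [  # system of record: one row per employee
    {"emp_id": "E100", "status": "active",     "terminated_at": None},
    {"emp_id": "E101", "status": "terminated", "terminated_at": "2026-03-02T09:00:00"},
    {"emp_id": "E102", "status": "terminated", "terminated_at": "2026-02-10T17:30:00"},
    {"emp_id": "E103", "status": "active",     "terminated_at": None},
]
IDP = [  # IdP export: humans carry emp_id, service accounts carry a human owner
    {"account": "asha",        "type": "user",    "emp_id": "E100", "owner": None,   "enabled": True,  "disabled_at": None},
    {"account": "rahul",       "type": "user",    "emp_id": "E101", "owner": None,   "enabled": False, "disabled_at": "2026-03-02T09:11:00"},
    {"account": "dev.old",     "type": "user",    "emp_id": "E102", "owner": None,   "enabled": True,  "disabled_at": None},
    {"account": "contractor7", "type": "user",    "emp_id": "E999", "owner": None,   "enabled": True,  "disabled_at": None},
    {"account": "svc-backup",  "type": "service", "emp_id": None,   "owner": "E102", "enabled": True,  "disabled_at": None},
    {"account": "svc-ci",      "type": "service", "emp_id": None,   "owner": "E103", "enabled": True,  "disabled_at": None},
]
CERT_LOG = [  # one row per certification decision: item opened vs. decided
    {"reviewer": "mgr.a", "subject": "asha",   "opened_at": "2026-04-01T10:00:00", "decided_at": "2026-04-01T10:00:08"},
    {"reviewer": "mgr.a", "subject": "priya",  "opened_at": "2026-04-01T10:00:08", "decided_at": "2026-04-01T10:00:12"},
    {"reviewer": "mgr.a", "subject": "vikram", "opened_at": "2026-04-01T10:00:12", "decided_at": "2026-04-01T10:00:20"},
    {"reviewer": "mgr.b", "subject": "meera",  "opened_at": "2026-04-01T11:00:00", "decided_at": "2026-04-01T11:03:10"},
    {"reviewer": "mgr.b", "subject": "arjun",  "opened_at": "2026-04-01T11:03:10", "decided_at": "2026-04-01T11:05:00"},
]


def _hris_index(hris):
    return {row["emp_id"]: row for row in hris}


def is_live(emp_id, hris_idx):
    """True only if HRIS knows this person and says they are active."""
    row = hris_idx.get(emp_id)
    return row is not None and row["status"] == "active"


def find_orphans(idp, hris):
    """Enabled human accounts with no live HRIS owner: unknown to HRIS, or terminated."""
    idx = _hris_index(hris)
    return [a["account"] for a in idp
            if a["type"] == "user" and a["enabled"] and not is_live(a["emp_id"], idx)]


def deprovisioning_lag_minutes(idp, hris):
    """HRIS termination -> IdP disable, in minutes; None means still enabled (open)."""
    idx = _hris_index(hris)
    lags = {}
    for a in idp:
        row = idx.get(a["emp_id"]) if a["type"] == "user" else None
        if row and row["status"] == "terminated":
            term, dis = _ts(row["terminated_at"]), _ts(a["disabled_at"])
            lags[a["account"]] = (dis - term).total_seconds() / 60 if (dis and not a["enabled"]) else None
    return lags


def ownerless_service_accounts(idp, hris):
    """Service accounts whose named owner is missing from HRIS or has left."""
    idx = _hris_index(hris)
    return [a["account"] for a in idp if a["type"] == "service" and not is_live(a["owner"], idx)]


def decision_speed(cert_log, threshold_s=30):
    """Per reviewer: (decisions faster than threshold_s, total decisions)."""
    stats = {}
    for row in cert_log:
        secs = (_ts(row["decided_at"]) - _ts(row["opened_at"])).total_seconds()
        fast, total = stats.get(row["reviewer"], (0, 0))
        stats[row["reviewer"]] = (fast + int(secs < threshold_s), total + 1)
    return stats


def rubber_stampers(cert_log, threshold_s=30, min_fraction=0.5):
    """Reviewers who decided at least min_fraction of their items under threshold_s."""
    return sorted(r for r, (fast, total) in decision_speed(cert_log, threshold_s).items()
                  if fast / total >= min_fraction)


if __name__ == "__main__":
    print("orphans:", find_orphans(IDP, HRIS))
    print("termination -> disable lag (min):", deprovisioning_lag_minutes(IDP, HRIS))
    print("ownerless service accounts:", ownerless_service_accounts(IDP, HRIS))
    print("rubber-stamping reviewers:", rubber_stampers(CERT_LOG))
```

Run it on real exports and the four numbers it prints are the first four metrics from the pitfalls list (orphans, time-to-deprovision, review quality, ownerless service accounts); a still-enabled account of a terminated employee shows up both as an orphan and as an open lag, which is exactly the 312-account failure the case study opened with.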

IAM done well makes the difference between “we knew the moment they left” and “we found out 14 months later from an auditor.” The tool is necessary; the programme is what works.
