Application entitlements are commonly driven by group membership. Groups can be split across data sources, nested, or even built dynamically. Without a common view of entitlements in a flattened structure consumable by IGA systems, the process of attestation becomes significantly more complex.
Groups split across multiple repositories need to be consolidated along with a correlated view of the user identities. The view can be structured with changes to the underlying identity repositories, ensuring that entitlements can be easily unified for importing into IGA systems. The associated global profile of the user also ensures that the IGA system is operating off a common set of user attributes.
Nested groups pose a complex challenge for IGA systems. A nested structure does not reflect all users associated with a specific entitlement in a single list. The nested structure may also be many levels deep, causing a high processing cost for multiple levels of recursion.
Once the groups are flattened into a unified list, IGA systems can determine entitlements based upon a single group without needing manual or complex work to identify all members in the nested structure.
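The following sketch shows one way to flatten nested groups that span two repositories into a single member list per entitlement. It is an added example, not code from any product this page describes; the directory names, group names, data layout and correlation table are constructed assumptions.

```python
# Constructed sample data: two directories, each mapping group -> members.
# A member is ("user", account_id) or ("group", (source, group_name)).
SOURCES = {
    "ad": {
        "app-finance": [("group", ("ad", "fin-analysts")),
                        ("group", ("ldap", "contractors-fin")),
                        ("user", "ad:jdoe")],
        "fin-analysts": [("user", "ad:asmith"), ("group", ("ad", "fin-leads"))],
        # fin-leads nests fin-analysts again: a cycle the walk must survive.
        "fin-leads": [("user", "ad:bwong"), ("group", ("ad", "fin-analysts"))],
    },
    "ldap": {
        "contractors-fin": [("user", "uid=jdoe"), ("user", "uid=kpatel")],
    },
}

# Constructed correlation table: source-specific account -> global identity.
CORRELATION = {"ad:jdoe": "jdoe", "uid=jdoe": "jdoe", "ad:asmith": "asmith",
               "ad:bwong": "bwong", "uid=kpatel": "kpatel"}


def flatten(source, group, sources=SOURCES, correlation=CORRELATION):
    """Return sorted global identities holding `group`, directly or via nesting."""
    members, seen, stack = set(), set(), [(source, group)]
    while stack:  # iterative walk, so nesting depth cannot exhaust the call stack
        key = stack.pop()
        if key in seen:
            continue  # already expanded: covers cycles and diamond-shaped nesting
        seen.add(key)
        src, name = key
        for kind, ref in sources.get(src, {}).get(name, []):
            if kind == "group":
                stack.append(ref)  # may point into another repository
            else:
                # Accounts with no correlation entry are kept under their raw id.
                members.add(correlation.get(ref, ref))
    return sorted(members)


def flatten_all(sources=SOURCES):
    """Build the flat view: one member list per group, keyed as 'source/group'."""
    return {f"{s}/{g}": flatten(s, g, sources) for s, groups in sources.items() for g in groups}


if __name__ == "__main__":
    for entitlement, users in flatten_all().items():
        print(entitlement, users)
```

Because members are resolved to a global identity before being added, a user who appears in both repositories is listed once per entitlement, which is what an attestation reviewer needs to see.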
In situations where groups representing unified entitlements across identity repositories do not exist, groups need to be built dynamically from the underlying sources—without requiring changes to the data or the creation of other repositories of manually synchronized data.