Identity Governance and Administration (IGA): Who may do what, and why?
Identity Governance and Administration (IGA) manages digital identities, their access rights and the lifecycle of both: Joiner/Mover/Leaver processes, Role-Based Access Control (RBAC), access reviews (regular revalidation of permissions), Segregation of Duties (SoD, the dual-control principle enforced at the system level), recertification campaigns and an audit trail for compliance. Products include SailPoint IdentityNow, Saviynt, One Identity and Microsoft Entra ID Governance.
Identity Governance answers the questions every company must be able to answer: Who has access to what? Why does this person have that access? Is it still needed? Without IGA, "permission ghost towns" emerge: rights accumulated over years that nobody checks anymore.
Joiner-Mover-Leaver Process
The identity lifecycle covers three critical events:
Joiner (New Hire)
When HR records a new hire, the IGA process is triggered automatically. Template-based role assignment ensures that a new "Sales Trainee" holds the standard permissions of that role on the first working day: email, Teams, CRM read access and other role-specific rights. An approval workflow has the manager confirm the assignment, so every grant is traceable to a decision rather than to a default.
Mover (Transfer/Role Change)
When an employee changes departments, the HR action triggers the IGA process again. Permissions of the previous role are revoked and those of the new role are granted. A short overlap of at most one to two weeks is acceptable for the handover, but the old rights must carry an expiry date so they disappear without anyone having to remember them.
Common mistake, privilege creep: in practice the mover often keeps all old permissions alongside the new ones. After three transfers the person holds the combined permissions of every department they passed through. This creeping accumulation is one of the most common security issues in long-established IT environments.
Leaver (Departure)
When employment ends, the IGA leaver process must fire immediately. On the last working day the account is disabled, not deleted, because the audit trail and archived email must be retained. Final deletion follows after 30, 60 or 90 days, as the retention policy dictates.
The offboarding checklist includes:
- AD account disabled
- Exchange mailbox converted to a shared mailbox
- VPN access blocked
- MFA tokens revoked
- SSH keys removed
- PAM accounts deactivated
- External SaaS access (Salesforce, GitHub, etc.) removed
- Active sessions and refresh tokens revoked (disabling the account does not end sessions that are already established)
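The three lifecycle events above, as an added example that is not part of the original page and not the code of any IGA product: a small Python engine that applies joiner, mover and leaver events, reproduces the privilege-creep mistake when asked to (`additive=True`), and produces the "Leavers with Active Accounts" report. The role templates, the system names in `OFFBOARDING_SYSTEMS`, the `disable_hook` connector stub and the HR events are all constructed for the illustration.

```python
from dataclasses import dataclass, field

# Constructed role templates for the example (entitlements as "system:right").
ROLE_TEMPLATES = {
    "Sales Trainee":    {"mail:mailbox", "teams:standard", "crm:read"},
    "Junior Sales":     {"mail:mailbox", "teams:standard", "crm:read",
                         "crm:write-own", "erp:create-quote"},
    "Accounting Clerk": {"mail:mailbox", "teams:standard", "erp:create-payment"},
}
# Target systems the leaver process must disable (the offboarding checklist).
OFFBOARDING_SYSTEMS = ("ad", "exchange", "vpn", "mfa", "ssh", "pam", "saas")


@dataclass
class Identity:
    user: str
    role: str
    status: str = "active"                            # active | disabled
    role_grants: set = field(default_factory=set)     # owned by the lifecycle
    direct_grants: set = field(default_factory=set)   # individually approved, kept on move
    accounts: dict = field(default_factory=dict)      # system -> still enabled?
    log: list = field(default_factory=list)           # audit trail of lifecycle events

    @property
    def entitlements(self):
        return self.role_grants | self.direct_grants


class Lifecycle:
    """Hypothetical JML engine; disable_hook stands in for the system connectors."""

    def __init__(self, disable_hook=None):
        self.identities = {}
        # Connector stub: returns True if the target system disabled the account.
        self.disable_hook = disable_hook or (lambda user, system: True)

    def joiner(self, user, role, day):
        ident = Identity(user, role, role_grants=set(ROLE_TEMPLATES[role]),
                         accounts={s: True for s in OFFBOARDING_SYSTEMS})
        ident.log.append((day, "joiner", role, sorted(ident.role_grants)))
        self.identities[user] = ident
        return ident

    def mover(self, user, new_role, day, additive=False):
        """Correct behaviour replaces the old role grants; additive=True reproduces
        the privilege-creep mistake in which the old grants are kept."""
        ident = self.identities[user]
        old, new = ident.role_grants, set(ROLE_TEMPLATES[new_role])
        removed = set() if additive else old - new
        added = new - old
        ident.role_grants = (old | new) if additive else new
        ident.role = new_role
        ident.log.append((day, "mover", new_role,
                          {"removed": sorted(removed), "added": sorted(added)}))
        return removed, added

    def leaver(self, user, day):
        """Disable everywhere and drop all grants; the record stays for the audit trail."""
        ident = self.identities[user]
        ident.status = "disabled"
        ident.role_grants, ident.direct_grants = set(), set()
        for system in OFFBOARDING_SYSTEMS:
            ident.accounts[system] = not self.disable_hook(user, system)
        still_enabled = [s for s, on in ident.accounts.items() if on]
        ident.log.append((day, "leaver", still_enabled))
        return still_enabled

    def leavers_with_active_accounts(self):
        """The audit report from the text: an empty result means compliant."""
        return {u: [s for s, on in i.accounts.items() if on]
                for u, i in self.identities.items()
                if i.status == "disabled" and any(i.accounts.values())}

    def privilege_creep(self):
        """Active users whose role grants exceed their current role template."""
        return {u: sorted(i.role_grants - ROLE_TEMPLATES[i.role])
                for u, i in self.identities.items()
                if i.status == "active" and i.role_grants - ROLE_TEMPLATES[i.role]}


if __name__ == "__main__":
    # Constructed HR feed; the SaaS connector is simulated to fail so the report is not empty.
    iga = Lifecycle(disable_hook=lambda user, system: system != "saas")
    iga.joiner("alice", "Sales Trainee", "2026-01-05")
    iga.mover("alice", "Accounting Clerk", "2026-03-01")
    iga.joiner("bob", "Junior Sales", "2026-01-05")
    iga.mover("bob", "Accounting Clerk", "2026-04-01", additive=True)
    iga.leaver("alice", "2026-06-30")
    print("privilege creep:", iga.privilege_creep())
    print("leavers with active accounts:", iga.leavers_with_active_accounts())
```

The split between `role_grants` and `direct_grants` is the design point: a mover must replace what the old role gave without silently deleting individually approved exceptions, and the leaver must clear both. A connector that fails to disable an account is surfaced by the report rather than swallowed.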
Role-Based Access Control (RBAC) and Role Mining
RBAC Hierarchy
RBAC follows the principle: User → Role → Permission. A structured example for Sales:
"Junior Sales" role:
- CRM: Read and Write (own deals)
- ERP: Create quotes
- Email and Teams: Standard
"Senior Sales" role:
- All of Junior’s permissions
- CRM: Read all deals (not just their own)
- ERP: Approve discounts up to 15%
"Sales Manager" role:
- All of Senior’s permissions
- CRM: Reports and Admin
- ERP: Approve discounts up to 30%
- Read personnel files (own employees)
Role Mining
Role mining analyzes the permissions users already hold and derives candidate roles from recurring patterns. The IGA tool detects: "These 50 users all hold the same 10 rights, so that is a candidate role." Role mining is the starting point for introducing RBAC into grown environments; each candidate still needs a business owner to confirm that the pattern is intended and not privilege creep that many users happen to share.
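The role hierarchy from the Sales example and the role-mining idea, as an added example (not code from the original page or from any IGA product): `effective_permissions` resolves User → Role → Permission up the inheritance chain, collapses inherited numeric limits such as the 15% and 30% discount approvals to the highest one, and refuses cyclic hierarchies; `mine_roles` clusters users with identical entitlement sets into candidate roles and proposes a parent for any candidate whose set is contained in a larger one. The `ROLES` table and the sample assignments are constructed for the illustration, and the permission strings are my own naming.

```python
from collections import defaultdict

# Constructed role hierarchy from the text: role -> (parent role, permissions of its own).
ROLES = {
    "Junior Sales":  (None, {"crm:read-own", "crm:write-own", "erp:create-quote",
                             "mail:standard", "teams:standard"}),
    "Senior Sales":  ("Junior Sales", {"crm:read-all", "erp:approve-discount:15"}),
    "Sales Manager": ("Senior Sales", {"crm:reports", "crm:admin",
                                       "erp:approve-discount:30", "hr:read-own-team"}),
}


def consolidate_limits(perms):
    """Permissions with a numeric limit ('erp:approve-discount:15' and ':30')
    collapse to the highest limit so an inherited lower limit does not linger."""
    plain, limits = set(), {}
    for p in perms:
        head, _, tail = p.rpartition(":")
        if tail.isdigit():
            limits[head] = max(limits.get(head, 0), int(tail))
        else:
            plain.add(p)
    return plain | {f"{h}:{v}" for h, v in limits.items()}


def effective_permissions(role, roles=ROLES):
    """Walk User -> Role -> Permission up the inheritance chain; refuse cycles."""
    perms, seen = set(), []
    while role is not None:
        if role in seen:
            raise ValueError(f"cycle in role hierarchy: {' -> '.join(seen + [role])}")
        seen.append(role)
        parent, own = roles[role]
        perms |= own
        role = parent
    return consolidate_limits(perms)


def mine_roles(assignments, min_users=2):
    """Role mining: group users holding an identical entitlement set; every
    group with at least min_users becomes a candidate role. A candidate whose
    permissions are a proper subset of a larger candidate is proposed as its
    parent, giving an RBAC hierarchy. Users in no group are returned as
    outliers that need a manual look (often privilege creep)."""
    groups = defaultdict(list)
    for user, perms in assignments.items():
        groups[frozenset(perms)].append(user)
    candidates = sorted(((p, sorted(u)) for p, u in groups.items() if len(u) >= min_users),
                        key=lambda c: (len(c[0]), sorted(c[0])))
    mined = []
    for perms, users in candidates:
        parent = next((r for r in reversed(mined) if r["permissions"] < perms), None)
        mined.append({
            "name": f"Mined-{len(mined) + 1}",
            "permissions": perms,
            "parent": parent["name"] if parent else None,
            "own": set(perms - parent["permissions"]) if parent else set(perms),
            "users": users,
        })
    covered = {u for r in mined for u in r["users"]}
    return mined, sorted(set(assignments) - covered)


if __name__ == "__main__":
    print(sorted(effective_permissions("Sales Manager")))
    junior = ROLES["Junior Sales"][1]
    senior = junior | ROLES["Senior Sales"][1]
    # Constructed assignments: three juniors, two seniors, one user with an extra right.
    mined, outliers = mine_roles({"u1": junior, "u2": junior, "u3": junior,
                                  "u4": senior, "u5": senior, "u6": senior | {"crm:admin"}})
    for r in mined:
        print(r["name"], "parent:", r["parent"], "own:", sorted(r["own"]), "users:", r["users"])
    print("outliers:", outliers)
```

Exact-match clustering is the simplest form of mining; commercial tools use frequent-itemset methods that also find partial overlaps. The outlier list is where the interesting findings sit: a user who matches no candidate either has a legitimate one-off role or has accumulated rights nobody designed.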
Segregation of Duties (SoD)
SoD prohibits combinations of permissions that would let one person bypass the dual-control principle:
| Incorrect | Correct |
|---|---|
| Same user creates and approves an order | Request (User A) → Approval (User B) |
Typical SoD conflicts that IGA must detect and prevent automatically:
- Accounting: create payment and approve payment
- Purchasing: create supplier and approve order
- IT: create admin accounts and audit security for the same systems
IGA enforces SoD automatically: a detected conflict blocks the second grant. An override requires an additional approval by someone other than the requester and a documented justification, and the exception stays visible in the next access review.
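The preventive and detective sides of SoD enforcement, as an added example (not code from the original page or from any IGA product). `request_grant` blocks a grant that would complete a toxic pair unless a documented override from someone other than the requester is supplied; `detective_scan` finds users who already hold a toxic pair, for instance because a right was granted directly in the target system and bypassed IGA. The `SOD_RULES` matrix and the entitlement names are constructed for the illustration.

```python
from dataclasses import dataclass, field

# Constructed SoD matrix: (entitlement A, entitlement B, conflict description).
SOD_RULES = [
    ("erp:create-payment",  "erp:approve-payment", "Accounting: create and approve payment"),
    ("erp:create-supplier", "erp:approve-order",   "Purchasing: create supplier and approve order"),
    ("ad:create-admin",     "siem:audit-security", "IT: create admin accounts and audit security"),
]


def conflicts_for(entitlements, rules=SOD_RULES):
    """Descriptions of every toxic pair fully contained in the entitlement set."""
    held = set(entitlements)
    return [desc for a, b, desc in rules if a in held and b in held]


@dataclass
class SoDEngine:
    rules: list = field(default_factory=lambda: list(SOD_RULES))
    holdings: dict = field(default_factory=dict)      # user -> set of entitlements
    exceptions: list = field(default_factory=list)    # documented overrides

    def request_grant(self, user, entitlement, override=None):
        """Preventive control: reject a grant that would complete a toxic pair.
        override = {"approver": ..., "justification": ...} lets it through as a
        documented exception; self-approval and empty justifications are refused."""
        current = self.holdings.setdefault(user, set())
        new_conflicts = [c for c in conflicts_for(current | {entitlement}, self.rules)
                         if c not in conflicts_for(current, self.rules)]
        if not new_conflicts:
            current.add(entitlement)
            return {"granted": True, "conflicts": []}
        valid_override = (override is not None and override.get("justification")
                          and override.get("approver") not in (None, user))
        if not valid_override:
            return {"granted": False, "conflicts": new_conflicts}
        current.add(entitlement)
        self.exceptions.append({"user": user, "entitlement": entitlement,
                                "conflicts": new_conflicts, **override})
        return {"granted": True, "conflicts": new_conflicts, "override": override}

    def detective_scan(self):
        """Detective control: users already holding toxic pairs without a
        documented exception (typically rights granted outside IGA)."""
        documented = {(e["user"], c) for e in self.exceptions for c in e["conflicts"]}
        findings = {}
        for user, held in self.holdings.items():
            open_conflicts = [c for c in conflicts_for(held, self.rules)
                              if (user, c) not in documented]
            if open_conflicts:
                findings[user] = open_conflicts
        return findings


if __name__ == "__main__":
    eng = SoDEngine()
    eng.request_grant("carol", "erp:create-payment")
    print(eng.request_grant("carol", "erp:approve-payment"))                    # blocked
    print(eng.request_grant("carol", "erp:approve-payment",
                            override={"approver": "cfo", "justification": "month-end cover"}))
    # Constructed finding: a pair granted directly in AD and the SIEM, never through IGA.
    eng.holdings["dave"] = {"ad:create-admin", "siem:audit-security", "mail:mailbox"}
    print(eng.detective_scan())
```

The preventive check alone is not enough: a right granted in the target system behind IGA's back never passes through `request_grant`, which is why the reconciliation scan exists and why documented exceptions are matched by (user, conflict) rather than suppressed wholesale.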
Access Reviews (Revalidation)
Why Access Reviews?
- Continuously prevent privilege creep
- Meet compliance requirements: ISO/IEC 27001:2022 A.5.18 (access rights) and A.8.2 (privileged access rights), SOX, GDPR, NIS2
- Maintain least privilege during ongoing operations
Review Types
Manager Reviews (most common form): The manager reviews the access rights of all direct reports. The key question: “Does this employee still need this right?” Frequency: semi-annually; quarterly for critical systems. Actions: confirm, revoke, or delegate.
Owner Reviews: The application owner reviews all users of their application. The question: “Why does this user have this right in my app?” Particularly suitable for application-specific reviews.
Role Reviews: Checking who is a member of a privileged group (Domain Admins, Exchange admins, etc.). Frequency: monthly for privileged roles.
Automated Reviews: Automatic detection of disabled or locked-out accounts that still hold rights, and of users with Leaver status whose access survived offboarding.
Review Process in the IGA Tool
- Campaign created: "Q3 2026 Access Review"
- Reviewer receives email: "You need to review 23 access rights"
- Self-service portal: confirm, revoke, or comment
- Escalation: after 7 days without action → automatic reminder
- No action after 14 days → auto-revoke (fail-safe: a review nobody answers never silently confirms access)
- Final report: e.g., 98% of rights confirmed, 23 revoked
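The campaign steps above as one added example (not code from the original page or from any IGA product): a campaign object that computes each reviewer's workload for the notification mail, records confirm/revoke decisions, runs the 7-day reminder and 14-day auto-revoke clock, reroutes any item where the reviewer would certify their own access to that reviewer's manager, and produces the final percentages. The sample items, the manager map and the dates are constructed; the reminder and revoke thresholds are parameters.

```python
from datetime import date

# Constructed campaign input: (reviewer, user, entitlement) triples and a manager map.
SAMPLE_ITEMS = [
    ("alice", "bob",   "crm:admin"),
    ("alice", "carol", "erp:approve-discount:30"),
    ("alice", "alice", "crm:admin"),          # reviewer would certify her own access
    ("dan",   "erin",  "vpn:access"),
]
MANAGER_OF = {"alice": "frank"}
DECIDED = {"confirm": "confirmed", "revoke": "revoked"}


class Campaign:
    """Hypothetical access-review campaign with reminder and fail-safe auto-revoke."""

    def __init__(self, name, items, start, manager_of=None, remind_after=7, revoke_after=14):
        self.name, self.start = name, date.fromisoformat(start)
        self.remind_after, self.revoke_after = remind_after, revoke_after
        manager_of = manager_of or {}
        self.items = []
        for reviewer, user, entitlement in items:
            # Nobody certifies their own access: reroute to the reviewer's manager.
            if reviewer == user:
                reviewer = manager_of[reviewer]
            self.items.append({"reviewer": reviewer, "user": user, "entitlement": entitlement,
                               "state": "pending", "reminded": False, "comment": None})

    def workload(self):
        """Per-reviewer count for the mail 'You need to review N access rights'."""
        counts = {}
        for it in self.items:
            if it["state"] == "pending":
                counts[it["reviewer"]] = counts.get(it["reviewer"], 0) + 1
        return counts

    def decide(self, index, action, comment=None):
        it = self.items[index]
        if it["state"] != "pending":
            raise ValueError("item already decided")
        if action not in DECIDED:
            raise ValueError("action must be confirm or revoke")
        if action == "revoke" and not comment:
            raise ValueError("a revoke needs a comment for the audit trail")
        it["state"], it["comment"] = DECIDED[action], comment

    def tick(self, today):
        """Run the escalation clock: reminder at remind_after days, auto-revoke at revoke_after."""
        elapsed = (date.fromisoformat(today) - self.start).days
        reminded, revoked = set(), []
        for it in self.items:
            if it["state"] != "pending":
                continue
            if elapsed >= self.revoke_after:
                it["state"] = "auto-revoked"          # fail-safe: silence never confirms
                revoked.append((it["user"], it["entitlement"]))
            elif elapsed >= self.remind_after and not it["reminded"]:
                it["reminded"] = True
                reminded.add(it["reviewer"])
        return {"reminded": sorted(reminded), "revoked": revoked}

    def report(self):
        counts = {s: sum(1 for it in self.items if it["state"] == s)
                  for s in ("confirmed", "revoked", "auto-revoked", "pending")}
        counts["confirmed_pct"] = round(100 * counts["confirmed"] / len(self.items), 1)
        return counts


if __name__ == "__main__":
    c = Campaign("Q3 2026 Access Review", SAMPLE_ITEMS, "2026-07-01", MANAGER_OF)
    print("workload:", c.workload())
    c.decide(0, "confirm")
    c.decide(1, "revoke", comment="moved to Marketing")
    print("day 7:", c.tick("2026-07-08"))
    print("day 14:", c.tick("2026-07-15"))
    print("report:", c.report())
```

Two checks in the code are easy to forget in a real campaign: the self-review reroute (a reviewer who certifies their own privileged group membership is no review at all) and the mandatory comment on a revoke, which is what later answers the auditor's "why was this removed".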
IGA Products at a Glance
| Product | Positioning | Strengths |
|---|---|---|
| SailPoint IdentityNow (Cloud) / IdentityIQ (On-Prem) | Market leader (Gartner MQ), for 2,000+ employees | AI-based role mining, very comprehensive |
| Saviynt Security Manager | Mid-market and enterprise | Cloud-native, combines IGA and PAM, good application governance |
| One Identity Manager | Microsoft-centric environments | Developed in Germany, GDPR-oriented, strong AD/Entra ID integration |
| Microsoft Entra ID Governance | Microsoft shops (access reviews and PIM come with Entra ID P2; the full feature set is a separate Entra ID Governance license) | Native in Entra ID/M365, cost-effective, but limited to identities and applications connected to Entra ID |
Microsoft Entra ID Governance in Detail
Entra natively offers access packages (entitlement management), access reviews directly in Entra ID, PIM (Privileged Identity Management) for just-in-time activation of privileged roles, and expiration dates on assignments:
A sample access package called "Finance Access" bundles the SharePoint Finance site, a Power BI workspace and the SAP Finance app into a single package that the requester's manager must approve. After 90 days the assignment expires automatically and must be requested again.
Compliance Evidence with IGA
IGA provides concrete, auditable documents for audits:
ISO/IEC 27001:2022 A.8.2 (privileged access rights):
- Evidence of who has privileged rights (IGA report)
- Access reviews: Documentation of the last four quarters
- SoD: Which conflicts were prevented or handled?
SOX (for publicly traded companies):
- Complete audit trail for financial system access
- Separation of Financial Duties fully verifiable
- 100% auditable, zero exceptions without documentation
GDPR:
- Data minimization: only necessary rights to personal data
- Access reviews demonstrate the removal of unnecessary access rights
- Justification: why does User X have access to customer data?
NIS2 (Art. 21):
- Access management explicitly named as a mandatory measure
- IGA documentation for security-critical systems and privileged rights
Typical Audit Questions and IGA Answers
Question: "Who had access to customer data in January 2026?" IGA answer: export of all entitlements that were in force during that period. This shows who could access the data; who actually did has to come from the application's own access logs or the SIEM, correlated with the IGA export.
Question: "Do former employees still have active accounts?" IGA answer: the "Leavers with Active Accounts" report; an empty result means compliant.
Question: "Were rights revoked after a department transfer?" IGA answer: the mover log, listing the old rights removed and the new rights assigned, each with a timestamp and the HR event that triggered it.