---
title: Key considerations
description: To get started with Identity Governance, evaluate several key areas to ensure a successful implementation. A successful strategy involves defining your goals, understanding your environment, and planning for automation and continuous improvement.
component: pingoneaic
page_id: pingoneaic:identity-governance:administration/getting-started-key-considerations
canonical_url: https://docs.pingidentity.com/pingoneaic/identity-governance/administration/getting-started-key-considerations.html
keywords: ["IGA", "identity governance", "getting started", "planning", "deployment"]
---

# Key considerations

To get started with Identity Governance, evaluate several key areas to ensure a successful implementation. A successful strategy involves defining your goals, understanding your environment, and planning for automation and continuous improvement.

As you begin your identity governance journey, assess the following considerations:

1. **Define your Identity Governance objectives**

   Before you implement any governance process, ask these questions:

   * Are you aiming for regulatory compliance, such as General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), or Sarbanes-Oxley Act (SOX)?

   * Is security your top concern, such as reducing over-privileged accounts or preventing insider threats?

   * Do you want to automate onboarding and offboarding for more efficient operations?

   * Do you want to achieve all of the above?

2. **Make an inventory of your identities and resources**

   Create a complete and accurate inventory of all identities and resources in your environment:

   * Determine if you are using governance for the whole company or for specific organizations.

   * Determine all users, including full-time employees, contractors, and service accounts.

   * Determine all external users, such as suppliers and partners.

   * Identify which applications, systems, and resources these identities can access and the permissions they have.

3. **Plan integrations with authoritative sources and target systems**

   Determine how to connect IGA with your data sources:

   * Determine your authoritative applications and how to connect to them. An authoritative application is the source of truth that defines a person, such as an HR system like Workday.

   * Determine your target applications and systems, including cloud and on-premises systems. Target applications are where you provision accounts and permissions based on data from the authoritative source. For example, if a user joins the Finance department (per Workday), they get access to the SAP or Active Directory target application.

   * Plan for data imports and syncing between systems, and determine if the data flow is one-way or two-way.

   * Determine and assign your application owners. These are the end users who manage access to applications and their entitlements.

4. **Plan how to use roles to define entitlements**

   Group permissions using roles instead of managing individual entitlements:

   * Determine roles based on job functions, such as for managers, contractors, or support personnel.

   * Consider how to map entitlements within each application.

   * Define which systems and permissions each role should have.

   * Identify sensitive roles that require special permissions.

   * Assign entitlement owners to manage access to specific entitlements.

   * Assign role owners to manage access to specific roles.

5. **Plan how you'll automate processes with workflows**

   In IGA, you can use workflows to automate identity lifecycle events that would otherwise be manual and time-consuming.

   * **New employees**: Determine how to provision accounts and assign access when someone joins your company.

   * **Job changes**: Consider how to adjust access when employees change job roles within the company to ensure they get the required permissions and lose access privileges they no longer need.

   * **Employee turnover**: Plan how to revoke all access when someone leaves the company to minimize security risks.

6. **Plan how to implement self-service access requests and approval workflows**

   Identity Governance enables end users to request new access through a self-service portal that has controlled approval workflows. Consider which employees you'll need to perform the following jobs:

   * Build a self-service portal where users can request access to applications, roles, or entitlements.

   * Create online forms for users to submit access requests, and build dynamic and interactive forms that respond to user input in real time.

   * Route access requests to the appropriate approvers, such as managers, application owners, and entitlement owners.

   * Capture an audit trail of every request, approval, and denial.

7. **Plan how to conduct access certification campaigns**

   Plan how to conduct access review certification campaigns at regular intervals:

   * Assign certifiers, such as managers, application owners, role owners, or entitlement owners.

   * Require certifiers to determine whether each user still needs their assigned access.

   * Automate the revocation of access that's no longer needed.

   * Escalate incomplete certifications by forwarding them to the appropriate reviewers.

8. **Define and configure policies and controls**

   Define rules that monitor or block risky access:

   * **Separation of Duties (SoD)**: Your policies should ensure that no single individual can grant entitlements or roles to another user that could result in a conflict of interest or fraud, such as payroll and payroll auditing.

   * **Least privilege**: Your policies should ensure that users have only the minimum access privileges required to do their jobs.

   * **Bad combinations**: Identify dangerous combinations of permissions across systems that could lead to security breaches.

9. **Establish reporting, metrics, and audit readiness**

   IGA provides visibility into governance activities with dashboards and reports. Consider which activities you'll want to monitor.

   * Monitor dashboards that show who has access to what, who granted access, and whether anyone reviewed the access.

   * Create reports to track governance activities.

   * Maintain a record of all access approvals, revocations, escalations, and policy violations.

   * Generate audit reports when required.

10. **Plan for continuous improvement**

    Recognize that identity governance is a long-term, ongoing process, not a one-time project:

    * Determine when to review your entitlements, roles, policies, and integrations throughout the year.

    * Determine how to adapt to organizational changes, such as promotions, mergers, and layoffs.

    * Consider how to adjust processes based on feedback from stakeholders, such as end users, managers, and auditors.
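
As an added example (not part of the Ping Identity documentation or product), the following Python code expands the roles planned in consideration 4 into effective entitlements and checks them against the SoD and bad-combination rules from consideration 8, both as a scan of existing access and as a check on a new access request. The role, entitlement, user, and rule names and the pairwise rule model are assumptions made for illustration; they are not Identity Governance's policy format.

```python
# Constructed sample data: all role, entitlement, user and rule names are hypothetical.
# Roles group (application, entitlement) pairs instead of managing them one by one.
ROLES = {
    "payroll-clerk":   {("sap", "payroll.run"), ("sap", "payroll.view")},
    "payroll-auditor": {("sap", "payroll.audit"), ("sap", "payroll.view")},
    "ad-helpdesk":     {("active-directory", "password.reset")},
    "ad-admin":        {("active-directory", "group.modify")},
}
# A rule trips when one identity holds anything from "left" and anything from "right".
SOD_RULES = [
    {"id": "SOD-1", "left": {("sap", "payroll.run")}, "right": {("sap", "payroll.audit")}},
    # Cross-system bad combination: directory group changes plus running payroll.
    {"id": "SOD-2", "left": {("active-directory", "group.modify")},
     "right": {("sap", "payroll.run")}},
]
ASSIGNMENTS = {
    "alice": {"roles": ["payroll-clerk"], "direct": set()},
    "bob":   {"roles": ["payroll-clerk", "payroll-auditor"], "direct": set()},
    "carol": {"roles": ["payroll-clerk"], "direct": {("active-directory", "group.modify")}},
}

def effective_entitlements(assignment):
    """Map each effective entitlement to the sources (roles or 'direct') granting it."""
    sources = {}
    for role in assignment["roles"]:
        for ent in ROLES[role]:
            sources.setdefault(ent, set()).add(f"role:{role}")
    for ent in assignment["direct"]:
        sources.setdefault(ent, set()).add("direct")
    return sources

def find_violations(assignments, rules=SOD_RULES):
    """Detective scan: (user, rule id, granting sources) for every rule a user trips."""
    findings = []
    for user, assignment in sorted(assignments.items()):
        ents = effective_entitlements(assignment)
        for rule in rules:
            left, right = rule["left"].intersection(ents), rule["right"].intersection(ents)
            if left and right:
                via = sorted(set().union(*(ents[e] for e in left | right)))
                findings.append((user, rule["id"], via))
    return findings

def would_violate(assignments, user, new_role):
    """Preventive check for an access request: rules newly tripped by adding new_role."""
    current = assignments.get(user, {"roles": [], "direct": set()})
    proposed = {"roles": current["roles"] + [new_role], "direct": current["direct"]}
    before = {rule_id for _, rule_id, _ in find_violations({user: current})}
    after = {rule_id for _, rule_id, _ in find_violations({user: proposed})}
    return sorted(after - before)
```

Recording the granting sources with each finding tells the certifier or role owner which role or direct grant to revoke to clear the conflict.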
