Gartner Blog Network

Performing an entitlement lobotomy on the enterprise

by Ian Glazer  |  June 8, 2010  |  2 Comments

As a part of its data center consolidation efforts, HP is going to be letting go 9000 IT workers. As this Computerworld article points out, although it is not confirmed, it is highly likely that at least some of these terminated employees are system administrators. And as those admins walk out the door, so too will walk an understanding of how applications actually work and what the entitlements in them actually do. The loss of this kind of institutional knowledge will make it harder for compliance teams at HP to answer the question, “who has access to what.”

I am just wrapping up some research on how enterprises gather and catalog entitlements. Without a decent entitlement management process in place, understanding what an entitlement grants in an application is next to impossible. Why? Because the people who know what permissions an entitlement grants keep this information in their heads. And when they leave the enterprise, so too does that knowledge.

From there, the management of access becomes an exercise in cargo cult IdM. You start to see a lot of “model after” access (mis)management, where new users are simply cloned from existing ones without anyone knowing what the copied entitlements grant. You get a lot of wasted effort trying to figure out which dataset a group provides access to in the midst of a compliance exercise.

Without a means of capturing the meaning of entitlements, enterprises put themselves at risk. Letting go of a huge number of system administrators, who likely have some crucial understanding of what their systems’ entitlements do, compounds that risk.
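One practical check the post points toward, as an added example that is not from the original post or from Gartner: triage an entitlement catalog against a list of departing administrators, so that entitlements whose meaning exists only in departing people's heads are captured before they walk out the door. The catalog fields, sample entitlements and names below are constructed.

```python
"""Triage an entitlement catalog against a list of departing administrators.

Added example; the catalog schema and all sample data are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Entitlement:
    app: str
    name: str
    description: str = ""  # business-language meaning; empty means undocumented
    # People known to understand what this entitlement actually grants.
    knowledge_holders: set = field(default_factory=set)


def triage(catalog, departing):
    """Classify each entitlement by how much of its meaning survives the departures.

    documented     : meaning is written down; departures do not matter.
    capture_now    : undocumented, but someone who knows is staying (interview them).
    knowledge_lost : undocumented and nobody remaining knows what it grants.
    """
    result = {"documented": [], "capture_now": [], "knowledge_lost": []}
    for e in catalog:
        key = f"{e.app}:{e.name}"
        if e.description.strip():
            result["documented"].append(key)
            continue
        remaining = e.knowledge_holders - departing
        if remaining:
            # Record who can still explain it, so the capture work can be assigned.
            result["capture_now"].append((key, sorted(remaining)))
        else:
            result["knowledge_lost"].append(key)
    return result


# Constructed sample catalog and departure list.
CATALOG = [
    Entitlement("ERP", "AP_CLERK", "Enter and submit accounts-payable invoices", {"alice"}),
    Entitlement("HR", "GRP_PAYROLL_RO", "", {"bob", "carol"}),
    Entitlement("LDAP", "cn=legacy-batch", "", {"bob"}),
    Entitlement("Unix", "wheel", "", set()),  # nobody ever knew what this was for
]
DEPARTING = {"bob"}

if __name__ == "__main__":
    for bucket, items in triage(CATALOG, DEPARTING).items():
        print(f"{bucket}: {items}")
```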

Category: identity-and-access-governance  

Tags: access-certification  entitlement-management  iag  provisioning  role-management  

Ian Glazer
Research Vice President and Agenda Manager
4 years at Gartner
16 years IT industry

Ian Glazer is a research vice president and agenda manager on the Identity and Privacy Strategies team. He leads IdPS' coverage for authorization and privacy. Topics within these two main areas include externalized authorization management, XACML, federated authorization, privacy by design, and privacy programs.

Thoughts on Performing an entitlement lobotomy on the enterprise

  1. […] This post was mentioned on Twitter by BurtonGroupIT, Ian Glazer. Ian Glazer said: Blog Post: Performing an entitlement lobotomy on the enterprise #idm #iag […]

  2. Darran Rolls says:

    Great topic! I think you have the nail AND the hammer right there! I completely agree with your statement about capturing the meaning of entitlements as being the key. Until we understand what an entitlement means, how can you ever hope to truly “manage it”? Unless we are able to express in business terms how access & entitlement is defined, requested, approved, tracked, audited and then later reviewed by the business, we’ll never get identity or the wider security model right.

    I’d like to point your readers to a recent blog posting I made on this very subject. Might make an interesting supporting read.
