Tello
Tello

Auditing Access Requirements Before Implementing IAM

Jul 14, 2026

Implementing Identity and Access Management (IAM) requires organizational planning, user lifecycle management, access control and governance, application integration, and operational management.

Today’s blog post details four critical user provisioning and access requirements you need to audit and understand before implementing an IAM environment such as Tello. Use this information as a starter guide for migrating manual user provisioning and access systems to an automated IAM solution.

Related reading: What is Manual User Provisioning Costing You?

Getting Started with IAM Implementation

To build a foundation for an automated identity and access management migration, your organization must first define, map, and set clear parameters for IAM implementation. Do this by auditing, preparing, and documenting the following items for migrating manual user access and provisioning to IAM.

  1. Scope of your IAM environment: The prioritized systems, applications, and data that will be managed in your IAM solution.
  2. IAM stakeholders and access requirements: The key personnel and requirements for meeting user provisioning and access needs
  3. User auditing, access controls, and source ID providers: User lifecycle triggers and user roles for automated IAM processing.
  4. Measurable IAM metrics and targets: Metrics for measuring the success of your IAM implementation.

Further details for each implementation requirement are listed below.

 

Scope of your IAM environment

Compile a list of the critical resources (systems, apps, data) whose user provisioning and access will be managed from your IAM environment. This list will define the scope of your IAM solution. Most in-scope resources can be discovered through your current manual user provisioning system.

It is also important to include any shadow IT apps and cloud storage services that are being used without organizational controls. Shadow IT apps and cloud storage usage can be discovered using several tools, including monitoring browser activity, network traffic analysis, endpoint monitoring, and configuration management database (CMDB) software.

Once compiled, your in-scope list can be prioritized for implementation in your identity and access management environment. Because new applications frequently come on-line and users will always access shadow IT apps and cloud storage, the in-scope list should be regularly updated and applied to your IAM solution.

 

IAM Stakeholders and Access Requirements

Each resource on the in-scope list should also be identified as to who its primary IAM stakeholders are. This stakeholder list will be used to determine what roles each stakeholder has in administering user and access provisioning. Possible IAM roles for each stakeholder and their duties include:

  • IT administrator: IAM administration, configuration, security.
  • Support: User support, provisioning, deprovisioning, and access management role assignment.
  • Manager: Approve resource access requests, changes, and terminations.
  • Audit and compliance: Approving and review access changes to satisfy regulatory mandates and for audit report generation.
  • Transition user access provisioning to role-based access control (RBAC) and attribute-based access control (ABAC) rather than assigning individual user account permissions: Use existing access permissions to compile permission lists for pre-defined roles or attributes. RBAC and ABAC assignments can act as baseline permissions for different classes of users.
  • Identify a baseline principle-of-least-privilege (PoLP) access for common users: Define the baseline access for all users for resources being migrated. This is the default access list users will receive for each resource unless they are assigned elevated access rights.
  • Use lifecycle triggers to provision new users and to deprovision existing users: Define IAM capabilities to automate user provisioning and deprovisioning from source identity providers (IdP), including HR systems, directory synchronization, and other services).

Stakeholders should designate the regulatory mandates and other requirements to satisfy the legal, financial, personally identifiable information, security, and other requirements for each resource. This information can be used for designating user access assignments for IAM stakeholders.

 

User auditing, access controls, and source ID providers

As you migrate user provisioning and access management to an IAM solution, audit each resources’ user accounts and document the following items for migration to your IAM environment.

Related: Avoiding Identity Access Drift with IAM

 

Measurable IAM metrics and targets

Relevant metrics help cost-justify an IAM system migration. They can also demonstrate how effective your IAM implementation is and to flag areas that need further improvement.

Consider gathering metrics before you start your migration and at critical junctures during and after the migration. Metrics can be used for evaluation and continuous improvement. IAM metrics can be gathered on a resource-by-resource basis or an accumulated basis for all migrated resources. Each metric should also contain a target value based on IAM stakeholder and access requirements.

Here are some important user access provisioning and deprovisioning metrics for IAM implementation and evaluation.

  1. Time to provision/time to deprovision: The average time to create a new user identity or revoke access for terminated users.
  2. Orphaned account ratio: The percentage of dormant accounts no longer associated with a verifiable user identity.
  3. User access review completion rate: The percentage of assigned user access reviews that are completed within defined deadlines, especially for high-risk roles and other roles with access to sensitive data.
  4. Segregation of Duties (SoD) violations: The number of user accounts where an employee was discovered to possess enough access permissions to circumvent business controls and perform fraudulent transactions (i.e., an accounting user who can create a ghost employee and authorize payroll disbursements).

Coordinate with your IAM stakeholders to determine which IAM metrics should be tracked.

 

Learn more about auditing and implementing IAM requirements

Contact Seasoft Security for more information on preparing and implementing an advanced Identity and Access Management solution like Tello. Our IAM experts can perform an organization-specific assessment to help modernize your user access and provisioning environment.