
AUTOMATING ACCESS GOVERNANCE FOR SECURE COMPLIANCE
OVERVIEW
A global enterprise managing a custom real estate platform faced significant risks due to inconsistent user access reviews. With both internal employees and external vendors (e.g., brokers, consultants) accessing sensitive data, manual reviews created compliance gaps and security concerns. Fiduciary Tech implemented an automated governance framework, drastically reducing dormant accounts, ensuring regular access reviews, and giving managers clear accountability over external users.
THE CHALLENGE
The platform supported a diverse user base, including internal employees and external partners, each with distinct access needs and security risks:
Inactive Internal Accounts: Employees who changed roles or ceased using the system retained access indefinitely, creating potential security gaps and cluttered licenses.
Unmonitored External Access: External vendors, granted access for specific projects, often retained their credentials long after contracts ended, posing both compliance and security challenges.
Audit Difficulties: Without a systematic way to track and review permissions, the client struggled to meet SOX compliance and pass internal security audits.

OUR SOLUTION
Fiduciary Tech designed an automated governance model with a two-tier approach—addressing the distinct lifecycle of internal and external users:
1. Automated Inactivity Sweep (Internal)
A daily batch process scans the user base to deactivate accounts that have been inactive for 60 days (configurable). To accommodate senior leaders with infrequent logins, an executive exemption flag allows specific users to bypass inactivity deactivation.
2. Vendor Recertification Portal (External)
External users are assigned to internal managers for periodic review. Every 90 days (configurable), the system flags external users for access review, giving managers a simple dashboard to either extend or expire access. Automated notifications remind managers ahead of time, ensuring timely action.
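One way the daily inactivity sweep from item 1 could be written as an Apex batch class (an added example, not Fiduciary Tech's or the client's code). The checkbox `Executive_Exempt__c`, the custom metadata type `Access_Governance_Setting__mdt` with its `Inactivity_Days__c` field and `Default` record are hypothetical names, and treating `UserType = 'Standard'` as "internal" is an assumption.

```apex
// Added illustration. Hypothetical names: Executive_Exempt__c (checkbox on User),
// Access_Governance_Setting__mdt, Inactivity_Days__c, and the 'Default' record.
// "without sharing" so the sweep sees every user regardless of who scheduled it.
public without sharing class InactivitySweepBatch
        implements Database.Batchable<SObject>, Schedulable {

    private static final Integer DEFAULT_DAYS = 60; // the page's default threshold

    // Schedulable entry point for the daily run.
    public void execute(SchedulableContext sc) {
        Database.executeBatch(this, 200);
    }

    public Database.QueryLocator start(Database.BatchableContext bc) {
        Access_Governance_Setting__mdt cfg =
            Access_Governance_Setting__mdt.getInstance('Default');
        Integer days = (cfg != null && cfg.Inactivity_Days__c != null)
            ? cfg.Inactivity_Days__c.intValue() : DEFAULT_DAYS;
        Datetime cutoff = Datetime.now().addDays(-days);
        // Accounts that never logged in have a null LastLoginDate; age them by
        // CreatedDate so provisioned-but-unused accounts are not skipped forever.
        return Database.getQueryLocator([
            SELECT Id, Username FROM User
            WHERE IsActive = true
              AND UserType = 'Standard'
              AND Executive_Exempt__c = false
              AND (LastLoginDate < :cutoff
                   OR (LastLoginDate = null AND CreatedDate < :cutoff))
        ]);
    }

    public void execute(Database.BatchableContext bc, List<User> scope) {
        for (User u : scope) {
            u.IsActive = false;
        }
        // allOrNone = false: one user that cannot be deactivated must not
        // roll back the rest of the chunk.
        List<Database.SaveResult> results = Database.update(scope, false);
        for (Integer i = 0; i < results.size(); i++) {
            if (!results[i].isSuccess()) {
                System.debug(LoggingLevel.ERROR, 'Deactivation failed for '
                    + scope[i].Username + ': '
                    + results[i].getErrors()[0].getMessage());
            }
        }
    }

    public void finish(Database.BatchableContext bc) {}
}
```

Because the exemption flag permanently removes an account from the sweep, changes to that field are worth tracking (for example with field history) and including in the periodic access review.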
KEY FEATURES
• Automated Inactivity Deactivation: Automatically deactivates inactive internal accounts after a configurable period.
• Executive Exemptions: Allows senior roles to retain access despite low login frequency.
• Vendor Recertification Portal: Provides managers with an easy-to-use dashboard to review and manage external user access.
• Configurable Notifications: Automated reminders help managers stay ahead of upcoming access expirations, reducing risk.
GLOBAL IMPACT/RESULTS
• Enhanced Security: Reduced the number of dormant accounts, ensuring only active users retained access.
• Streamlined Compliance: Built-in access reviews made it easier to meet SOX and other compliance standards.
• Improved Efficiency: Shifted user access validation to managers, reducing IT support tickets and manual intervention.
• Scalability: The solution can be extended across other platforms and user groups, providing a flexible governance framework for long-term growth.
TECHNOLOGIES & SERVICES
Salesforce Platform: Core user and access management.
Apex (Batch Classes): Automated logic for inactivity checks and access reviews.
Visualforce Pages: Custom manager review dashboard.
Custom Metadata: Configurable review and notification schedules.
CONCLUSION
By automating user lifecycle management, Fiduciary Tech helped the client transform from reactive user cleanup to proactive, scalable access governance. The solution significantly enhanced security, simplified compliance audits, and empowered managers to take ownership of external access. This proactive governance framework positioned the platform for long-term growth and audit-readiness.