Continuing the Journey to Least Privilege: Introducing Access Requests


Least privilege access can feel completely out of reach. Here’s what we’ve heard:

You have a ton of different SaaS applications running your business, your infrastructure is in the cloud, you have multiple IdPs, employee details in your HR system, contractors somewhere else, and each application owner oversees user access to the apps they own. Provisioning and deprovisioning users is complicated and a high-cost effort. Your engineering team owns granting and reviewing access for your infrastructure, SalesOps owns your CRM, finance owns your financial tools, and so on. Not to mention the custom, backoffice applications you built specifically for your business.

The sheer volume of users, levels of access, and different ways to audit and manage user access within each application has made it near impossible for security teams to govern and IT teams to manage. Security is now more opaque within the bounds of the application and the IT helpdesk has very little context on who should and shouldn’t have a specific type of access to a certain application. Helpdesk tickets pile up, audit trails of access changes are nonexistent, and, unfortunately, security incidents still happen.

The ideal world

In the ideal world, you would understand exactly who needs access to what, how they can get it, why they need it, and you’d continuously monitor the reasons to remove it, e.g. compliance, security, usage, cost, and so on.

Getting to this ideal world, enforcing least privilege for user access by removing privileges, requires that you KNOW where your user access privileges stand and that you can give and take in a way that doesn’t affect employee productivity. It’s an old problem that requires a modern solution.

Announcing our newest product, Access Requests

Today we’re excited to officially announce our Access Request product. A solution that provides self-service access requests to your employees via Slack or a web catalog, automatic approval routing, and zero-touch provisioning. We see this as the modern solution to these problems because it provides our customers a centralized way to automate access management and provide just-in-time access to critical infrastructure, back office systems, and any business application.

By bringing in user access data and privileges from any app, our customers’ IT and security teams are able to understand what’s happening, set fine-grained policies to govern access, and automatically enforce said policies with automation. While policies are centrally managed and enforced, each app owner makes the informed decision on the permission levels and users. When requests are approved, IT doesn’t have to go through complex provisioning scenarios, the Access Request product handles provisioning directly to the application, via SCIM, or through a workflow. If the access granted is time-bound, we also automate deprovisioning.

Continuing the journey

At ConductorOne, we started with user access reviews – automating and orchestrating another old problem with a modern solution so our customers could achieve their compliance goals. But helping customers move to zero trust requires more than a point-in-time audit, and from the beginning we built ConductorOne with the notion that identity needs to shift left. Our customer, Paul Yoo at Ramp, says it best, “User access reviews give us a retroactive look, but just-in-time access requests help us shift left and get ahead of the problem by controlling how access is granted.”

Learn more about the product here or reach out to us for a demo!