Modernizing identity governance: How PriceSmart streamlined access reviews across legacy and cloud systems

About PriceSmart

PriceSmart, a subsidiary of retail giant Costco, operates membership-based warehouse clubs across 13 countries in Latin America and the Caribbean. With a business model centered on delivering value through operational efficiency, PriceSmart manages a complex IT environment, blending customized legacy systems with a growing suite of modern, cloud-native technologies.

The challenge: governance across a hybrid infrastructure

Before ConductorOne, PriceSmart struggled to manage access governance across a sprawling IT landscape. As Roberto Mateo, VP of IT Business Operations, explained: “The biggest challenge for us was the complete chaos of our systems. We have an IBM iSeries running JD Edwards, a 30-year-old system that is the backbone of our operation. But we also have AWS, Azure, and other tools. We needed a solution that would allow us to modernize reviews for both the new  systems and the legacy systems that basically give you reports in PDFs.”

User access reviews, especially for their JD Edwards environment, were extremely manual. Exporting data, combining it with HR information via spreadsheets, figuring out who to route reviews to, and then managing reviews by email often consumed months—finishing just in time to start the next cycle. “Before ConductorOne, preparing the main file for our JD Edward system would take one to two weeks, distribution another week, and following up even longer. All in all, a quarterly business-critical access review might take a whole quarter.”

This tedious, reactive process left little time for proactive security work and exposed the organization to increased risk from outdated or inappropriate access.

The solution: bridging legacy and cloud systems with ConductorOne

After evaluating several identity governance solutions, PriceSmart selected ConductorOne for its ability to meet three core requirements:

• Hybrid integration: The ability to connect to both modern cloud applications and highly customized legacy systems that lacked APIs.
• Fast time to value: An agile deployment process that could meet their fiscal year-end deadlines.
• User-friendly experience: A intuitive, efficient review process for business managers. Mateo emphasized the importance of flexibility: “We needed something that would work across different systems—30-year-old systems, new systems, internally developed systems, and off-the-shelf systems.”

Implementation speed was a major success:

“From the moment we signed to the moment we were already playing with the first configuration was two weeks, and the first user access review went out the month later.”

Roberto Mateo

VP of IT Business Operations

Despite the complexity of PriceSmart’s environment, ConductorOne enabled them to modernize access governance without overhauling their infrastructure.

The impact: major time savings, improved security, and operational efficiency

The transformation was immediate.

Access reviews from a full quarter to under three weeks

What once took an entire quarter is now completed in under three weeks, often closer to two. Reviews are prepped in a few clicks—it’s simply a matter of selecting the applications and permissions in scope. ConductorOne takes care of the rest, including automatically routing reviews to the appropriate reviewers based on PriceSmart’s internal review policies.  In fact, the ability to configure flexible multistep review policies within ConductorOne has further improved PriceSmart’s overall review outcomes. In the past, system experts had to work together to ensure policies had been properly followed after the fact, manually checking for compliance at the end of a review. As Roberto explained: “Policies were not implementable in such a way that they were part of the process. They were just what we measured the process against at the end.”

Now, because PriceSmart can create sophisticated policy rules within ConductorOne that route reviews to managers, application owners, or other reviewers based on user attributes like role and location, they’re able to build better efficiency and security directly into the review process. “With ConductorOne, we’ve reduced user access reviews to easily two or three weeks,” Mateo shared. “And that’s even with the realities of a large retail operation competing for business time.”

Manager review time reduced from hours to minutes

ConductorOne regularly notifies reviewers of their outstanding tasks to keep reviews on track. The platform also provides an intuitive interface and contextual, risk-based insights about the access under review to help reviewers make quick, informed decisions. This accelerates review completion time while simultaneously reducing rubber-stamping. Managers now complete reviews in a fraction of the time, minimizing disruption to daily operations. “In terms of hours used by the manager to review, it has gone down from multiple hours to less than 30 minutes.”

And that reduced time translates into direct business value to report to their leadership team.

“The biggest ROI we have seen is in time. We have communicated to leadership and management our estimates and I'm very confident that the tool pays for itself.”

Roberto Mateo

VP of IT Business Operations

Unified visibility across systems

ConductorOne brought together access data across PriceSmart’s hybrid environment (spanning JD Edwards, AWS, Azure, and more) into a single streamlined process. Legacy system limitations like static PDF reports no longer blocked modernization efforts.

Improved security posture

By eliminating manual steps and increasing review frequency, PriceSmart now proactively identifies and addresses potential security risks that previously went unnoticed. “Now we spend less time building reports and more time reviewing results. We’re able to spot real risk vectors like inappropriate profile assignments,” Mateo noted.

This shift from reactive audit preparation to proactive risk mitigation has strengthened their overall security and compliance capabilities.

Looking ahead: scaling with confidence

With access reviews for their most critical systems successfully streamlined, PriceSmart is expanding its use of ConductorOne across more platforms, including Okta, to future-proof their identity security as the business continues to grow. Reflecting on the journey, Mateo offered this advice to other companies facing similar challenges:

“If you’re still using spreadsheets and emails for access reviews—invest in automation. Beyond just saving time, you’ll discover new ways to improve your overall security engagement.”

Roberto Mateo

VP of IT Business Operations