Identity Governance and Administration (IGA) Project Discovery Questions
Workforce IAM / Identity Governance projects require an equal blend of technical and business skills. Before embarking on a project, it's important to define the business requirements and objectives in sufficient detail for the implementation team. Failure to do so can result in project overruns and failure. The sections below and related topics provides a framework to initiate the requirements definition and planning of your project.
IAM projects are not trivial undertakings. They require time and sufficient planning. This framework represents a place to start. The requirements process should be iterative and involve the appropriate team members. As the process evolves, questions not listed here will arise. These should be explored if they are relevant to the business.
Project Name:
Date Prepared:
Document Version: 1.0
Project Drivers
Indicate the primary drivers for this project
| Driver | Y/N | Comments |
|---|
| Automate user life cycle management | | |
| Compliance or regulatory requirements | | |
| Reduce operational costs | | |
| Improved security | | |
| Improved end-user experience and responsiveness | | |
| Replace current IAM solution | | |
| Other: | | |
| Company Information | |
|---|
| Company Name: | |
| Address: | |
| City: | |
| State/Province: | |
| Zip/Postal Code: | |
| Country: | |
| Industry: | |
| Company Size: | |
| Primary Contact Details | |
|---|
| Name: | |
| Title: | |
| Phone: | |
| Email: | |
| Department: | |
| Project Stakeholders | |
|---|
| Executive Sponsor: | |
| IT Leader: | |
| Security Leader: | |
| Business Owners: | |
| Other Stakeholders: | |
Project Overview
| Project Background | |
|---|
| What are the primary business objectives for this IGA implementation? | |
| What are the key pain points with the current identity management processes? | |
| Are there any specific compliance requirements driving this project? | |
| What is your desired timeline for implementation? | |
| Is this a new implementation or a replacement for an existing solution? | |
| If replacing, what is the current solution and why is it being replaced? | |
| What is the expected scope of the initial implementation phase? | |
| Are there any constraints that might affect the implementation (budget, resources, integration limitations)? | |
OpenIAM-Specific Considerations
| Question | Response |
|---|
| Will you be using OpenIAM's hosted solution or on-premises deployment? | |
| Do you have requirements for high availability or disaster recovery? | |
| What is your database preference for the OpenIAM repository? | |
| Do you plan to use the OpenIAM connector framework or will custom connectors be required? | |
User Population Assessment
| User Demographics | Count |
|---|
| Total number of employees: | |
| Number of contractors/temporary workers: | |
| Number of B2B/B2C users: | |
| Number of concurrent users: | |
| Total number of identities to be managed: | |
| Geographical distribution of users: | |
| Projected annual growth rate: | |
| Peak user load expectations: | |
| Average number of applications per user: | |
| Expected number of daily provisioning transactions: | |
| Expected number of daily authentication events: | |
User Types Definition
Please provide detailed information about each user type that will be managed in the IGA system. User types impact certain IAM process and can also impact the attributes that the IAM system needs to capture.
| User Type | Description | Authoritative source | Custom attributes |
|---|
| Employees | | | |
| Contractors | | | |
| Temporary Workers | | | |
| Service Accounts | | | |
| Privileged Accounts | | | |
| Partners | | | |
| Customers | | | |
| Other (specify): | | | |
Identity Lifecycle Management
Authoritative Sources
For each authoritative source, provide a list of attributes and their meaning. Later, we will map these attributes to attributes in the OpenIAM data model.
Application Name: _
| Field Name | Field Type / Description | Maps to OpenIAM Attribute |
|---|
| Example: FirstName | String - Person's first name | User.First_Name |
| | |
| | |
Joiner Process
| Question | Response |
|---|
| How are new users currently onboarded? | |
| What is the desired process for onboarding employees? | |
| What is the desired process for onboarding contractors? | |
| What is the desired process for onboarding other user types? | |
| What are the criteria for granting birthright access? (User type, Persona, etc) | |
| Are self-registration capabilities required? If yes, for which user types? | |
| What approval workflows are needed for user creation? | |
| Is identity proofing required and if so how should it function for each type of user? | |
| How should emergency/temporary access be handled? | |
Account/Attribute Generation Rules
| Attribute | Generation Rule | Example |
|---|
| Account ID/Username | | |
| Email Address | | |
| Display Name | | |
| Other | | |
Credential Delivery
| User Type | Credential Delivery Method | Notes |
|---|
| Employees | | |
| Contractors | | |
| Other | | |
Future Hire Processing
| Question | Response |
|---|
| For employees with future hire dates, when should accounts be provisioned? | |
| When should accounts become active for future hires? | |
| What notifications should be sent and to whom? | |
Joiner Process Flow
Please provide a high-level description of the desired joiner workflow:
Mover Process
| Question | Response |
|---|
| How are user transfers/role changes currently handled? | |
| What events should trigger access modifications (department change, manager change, etc.)? | |
| What approval workflows are required for role/permission changes? | |
| How should access reconciliation be handled during transfers? (retain old access, replace access, etc.) | |
| How are promotions handled with regard to access? | |
| How are demotions handled with regard to access? | |
| How should temporary role assignments be managed? | |
| How are additional responsibilities handled (e.g., acting manager during absence)? | |
Position Change Attributes
| Attribute | Should Monitor for Changes? | Notes |
|---|
| Job Title | | |
| Department | | |
| Manager | | |
| Location | | |
| Cost Center | | |
| Other | | |
Special Cases
| Scenario | Handling Process |
|---|
| Employee with no manager for a period | |
| Multiple position changes in short succession | |
| Temporary assignments | |
Mover Process Flow
Please provide a high-level description of the desired mover workflow:
Leaver Process
| Question | Response |
|---|
| How are terminations currently processed? | |
| What are the different termination scenarios to support? (voluntary, involuntary, retirement, etc.) | |
| What approval workflows are needed for different termination types? | |
| What is the desired timeline for access revocation for each termination type? | |
| How should emergency terminations be handled? | |
| What is the process for handling legal holds on terminated accounts? | |
| How should leaves of absence be handled? | |
| How should account retention/archiving be handled after termination? | |
| What is the policy regarding account deletion vs. disablement? | |
Termination Types
| Termination Type | Process | Timeline | Special Considerations |
|---|
| Voluntary resignation | | | |
| Involuntary termination | | | |
| Retirement | | | |
| Leave of absence | | | |
| Legal hold | | | |
| Other | | | |
Account Disposition
| System/Application | Action on Termination | Retention Period | Notes |
|---|
| Active Directory | | | |
| Email | | | |
| HR System | | | |
| Business Applications | | | |
Reuse Policies
| Item | Can be Reused? | Conditions/Timeframe |
|---|
| Account IDs | | |
| Email Addresses | | |
| Other | | |
Leaver Process Flow
Please provide a high-level description of the desired leaver workflow:
Account Management
| Question | Response |
|---|
| What is the desired account naming convention? | |
| What are the requirements for shared accounts? | |
| How should dormant/inactive accounts be handled? | |
| Are there any requirements for account expiration? | |
| How should orphaned accounts be identified and remediated? | |
Birthright Access Definition
| User Type/Category | Application | Role/Entitlement | Criteria |
|---|
| | | |
| | | |
| | | |
Access Request and Approval
| Question | Response |
|---|
| How are access requests currently submitted and processed? | |
| What is the desired process for requesting access? | |
| Should access request capabilities be role-based, application-based, or both? | |
| What approval workflows are required for access requests? | |
| Should there be different approval paths based on risk level or sensitivity? | |
| What is the desired SLA for access request processing? | |
| Is delegation of approval authority required? | |
| How should emergency/break-glass access requests be handled? | |
Service Catalog Structure
Define how the service catalog should be organized:
| Top-Level Category | Sub-Categories | Applications/Services |
|---|
| | |
| | |
| | |
Application-Specific Approval Workflows
| Application/Service | Approver(s) | Approval Levels | SLA | Special Requirements |
|---|
| | | | |
| | | | |
| | | | |
Role Management
| Question | Response |
|---|
| Is role-based access control (RBAC) currently implemented? | |
| What types of roles are needed? (business roles, IT roles, application roles) | |
| How many roles are anticipated? | |
| How should role hierarchies be structured? | |
| What attributes should drive role assignment? (department, location, job title, etc.) | |
| How should role conflicts and segregation of duties be managed? | |
| What process should be used for role creation and maintenance? | |
| How frequently should roles be reviewed? | |
| Do you require role mining capabilities to identify common access patterns? | |
| Do you need to implement attribute-based access control (ABAC)? | |
| What organizational metadata will be used for dynamic role assignment? | |
| Do you require time-bound or temporary role assignments? | |
| Do you need to implement the principle of least privilege? If so, how? | |
Business Role Definitions
| Role Name | Description | Membership Criteria | Applications/Entitlements | Approver |
|---|
| | | | |
| | | | |
| | | | |
Role Hierarchy
Please describe or diagram the desired role hierarchy structure:
User Access Certification and Review
| Question | Response |
|---|
| Are access reviews/certifications currently performed? If yes, describe the process. | |
| What is the desired frequency of access certifications? | |
| Who should be responsible for certifying access? (managers, application owners, etc.) | |
| Should different certification schedules exist for different systems or risk levels? | |
| What remediation process should be followed for inappropriate access? | |
| How should certification exceptions be handled? | |
| What certification metrics should be tracked? | |
Certification Campaigns
| Campaign Type | Scope | Frequency | Reviewer | Remediation Process | Special Requirements |
|---|
| User-based | | | | | |
| Application-based | | | | | |
| Role-based | | | | | |
| Privileged access | | | | | |
Access Review Manager
| Campaign Type | UAR Manager | Responsibilities |
|---|
| | |
| | |
| | |
Segregation of Duties (SoD)
| Question | Response |
|---|
| Are SoD controls currently implemented? If yes, describe them. | |
| What critical business processes require SoD controls? | |
| What specific role or permission combinations should be restricted? | |
| Should SoD controls be preventive, detective, or both? | |
| How should SoD violations be remediated? | |
| Are there regulatory requirements for SoD? | |
Authentication and Credentials
Authentication Methods
| Question | Response |
|---|
| What authentication methods are currently in use? | |
| What authentication methods are desired? (password, MFA, biometrics, etc.) | |
| Are different authentication methods required for different user types or risk levels? | |
| What multi-factor authentication solutions are currently in use or desired? | |
| Are there any special authentication requirements for privileged users? | |
| Is adaptive/risk-based authentication desired? | |
Password Management
| Question | Response |
|---|
| What are the current password policies? | |
| What are the desired password complexity requirements? | |
| What should be the password expiration policy? | |
| How should password history be managed? | |
| What self-service password reset capabilities are needed? | |
| How should forgotten passwords be handled? | |
| What identity verification is required for password resets? | |
| Do you need to synchronize passwords across multiple systems? | |
| Are there different password policies for different user types or systems? | |
| Do you require password-less authentication options? | |
| What are your requirements for privileged account password management? | |
| Do you need one-time password capabilities? | |
| What notifications are required for password-related events? | |
Password Policy Details
| Policy Element | Requirement | Notes |
|---|
| Minimum length | | |
| Character composition | | |
| Password history | | |
| Password age/expiration | | |
| Account lockout threshold | | |
| Lockout duration | | |
Self-Service Password Reset Options
| Verification Method | Enabled? | Configuration Details |
|---|
| Challenge questions | | |
| Email verification | | |
| SMS verification | | |
| Mobile app verification | | |
| Other | | |
Single Sign-On and Federation
| Question | Response |
|---|
| Is SSO currently implemented? If yes, describe the solution. | |
| What is the desired scope of SSO? | |
| What federation protocols are required? (SAML, OAuth, OpenID Connect, etc.) | |
| Will the IGA solution be the Identity Provider (IdP) or Service Provider (SP)? | |
SSO Application Requirements
| Application Name | SSO Protocol | Who Can Access | Attributes to be Passed | Special Requirements |
|---|
| | | | |
| | | | |
| | | | |
Federation Count by Protocol
| Protocol | Number of Applications |
|---|
| SAML 2.0 | |
| OAuth 2.0 | |
| OpenID Connect | |
| WS-Federation | |
| Form Fill | |
| Proprietary | |
External Federation Requirements
| External Entity | Role (IdP/SP) | Protocol | Trust Requirements | Attributes Exchanged |
|---|
| | | | |
| | | | |
System Integrations
Authoritative Sources
| System Name | Type | Purpose | Integration Method | Data to be Synchronized | Frequency |
|---|
| | | | | |
| | | | | |
| | | | | |
Target Systems
Please provide details for all systems that need to be integrated with the IGA solution:
| System Name | Type | # of Instances | User Population | Integration Method | Provisioning Requirements | De-provisioning Requirements | Migrate Existing Users? | Migrate Groups/Roles? |
|---|
| Directory Services | | | | | | | | |
| Active Directory | | | | | | | | |
| Azure AD | | | | | | | | |
| Okta | | | | | | | | |
| Other LDAP | | | | | | | | |
| Cloud Applications | | | | | | | | |
| Microsoft 365 | | | | | | | | |
| Google Workspace | | | | | | | | |
| Salesforce | | | | | | | | |
| ServiceNow | | | | | | | | |
| Workday | | | | | | | | |
| SAP | | | | | | | | |
| Oracle | | | | | | | | |
| Other (specify) | | | | | | | | |
| Infrastructure Systems | | | | | | | | |
| Windows Servers | | | | | | | | |
| Linux/Unix Servers | | | | | | | | |
| Database Systems | | | | | | | | |
| AWS | | | | | | | | |
| Azure | | | | | | | | |
| GCP | | | | | | | | |
| Other (specify) | | | | | | | | |
| Custom Applications | | | | | | | | |
| Internal App 1 | | | | | | | | |
| Internal App 2 | | | | | | | | |
| Internal App 3 | | | | | | | | |
Integration Challenges
| Question | Response |
|---|
| Are there any systems with special integration requirements or limitations? | |
| Are there any legacy systems that may present integration challenges? | |
| Are there any disconnected/air-gapped systems that need to be considered? | |
| How should failed provisioning/de-provisioning operations be handled? | |
Governance and Compliance
Regulatory Requirements
| Question | Response |
|---|
| What regulatory frameworks must be supported? (SOX, GDPR, HIPAA, PCI-DSS, NIST, etc.) | |
| What are the specific identity management requirements for each applicable regulation? | |
| Are there industry-specific compliance requirements? | |
| What is the frequency of compliance audits? | |
Reporting and Audit
| Question | Response |
|---|
| What standard reports are required? | |
| What custom reports are required? | |
| Who are the primary consumers of reports? | |
| What audit log retention requirements exist? | |
| What alerting and notification requirements exist? | |
| Are there requirements for real-time monitoring? | |
| What compliance metrics need to be tracked? | |
Specific Report Requirements
| Report Type | Description | Audience | Frequency | Format | Delivery Method |
|---|
| User Access Reports | | | | | |
| Orphaned Account Reports | | | | | |
| Access Certification Reports | | | | | |
| SoD Violation Reports | | | | | |
| Authentication Reports | | | | | |
| Provisioning Activity Reports | | | | | |
| System Health & Performance | | | | | |
| Custom Reports (specify) | | | | | |
Audit Requirements
| Audit Type | Retention Period | Storage Location | Access Controls |
|---|
| User activity | | | |
| Admin activity | | | |
| Authentication events | | | |
| Access changes | | | |
| Policy changes | | | |
Risk Management
| Question | Response |
|---|
| How should high-risk access be identified and managed? | |
| Are there requirements for risk scoring of users or access? | |
| How should risk exceptions be managed? | |
| What controls are needed for privileged access? | |
| How should anomalous access patterns be detected and handled? | |
User Experience and Self-Service
| Question | Response |
|---|
| What self-service capabilities are required? (access requests, password reset, profile management, etc.) | |
| What is the desired user experience for the IGA portal? | |
| Are there any accessibility requirements? | |
| Are there any language/localization requirements? | |
| What mobile/responsive design requirements exist? | |
| What level of customization is desired for the user interface? | |
| Do you require a customized shopping cart experience for access requests? | |
| Do you need a mobile application for self-service functions? | |
| What self-service capabilities should be available for managers and application owners? | |
| Do you need delegation capabilities for approvals and administrative functions? | |
| What authentication options should be available for the self-service portal? | |
| What notifications do users need to receive about their access? | |
Self-Service Capabilities by User Type
| Capability | Employees | Managers | Contractors | External Users | Admin Users |
|---|
| Password Reset | | | | | |
| Profile Management | | | | | |
| Access Requests | | | | | |
| Account Unlock | | | | | |
| Approvals | | | | | |
| Delegation | | | | | |
| Reports | | | | | |
| Other | | | | | |
Notification Requirements
| Event | Recipients | Delivery Method | Content | Frequency |
|---|
| | | | |
| | | | |
| | | | |
OpenIAM Implementation Considerations
| Question | Response |
|---|
| Do you prefer to use OpenIAM's standard connectors or develop custom connectors? | |
| Will you use OpenIAM's workflow engine or integrate with an external workflow system? | |
| Do you need data migration tools for moving from legacy systems to OpenIAM? | |
| What level of customization is anticipated for the OpenIAM solution? | |
| Will you need integration with OpenIAM's mobile application? | |
| Do you require any specific OpenIAM add-on modules? | |
Operational Requirements
Deployment Model
| Question | Response |
|---|
| What is the preferred deployment model? (on-premises, cloud, hybrid) | |
| What are the scalability requirements? | |
| What are the availability/uptime requirements? | |
| What are the disaster recovery requirements? | |
| What are the performance requirements? | |
Support and Maintenance
| Question | Response |
|---|
| What level of internal support is available for the IGA solution? | |
| What vendor support requirements exist? | |
| How should system updates and patches be managed? | |
| What change management processes must be followed? | |
| What is the expected system lifecycle? | |
| What is the backup and recovery strategy? | |
| How will configuration changes be managed across environments? | |
| What are the monitoring requirements for the solution? | |
Environment Requirements
| Environment | Purpose | Sizing | Availability | Data Refreshes |
|---|
| Development | | | | |
| Test/QA | | | | |
| Staging/Pre-Prod | | | | |
| Production | | | | |
Implementation Approach
| Question | Response |
|---|
| How should the transition from existing systems be managed? | |
| What data migration requirements exist? | |
| What are the key success criteria for the implementation? | |
| What are the training requirements for administrators and end users? | |
| What is your preferred order of application onboarding? | |
| What testing approach will be used (unit testing, integration testing, UAT)? | |
| Will you require a pre-production/staging environment? | |
| What is the change management strategy for the organization? | |
| What resources will your organization provide for the implementation? | |
| What post-implementation support arrangements are required? | |
Implementation Roles and Responsibilities
| Role | Responsibilities | Provided By |
|---|
| Project Manager | | |
| Business Analyst | | |
| IGA Architect | | |
| IGA Developer | | |
| System Administrator | | |
| Change Manager | | |
| Tester | | |
| Trainer | | |
Additional Requirements
| Question | Response |
|---|
| Are there any additional requirements not covered in previous sections? | |
| Are there any known constraints (budget, resources, timeline, technology)? | |
| Are there any organizational change management considerations? | |
| What future IGA capabilities should be considered for later phases? | |
Special Use Cases
| Use Case | Requirements | Priority |
|---|
| Temporary/Seasonal Workers | | |
| Mergers & Acquisitions | | |
| Contractors and Third Parties | | |
| Privileged Access Management | | |
| Emergency Access/Break Glass | | |
| Data Access Governance | | |
| Cloud Infrastructure Access | | |
API and Integration Requirements
| Question | Response |
|---|
| Do you need to expose identity data or functions via APIs? | |
| What systems will consume these APIs? | |
| Do you need to integrate with existing enterprise service bus or middleware? | |
| Do you require webhook capabilities for event notifications? | |
| What integration patterns are preferred (real-time, batch, event-driven)? | |
| Are there any specific API security requirements? | |
Appendix: Current State Assessment
Please provide information about your current identity management environment:
| Item | Description |
|---|
| Current identity management tools/systems: | |
| Current directory services: | |
| Current authentication systems: | |
| Known identity management pain points: | |
| Current provisioning processes: | |
| Current access request processes: | |
| Current access review processes: | |
| Current challenges with compliance: | |
| Documentation of current state (attach if available): | |