Discovery questions

Identity Governance and Administration (IGA) Project Discovery Questions

Workforce IAM / Identity Governance projects require an equal blend of technical and business skills. Before embarking on a project, it is important to define the business requirements and objectives in sufficient detail for the implementation team. Failure to do so can result in project overruns and failure. The sections below and the related topics provide a framework for initiating the requirements definition and planning of your project.

IAM projects are not trivial undertakings. They require time and sufficient planning. This framework is a place to start. The requirements process should be iterative and involve the appropriate team members. As the process evolves, questions not listed here will arise; these should be explored if they are relevant to the business.

Document Information

Project Name:
Date Prepared:
Document Version: 1.0

Project Drivers

Indicate the primary drivers for this project

Driver | Y/N | Comments
Automate user life cycle management | |
Compliance or regulatory requirements | |
Reduce operational costs | |
Improved security | |
Improved end-user experience and responsiveness | |
Replace current IAM solution | |
Other: | |

Organization Information

Company Information
Company Name:
Address:
City:
State/Province:
Zip/Postal Code:
Country:
Industry:
Company Size:

Primary Contact Details
Name:
Title:
Phone:
Email:
Department:

Project Stakeholders
Executive Sponsor:
IT Leader:
Security Leader:
Business Owners:
Other Stakeholders:

Project Overview

Project Background
What are the primary business objectives for this IGA implementation?
What are the key pain points with the current identity management processes?
Are there any specific compliance requirements driving this project?
What is your desired timeline for implementation?
Is this a new implementation or a replacement for an existing solution?
If replacing, what is the current solution and why is it being replaced?
What is the expected scope of the initial implementation phase?
Are there any constraints that might affect the implementation (budget, resources, integration limitations)?

OpenIAM-Specific Considerations

Question | Response
Will you be using OpenIAM's hosted solution or on-premises deployment? |
Do you have requirements for high availability or disaster recovery? |
What is your database preference for the OpenIAM repository? |
Do you plan to use the OpenIAM connector framework, or will custom connectors be required? |

User Population Assessment

User Demographics | Count
Total number of employees: |
Number of contractors/temporary workers: |
Number of B2B/B2C users: |
Number of concurrent users: |
Total number of identities to be managed: |
Geographical distribution of users: |
Projected annual growth rate: |
Peak user load expectations: |
Average number of applications per user: |
Expected number of daily provisioning transactions: |
Expected number of daily authentication events: |

User Types Definition

Please provide detailed information about each user type that will be managed in the IGA system. User types affect certain IAM processes and can also determine the attributes that the IAM system needs to capture.

User Type | Description | Authoritative Source | Custom Attributes
Employees | | |
Contractors | | |
Temporary Workers | | |
Service Accounts | | |
Privileged Accounts | | |
Partners | | |
Customers | | |
Other (specify): | | |

Identity Lifecycle Management

Authoritative Sources

For each authoritative source, provide a list of attributes and their meaning. Later, we will map these attributes to attributes in the OpenIAM data model.

Application Name: _

Field Name | Field Type / Description | Maps to OpenIAM Attribute
Example: FirstName | String - Person's first name | User.First_Name

Joiner Process

Question | Response
How are new users currently onboarded? |
What is the desired process for onboarding employees? |
What is the desired process for onboarding contractors? |
What is the desired process for onboarding other user types? |
What are the criteria for granting birthright access? (user type, persona, etc.) |
Are self-registration capabilities required? If yes, for which user types? |
What approval workflows are needed for user creation? |
Is identity proofing required? If so, how should it function for each type of user? |
How should emergency/temporary access be handled? |

Account/Attribute Generation Rules

Attribute | Generation Rule | Example
Account ID/Username | |
Email Address | |
Display Name | |
Other | |

Credential Delivery

User Type | Credential Delivery Method | Notes
Employees | |
Contractors | |
Other | |

Future Hire Processing

Question | Response
For employees with future hire dates, when should accounts be provisioned? |
When should accounts become active for future hires? |
What notifications should be sent, and to whom? |

Joiner Process Flow

Please provide a high-level description of the desired joiner workflow:

Mover Process

Question | Response
How are user transfers/role changes currently handled? |
What events should trigger access modifications (department change, manager change, etc.)? |
What approval workflows are required for role/permission changes? |
How should access reconciliation be handled during transfers? (retain old access, replace access, etc.) |
How are promotions handled with regard to access? |
How are demotions handled with regard to access? |
How should temporary role assignments be managed? |
How are additional responsibilities handled (e.g., acting manager during absence)? |

Position Change Attributes

Attribute | Should Monitor for Changes? | Notes
Job Title | |
Department | |
Manager | |
Location | |
Cost Center | |
Other | |

Special Cases

Scenario | Handling Process
Employee with no manager for a period |
Multiple position changes in short succession |
Temporary assignments |

Mover Process Flow

Please provide a high-level description of the desired mover workflow:

Leaver Process

Question | Response
How are terminations currently processed? |
What are the different termination scenarios to support? (voluntary, involuntary, retirement, etc.) |
What approval workflows are needed for different termination types? |
What is the desired timeline for access revocation for each termination type? |
How should emergency terminations be handled? |
What is the process for handling legal holds on terminated accounts? |
How should leaves of absence be handled? |
How should account retention/archiving be handled after termination? |
What is the policy regarding account deletion vs. disablement? |

Termination Types

Termination Type | Process | Timeline | Special Considerations
Voluntary resignation | | |
Involuntary termination | | |
Retirement | | |
Leave of absence | | |
Legal hold | | |
Other | | |

Account Disposition

System/Application | Action on Termination | Retention Period | Notes
Active Directory | | |
Email | | |
HR System | | |
Business Applications | | |

Reuse Policies

Item | Can be Reused? | Conditions/Timeframe
Account IDs | |
Email Addresses | |
Other | |

Leaver Process Flow

Please provide a high-level description of the desired leaver workflow:

Account Management

Question | Response
What is the desired account naming convention? |
What are the requirements for shared accounts? |
How should dormant/inactive accounts be handled? |
Are there any requirements for account expiration? |
How should orphaned accounts be identified and remediated? |

Birthright Access Definition

User Type/Category | Application | Role/Entitlement | Criteria

Access Request and Approval

Question | Response
How are access requests currently submitted and processed? |
What is the desired process for requesting access? |
Should access request capabilities be role-based, application-based, or both? |
What approval workflows are required for access requests? |
Should there be different approval paths based on risk level or sensitivity? |
What is the desired SLA for access request processing? |
Is delegation of approval authority required? |
How should emergency/break-glass access requests be handled? |

Service Catalog Structure

Define how the service catalog should be organized:

Top-Level Category | Sub-Categories | Applications/Services

Application-Specific Approval Workflows

Application/Service | Approver(s) | Approval Levels | SLA | Special Requirements

Role Management

Question | Response
Is role-based access control (RBAC) currently implemented? |
What types of roles are needed? (business roles, IT roles, application roles) |
How many roles are anticipated? |
How should role hierarchies be structured? |
What attributes should drive role assignment? (department, location, job title, etc.) |
How should role conflicts and segregation of duties be managed? |
What process should be used for role creation and maintenance? |
How frequently should roles be reviewed? |
Do you require role mining capabilities to identify common access patterns? |
Do you need to implement attribute-based access control (ABAC)? |
What organizational metadata will be used for dynamic role assignment? |
Do you require time-bound or temporary role assignments? |
Do you need to implement the principle of least privilege? If so, how? |

Business Role Definitions

Role Name | Description | Membership Criteria | Applications/Entitlements | Approver

Role Hierarchy

Please describe or diagram the desired role hierarchy structure:

User Access Certification and Review

Question | Response
Are access reviews/certifications currently performed? If yes, describe the process. |
What is the desired frequency of access certifications? |
Who should be responsible for certifying access? (managers, application owners, etc.) |
Should different certification schedules exist for different systems or risk levels? |
What remediation process should be followed for inappropriate access? |
How should certification exceptions be handled? |
What certification metrics should be tracked? |

Certification Campaigns

Campaign Type | Scope | Frequency | Reviewer | Remediation Process | Special Requirements
User-based | | | | |
Application-based | | | | |
Role-based | | | | |
Privileged access | | | | |

Access Review Manager

Campaign Type | UAR Manager | Responsibilities

Segregation of Duties (SoD)

Question | Response
Are SoD controls currently implemented? If yes, describe them. |
What critical business processes require SoD controls? |
What specific role or permission combinations should be restricted? |
Should SoD controls be preventive, detective, or both? |
How should SoD violations be remediated? |
Are there regulatory requirements for SoD? |

Authentication and Credentials

Authentication Methods

Question | Response
What authentication methods are currently in use? |
What authentication methods are desired? (password, MFA, biometrics, etc.) |
Are different authentication methods required for different user types or risk levels? |
What multi-factor authentication solutions are currently in use or desired? |
Are there any special authentication requirements for privileged users? |
Is adaptive/risk-based authentication desired? |

Password Management

Question | Response
What are the current password policies? |
What are the desired password complexity requirements? |
What should be the password expiration policy? |
How should password history be managed? |
What self-service password reset capabilities are needed? |
How should forgotten passwords be handled? |
What identity verification is required for password resets? |
Do you need to synchronize passwords across multiple systems? |
Are there different password policies for different user types or systems? |
Do you require passwordless authentication options? |
What are your requirements for privileged account password management? |
Do you need one-time password capabilities? |
What notifications are required for password-related events? |

Password Policy Details

Policy Element | Requirement | Notes
Minimum length | |
Character composition | |
Password history | |
Password age/expiration | |
Account lockout threshold | |
Lockout duration | |

Self-Service Password Reset Options

Verification Method | Enabled? | Configuration Details
Challenge questions | |
Email verification | |
SMS verification | |
Mobile app verification | |
Other | |

Single Sign-On and Federation

Question | Response
Is SSO currently implemented? If yes, describe the solution. |
What is the desired scope of SSO? |
What federation protocols are required? (SAML, OAuth, OpenID Connect, etc.) |
Will the IGA solution be the Identity Provider (IdP) or Service Provider (SP)? |

SSO Application Requirements

Application Name | SSO Protocol | Who Can Access | Attributes to be Passed | Special Requirements

Federation Count by Protocol

Protocol | Number of Applications
SAML 2.0 |
OAuth 2.0 |
OpenID Connect |
WS-Federation |
Form Fill |
Proprietary |

External Federation Requirements

External Entity | Role (IdP/SP) | Protocol | Trust Requirements | Attributes Exchanged

System Integrations

Authoritative Sources

System Name | Type | Purpose | Integration Method | Data to be Synchronized | Frequency

Target Systems

Please provide details for all systems that need to be integrated with the IGA solution:

System Name | Type | # of Instances | User Population | Integration Method | Provisioning Requirements | De-provisioning Requirements | Migrate Existing Users? | Migrate Groups/Roles?
Directory Services | | | | | | | |
Active Directory | | | | | | | |
Azure AD | | | | | | | |
Okta | | | | | | | |
Other LDAP | | | | | | | |
Cloud Applications | | | | | | | |
Microsoft 365 | | | | | | | |
Google Workspace | | | | | | | |
Salesforce | | | | | | | |
ServiceNow | | | | | | | |
Workday | | | | | | | |
SAP | | | | | | | |
Oracle | | | | | | | |
Other (specify) | | | | | | | |
Infrastructure Systems | | | | | | | |
Windows Servers | | | | | | | |
Linux/Unix Servers | | | | | | | |
Database Systems | | | | | | | |
AWS | | | | | | | |
Azure | | | | | | | |
GCP | | | | | | | |
Other (specify) | | | | | | | |
Custom Applications | | | | | | | |
Internal App 1 | | | | | | | |
Internal App 2 | | | | | | | |
Internal App 3 | | | | | | | |

Integration Challenges

Question | Response
Are there any systems with special integration requirements or limitations? |
Are there any legacy systems that may present integration challenges? |
Are there any disconnected/air-gapped systems that need to be considered? |
How should failed provisioning/de-provisioning operations be handled? |

Governance and Compliance

Regulatory Requirements

Question | Response
What regulatory frameworks must be supported? (SOX, GDPR, HIPAA, PCI-DSS, NIST, etc.) |
What are the specific identity management requirements for each applicable regulation? |
Are there industry-specific compliance requirements? |
What is the frequency of compliance audits? |

Reporting and Audit

Question | Response
What standard reports are required? |
What custom reports are required? |
Who are the primary consumers of reports? |
What audit log retention requirements exist? |
What alerting and notification requirements exist? |
Are there requirements for real-time monitoring? |
What compliance metrics need to be tracked? |

Specific Report Requirements

Report Type | Description | Audience | Frequency | Format | Delivery Method
User Access Reports | | | | |
Orphaned Account Reports | | | | |
Access Certification Reports | | | | |
SoD Violation Reports | | | | |
Authentication Reports | | | | |
Provisioning Activity Reports | | | | |
System Health & Performance | | | | |
Custom Reports (specify) | | | | |

Audit Requirements

Audit Type | Retention Period | Storage Location | Access Controls
User activity | | |
Admin activity | | |
Authentication events | | |
Access changes | | |
Policy changes | | |

Risk Management

Question | Response
How should high-risk access be identified and managed? |
Are there requirements for risk scoring of users or access? |
How should risk exceptions be managed? |
What controls are needed for privileged access? |
How should anomalous access patterns be detected and handled? |

User Experience and Self-Service

Question | Response
What self-service capabilities are required? (access requests, password reset, profile management, etc.) |
What is the desired user experience for the IGA portal? |
Are there any accessibility requirements? |
Are there any language/localization requirements? |
What mobile/responsive design requirements exist? |
What level of customization is desired for the user interface? |
Do you require a customized shopping cart experience for access requests? |
Do you need a mobile application for self-service functions? |
What self-service capabilities should be available for managers and application owners? |
Do you need delegation capabilities for approvals and administrative functions? |
What authentication options should be available for the self-service portal? |
What notifications do users need to receive about their access? |

Self-Service Capabilities by User Type

Capability | Employees | Managers | Contractors | External Users | Admin Users
Password Reset | | | | |
Profile Management | | | | |
Access Requests | | | | |
Account Unlock | | | | |
Approvals | | | | |
Delegation | | | | |
Reports | | | | |
Other | | | | |

Notification Requirements

Event | Recipients | Delivery Method | Content | Frequency

OpenIAM Implementation Considerations

Question | Response
Do you prefer to use OpenIAM's standard connectors or develop custom connectors? |
Will you use OpenIAM's workflow engine or integrate with an external workflow system? |
Do you need data migration tools for moving from legacy systems to OpenIAM? |
What level of customization is anticipated for the OpenIAM solution? |
Will you need integration with OpenIAM's mobile application? |
Do you require any specific OpenIAM add-on modules? |

Operational Requirements

Deployment Model

Question | Response
What is the preferred deployment model? (on-premises, cloud, hybrid) |
What are the scalability requirements? |
What are the availability/uptime requirements? |
What are the disaster recovery requirements? |
What are the performance requirements? |

Support and Maintenance

Question | Response
What level of internal support is available for the IGA solution? |
What vendor support requirements exist? |
How should system updates and patches be managed? |
What change management processes must be followed? |
What is the expected system lifecycle? |
What is the backup and recovery strategy? |
How will configuration changes be managed across environments? |
What are the monitoring requirements for the solution? |

Environment Requirements

Environment | Purpose | Sizing | Availability | Data Refreshes
Development | | | |
Test/QA | | | |
Staging/Pre-Prod | | | |
Production | | | |

Implementation Approach

Question | Response
How should the transition from existing systems be managed? |
What data migration requirements exist? |
What are the key success criteria for the implementation? |
What are the training requirements for administrators and end users? |
What is your preferred order of application onboarding? |
What testing approach will be used (unit testing, integration testing, UAT)? |
Will you require a pre-production/staging environment? |
What is the change management strategy for the organization? |
What resources will your organization provide for the implementation? |
What post-implementation support arrangements are required? |

Implementation Roles and Responsibilities

Role | Responsibilities | Provided By
Project Manager | |
Business Analyst | |
IGA Architect | |
IGA Developer | |
System Administrator | |
Change Manager | |
Tester | |
Trainer | |

Additional Requirements

Question | Response
Are there any additional requirements not covered in previous sections? |
Are there any known constraints (budget, resources, timeline, technology)? |
Are there any organizational change management considerations? |
What future IGA capabilities should be considered for later phases? |

Special Use Cases

Use Case | Requirements | Priority
Temporary/Seasonal Workers | |
Mergers & Acquisitions | |
Contractors and Third Parties | |
Privileged Access Management | |
Emergency Access/Break Glass | |
Data Access Governance | |
Cloud Infrastructure Access | |

API and Integration Requirements

Question | Response
Do you need to expose identity data or functions via APIs? |
What systems will consume these APIs? |
Do you need to integrate with an existing enterprise service bus or middleware? |
Do you require webhook capabilities for event notifications? |
What integration patterns are preferred (real-time, batch, event-driven)? |
Are there any specific API security requirements? |

Appendix: Current State Assessment

Please provide information about your current identity management environment:

Item | Description
Current identity management tools/systems: |
Current directory services: |
Current authentication systems: |
Known identity management pain points: |
Current provisioning processes: |
Current access request processes: |
Current access review processes: |
Current challenges with compliance: |
Documentation of current state (attach if available): |