Access governance
Access governance: knowing who has access to what
In an environment where data breaches and compliance findings are increasingly common, access governance has become a core part of an organisation's security strategy. It is the discipline of managing and securing digital identities so that the right people hold the right access to the right resources at the right time, for a documented reason. This page explains what access governance involves, how ServiceChanger implements it, where the limits lie, and the practices that keep an IT environment both secure and auditable.
Access governance, security, and compliance evidence
Access governance is about answering one question with certainty: who has access to what, and why. ServiceChanger automates group and role memberships in Microsoft Entra ID and on-prem Active Directory using a deterministic attribute model. A single attribute value, such as department, job title, or location, maps to a defined set of groups and roles. Every assignment is recorded, so you keep a clear audit trail that links each attribute to the access it granted. This page explains how that model supports your security and compliance work without overpromising what software can deliver.
How attribute-to-group mapping works
ServiceChanger drives memberships from your user attributes across your hybrid directory:
- Attribute as the source of truth: One attribute value, for example department equals Finance, defines which groups and roles a user should hold. You define the mapping once and it applies to everyone who matches.
- Entra ID and on-prem Active Directory: Memberships are kept in sync across both directories using Entra ID dynamic membership rules for cloud groups, Entra Connect for directory synchronisation, and a PowerShell runbook on a Hybrid Runbook Worker for on-prem groups. Dynamic membership is a cloud-only feature, which is why on-prem groups need the runbook.
- Deterministic, not predictive: Access is granted by explicit mappings you control. There is no scoring, no machine learning, and no guesswork. The same input always produces the same memberships, and a membership that no mapping explains is drift, not access.
- Out of scope by design: ServiceChanger is not a privileged access management tool. By default it reacts to the attributes already in your directory and focuses on group and role membership. If you want to connect your HR system for onboarding and offboarding, we build that as custom work using automation accounts and runbooks in Azure.
Who has access to what: the access governance audit trail
The most common audit question is also the hardest to answer by hand: who has access to what, and which decision put them there. ServiceChanger records every membership change against the attribute value that triggered it, so you can reconstruct who had what access at any point in time. When an auditor asks why a user is in a group, you can show the mapping and the attribute that granted it rather than guessing. This who-had-what-when history is the practical core of access governance, and it removes the manual spreadsheet work that usually surrounds an access review.
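As an added illustration, and not ServiceChanger's own code, the following Python models the two ideas above: a deterministic attribute-to-group mapping reconciled against a user's current memberships, and an append-only trail that is replayed to answer who had what on a given date. The mapping table, the user "alice", the group names and the timestamps are all constructed sample data. It also does the check a reviewer wants before trusting such a trail: a membership that no mapping explains is logged and removed as drift rather than silently kept.

```python
from dataclasses import dataclass
from datetime import datetime, timezone, timedelta

# Constructed mapping: one (attribute, value) pair -> the groups it grants.
# A real deployment would load this from configuration, never from code.
MAPPING = {
    ("department", "Finance"): {"GG-Finance-Users", "APP-ERP-Readers"},
    ("department", "IT"): {"GG-IT-Users", "APP-Ticketing-Agents"},
    ("jobTitle", "Manager"): {"GG-Managers"},
    ("city", "Amsterdam"): {"GG-Office-AMS"},
}


@dataclass(frozen=True)
class AuditEntry:
    when: datetime
    user: str
    group: str
    action: str  # "add" or "remove"
    reason: str  # attribute=value (or baseline/drift) that explains the change


def desired_groups(attrs):
    """Return {group: reason}. The same attributes always yield the same groups;
    groups granted by several matching attributes are unioned."""
    out = {}
    for (attr, value), groups in MAPPING.items():
        if attrs.get(attr) == value:
            for g in sorted(groups):
                out.setdefault(g, f"{attr}={value}")
    return out


def _mapped_from(group):
    """Which attribute values could grant this group at all (for removal reasons)."""
    return [f"{a}={v}" for (a, v), gs in MAPPING.items() if group in gs]


def record_baseline(user, current, log, now):
    """Log memberships found before the first reconciliation, so the history
    reconstructs correctly for dates before the tool took over."""
    for g in sorted(current):
        log.append(AuditEntry(now, user, g, "add", "baseline: observed in directory"))


def reconcile(user, attrs, current, log, now):
    """Bring `current` to the desired state, logging one entry per change.
    Returns the new membership set."""
    desired = desired_groups(attrs)
    new = set(current)
    for g, reason in desired.items():
        if g not in new:
            log.append(AuditEntry(now, user, g, "add", reason))
            new.add(g)
    for g in sorted(set(current) - set(desired)):
        keys = _mapped_from(g)
        reason = ("no longer " + " or ".join(keys)) if keys else "drift: no mapping grants this group"
        log.append(AuditEntry(now, user, g, "remove", reason))
        new.discard(g)
    return new


def memberships_at(log, user, at):
    """Replay the trail up to `at` to answer 'who had what, when'."""
    held = set()
    for e in sorted(log, key=lambda e: e.when):
        if e.user == user and e.when <= at:
            (held.add if e.action == "add" else held.discard)(e.group)
    return held


def explain(log, user, group):
    """Reason recorded for the most recent change to this membership."""
    entries = [e for e in log if e.user == user and e.group == group]
    return max(entries, key=lambda e: e.when).reason if entries else None


def demo():
    """Constructed scenario: a Finance manager with one unexplained group
    is reconciled, then transfers to IT a month later."""
    log = []
    t0 = datetime(2024, 3, 1, tzinfo=timezone.utc)
    alice = {"department": "Finance", "jobTitle": "Manager", "city": "Amsterdam"}
    observed = {"GG-Finance-Users", "LegacyShare-RW"}  # LegacyShare-RW is drift
    record_baseline("alice", observed, log, t0)
    after_t1 = reconcile("alice", alice, observed, log, t0 + timedelta(hours=1))
    alice["department"] = "IT"  # one attribute change re-derives all her groups
    after_t2 = reconcile("alice", alice, after_t1, log, t0 + timedelta(days=30))
    return log, after_t1, after_t2


if __name__ == "__main__":
    trail, _, _ = demo()
    for e in trail:
        print(e.when.date(), e.user, e.action, e.group, "|", e.reason)
```

The point of `memberships_at` is that the log, not the directory, is the record: the directory only ever shows the present, while replaying the trail reproduces the state on any date an auditor asks about. The `explain` lookup answers "why is this user in this group" with the attribute value that granted it or, for a removal, the attribute value they no longer hold.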
Compliance frameworks: evidence, not a certificate
ServiceChanger does not make you compliant. It produces evidence that supports the access-control parts of common frameworks:
- GDPR / AVG accountability: The audit trail shows that access to personal data follows a documented mapping and the principle of least privilege, which supports the accountability (Article 5(2)) and security-of-processing (Article 32) obligations under the regulation.
- ISO 27001 access control: Membership records help you evidence controls A.5.15 (access control) and A.5.18 (access rights) of ISO/IEC 27001:2022, by showing how rights are granted, reviewed, and removed against attributes.
- NIS2 access obligations: For organisations in scope of NIS2, the who-had-what-when history supports access-control and accountability obligations during an assessment.
- What this is not: ServiceChanger is not an access-certification or recertification suite, and using it is not itself a compliance certification. It gives your auditors and security team verifiable records to work from.
Why attribute-driven memberships strengthen security
Manual group management drifts. People change roles, leave the team, or get one-off access that nobody remembers to revoke, and that drift is where security gaps appear. Because ServiceChanger drives memberships from attributes, a change to a user's department or job title automatically adjusts their groups and roles in Entra ID and on-prem Active Directory. Least privilege becomes the default state rather than a periodic cleanup project. The license module tracks usage so you can see assigned licenses against actual need, though it does not itself govern access. Together this gives a tighter, more consistent access posture that you can prove with the audit trail.
FAQs on access governance, security, and compliance
Does ServiceChanger make my organisation compliant?
No software makes you compliant, and ServiceChanger does not claim to. What it does is automate group and role memberships from attributes and keep a complete audit trail of which attribute granted which access. That who-had-what-when record is evidence your auditors and security team can use to demonstrate access controls under frameworks such as GDPR/AVG, ISO 27001, and NIS2. Compliance remains your organisation's responsibility; ServiceChanger removes the manual work of producing the access evidence behind it.
How does ServiceChanger decide who gets which access?
It uses a deterministic model, not scoring or prediction. You map an attribute value to a set of groups and roles, for example department equals Finance grants a defined list of memberships. Everyone whose attribute matches receives exactly that access, and the mapping is applied the same way every time.
- Attribute-driven: One attribute value, such as department, job title, or location, maps to a set of group and role memberships.
- Hybrid coverage: Memberships are kept in sync across Entra ID and on-prem Active Directory using dynamic membership rules, Entra Connect, and a PowerShell runbook on a Hybrid Runbook Worker.
- Fully auditable: Every change is recorded against the attribute that caused it, so you can always show why a user holds a given group or role.
Is ServiceChanger a PAM or identity lifecycle tool?
Privileged access management is an adjacent area that ServiceChanger does not cover, and it works alongside whatever PAM tooling you already run. It focuses on automating group and role memberships and the audit trail behind them. By default it reacts to the attributes already in your directory. If you want to connect your HR system for onboarding and offboarding, we build that as custom work using automation accounts and runbooks in Azure.
What evidence does ServiceChanger produce for an access review?
It produces a history of memberships tied to the attribute values that granted them, which answers the central access-review question directly:
- Who has access to what: A current view of which users hold which groups and roles across Entra ID and on-prem Active Directory.
- Why they have it: The mapping and attribute value that granted each membership, so access is explainable rather than assumed.
- Who had what, when: A point-in-time history so you can reconstruct access as it stood on any given date for an audit or investigation.
Put these models into practice
ServiceChanger turns one attribute value into the right set of groups and roles in Microsoft Entra ID and on-prem Active Directory. See how it works or read the deep dive.