Employees are typically added to a standard set of groups based on their job role and department when they first join an organization. As they gain more responsibility, are assigned to more projects, or transfer departments, they are added to additional groups to give them the access they need to do their work. Over time, these group memberships, and the access they grant, accumulate, and administrators must proactively examine group membership to determine whether the access is still appropriate and necessary.
The first step in a Group Governance program is to take a full inventory of all groups and their memberships and to determine the group owners. Stale groups or groups with no members should be cleaned up or archived.
Next, confirm ownership with the group owner. Responsibilities shift over time as projects and groups evolve. Confirming ownership is an important step to guarantee that the right business owners review group membership. Occasionally group ownership is difficult to determine, so checking with a business manager or department head may be required. You will also sometimes find groups that are no longer needed. In this case, delete or archive the group and document the change.
The designated group owner should now closely examine all group members to determine whether they should remain in the group. Special care should be taken when examining security group membership, as these groups often carry elevated or admin-level privileges and, if misused, represent a significant risk to the organization. Group owners should document all requested changes and communicate the adjustments to the AD team.
The AD team should now make any requested adjustments to group membership. Group members should be added or removed as recommended by the business owner, and all changes should be documented.
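An added example, not part of the original article, of how an AD team could produce the inventory for the first steps above: a PowerShell script using the RSAT ActiveDirectory module that lists every group with its owner, direct member count and staleness flags, and exports a membership file per security group for the owner's review. The search base OU, the 365-day staleness threshold and the output paths are assumed placeholders.

```powershell
# Added example (not from the original article). Requires the RSAT ActiveDirectory module
# and a domain context. The OU below is a placeholder; adjust it to your environment.
Import-Module ActiveDirectory

$searchBase = 'OU=Groups,DC=example,DC=com'   # placeholder search base
$reportPath = ".\group-inventory-$(Get-Date -Format yyyyMMdd).csv"
$staleDays  = 365                             # assumed threshold for "no change in a long time"

# Pull every group with the attributes needed to judge ownership and staleness.
$groups = Get-ADGroup -Filter * -SearchBase $searchBase `
    -Properties ManagedBy, Members, whenChanged, Description, GroupCategory

$inventory = foreach ($g in $groups) {
    # Resolve the owner DN to a readable name; an empty ManagedBy means no owner on record.
    $owner = if ($g.ManagedBy) {
        (Get-ADObject -Identity $g.ManagedBy -Properties DisplayName).DisplayName
    } else { $null }

    [pscustomobject]@{
        Name        = $g.Name
        Category    = $g.GroupCategory          # Security groups get the closer review
        MemberCount = @($g.Members).Count       # direct members only; a nested group counts as one entry
        Owner       = $owner
        LastChanged = $g.whenChanged
        Description = $g.Description
        # Flags that drive the clean-up conversation with the business owner
        IsEmpty     = (@($g.Members).Count -eq 0)
        NoOwner     = [string]::IsNullOrEmpty($g.ManagedBy)
        Stale       = ($g.whenChanged -lt (Get-Date).AddDays(-$staleDays))
    }
}

# Full inventory for the governance record.
$inventory | Sort-Object Category, Name | Export-Csv -Path $reportPath -NoTypeInformation

# Groups that need an owner assigned or a delete/archive decision before review can start.
$inventory | Where-Object { $_.IsEmpty -or $_.NoOwner -or $_.Stale } |
    Select-Object Name, Category, MemberCount, Owner, IsEmpty, NoOwner, Stale |
    Format-Table -AutoSize

# One membership file per non-empty security group, expanded through nested groups,
# so each owner can review the people who actually hold the group's access.
foreach ($g in $inventory | Where-Object { $_.Category -eq 'Security' -and -not $_.IsEmpty }) {
    $safeName = $g.Name -replace '[\\/:*?"<>|]', '_'   # strip characters invalid in file names
    Get-ADGroupMember -Identity $g.Name -Recursive |
        Select-Object Name, SamAccountName, objectClass |
        Export-Csv -Path ".\members-$safeName.csv" -NoTypeInformation
}
```

Get-ADGroupMember -Recursive can fail on very large groups or on members from trusted foreign domains; in that case fall back to walking the group's Members attribute directly.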