User Access Lifecycle
Step-by-step procedures for managing the full user access lifecycle within the GRC-ITSM platform, from initial onboarding through offboarding.
Overview
Every change to user access within the authorization boundary follows a formal request and approval process. The GRC-ITSM platform manages this through User Access Request (UAR) tickets with a configurable approval workflow that produces the audit trail required by FedRAMP AC-2 (Account Management), AC-3 (Access Enforcement), AC-6 (Least Privilege), and CMMC AC.L2-3.1.1 / AC.L2-3.1.5. By default, this is a two-stage process (internal CAB review followed by organizational sign-off), but approval processes are highly customizable to suit your organization's needs.
1. Submit the User Access Request
User access requests are submitted through the Request Services page under the User Access Requests category.
Select the Access Track
Choose between the two access tracks based on the level of access being requested:
| Track | When to Use |
|---|---|
| Standard User Access | Regular user accounts with baseline permissions for day-to-day operations |
| Privileged User Access | Elevated or administrative accounts that carry additional risk and scrutiny under the principle of least privilege |
Select the Request Type
| Request Type | When to Use |
|---|---|
| New User Onboarding | A new user needs access to the environment. Provide the user's details, the access they need, and the justification for granting it |
| User Modification | An existing user's permissions, roles, or access scope needs to change. Document what is changing and why |
| User Offboarding | A user is departing or no longer requires access. All access must be revoked or disabled promptly |
Required Information
At minimum, the UAR should capture:
| Field | What to Provide |
|---|---|
| User Details | Name, role, and department of the user |
| Access Requested / Revoked | Specific systems, applications, or permissions being granted, modified, or removed |
| Justification | Why this access is needed, or why it is being changed or revoked |
| Access Level | Whether this is standard or privileged access |
Privileged Access Requires Extra Justification
Requests for privileged or administrative access are subject to stricter review. The justification should clearly explain why elevated access is necessary and why standard access is insufficient. This aligns with FedRAMP AC-6 and CMMC AC.L2-3.1.5 (Least Privilege).
For detailed portal screenshots, see the User Access Requests end-user guide.
2. Request Approval
Once the UAR is submitted, it enters the approval workflow. By default, this is a two-stage process:
Stage 1: CAB Review
The Change Advisory Board (CAB) reviews the request from a technical and compliance perspective:
- Is the requested access appropriate for the user's role?
- Does it follow the principle of least privilege?
- Are there any security concerns with granting this access?
CAB members can approve or reject via the platform or email notification.
Stage 2: Organizational Approval
After CAB approval, the request is forwarded to the designated end user with the Access Approver role. This is a user role (not an agent role) assigned to the appropriate point of contact who has authority to authorize access changes.
The Access Approver reviews and approves through the self-service portal or email, confirming that management authorizes the access change. Note that approval processes are highly customizable; see the Approval Processes admin guide for configuration details.
Access Approver Role
The Access Approver role is configured in the platform and should be assigned to the POC who has authority to approve access decisions - typically a manager, ISSO, or similar role. See Approval Processes for configuration details.
3. Fulfill the Request
After both approval stages are complete, the agent fulfills the request:
New User Onboarding
- Provision the user account according to the approved request
- Configure permissions and roles as specified
- Document what was provisioned via private notes on the UAR ticket
- Verify the user can access the systems and applications listed in the request
User Modification
- Adjust the user's permissions, roles, or access scope as approved
- Document what was changed via private notes on the UAR ticket
- Verify the modifications are in effect
User Offboarding
- Disable or remove the user's access across all systems listed in the request
- Revoke any privileged access immediately, including any shared or service credentials the user had access to, and terminate active sessions so that revocation takes effect without waiting for a session to expire
- Document the actions taken via private notes on the UAR ticket
- Verify the user can no longer access any previously granted systems
Offboarding Timeliness
Access revocation for departing users must be completed within the organization-defined time period set for FedRAMP PS-4 (Personnel Termination). Every hour between separation and revocation is a window in which a former user's credentials still work, and a late revocation is a documented compliance gap. Prioritize offboarding requests accordingly.
4. Close the Request
Once fulfillment is complete and verified:
- Record the outcome on the UAR ticket (access granted, modified, or revoked as requested)
- Add any relevant evidence (screenshots of provisioned access, confirmation of account deactivation, etc.)
- Close the ticket
The closed UAR becomes the audit evidence that the access change was formally requested, justified, approved through every configured stage (both stages in the default workflow), and executed.
Periodic Access Reviews
Beyond individual UAR tickets, the platform supports periodic access reviews to ensure ongoing compliance with access control requirements.
The User Access Area in the agent application provides a centralized view of all UARs across the organization, organized by status:
- New Requests - newly submitted UARs awaiting action
- Account Creation - onboarding requests in progress
- Account Modification - modification requests in progress
- Account Termination/Disable - offboarding requests in progress
- Privileged Access - requests involving elevated access
SLA tracking surfaces UARs that are breached, past due, or approaching their target date, ensuring requests don't stall in the pipeline.
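What a reviewer actually does with that view during a periodic access review, and when verifying an offboarding under step 3, is reconcile the access that exists against the access that closed UARs approved. The following is an added example of that reconciliation; it is not platform code and does not use any platform API. The `Account` and `UAR` records, the ticket identifiers (UAR-101 and so on), the user names and the system names are all constructed sample data, and the three finding categories are this example's own choice. It replays closed tickets in closing order to derive the approved state, then flags enabled accounts with no approved UAR, accounts still enabled after a closed offboarding, and privileged accounts that were only approved on the Standard User Access track.

```python
"""Access-review reconciliation over constructed sample data (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Account:
    """One account as exported from a target system (constructed record)."""
    user: str
    system: str
    enabled: bool
    privileged: bool


@dataclass(frozen=True)
class UAR:
    """One User Access Request ticket (constructed record)."""
    ticket: str
    user: str
    request_type: str             # "onboarding" | "modification" | "offboarding"
    track: str                    # "standard" | "privileged"
    granted: tuple = ()           # systems added by this request
    revoked: tuple = ()           # systems removed by a modification request
    status: str = "open"          # only "closed" tickets count as executed
    closed_on: Optional[date] = None


def approved_access(uars):
    """Replay closed tickets in closing order.

    Returns (approved, offboarded): approved maps user -> {system: track};
    offboarded is the set of users whose most recent closed ticket was an
    offboarding (a later onboarding clears the flag, e.g. a rehire)."""
    approved, offboarded = {}, set()
    closed = sorted((t for t in uars if t.status == "closed"),
                    key=lambda t: t.closed_on)
    for t in closed:
        if t.request_type == "offboarding":
            approved.pop(t.user, None)      # every system is revoked
            offboarded.add(t.user)
            continue
        offboarded.discard(t.user)
        per_user = approved.setdefault(t.user, {})
        for s in t.revoked:
            per_user.pop(s, None)
        for s in t.granted:
            per_user[s] = t.track           # the track the access was approved on
    return approved, offboarded


def review_findings(accounts, uars):
    """Return (user, system, finding) for each enabled account that does not
    match the state approved by the UAR history. Disabled accounts are skipped
    because they are not live access."""
    approved, offboarded = approved_access(uars)
    findings = []
    for a in accounts:
        if not a.enabled:
            continue
        granted = approved.get(a.user, {})
        if a.system not in granted:
            kind = ("enabled after offboarding" if a.user in offboarded
                    else "no approved UAR")
            findings.append((a.user, a.system, kind))
        elif a.privileged and granted[a.system] != "privileged":
            findings.append((a.user, a.system, "privileged access on standard track"))
    return findings


# Constructed sample data: alice's jira access was revoked by a modification
# ticket, her prod-db account is privileged but was approved on the standard
# track, bob was offboarded, and carol's onboarding ticket is still open.
SAMPLE_ACCOUNTS = [
    Account("alice", "jira", True, False),
    Account("alice", "prod-db", True, True),
    Account("alice", "vpn", True, False),
    Account("bob", "jira", True, False),
    Account("carol", "vpn", True, False),
    Account("dave", "vpn", False, False),
]
SAMPLE_UARS = [
    UAR("UAR-101", "alice", "onboarding", "standard", granted=("jira", "prod-db"),
        status="closed", closed_on=date(2024, 1, 8)),
    UAR("UAR-130", "alice", "modification", "standard", granted=("vpn",),
        revoked=("jira",), status="closed", closed_on=date(2024, 3, 1)),
    UAR("UAR-140", "bob", "onboarding", "standard", granted=("jira",),
        status="closed", closed_on=date(2024, 2, 1)),
    UAR("UAR-202", "bob", "offboarding", "standard",
        status="closed", closed_on=date(2024, 6, 3)),
    UAR("UAR-250", "carol", "onboarding", "standard", granted=("vpn",)),
]

if __name__ == "__main__":
    for user, system, kind in review_findings(SAMPLE_ACCOUNTS, SAMPLE_UARS):
        print(f"{user:6} {system:8} {kind}")
```

Each finding maps back to a ticket the reviewer should open: "no approved UAR" needs either a retroactive User Modification request or removal, "enabled after offboarding" is a PS-4 gap to close immediately, and "privileged access on standard track" means the elevated permissions were never justified under the Privileged User Access track. Replaying closed tickets rather than trusting a current-state snapshot is what ties each live account to the approval that should exist for it.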
Compliance Context
Periodic access reviews satisfy the review requirements within FedRAMP AC-2 (Account Management), which requires periodic review of accounts for compliance with account management requirements. For CMMC, this supports AC.L2-3.1.1 (Authorized Access Control) by ensuring ongoing validation that only authorized users retain access.
See the User Access Area overview for details on managing UARs as an agent.
Compliance Mapping
The user access lifecycle workflow satisfies the following control requirements:
| Control | What This Playbook Satisfies |
|---|---|
| FedRAMP AC-2 (Account Management) | Formal process for creating, enabling, modifying, disabling, and removing accounts with documented approval |
| FedRAMP AC-3 / CMMC AC.L2-3.1.1 (Access Enforcement) | Access granted only through an approved, documented process |
| FedRAMP AC-6 / CMMC AC.L2-3.1.5 (Least Privilege) | Users receive only the minimum access necessary; privileged access carries additional justification and review |
| FedRAMP PS-4 (Personnel Termination) | Timely revocation of access upon separation, documented through the offboarding UAR |
| FedRAMP PS-5 (Personnel Transfer) | Access reviewed and adjusted when users change roles, documented through the modification UAR |
| FedRAMP AC-2(7) (Privileged User Accounts) | Privileged access managed through a separate track with role-based justification and stricter review; periodic access reviews support monitoring of privileged role assignments |