Overview
This article discusses the value of setting up access governance policies, and what capabilities Torii provides in this area. To read about how to set up these policies, click here.
In many organizations, access decisions happen across many systems and over time. People join teams, change roles, take on temporary responsibilities, or keep access they no longer need. As a result, access can drift away from what the organization intended.
This creates two common problems:
Some users end up with more access than they should have.
Some users are missing access they should have in order to do their jobs.
Torii's Access Governance feature is designed to solve both. It gives admins a structured way to define access intent per app and account, and then surfaces deviations when actual access no longer matches that intent.
What is access governance? Why is it important?
Access Governance is the practice of defining who should have access to which apps and roles, then continuously monitoring for gaps between that intended access and what users actually have.
Access governance policies help teams improve security, strengthen compliance, and reduce manual overhead. They provide value in three main areas:
Clear access expectations
Admins can define which groups of users should automatically have access, are allowed to have access, or should not have access to a given app role.
Continuous visibility
Torii continuously checks enabled policies and identifies users whose access is out of policy, so teams do not need to rely only on periodic reviews.
Faster investigation and remediation
When a deviation is found, Torii shows what happened and why, making it easier to understand the issue and decide what to do next.
Access Governance in Torii
Access Governance in Torii provides a new way to govern access continuously instead of relying only on manual review. It includes:
A central place to create and manage access governance policies
A centralized view of policy deviations across your organization
You can use the feature to:
Define intended access for key apps and roles
Monitor for over-privileged and under-privileged users
Investigate deviations from one central place
Manage mover use cases that require delayed privilege removal.
Automatically assign tasks for app owners to fix policy deviations and follow up on them.
Build a stronger access governance process over time
Access Policies are especially useful for teams that want clearer access standards, better visibility into access drift, and a more proactive security and compliance posture.
How Access Governance Policies work
An access governance policy defines the intended access for a specific app and account combination.
When creating a policy, you choose:
The app and account the policy applies to
The role(s) or access level(s) you want to govern
The user group(s) the policy applies to
The access type for each group
The available access types are:
Allowed
Users in the selected group are permitted to have this access.
Birthright
Users in the selected group should automatically have this access.
Denied
Users in the selected group should not have this access.
Once a policy is enabled, Torii continuously checks whether actual app access matches the policy definition. If Torii finds a mismatch, it records a policy deviation.
Access governance policies can cover apps with a connected integration, at the app-role level, or apps governed via an IDP group (including non-integrated apps discovered via the IDP).
Please note that access requests and app catalog behavior are not governed by Access Governance at this stage, aside from shared groups.
How Access Governance Supports Mover Use Cases
With Access Governance policies, you can easily set what the correct state is for each user's position. This sets the standard from which Torii detects any deviations.
Additionally, you can define Torii access governance policies to include a grace period: a configurable time frame that starts when a user no longer meets an access policy due to a change in their attributes (a “mover” event).
Instead of immediately marking the user as out of policy, Torii keeps them temporarily in policy for a defined period of time. This allows employees who transition between roles, departments or projects to retain their previous access levels and finish, clean up or pass on tasks they are currently engaged with, while also immediately receiving required access based on their new position. You can read more about Torii's grace period here.
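The evaluation described in the two sections above, as an added example that is not Torii's code: a toy checker that applies Allowed, Birthright and Denied rules to a user's group membership and held roles, records over- and under-privileged deviations, and keeps a recent mover in policy until the grace period elapses. It assumes that Denied overrides the other access types, that a held role no rule covers counts as a deviation, and that the grace period applies only to that last case; the app, account, group and user names are constructed.

```python
# Added example, not Torii's code: a minimal model of how access governance
# policies are evaluated against observed access, with a mover grace period.
# App, account, group and user names are constructed for illustration.
from dataclasses import dataclass
from datetime import date, timedelta
@dataclass
class Policy:
    app: str
    account: str
    role: str
    rules: dict           # group -> "allowed" | "birthright" | "denied"
    grace_days: int = 0   # mover grace period before a lost entitlement counts
@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset
    access: frozenset                       # (app, account, role) tuples held
    group_changed: "date | None" = None     # date of the last "mover" event

def evaluate(policy: Policy, user: User, today: date) -> "str | None":
    """Return a deviation reason for one user against one policy, or None."""
    held = (policy.app, policy.account, policy.role) in user.access
    types = {policy.rules[g] for g in user.groups if g in policy.rules}
    if "denied" in types:  # assumption: Denied wins over Allowed/Birthright
        return "over-privileged: member of a denied group" if held else None
    if "birthright" in types and not held:
        return "under-privileged: birthright access missing"
    if held and not types:
        # Assumption: a user no rule covers who holds the role and changed
        # groups recently stays in policy until the grace period elapses.
        if user.group_changed and today - user.group_changed <= timedelta(days=policy.grace_days):
            return None
        return "over-privileged: no rule permits this role"
    return None
def find_deviations(policies, users, today):
    # All deviations as (user, app, role, reason), in policy then user order.
    return [(u.name, p.app, p.role, r) for p in policies for u in users
            if (r := evaluate(p, u, today)) is not None]

# Constructed sample data: one policy, five users in different situations.
SF = ("Salesforce", "prod", "Admin")
TODAY = date(2024, 6, 1)
POLICIES = [Policy(*SF, rules={"sales-ops": "birthright", "sales": "allowed",
                               "contractors": "denied"}, grace_days=14)]
USERS = [
    User("alice", frozenset({"sales-ops"}), frozenset()),        # birthright missing
    User("bob", frozenset({"sales"}), frozenset({SF})),          # in policy
    User("carol", frozenset({"contractors"}), frozenset({SF})),  # denied but holds role
    User("dave", frozenset({"engineering"}), frozenset({SF}), TODAY - timedelta(days=5)),   # mover in grace
    User("erin", frozenset({"engineering"}), frozenset({SF}), TODAY - timedelta(days=30)),  # grace expired
]
```

Running `find_deviations(POLICIES, USERS, TODAY)` reports alice (under-privileged), carol and erin (over-privileged) while dave stays in policy for another nine days.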