IT Management / Access Control
Granular, duty-level access control — group duties into profiles, grant or revoke them per user, route access requests for approval, and recertify on a schedule.
Instead of one blunt "admin" switch, access is built from individual duties — each tied to a module, object, and action, and flagged for sensitivity. Bundle duties into reusable profiles, assign them to people, handle one-off grant requests through an approval chain, and prove who has what with periodic recertification campaigns.
What you can do
Build access profiles
Group duties — picked from a per-module checklist, with high-sensitivity ones flagged — into a named profile like "Finance Clerk," then assign it to users.
Grant & revoke per user
Look up any user's effective access, then grant or revoke individual duties or whole modules — with an optional reason and expiry.
Process access requests
An inbox of requests for a duty, module, or profile — each with a business justification — that you approve, provision, or deny with a reason.
Route for sign-off
Requests move through states — requested, department-head approved, provisioned — so access is granted only after the right person signs off.
Run access reviews
Open a recertification campaign with a due date; reviewers go user-by-user and either certify or revoke each grant before the campaign closes.
Time-box access
Profile assignments and individual grants can carry an expiry, so temporary access doesn't quietly become permanent.
181-duty access catalog
Grant or revoke every module × function — 181 duties in all — by group or individual, so access maps exactly to what each role does.
Offboard & reassign
Disable a departing user's login and reassign their records to a successor in one step, so nothing is orphaned when someone leaves.
A typical workflow
- Define a profile — create one (e.g. "Finance Clerk") and tick the duties it needs from the per-module checklist.
- Assign it — give a user the profile, optionally with an expiry date.
- Handle exceptions — when someone needs one extra duty, they submit a request with a justification; it lands in the inbox.
- Approve & provision — a department head approves; an admin provisions, and the grant takes effect (or it's denied with a reason).
- Recertify periodically — open a campaign, review each user's duties and modules, and certify or revoke before closing it.
A closer look
An IT admin builds a "Finance Clerk" profile, leaving high-sensitivity duties unchecked, and assigns it to new hires. When a clerk needs the one extra duty to certify funds, they file a request with justification; the department head approves and the admin provisions it with a 90-day expiry. Each quarter a recertification campaign forces a fresh look, and anything no longer needed gets revoked. The catalog spans 181 duties across every module and function, so grants can be as broad as a profile or as narrow as one function; per-tenant strict-mode tightens the default to deny-by-default, and offboarding disables a leaver's login while reassigning their records to a named successor.
Staff:
/dashboard/itmanagement. Four tabs — Profiles, Users & Grants, Requests, and Recertification — sit on one page, sharing the tenant's duty catalog.Works with
IT Help Desk for the tickets that often trigger an access change · Documents for the policies and approvals behind each grant.