
Access Control - Account Deactivation Timeliness

Description

This metric tracks the percentage of terminated user accounts that are disabled within defined timeframes, ensuring that departing employees or contractors do not retain unauthorized access to enterprise systems and data.

How we measure it

Monitor Okta user deactivation events (a user's status changing to DEPROVISIONED, or to SUSPENDED as an interim hold) and compare the time of that status change against the termination date recorded by HR. An account is compliant if it is disabled within the required timeframe, typically the same day or within 24 hours of termination; a terminated user whose Okta account is still ACTIVE counts as non-compliant until it is disabled.
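The comparison described above, as an added example rather than the metric's own model: it joins the Okta user table to an HR terminations source so that the lag being scored runs from the HR termination date to the Okta status change, and it surfaces terminated users who are still active or have no Okta account at all. The dbt model `hr_terminations` and its columns `employee_email` and `termination_date` are assumptions for illustration, as is the assumption that the HR e-mail address equals the Okta login; the `okta_users` columns are the ones the metric's own query uses.

```sql
-- Added example, not the metric's own model. Scores the lag from the HR
-- termination date to the Okta deactivation. Assumed (hypothetical) source:
-- hr_terminations(employee_email, termination_date), with HR e-mail == Okta login.
WITH terminations AS (
  SELECT
    LOWER(hr.employee_email) AS login,
    CAST(hr.termination_date AS DATE) AS termination_date
  FROM {{ ref('hr_terminations') }} AS hr
  -- Same 30-day look-back window as the metric's own query.
  WHERE CAST(hr.termination_date AS DATE) >= CURRENT_DATE - 30
),
okta AS (
  SELECT
    LOWER(users.profile.login) AS login,
    users.status AS status,
    CAST(users.status_changed AS DATE) AS status_changed
  FROM {{ ref('okta_users') }} AS users
),
scored AS (
  SELECT
    t.login,
    t.termination_date,
    o.status,
    CASE
      -- Disabled: lag is termination -> status change (negative if disabled early).
      WHEN o.status IN ('DEPROVISIONED', 'SUSPENDED')
        THEN o.status_changed - t.termination_date
      -- Still enabled (any other status): the lag is still running.
      ELSE CURRENT_DATE - t.termination_date
    END AS lag_days
  FROM terminations AS t
  -- LEFT JOIN keeps terminated users with no Okta account so they are not silently dropped.
  LEFT JOIN okta AS o ON o.login = t.login
)
SELECT
  login AS resource,
  'user' AS resource_type,
  CASE
    WHEN status IS NULL THEN 'no matching Okta account for terminated user'
    ELSE status || ' - ' || lag_days || ' days from HR termination to Okta status change'
  END AS detail,
  CASE
    -- Compliant only when the account was disabled within one day of termination.
    WHEN status IN ('DEPROVISIONED', 'SUSPENDED') AND lag_days <= 1 THEN 1
    -- Unmatched identities, still-active accounts and late deactivations all score 0.
    ELSE 0
  END AS compliance
FROM scored
```

Only terminated users appear in the result, so the denominator is the population the SLO is about rather than every recently changed Okta account. Because both dates are cast to DATE, the check is calendar-day granularity; to hold a strict 24-hour SLO, keep the HR termination time and `status_changed` as timestamps and compare the difference against an interval instead.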

Meta Data

| Attribute | Value |
|---|---|
| Metric id | ac_access_revoking |
| Category | Access Control |
| SLO | 98.00% - 99.00% |
| Weight | 0.9 |
| Type | control |

References

| Framework | Ref | Domain | Control |
|---|---|---|---|
| ISO 27001:2022 | A.5.17 | 5 Organizational controls | Authentication information |
| CIS 8.1 | 6.2 | Access Control Management | Establish an Access Revoking Process |
| NIST CSF v2.0 | PR.AA-05 | Identity Management, Authentication, and Access Control (PR.AA) | PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties |

Code

-- Scores Okta users whose status changed within the last 30 days.
-- Caveat: this query measures days since the Okta status change, not the lag
-- between the HR termination date and the deactivation described above, because
-- no HR source is joined here. A deactivation older than one day therefore
-- scores 0 for the rest of the 30-day window.
SELECT
  users.profile.login AS resource,
  'user' AS resource_type,
  users.status || ' - ' || 
  (CURRENT_DATE - CAST(users.status_changed AS DATE)) || ' days since status change' AS detail,
  CASE
    -- Deprovisioned or suspended within the last day counts as a timely revocation.
    WHEN users.status = 'DEPROVISIONED' 
         AND CURRENT_DATE - CAST(users.status_changed AS DATE) <= 1 THEN 1
    WHEN users.status = 'SUSPENDED' 
         AND CURRENT_DATE - CAST(users.status_changed AS DATE) <= 1 THEN 1
    -- Active users have nothing to revoke and are scored compliant.
    WHEN users.status = 'ACTIVE' THEN 1
    ELSE 0
  END AS compliance
FROM
  {{ ref('okta_users') }} AS users
WHERE
  users.status IN ('DEPROVISIONED', 'SUSPENDED', 'ACTIVE')
  -- 30-day look-back window; older status changes are out of scope.
  AND CURRENT_DATE - CAST(users.status_changed AS DATE) < 30