Governance, Lifecycle & Audit
Approvals, reviews, lifecycle control, audit visibility, and policy-driven access change.
Audience: Security, compliance, and operating leads
Focus: Access governance and reviewability
Status: Public manual
What this area covers
Portal is not only a sign-in surface. It is also where lifecycle control, governed change, and access visibility become sustainable as a company grows.
Operational areas in scope
| Area | What operators need from it | Why it matters |
|---|---|---|
| Birthright access | A baseline access model that follows role or employment context | Normal onboarding should not depend on manual access triage |
| Access requests and approvals | A governed path for non-birthright or elevated access | Exceptions need to be deliberate, reviewable, and bounded |
| Lifecycle control | Joiner, mover, and leaver handling that keeps access current | Lifecycle failures create some of the most expensive identity risk |
| Reviews and recertification | Periodic validation of sensitive or changing access | Reviewability matters to both internal governance and external audit work |
| Guest and delegated administration | Controlled handling of non-standard access paths | Governance breaks quickly when guest access or admin delegation stays informal |
| Audit visibility | A legible trail of who granted, changed, or removed access | Access change needs to remain explainable long after the original request |
What operators are actually managing
- Establish how access is requested, approved, changed, and removed.
- Define birthright access so baseline access follows role or employment context without turning normal onboarding into a ticket queue.
- Run periodic review and lifecycle checks without losing the underlying identity context.
- Keep audit visibility attached to real access events and real operating decisions.
- Decide which roles, bundles, and access paths should require explicit approval and which should remain policy-driven.
- Keep guest, delegated, and elevated access from becoming a shadow governance model.
What this public manual area includes
- Birthright access and access-bundle design.
- Request, approval, and review flows for governed access.
- Joiner-mover-leaver control and delegated access administration.
- Audit visibility around access change and governed collaboration.
What healthy operation looks like
- Privileged or sensitive access changes are reviewable after the fact.
- Joiner, mover, and leaver activity follows a defined operating path rather than tribal knowledge.
- Baseline access is granted predictably through birthright policy instead of repetitive manual provisioning.
- Audit visibility supports Meridian and broader governance work without duplicate manual evidence collection.
Questions to pressure-test during evaluation
- Can the product distinguish clearly between birthright access and approval-driven access?
- Can a team explain how access reviews, bundle design, and lifecycle control fit together operationally?
- Will auditors, security leads, and platform operators all see the same access story after a quarter of real change?
- Can guest and delegated access be governed without inventing a second operating model outside Portal?
Where this connects inside Cadres
- Meridian uses Portal context to support access evidence, review state, and control validation.
- Keystone benefits from clear operator identity and governed business-system access.
- RMM can rely on governed operator access when service or endpoint control requires tighter boundaries.