Episode 158 - GluuFederation/identerati-office-hours GitHub Wiki
Title: What Is Declarative IGA?
- Host: Mike Schwartz, Founder/CEO Gluu
- Guest: Brian Iverson, Identity analyst
- Guest: Manoj Kumar, Director, Pax Identity
Description
In this episode we’ll explore the shift from legacy role-based IGA toward a “what do we want done” mindset as proposed in the Declarative IGA Manifesto, and unpack what it really means to declare access outcomes rather than assign static roles. We’ll then dig into why relying on roles alone has been a flawed shortcut—drawing on the “I Was Wrong About Roles in IGA” critique—to show how policy-first thinking can yield clearer, faster governance. Finally we’ll map out practical steps to design a governance layer that handles dynamic context, multi-token inputs, and declarative policy enforcement rather than “role drift.”
Homework
- Declarative IGA Manifesto
- I Was Wrong About Roles In IGA
- Entitlements, Permissions and Authorization Constructs
- The vanishing contour of the IGA Business case
Takeaways
- ⚡ Imperative programming specifies how to perform a computation, the sequence of operations. Declarative programming specifies what the result should be, not the step-by-step method to achieve it; the runtime system determines how to compute the result. Brian asserts that today's IGA products are imperative, which seems like the easier approach at first but becomes harder to maintain over time as exceptions erode the initial simplicity.
- ⚡ Access reviews of static entitlements are a foundational weakness of IGA. Post-interview, Brian asserted that 80% of decisions could be made according to policy. We need to prioritize more efficiently what actually needs manual human review.
- ⚡ It's time to question the utility of Joiner-Mover-Leaver (JML). Systems should be smart enough to know that a person with a certain status should not have access. If the policies were correct, you wouldn't need to do anything when a person leaves.
- ⚡ Modern IGA is particularly bad at deriving risk (which is not surprising because IGA was built for compliance, before cybersecurity risk became existential). One of the challenges with risk calculation is IGA's focus on entitlements, an abstraction that can obscure the enterprise capability actually being accessed.