Fortra
Access Assurance Suite (AAS)
Identity Governance and Administration · Category 2. IAM · Tier 2
CL Listed — Visible
Methodology v3.5 · OLIR Schema
April 2026
Evaluation Tier: Visible (Listed) → Verified (CAE) → Enterprise (EEE)
Layer 1-2 only · Documentary assessment · All capabilities vendor-claimed
⚡ Executive Summary · 30-second read
What it is
Access Assurance Suite (AAS) is an enterprise-grade Identity Governance and Administration (IGA) platform. It centralizes the management of user identities and access rights across hybrid environments, providing automated provisioning, self-service access requests, and continuous compliance reporting.
Best for
Identity Lifecycle Management (Joiner-Mover-Leaver), Separation of Duties (SoD) analysis, and Access Certification. Ideal for highly regulated industries like finance and healthcare requiring strict control over 'who has access to what'.
What it does NOT do
Not a Privileged Access Management (PAM) tool (no privileged session recording), not a Web Application Firewall (WAF), and not an SSO/IdP provider, though it integrates with them. It covers governance (IGA): who should hold which access and whether they still need it. It does not cover the runtime authentication layer (SSO/MFA), which is Access Management.
CL Recommendation
AAS is a mature and stable IGA choice for organizations moving away from manual spreadsheets to automated identity governance. Critical for SOX audits and PCI DSS Req. 7. Combine with a PAM tool (Cat. 3) and an IDP (Cat. 1) for a complete Zero Trust identity architecture.
⚖ Regulatory Fit · per-regulation verdict
SOX
~25% of internal controls
✔ Strong — Section 404 (Access controls & Separation of Duties)
PCI DSS v4.0
~15% of requirements
✔ Strong — Req. 7.1, 7.2, 7.3 (Access based on business need)
DORA
~15% of obligations
● Moderate — Art. 9 (ICT Access rights & Identity management)
NIS2
~12% of Art. 21
● Moderate — Art. 21(2)(i) Human resources security, access control policies and asset management
GDPR
~12% of articles
● Moderate — Art. 32 (Security of processing & Access restriction)
HIPAA
~20% of provisions
✔ Strong — §164.308(a)(4) Information Access Management
Detailed regulatory mapping (OLIR format)
PCI DSS v4.0 (PROPRIETARY)
| Focal | Obligation | OLIR Rel. | Hub Ref | Rationale |
|---|---|---|---|---|
| Req. 7.2.1 | Define an access control model based on business and access needs, job function and least privilege | Direct | AC-2 / PR.AA-05 | Functional |
| Req. 7.2.2 | Assign access by job classification and function, with the least privileges necessary | Direct | AC-6 / PR.AA-05 | Functional |
| Req. 7.2.4 | Review all user accounts and related access privileges at least once every six months | Direct | AC-2 / PR.AA-05 | Functional |
DORA (OPEN_GOV)
| Focal | Obligation | OLIR Rel. | Hub Ref | Rationale |
|---|---|---|---|---|
| Art. 9(4)(c) | Limit physical and logical access to information and ICT assets to what approved functions require | Direct | AC-3 / PR.AA-05 | Functional |
| Art. 9(4)(c) | Policies, procedures and controls that address access rights and their sound administration (identity lifecycle) | Direct | AC-2 / PR.AA-01 | Functional |
ISO 27001:2022 (PROPRIETARY)
| Focal | Obligation | OLIR Rel. | Hub Ref | Rationale |
|---|---|---|---|---|
| A.5.16 | Identity management | Direct | AC-2 / PR.AA-01 | Functional |
| A.5.18 | Access rights (provisioning, review and removal) | Direct | AC-2, AC-6 / PR.AA-05 | Functional |
Articles without contribution omitted. Full OLIR mapping available in Audit Pack export.
🎯 Buyer Guidance · decision support
✔ Consider When
- + Requirement for SOX compliance and formal Separation of Duties (SoD) reporting
- + Manual access reviews are becoming unmanageable and prone to error
- + High volume of 'Joiner-Mover-Leaver' requests requiring automation
- + Need to consolidate identity visibility across legacy on-prem and cloud apps
- + Requirement for a risk-based approach to access certification
- + Audit findings related to over-privileged accounts or orphaned identities
❌ Avoid When
- − Primary need is SSO or MFA (Access Management vs Governance)
- − Small organization with simple identity needs (<200 employees)
- − Organization lacks a clear directory structure (LDAP/AD) to build upon
- − Budget-constrained teams looking for lightweight open-source tools
- − Looking for a tool focused purely on Privileged Users (PAM is better)
- − Requirement for deep Just-In-Time (JIT) access without full governance
⚙ Capabilities · 6 claimed · 2 groups · DR-2 Quality Tiers + Config Modifiers
Identity Governance (3 claimed, 0 partial, 0 absent)
✓ Access Certification
Automated workflow for managers to review and sign off on user access
Scope: Specific obligation · Modifier: Out-of-box
✓ SoD Policy Enforcement
Detects and prevents toxic combinations of access rights (entitlements that a single identity must not hold together)
Scope: Specific obligation · Modifier: Config change
✓ Risk-based Analysis
Prioritizes access reviews by the sensitivity of the resource
Scope: Control family · Modifier: Config change
Lifecycle Management (3 claimed, 0 partial, 0 absent)
✓ Automated Provisioning
Creation and removal of accounts across connected systems, driven by joiner, mover and leaver triggers
Scope: Specific obligation · Modifier: Config change
✓ Self-Service Access Request
User portal for requesting new applications or permissions, with approval flows
Scope: Generic control · Modifier: Out-of-box
✓ Password Management
Self-service password reset and synchronization across platforms
Scope: Generic control · Modifier: Out-of-box
🛡 MITRE ATT&CK Mapping · Layer 4, derived via SP 800-53
M1026
Privileged Account Management
Partial (claimed)
M1018
User Account Management
Full (claimed)
M1017
User Training
Partial (claimed)
Score: 3.8 / 5.0 (76%) — Focuses on preventing Privilege Escalation and Account Creation techniques through governance.
ATT&CK technique detail
| Technique | Name | How Addressed | Provenance |
|---|---|---|---|
| T1078 | Valid Accounts | IGA identifies orphaned accounts and removes stale access, shrinking the pool of valid accounts an attacker can abuse. | DERIVED via M1018 |
| T1098 | Account Manipulation | Monitors and alerts on unauthorized changes to account permissions and group memberships (changes made outside the approved request flow). | DERIVED via M1018 |
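As an added illustration (not Fortra's code, and not the product's connector output or rule format), the two governance checks behind the SoD Policy Enforcement capability above and the T1078/T1098 rows: entitlements are aggregated per HR identity across systems and checked against toxic-pair rules, the same rules are applied preventively at request time, and accounts are reconciled against an HR feed to surface ownerless and leaver accounts. The HR rows, account snapshot, entitlement names, rule tuples and function names are all constructed for the example.

```python
"""SoD toxic-combination detection and orphaned-account reconciliation.

Constructed illustration of the governance checks described in this listing.
Not Fortra AAS code: data, rule format and function names are hypothetical.
"""

# Constructed HR feed: the authoritative identity source. "terminated" is the
# leaver trigger that should drive deprovisioning.
HR_FEED = [
    {"employee_id": "E1001", "name": "Alice", "status": "active"},
    {"employee_id": "E1002", "name": "Bob", "status": "terminated"},
    {"employee_id": "E1003", "name": "Carol", "status": "active"},
]

# Constructed entitlement snapshot, as a connector might collect it from
# several target systems. "owner" links an account back to an HR identity.
ACCOUNTS = [
    {"account": "alice", "system": "ERP", "owner": "E1001",
     "entitlements": {"AP_CREATE_VENDOR"}},
    {"account": "alice.pay", "system": "Payments", "owner": "E1001",
     "entitlements": {"AP_APPROVE_PAYMENT"}},
    {"account": "bob", "system": "ERP", "owner": "E1002",
     "entitlements": {"GL_POST"}},
    {"account": "carol", "system": "AD", "owner": "E1003",
     "entitlements": {"Domain Users"}},
    {"account": "svc_legacy", "system": "AD", "owner": None,
     "entitlements": {"Domain Admins"}},
]

# SoD ruleset: (entitlement A, entitlement B, business rule). No single
# identity may hold both entitlements of a pair at the same time.
SOD_RULES = [
    ("AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT", "vendor creation + payment approval"),
    ("GL_POST", "GL_APPROVE", "journal posting + journal approval"),
]


def entitlements_by_identity(accounts):
    """Union the entitlements of every account owned by the same HR identity.

    SoD must be evaluated per person across systems: Alice's two accounts are
    each clean on their own and only conflict once aggregated.
    """
    agg = {}
    for acct in accounts:
        if acct["owner"] is None:
            continue  # ownerless accounts are reported by the orphan check
        agg.setdefault(acct["owner"], set()).update(acct["entitlements"])
    return agg


def find_sod_violations(accounts, rules):
    """Detective control: every identity currently holding a toxic pair."""
    violations = []
    for identity, held in sorted(entitlements_by_identity(accounts).items()):
        for left, right, label in rules:
            if left in held and right in held:
                violations.append({"identity": identity, "rule": label,
                                   "pair": (left, right)})
    return violations


def would_violate(accounts, rules, identity, requested):
    """Preventive control for an access request: which rules would granting
    `requested` to `identity` break, given what that identity already holds?"""
    held = entitlements_by_identity(accounts).get(identity, set())
    hits = []
    for left, right, label in rules:
        if (requested == left and right in held) or (requested == right and left in held):
            hits.append(label)
    return hits


def find_orphaned_accounts(hr_feed, accounts):
    """Reconcile accounts against HR. An account is orphaned when its owner is
    unknown to HR or has left; both are the stale valid accounts behind T1078."""
    known = {row["employee_id"] for row in hr_feed}
    active = {row["employee_id"] for row in hr_feed if row["status"] == "active"}
    orphans = []
    for acct in accounts:
        owner = acct["owner"]
        if owner is None or owner not in known:
            reason = "no HR owner"
        elif owner not in active:
            reason = "owner terminated"
        else:
            continue
        orphans.append({"account": acct["account"], "system": acct["system"],
                        "reason": reason})
    return orphans


if __name__ == "__main__":
    for v in find_sod_violations(ACCOUNTS, SOD_RULES):
        print("SOD VIOLATION", v)
    for o in find_orphaned_accounts(HR_FEED, ACCOUNTS):
        print("ORPHAN", o)
    print("request GL_APPROVE for E1002 ->",
          would_violate(ACCOUNTS, SOD_RULES, "E1002", "GL_APPROVE"))
```

The point a buyer should take from this is in `entitlements_by_identity`: an SoD engine that evaluates accounts one at a time, or one target system at a time, misses exactly the cross-platform conflicts the listing's "cross-platform analysis" strength refers to, and the orphan check is only as good as the HR feed it reconciles against (the "requires high quality source data" caution below).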
📄 Evidence Pack · DR-2 §5.1, proof of value
✔Access Review Reports
Historical logs of certifications with timestamps and approver details.
✔SoD Violation Logs
Audit trails of detected and mitigated policy violations.
✔Provisioning Audit Logs
Detailed records of account creation, modification, and deletion events.
Evidence level: Documentary review only (CL Listed). For verified evidence, upgrade to CAE (Examine + Interview) or EEE (+ Test).
⏱ Operational Metrics & Anti-Hype · DR-2 §5.1 + §9.2
| Metric | Standard Governance | Full Enterprise IGA |
|---|---|---|
| Implementation | 3-6 months | 6-12 months |
| FTE required | 0.5-1 FTE | 1.5-3 FTE |
Time to first value: week 4-8 (initial identity discovery and automation of manual reviews)
Time to production: month 6-9 (full automation of the top 10 core applications and SoD rules)
Anti-Hype: Marketing vs. Reality
| Marketing claim | Reality | Verdict |
|---|---|---|
| Full identity automation in days | Connecting complex legacy systems requires custom connectors and deep data cleansing. Rapid value is realistic only for standard AD and SaaS applications. | Misleading |
| Eliminate identity risk entirely | Governance tools manage the known world. Shadow IT and unmanaged accounts stay outside their scope unless a discovery process feeds them in. | Partial |
| AI-driven role mining | AI can suggest candidate roles, but human verification is essential; otherwise existing over-broad permissions are rubber-stamped into the new roles. | Partial |
⚖ Strengths & Cautions
✔ Strengths
- + Deep history in IGA with mature features for compliance-heavy environments
- + Strong SoD (Separation of Duties) engine with cross-platform analysis
- + Comprehensive connectors for both mainframe (Legacy) and cloud environments
- + Risk-based governance that focuses auditor attention on critical assets
- + User-friendly self-service portal for business users to request access
- + Integrated password management and identity lifecycle automation
⚠ Cautions
- ! Implementation complexity can be high for heavily customized environments
- ! On-premise deployment requires significant infrastructure management
- ! Reporting engine may require training to build custom complex audit views
- ! Less focus on 'modern' lightweight IGA (not a SaaS-only player)
- ! Requires high quality source data (HR files) to be effective
- ! All capabilities VENDOR-CLAIMED (no CL independent testing)
📈 Competitive Positioning · Category 2, IAM
| Capability | Access Assurance Suite (AAS) | SailPoint | Saviynt | One Identity |
|---|---|---|---|---|
| Governance & Certification | ✔ | ✔ | ✔ | ✔ |
| SoD Analysis | ✔ | ✔ | ✔ | ✔ |
| Cloud-Native (SaaS) | ● | ✔ | ✔ | ● |
| Legacy Connectors | ✔ | ✔ | ● | ✔ |
Competitive data based on public information. CL has not evaluated these alternatives — for detailed assessment, see individual CL Listings.
📑 Framework Views · Hub: CSF 2.0 + 800-53r5 + ISO 27001
NIST SP 800-53, CSF 2.0, ISO 27001 mapping tables
NIST CSF 2.0
| Function | Subcategory | Contribution | Provenance |
|---|---|---|---|
| PROTECT | PR.AA-01 Identities and credentials for authorized users, services and hardware are managed | direct | DERIVED via DORA Art. 9(4)(c) |
| PROTECT | PR.AA-05 Access permissions, entitlements and authorizations are defined, managed, enforced and reviewed (least privilege, separation of duties) | direct | DERIVED via PCI DSS Req. 7.2 |
Vendor Security Practices (SSDF / CRA)
| SSDF ID | Practice | Status |
|---|---|---|
| PW.1 | Design software to meet security requirements and mitigate security risks (risk-based secure design) | Claimed |
| RV.1 | Identify and confirm vulnerabilities on an ongoing basis (including a vulnerability disclosure intake) | Claimed |
Compliance Labs · Software Listing v3.5 · OLIR Schema
Hub: CSF 2.0 ↔ 800-53r5 ↔ ISO 27001 · April 2026