Brown M&Ms and Periodic User Access Reviews

March 3, 2015


Many of my clients repeatedly struggle with conducting effective user access reviews.  Assuming that the reviews provide the right information, business users either don’t complete the review in a timely fashion or complete it so fast that IT questions whether it was reviewed at all.  So, what can you do about it?

First, establish a consequence for non-compliance.  I have a few clients that will disable unreviewed accounts after the deadline has passed and will only re-enable the access once the appropriate manager has completed the review.  Unfortunately, this process has the side effect of reviewers approving the access without adequately reviewing it.

That is where the brown M&Ms come in.  As part of concert tours, bands’ contracts with their promoters include detailed “riders,” which are specific instructions about how to prepare the venue for the concert in a way that makes the most of the band’s resources and minimizes risks to the band, crew, and audience.  Back in the 70s, rock band Van Halen had a requirement in their rider that many saw as an example of excess but that actually served an important purpose.  The rider required that a big bowl of M&M candies be present backstage, and it also banned all brown M&Ms from backstage.  Seems ridiculous, right?  In actuality, the brown M&Ms were Van Halen’s canary in the coal mine.  If they saw brown M&Ms in the bowl backstage, they knew that the promoter hadn’t thoroughly reviewed the rider and that other (much more dangerous) things could be wrong, so the band would immediately check everything else in the rider or, worse, cancel the concert.  ( has even more insights; read the full story here.)

If your IT department has issues with reviews being performed incompletely, consider adding a brown M&M or two to each user’s listing: add the name of a terminated employee or your favorite film star to each reviewer’s listing.  (Be sure to keep track of what names/access you’re adding to the list for audit purposes.)  When you get the listing back, check to see if the reviewer caught the brown M&M.  If they didn’t, you know that they didn’t review the access thoroughly and you can circle back for additional follow-up.
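As an added illustration (not code from the original post), here is one way to automate the seeding and the check: canary rows are inserted into a reviewer’s listing, every seeded row is written to an audit log, and the returned decisions are scored so that an unrevoked canary marks the review as not thorough and canary rows are stripped before any approval is applied.  The user names, entitlements and the approve/revoke decision format are constructed for the example.

```python
# Added example, not from the original post: seed "brown M&M" canary rows into an
# access review listing and check whether the reviewer caught them. Names,
# entitlements and the decision format are constructed for illustration.
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Entry:
    user: str
    entitlement: str
    canary: bool = False  # set only on seeded rows; the reviewer never sees it


# Constructed listing for one reviewer, plus canaries: a terminated employee
# and a film star, as the post suggests.
LISTING = [Entry("alice", "GL_Posting"), Entry("bob", "AP_Approve"),
           Entry("carol", "Payroll_Read")]
CANARIES = [("dave_terminated", "AP_Approve"), ("h_ford", "GL_Posting")]


def seed_canaries(listing, canaries, rng):
    """Insert canary rows at random positions; return (seeded, audit_log).
    The audit log records exactly what was added, so every seeded row can be
    stripped before any access is applied and auditors can reconstruct it."""
    seeded, audit_log = list(listing), []
    for user, ent in canaries:
        seeded.insert(rng.randrange(len(seeded) + 1), Entry(user, ent, canary=True))
        audit_log.append((user, ent))
    return seeded, audit_log


def evaluate_review(seeded, decisions):
    """decisions maps (user, entitlement) -> "approve" | "revoke".
    A canary that was not revoked means the reviewer did not really look.
    Returns missed canaries, undecided rows, a thoroughness verdict and the
    approvals with canaries stripped (a canary row must never be provisioned)."""
    key = lambda e: (e.user, e.entitlement)
    missed = [key(e) for e in seeded if e.canary and decisions.get(key(e)) != "revoke"]
    unreviewed = [key(e) for e in seeded if key(e) not in decisions]
    approved = {key(e) for e in seeded
                if not e.canary and decisions.get(key(e)) == "approve"}
    return {"missed_canaries": missed, "unreviewed": unreviewed,
            "thorough": not missed and not unreviewed, "approved": approved}


if __name__ == "__main__":
    seeded, log = seed_canaries(LISTING, CANARIES, random.Random(2015))
    rubber_stamp = {(e.user, e.entitlement): "approve" for e in seeded}
    print(evaluate_review(seeded, rubber_stamp))  # thorough False, 2 missed canaries
```

A reviewer who rubber-stamps every row leaves both canaries approved and is flagged for follow-up, while the real approvals are still available with the seeded rows removed.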

How about your organizations?  What do you do to make sure your access reviews are complete and accurate?