Challenge: Managing sprawling SaaS applications and access across a growing workforce.
Roku is a leading streaming platform and device manufacturer that provides consumers access to thousands of streaming channels and enables content publishers and advertisers to reach cord-cutters across its ecosystem.
As Roku scaled, it faced a familiar challenge: managing sprawling SaaS applications and access across a growing workforce. With thousands of employees and a diverse app stack, the IT and security teams were struggling with visibility into permissions and app use.
For Tristan Cary, Senior Manager of IT at Roku, answering “who has access to what” was not just difficult—it was nearly impossible. Vendors often obscure usage data, pressuring companies to buy more licenses without revealing true utilization. Even with 95% of licenses provisioned, real utilization might be closer to 40%, but that data was hard to access.
Roku also needed a clear framework for managing admin privileges. The company adopted a North Star policy of allowing only two global admins per application, a security measure crucial for maintaining SOX compliance and preventing unnecessary access. But enforcing this standard proved difficult.
Automation was another area of concern. While processes existed for access provisioning, they were clunky and unreliable, sometimes involving email chains that accidentally routed approvals to the CEO. This bottleneck led to long wait times—on average, 79 hours—for users to get access to the tools they needed.
With Lumos, Roku could see who was using what, at what tier, and whether their role justified that access. For example, a user with a Zoom Pro license who only attended meetings (and never hosted them) could be automatically downgraded to a free license, saving costs without impacting productivity.
The implementation of Lumos also enabled a streamlined app store experience. Using HRIS data from Workday, the Roku team configured birthright access based on department. A salesperson, for instance, would automatically get Salesforce access. Any additional requests followed a clear approval chain—first from the manager, then the app owner—eliminating the confusion and errors of the previous Microsoft-based system.
Lumos integrated with Roku’s existing tools like Sumo Logic for auditability, Slack for access requests, and even their security infrastructure to ensure compliance.
The time it took for an employee to receive application access dropped from 79 hours to just 45 minutes in the first weeks of Lumos deployment. This shift reduced reliance on backdoor workarounds like Slack DMs to IT and helped ensure a consistent, compliant process.
Key results included:
Lumos provided a “single pane of glass” for managing SaaS access, licensing, and entitlements across the organization. The ability to request apps via Slack, coupled with streamlined approval workflows, meant that users got what they needed quickly—without circumventing controls. Lumos’ capability to provision at the entitlement level (e.g., Adobe licenses, Salesforce permission sets) was critical for enforcing fine-grained access policies.
Built-in support for SOX compliance, segregation of duties, and audit trails ensured that security teams could do their job without slowing down the business.
“It just makes it easier for the end user,” says Cary. “It’s a win on both sides.” Lumos didn’t just help Roku manage access; it empowered them to rethink how IT and security could work together to support a fast-moving, secure, and scalable enterprise.