Setting up and managing Access Reviews

Access Campaign

• An Identity Governance Campaign is a systematic process of attesting a set of employees who have the appropriate privileges on the appropriate resources at a specific point of time.

• With the help of the campaign, the privileges are revoked when an employee exits from an organization.

Access Review Menu

Navigate to the Access Review menu by clicking on the Product menu (three dots) and selecting 'Identity Governance'.

On selecting Identity Governance option the page shown below opens where Existing reviews can be seen as well as new Access Reviews can be added

Steps for creating a Campaign:

Campaign Details

Click on Add New to create a Campaign and steps for creation is shown as below :

1. Organization Admin User logs into Cymmetri.

2. The user needs to be an Organization administrator to configure an access review campaign

3. The Organization administrator fills in the following fields to start the campaign

   • Name of the Campaign.

   • Certification completion( period in days) - The overall duration of the access review cycle.

   • Pending notification waiting period - A reminder mail is sent if the access review is not done by the approver within defined calendar days.

   • Campaign Manager - The person responsible for the overall campaign.

   • Revoke access for pending review tasks ( check box ) - It provides us an option to either revoke or continue the access of all users if the access review is not completed in a defined timeline.

   • Next Execution Date- Two options to select from

     • Start Date - Ad-hoc date of execution of campaign

     • Cron Expression - System scheduler to automatically execute the campaign.

4. Save the details of the page.

Scope

The user fills in the following fields for defining the scope for the certification

1. Who does this campaign apply to

   • All users

   • To specific organization groups, users, user types, & applications

2. Exclusion User - To exclude the user to not be a part of the review process

3. Save the details.

All users

To specific organization groups, users, user types, & applications

Approval Stages

• The user can set up the approver in three stages

• The user selects the number of approval levels from the dropdown field to select total stages:

• The following fields are displayed after the user selects level approval process:

  • Name: name of the stage

  • Description: further details about the stage

  • Level one approval ( Radio button )

    • User - to specify a fixed approval user

    • Reporting Manager - to specify the reporting manager of the user who is under review

• The User fills them and saves the details.

Similarly Stage 2 Approver and Stage 3 Approvers can also be configured

Manage Campaigns

• The configured campaign will be displayed under the access review tab in the draft state

• For each campaign admin user can:

  • View Campaign

  • Edit Campaign

  • Run Campaign

  • Delete the Campaign

• Now Admin can Publish the Campaign and the status of Campaign will change from Draft Status → Published Status

• Next the Admin can run the campaign manually or based on scheduled jobs.

Campaign History

• Access Review History - It is the Iterations of the campaign performed based on Cron Jobs.

• The Administrator runs the campaign.

• If no activity is performed while the campaign is running, All users listed whose status is Pending will be revoked.

Self Service

• Self Service which is also known as the Access Review

• In Self Service User can view the Campaign in 2 sections

  • Active Access Review: Here the approving Authority can select any one active campaign for certification purpose.

  • Completed Access Review: This section shows all the completed reviews.

Approver Stage

• While the Campaign is running, the system automatically calculates who is the approving authority, how many user’s access are required to be reviewed in Cymmetri.

• All active campaigns are visible to the Approving Authority.

  • When clicked on Continue → List of user’s and their access are shown.

• Approver User can then Approve the individual record or in bulk.

• In case of revoke access, the system will trigger the selected user for deprovision from the selected application.

Approve / Reject User in All User Campaign

Access changes during and after campaign

• For the users who are marked “Approved”, such users will continue to have access to the resource. If there are multiple stages of approval then all approvers must mark as “approved”

• For the users who are marked “Rejected” at any stage of the campaign, their access will be revoked immediately or unassigned from the application.

• In case no approval or revocation is done, such users access will either be revoked as per the campaign configuration marked “revoke access for pending”. Else user’s access will continue if no action is taken during campaign period.

Pre-requisites and Assumptions

• Users must be present in Cymmetri and assigned to applications (with or without roles)

• Approving Authority i.e Manager should be present in the system, if not present then all the user's list pending for approvals will go to the Campaign manager.

• The Applications selected for the Campaign must be Integrated for Provisioning and Deprovisioning, if not integrated then for the particular user, system will merely unlink the application for user.