Setting up and managing Access Reviews
Was this helpful?
Was this helpful?
An Identity Governance Campaign is a systematic process of attesting a set of employees who have the appropriate privileges on the appropriate resources at a specific point of time.
With the help of the campaign, the privileges are revoked when an employee exits from an organization.
Navigate to the Access Review menu by clicking on the Product menu (three dots) and selecting 'Identity Governance'.
On selecting Identity Governance option the page shown below opens where Existing reviews can be seen as well as new Access Reviews can be added
Click on Add New to create a Campaign and steps for creation is shown as below :
Organization Admin User logs into Cymmetri.
The user needs to be an Organization administrator to configure an access review campaign
The Organization administrator fills in the following fields to start the campaign
Name of the Campaign.
Certification completion( period in days) - The overall duration of the access review cycle.
Pending notification waiting period - A reminder mail is sent if the access review is not done by the approver within defined calendar days.
Campaign Manager - The person responsible for the overall campaign.
Revoke access for pending review tasks ( check box ) - It provides us an option to either revoke or continue the access of all users if the access review is not completed in a defined timeline.
Next Execution Date- Two options to select from
Start Date - Ad-hoc date of execution of campaign
Cron Expression - System scheduler to automatically execute the campaign.
Save the details of the page.
The user fills in the following fields for defining the scope for the certification
Who does this campaign apply to
All users
To specific organization groups, users, user types, & applications
Exclusion User - To exclude the user to not be a part of the review process
Save the details.
All users
To specific organization groups, users, user types, & applications
The user can set up the approver in three stages
The user selects the number of approval levels from the dropdown field to select total stages:
The following fields are displayed after the user selects level approval process:
Name: name of the stage
Description: further details about the stage
Level one approval ( Radio button )
User - to specify a fixed approval user
Reporting Manager - to specify the reporting manager of the user who is under review
The User fills them and saves the details.
Similarly Stage 2 Approver and Stage 3 Approvers can also be configured
The configured campaign will be displayed under the access review tab in the draft state
For each campaign admin user can:
View Campaign
Edit Campaign
Run Campaign
Delete the Campaign
Now Admin can Publish the Campaign and the status of Campaign will change from Draft Status → Published Status
Next the Admin can run the campaign manually or based on scheduled jobs.
Access Review History - It is the Iterations of the campaign performed based on Cron Jobs.
The Administrator runs the campaign.
If no activity is performed while the campaign is running, All users listed whose status is Pending will be revoked.
Self Service which is also known as the Access Review
In Self Service User can view the Campaign in 2 sections
Active Access Review: Here the approving Authority can select any one active campaign for certification purpose.
Completed Access Review: This section shows all the completed reviews.
While the Campaign is running, the system automatically calculates who is the approving authority, how many user’s access are required to be reviewed in Cymmetri.
All active campaigns are visible to the Approving Authority.
When clicked on Continue → List of user’s and their access are shown.
Approver User can then Approve the individual record or in bulk.
In case of revoke access, the system will trigger the selected user for deprovision from the selected application.
Approve / Reject User in All User Campaign
For the users who are marked “Approved”, such users will continue to have access to the resource. If there are multiple stages of approval then all approvers must mark as “approved”
For the users who are marked “Rejected” at any stage of the campaign, their access will be revoked immediately or unassigned from the application.
In case no approval or revocation is done, such users access will either be revoked as per the campaign configuration marked “revoke access for pending”. Else user’s access will continue if no action is taken during campaign period.
Users must be present in Cymmetri and assigned to applications (with or without roles)
Approving Authority i.e Manager should be present in the system, if not present then all the user's list pending for approvals will go to the Campaign manager.
The Applications selected for the Campaign must be Integrated for Provisioning and Deprovisioning, if not integrated then for the particular user, system will merely unlink the application for user.
