2.7.13
Setting up and managing Access Reviews

Access Campaign

  • An Identity Governance Campaign is a systematic process of attesting that a set of employees has the appropriate privileges on the appropriate resources at a specific point in time.

  • With the help of the campaign, privileges are revoked when an employee exits the organization.

Access Review Menu

Navigate to the Access Review menu by clicking on the Product menu (three dots) and selecting 'Identity Governance'.

Selecting the Identity Governance option opens a page where existing reviews can be viewed and new Access Reviews can be added.

Steps for creating a Campaign:

Campaign Details

Click on Add New to create a Campaign. The steps for creation are as follows:

  1. Organization Admin User logs into Cymmetri.

  2. The user needs to be an Organization administrator to configure an access review campaign.

  3. The Organization administrator fills in the following fields to start the campaign:

    • Name of the Campaign.

    • Certification completion (period in days) - The overall duration of the access review cycle.

    • Pending notification waiting period - A reminder mail is sent if the access review is not done by the approver within defined calendar days.

    • Campaign Manager - The person responsible for the overall campaign.

    • Revoke access for pending review tasks (check box) - Provides an option to either revoke or continue the access of all users if the access review is not completed within the defined timeline.

    • Next Execution Date - Two options to select from:

      • Start Date - Ad-hoc date of execution of campaign

      • Cron Expression - System scheduler to automatically execute the campaign.

  4. Save the details of the page.

Scope

The user fills in the following fields to define the scope of the certification:

  1. Who does this campaign apply to

    • All users

    • To specific organization groups, users, user types, & applications

  2. Exclusion User - Excludes the selected user from the review process.

  3. Save the details.

Approval Stages

  • The user can set up the approver in three stages.

  • The user selects the total number of approval levels (stages) from the dropdown field.

  • The following fields are displayed after the user selects the approval level:

    • Name: name of the stage

    • Description: further details about the stage

    • Level one approval (radio button)

      • User - to specify a fixed approval user

      • Reporting Manager - to specify the reporting manager of the user who is under review

  • The user fills in these fields and saves the details.

Similarly, Stage 2 and Stage 3 approvers can also be configured.

Manage Campaigns

  • The configured campaign is displayed under the access review tab in the draft state.

  • For each campaign, the admin user can:

    • View Campaign

    • Edit Campaign

    • Run Campaign

    • Delete the Campaign

  • The Admin can now publish the Campaign; its status changes from Draft → Published.

  • Next, the Admin can run the campaign manually or based on scheduled jobs.

Campaign History

  • Access Review History - The iterations of the campaign performed based on cron jobs.

  • The Administrator runs the campaign.

  • If no activity is performed while the campaign is running, access is revoked for all listed users whose status is Pending.

Self Service

  • Self Service is also known as the Access Review.

  • In Self Service, the user can view the Campaign in 2 sections:

    • Active Access Review: Here the approving authority can select any one active campaign for certification.

    • Completed Access Review: This section shows all the completed reviews.

Approver Stage

  • While the Campaign is running, the system automatically determines who the approving authority is and how many users' access needs to be reviewed in Cymmetri.

  • All active campaigns are visible to the Approving Authority.

    • On clicking Continue, the list of users and their access is shown.

  • The approver can then approve records individually or in bulk.

  • When access is revoked, the system triggers deprovisioning of the selected user from the selected application.

Approve / Reject User in All User Campaign

Access changes during and after campaign

  • Users who are marked “Approved” continue to have access to the resource. If there are multiple stages of approval, all approvers must mark the user as “Approved”.

  • Users who are marked “Rejected” at any stage of the campaign have their access revoked immediately or are unassigned from the application.

  • If neither approval nor revocation is done, the user's access is revoked when the campaign configuration has “revoke access for pending” marked. Otherwise, the user's access continues if no action is taken during the campaign period.

Pre-requisites and Assumptions

  • Users must be present in Cymmetri and assigned to applications (with or without roles).

  • The Approving Authority, i.e. the Manager, should be present in the system. If not present, the list of all users pending approval goes to the Campaign Manager.

  • The Applications selected for the Campaign must be integrated for Provisioning and Deprovisioning. If an application is not integrated, the system merely unlinks the application for the particular user.
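
The outcome rules and fallbacks described above, modelled as an added Python example (not Cymmetri code or its API). The class and field names, the sample records, and treating a partly approved item with a pending stage as pending are assumptions. It flags two results worth checking after a campaign: access kept without a completed review, and revocations that only unlinked the application.

```python
from dataclasses import dataclass

APPROVED, REJECTED, PENDING = "Approved", "Rejected", "Pending"

@dataclass
class Campaign:
    manager: str            # Campaign Manager
    revoke_pending: bool    # "Revoke access for pending review tasks" check box
    stages: list            # per stage: a fixed user name, or "reporting_manager"

@dataclass
class ReviewItem:
    user: str
    application: str
    reporting_manager: "str | None"   # None if no manager exists in the system
    decisions: list                   # one decision per stage, in stage order
    app_integrated: bool              # integrated for provisioning/deprovisioning?

def resolve_approver(campaign, item, stage_index):
    """Fixed user, or reporting manager with fallback to the Campaign Manager."""
    stage = campaign.stages[stage_index]
    return (item.reporting_manager or campaign.manager) if stage == "reporting_manager" else stage

def outcome(campaign, item):
    """Return (result, mechanism) for one user/application pair at campaign end."""
    revoke = (REJECTED in item.decisions     # rejected at any stage
              or (PENDING in item.decisions and campaign.revoke_pending))  # assumption: any Pending stage = pending
    if not revoke:
        return ("retained", None)
    return ("revoked", "deprovision" if item.app_integrated else "unlink_only")

def audit(campaign, items):
    """Flag access kept without full approval, and revocations that only unlink."""
    findings = []
    for it in items:
        result, how = outcome(campaign, it)
        if result == "retained" and PENDING in it.decisions:
            findings.append((it.user, it.application, "retained_unreviewed"))
        if how == "unlink_only":
            findings.append((it.user, it.application, "unlinked_not_deprovisioned"))
    return findings

# Constructed sample data (hypothetical users and applications)
CAMPAIGN = Campaign("cm.admin", revoke_pending=False, stages=["reporting_manager", "sec.lead"])
ITEMS = [
    ReviewItem("alice", "CRM", "bob", [APPROVED, APPROVED], True),
    ReviewItem("carol", "CRM", None, [APPROVED, PENDING], True),
    ReviewItem("dave", "Legacy-ERP", "bob", [REJECTED, PENDING], False),
]
```

With the check box cleared, `audit(CAMPAIGN, ITEMS)` reports carol as retained without a completed review; with it ticked, the same record is revoked instead.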
