Setting up and managing Access Reviews
Last updated
Last updated
Cymmetri.com
Cymmetri allows two types of Access Certifications, namely-
Access Certification Campaign
Ad-hoc Certification based on defined events
An Identity Governance Campaign is a systematic process of attesting a set of employees who have the appropriate privileges on the appropriate resources at a specific point of time.
With the help of the campaign, the privileges are revoked when an employee exits from an organization.
Navigate to the Access Review menu by clicking on the Product menu (three dots) and selecting 'Identity Governance'.
On selecting Identity Governance option the page shown below opens where Existing reviews can be seen as well as new Access Reviews can be added
Click on Add New to create a Campaign and steps for creation is shown as below :
Organization Admin User logs into Cymmetri.
The user needs to be an Organization administrator to configure an access review campaign
The Organization administrator fills in the following fields to start the campaign
Name of the Campaign.
Certification completion( period in days) - The overall duration of the access review cycle.
Pending notification waiting period - A reminder mail is sent if the access review is not done by the approver within defined calendar days.
Campaign Manager - The person responsible for the overall campaign.
Revoke access for pending review tasks ( check box ) - It provides us an option to either revoke or continue the access of all users if the access review is not completed in a defined timeline.
Next Execution Date- Two options to select from
Start Date - Ad-hoc date of execution of campaign
Cron Expression - System scheduler to automatically execute the campaign.
Save the details of the page.
Cymmetri provides the ability to define the campaign execution parameters such as one-time / ad-hoc execution or based on a scheduled job from the system (by using the cron expression builder)
The user fills in the following fields for defining the scope for the certification
Who does this campaign apply to
All users
To specific organization groups, users, user types, risks & applications
Exclusion User - To exclude the user to not be a part of the review process
Save the details.
All users
To specific organization groups, users, user types, risk & applications
As shown above access review can be configured on various parameters like specific users, specific groups, specific applications and also specific user types. The review based on usertype is one of the crucial way to implement access review, as it enables organizations to review critical user types like service accounts, privileged accounts, and generic accounts.
In Cymmetri, we can perform the access review based on the user type attribute:
Based on the campaign configuration, the approving authority will be able to approve the access for service accounts, privileged accounts, generic accounts such as common support accounts, etc.
The user can set up the approver in three stages
The user selects the number of approval levels from the dropdown field to select total stages:
The following fields are displayed after the user selects level approval process:
Name: name of the stage
Description: further details about the stage
Level one approval ( Radio button )
User - to specify a fixed approval user
Reporting Manager - to specify the reporting manager of the user who is under review
The User fills them and saves the details.
Similarly Stage 2 Approver and Stage 3 Approvers can also be configured
The configured campaign will be displayed under the access review tab in the draft state
For each campaign admin user can:
View Campaign
Edit Campaign
Run Campaign
Delete the Campaign
Now Admin can Publish the Campaign and the status of Campaign will change from Draft Status → Published Status
Next the Admin can run the campaign manually or based on scheduled jobs.
This page shows the Access review history that helps the administrator to track various certification metrics across campaigns.
It is the Iterations of the campaign performed based on Cron Jobs or when the Administrator runs the campaign.
Administrator can click on the view button to further see details about each user and their access
This section provides users with the ability to comprehensively review campaigns. Users can not only assess the campaign at hand but also explore completed reviews and specifically identify those where the user serves as a Campaign Manager.Access Review is available at My Workspace->Access Reviews->Identity Governance. Within the Access Review module, users are presented with three distinctive sections:
In this section, the approving authority can choose any active campaign for certification purposes. This feature allows for focused attention on ongoing campaigns, streamlining the certification process.
Here, users can access a consolidated view of all completed reviews. This section offers a comprehensive overview of the finalized assessments, facilitating efficient tracking and reference.
Specifically tailored for Campaign Managers, this section showcases all reviews where the user holds the role of a campaign manager.
This targeted view enables quick identification and management of campaigns under the user's purview, enhancing overall accessibility and control.
The Manager can also reassign the review task to another user (say a manager or supervisor) in case the assigned reviewer is not available due to various unforeseen reasons
While the Campaign is running, the system automatically calculates who is the approving authority, how many user’s access are required to be reviewed in Cymmetri.
All active campaigns are visible to the Approving Authority.
When clicked on Continue → List of user’s and their access are shown.
Approver User can then Approve the individual record or in bulk.
In case of revoke access, the system will trigger the selected user for deprovision from the selected application.
In case the number of records to review are large in number the approver may filter the records based on various criteria like user, application, device.
The approver can view the user's risk before approving the users access which enables the approver to make informed decisions based on these risk values.
Access review and approval for privileged users is very critical and these users can be identified by seeing users with higher score as shown here:
If the user under review has any policy violations, the approving authority will be able to view the same. For details, the approver user can view the violations by clicking on the details button
The approver user can view the policy violations (if any) under the Violations tab of the pop-up.
There may be multiple violations of the user based on the policy configurations of Cymmetri IGA.
The approver user can view the past certification history for the current user by clicking on the history button.
For a comprehensive view of the user's events pertaining to the campaign, the approver user has the ability to view the Audit events under the Audit Log tab of the detials pop-up.
Access Reviews provide easy filtering of review records based on following types:
User
Application
Role
Privileged Device
Custom Attribute
The images below shows each type of filter.
Cymmetri provides ability to define the scope of the campaign based on several criteria. Primarily, the campaign can be run for all the users or restricted to
a set of users,
a set of groups,
a set of applications,
based on risk categories,
based on user type
Within user category, there may be other filters that can be applied to restrict the campaign scope
Group based filtering
Risk based filtering-
Reviewers receive periodic email notifications based on the campaign configuration set during the creation of the campaign, reminding them to complete the campaign actions
For the users who are marked “Approved”, such users will continue to have access to the resource. If there are multiple stages of approval then all approvers must mark as “approved”
For the users who are marked “Rejected” at any stage of the campaign, their access will be revoked immediately or unassigned from the application if no remediation workflow is setup. In case of remediation workflow, the user's access to the application shall remain till the relevant approving authority approves or rejects the remediation task. Else, the workflow task will be closed as per the closure policy defined in the remediation workflow.
In case no approval or revocation is done, such users access will either be revoked as per the campaign configuration marked “revoke access for pending”. Else user’s access will continue if no action is taken during campaign period.
Cymmetri allows setting up workflows to process campaign users marked for immediate revocation of access. For this, the workflow needs to be created and corresponding workflow rule must be setup to process remediation of access revocation through the Cymmetri approval process.
In Cymmetri, certain events can lead to change in Access grants for users. These events may require a careful review of the changing rights for such users. As an example, the location of a user updates from the source of truth system / HRMS, in which case Cymmetri will change the relevant location attribute for the user triggering a change in a access in integrated target applications. As a policy, the organization may require such changes to be approved / verified by relevant approvers.
Cymmetri allows a concept of continuous certification where the reporting manager of a user gets alerted of the changing roles and access in target applications. The reporting manager will get a view of all the relevant access grants for all the reportees and the manager, if allowed as per Cymmetri configuration, can unassign a role or remove an application's access for such users as they deem not required.
In the above artefact example, once the reporting manager removes the role, based on the Cymmetri configuration, the role will be unassigned if there is no approval workflow attached with such an event.
Similar to the manager performing the ad-hoc certification process, Cymmetri can be configured to automatically raise tasks for access approval in case of events such as transfer of user, update to any of the HRMS attributes which affect the roles assigned to the user, etc.
Users must be present in Cymmetri and assigned to applications (with or without roles)
Approving Authority i.e Manager should be present in the system, if not present then all the user's list pending for approvals will go to the Campaign manager.
The Applications selected for the Campaign must be Integrated for Provisioning and Deprovisioning, if not integrated then for the particular user, system will merely unlink the application for user.