Cymmetri Identity Governance provides for managing user certification through its Campaign Management feature. As part of user access review, a campaign can be set up to automatically process the user entitlements and send the review request to the appropriate approvers in the system.
The campaign allows review of:
● All users
● Groups of users
● Type of users (employees, vendors)
● Application-wise users
The system allows the review to occur in stage-wise approval, allowing up to 3 levels of certification.
The campaign can be set up to occur periodically using Cymmetri’s scheduler.
On the review side, the mapped approver can view and approve the certification in the Self Service console of Cymmetri. The approver can certify in bulk by either approving or revoking the access of the required users. Revocation of access takes effect in real time.
As an add-on component, Cymmetri allows request provisioning for Windows File System share folders using the PowerShell connector. Cymmetri can also perform periodic reviews of the resources and permissions available to users.
As part of strong governance controls, Cymmetri provides configuration for Segregation of Duties (SoD) through the Admin console. Every large organization faces the complexity of providing adequate access to its users to allow business-as-usual practices. However, over time, as more applications and their entitlements come into play, restricting access controls involves greater risk.
Cymmetri’s SoD attempts to mitigate access gaps and more-than-required access for users by defining appropriate business roles and responsibilities and managing them over a long period of time. Cymmetri breaks the configuration down into two main aspects:
● Defining the business functions through:
    ● Process
    ● Tasks
    ● Business Roles
● Defining the access policy:
    ● Business Policy
    ● Rules
Once the above definitions are understood and configured manually or through bulk-upload, the system can begin processing risk scores and access violations for individual users based on their existing entitlements.
The violations allow business line managers and risk management to understand which access rights are in violation. The violations are based on the business policy and its rules, which identify tasks that might be in conflict for business roles.
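The following Python example is added here and is not Cymmetri's code or data model: it evaluates SoD rules (pairs of conflicting tasks) against users' existing entitlements and records which entitlements caused each violation. The task names, entitlement strings, rule format and sample users are constructed assumptions.

```python
# Added illustration, not Cymmetri code. All names and sample data are constructed.

# Business functions: each task belongs to a process and is granted by entitlements.
TASKS = {
    "create_vendor":   {"process": "procure_to_pay",
                        "entitlements": {"erp:VENDOR_MAINT"}},
    "approve_payment": {"process": "procure_to_pay",
                        "entitlements": {"erp:PAY_APPROVE", "bank:RELEASE"}},
    "post_journal":    {"process": "record_to_report",
                        "entitlements": {"erp:GL_POST"}},
}

# Access policy: each rule names two tasks that one user must not hold together.
POLICY = {
    "name": "Finance SoD",
    "rules": [
        {"id": "R1", "tasks": ("create_vendor", "approve_payment"), "severity": "High"},
        {"id": "R2", "tasks": ("approve_payment", "post_journal"), "severity": "Medium"},
    ],
}

def tasks_for(entitlements):
    """Map a user's entitlements to the tasks they enable, keeping the evidence."""
    held = {}
    for task, spec in TASKS.items():
        evidence = spec["entitlements"] & set(entitlements)
        if evidence:  # assumption: any one listed entitlement enables the task
            held[task] = sorted(evidence)
    return held

def find_violations(users, policy=POLICY):
    """Return one record per (user, rule) where both conflicting tasks are held."""
    violations = []
    for user, entitlements in sorted(users.items()):
        held = tasks_for(entitlements)
        for rule in policy["rules"]:
            a, b = rule["tasks"]
            if a in held and b in held:
                violations.append({
                    "user": user, "rule": rule["id"], "severity": rule["severity"],
                    "evidence": {a: held[a], b: held[b]},
                })
    return violations

USERS = {  # constructed sample entitlements pulled from two applications
    "alice": ["erp:VENDOR_MAINT", "bank:RELEASE"],  # conflict spans two applications
    "bob":   ["erp:GL_POST"],
    "carol": ["erp:PAY_APPROVE", "erp:GL_POST", "erp:VENDOR_MAINT"],
}
```

The `evidence` field is what a reviewer needs to decide which entitlement to revoke; in the sample, alice's conflict only appears when entitlements from both applications are evaluated together.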
Apart from the violations, the system calculates and assigns a risk score to every user and their application entitlements. Based on the application roles in the target system, Cymmetri generates a qualitative risk score combining all the applications and entitlements.
A qualitative risk score will be assigned based on the application risk factor and overall risk across all applications associated with the user.
Cymmetri allows monitoring of key IAM metrics through the Cymmetri reports under the Insight menu.
Apart from the out-of-the-box reports, Cymmetri provides custom reporting and dashboards which provide the ability to view the Cymmetri data as per specific needs. This is possible through Cymmetri's Analytics module.
This manual outlines the administration process for managing and handling policy violations within the Cymmetri Identity Governance and Administration (IGA) system. The system provides features such as maintaining a Library of Default Policy Violations, policy simulation, scheduled violation reporting, and autocorrection mechanisms. These features help ensure compliance, mitigate security risks, and maintain proper access control across the organization.
The IGA system maintains a centralized Library of Default Violations, which includes predefined policy violations. These violations are categorized based on typical governance issues, such as excessive access, unauthorized role assignments, or segregation of duties (SoD) violations.
How to Access and Manage the Library
Navigate to the Policy Violations Library under the Governance section.
Review the list of predefined violations (e.g., Excessive Privileges, Segregation of Duties, Unauthorized Role Assignment).
View detailed descriptions of each violation type, including risk levels, sample records, and suggested remediation actions.
Administrator Actions
View or export reports detailing current violations.
Modify or update violation definitions based on changes in business requirements.
Add new policy violations to the library, if necessary (refer to Designing Policy Violations for custom violations).
The system allows administrators to design custom policy violations using the built-in Policy Simulator. This feature helps assess potential risks before applying new policies system-wide.
Steps to Design a New Policy
Access the Policy Simulator: Navigate to the Policy Simulation section and click on Create New Policy.
Define Policy Conditions: Provide a unique name, description, and select the target population. Define conditions like roles, data access, and compliance rules.
Assign Violation Severity: Select a Severity Level (Low, Medium, High, Critical).
Simulate the Policy: Click Simulate to apply the policy to the current system configuration and view results.
Modify and Re-Simulate: Modify conditions and rerun the simulation if necessary.
Save and Enforce: Save the policy to the Library of Default Violations and enforce it across the organization.
Administrators can schedule regular reports to monitor policy violations across the organization. These reports provide detailed information on violations, risk levels, and affected users.
Steps to Schedule Reports
Navigate to the Scheduled Reports section under Governance.
Select the Create New Report option.
Choose the Violation Types and Risk Levels to include (e.g., Excessive Privileges, High-risk violations).
Set the report frequency (e.g., daily, weekly, monthly).
Define Email Recipients for the report (e.g., security@company.com, hr@company.com).
Save and activate the scheduled report.
To ensure prompt remediation of critical violations, the IGA system offers an Auto-Correct feature. This feature automates the process of resolving violations by initiating corrective actions, such as access reviews or approval workflows.
How to Enable Auto-Correction
Navigate to the Auto-Correct Settings under the Policy Violations section.
Select the violations that require auto-correction.
Choose the appropriate remediation action (e.g., Access Certification Process, Approval Cycle).
Enable notifications for the administrator to receive updates on actions taken.
Ensure the Audit Log records all auto-correct actions for compliance and reporting purposes.