LogoLogo
Archive
2.7.13Archive3.0.0Cymmetri3.1.63.1.7
Archive
2.7.13Archive3.0.0Cymmetri3.1.63.1.7
  • Introduction to Cymmetri Cloud 2.0
    • FAQ
      • Adding the Application
      • Supported Web Browsers
      • Forgot Password & Unlock Account
      • Cymmetri Error codes
      • Help
  • Getting Started with Cymmetri Cloud 2.0
    • What is Cymmetri?
    • Starting your Cymmetri Cloud 2.0 Trial
    • Accessing Cymmetri Cloud
    • First Time User Registration
    • Logging in as an end user
    • Setting up Multi-factor authentication rules for Login
  • Administration
    • Reports and Analytics
  • My Workspace
    • Getting Started
      • Introduction
      • Login with External Identity Provider - Social logins
    • How to use the My Workspace
      • Dashboard
      • My Access
      • Inbox
      • Team
      • Session Management
  • Application Management
    • FAQ
      • Support for Application Management
    • Getting Started
      • Introduction to Application Management
      • Adding Applications to be managed by Cymmetri
      • Assigning Applications to End Users
      • Configuring Connector Server
    • SSO How to
      • Configure Single Sign On
      • Configure SAML 2.0 Single Sign On
      • Configure API SSO
      • Configure OpenID Connect based Single SignOn
    • Provisioning How to
      • Azure Provisioning
      • Active Directory (AD) Provisioning
      • Google Apps (Workspace) Provisioning
      • LDAP Provisioning
      • Powershell Provisioning
      • REST Connector Provisioning
      • SCIM v2.0 Provisioning with Basic Authentication
      • SCIM 2.0 with Bearer Authentication
      • SCIM 2.0 with Fixed Bearer
      • Github Provisioning
    • Reconciliation How to
      • Configuring Reconciliation Process
  • Managing Users and Groups
    • Setting up Users and Groups
      • Create Users
      • Create Groups
      • Importing Users
      • Assigning Users to Groups
      • Setting up permissions for Delegation
  • Common Features
    • Features used throughout the Cymmetri Platform
      • Workflow Management
      • Configuring Webhooks
      • Multifactor Authentication (MFA)
  • Personalization
    • How to configure your tenant and personalize it
      • Adding new admins
      • Masters in Cymmetri
      • Personalize Notification Templates
      • Add Branding to your tenant
      • Adding Custom Attributes for User Object
  • Authentication
    • Identity Federation
      • Steps to Configure Azure AD as External IDP for Cymmetri
  • Governance
    • Access Certification
      • Setting up and managing Access Reviews
  • Additional Tools
    • Miscellanous Tools and Utilities
      • Password Filter
  • Privileged Access Management
    • PAM Administration
      • Introduction to Privilege Access Management (PAM)
      • How to Access PAM in Cymmetri
      • Sub-Sections of PAM
      • Steps to configure PAM Server
      • Adding a device/ server in PAM
      • Vault User
      • Vaulting Configuration
      • Break Glass Configuration
      • PAM Reports and PAM History
      • Dormancy Disable Config
    • PAM Usage
      • Assign a server to a user
      • Access the server
Powered by GitBook

Cymmetri.com

On this page
  • Access Review Menu
  • Manage Campaigns
  • Campaign History
  • Self Service
  • Approver Stage
  • Access changes during and after campaign
  • Pre-requisites and Assumptions

Was this helpful?

Export as PDF
  1. Governance
  2. Access Certification

Setting up and managing Access Reviews

Last updated 1 year ago

Was this helpful?

Access Campaign

  • An Identity Governance Campaign is a systematic process of attesting a set of employees who have the appropriate privileges on the appropriate resources at a specific point of time.

  • With the help of the campaign, the privileges are revoked when an employee exits from an organization.

Access Review Menu

Access Review menu is navigated as click Product menu (3 dots) → Identity Governance.

Steps for creation of the Campaign

Campaign Details

Click on Add New to create a Campaign and steps for creation is shown as below :

  1. Organization Admin User logs into Cymmetri.

  2. The user needs to be an Organization administrator to configure an access review campaign

  3. The Organization administrator fills in the following fields to start the campaign

    • Name of the Campaign.

    • Certification completion( period in days) - The overall duration of the access review cycle.

    • Pending notification waiting period - A reminder mail is sent if the access review is not done by the approver within defined calendar days.

    • Campaign Manager - The person responsible for the overall campaign.

    • Revoke access for pending review tasks ( check box ) - It provides us an option to either revoke or continue the access of all users if the access review is not completed in a defined timeline.

    • Next Execution Date- Two options to select from

      • Start Date - Ad-hoc date of execution of campaign

      • Cron Expression - System scheduler to automatically execute the campaign.

  4. Save the details of the page.

Scope

The user fills in the following fields for defining the scope for the certification

  1. Who does this campaign apply to

    • All users

    • To specific organization groups, users, user types, & applications

  2. Exclusion User - To exclude the user to not be a part of the review process

  3. Save the details.

All users

To specific organization groups, users, user types, & applications

Approval Stages

The user can set up the approver in three stages

  • The user selects the number of approval levels from the dropdown field to select total stages:

  • The following fields are displayed after the user selects level approval process:

    • Name

    • Description

    • Level one approval ( Radio button )

      • User - to specify a fixed approval user

      • Reporting Manager - to specify the reporting manager of the user who is under review

  • The User fills them and saves the details.

Stage 1 Approver

Stage 2 Approver

Manage Campaigns

  • The configured campaign will be displayed under the access review tab in the draft state

  • For each campaign admin user can able to

    • View Campaign

    • Edit Campaign

    • Run Campaign

    • Delete the Campaign

  • Now Admin Authority will Publish the Campaign and the status of Campaign will change from

Draft Status → Published Status

  • Here the Admin Authority will run the campaign manually or based on scheduled jobs.

Campaign History

  • Access Review History - It is the Iterations of the campaign performed based on Cron Jobs.

  • The Administrator runs the campaign.

  • If no activity is performed while the campaign is running, All users listed whose status is Pending will be revoked.

Self Service

Also called the Access Review

  • In Self Service User can view the Campaign in 2 sections

    • Active Access Review

      • Here the approving Authority can select any one active campaign for certification purpose.

    • Completed Access Review

Approver Stage

  • While the Campaign is running, the system automatically calculates who is the approving authority, how many user’s access are required to be reviewed in Cymmetri.

  • All active campaigns are visible to the Approving Authority.

    • When clicked on Continue → List of user’s and their access are shown.

  • Approver User can then Approve the individual record or in bulk.

  • In case of revoke access, the system will trigger the selected user for deprovision from the selected application.

Approve / Reject User in All User Campaign

Access changes during and after campaign

  • For the users who are marked “Approved”, such users will continue to have access to the resource. If there are multiple stages of approval then all approvers must mark as “approved”

  • For the users who are marked “Rejected” at any stage of the campaign, their access will be revoked immediately or unassigned from the application.

  • In case no approval or revocation is done, such users access will either be revoked as per the campaign configuration marked “revoke access for pending”. Else user’s access will continue if no action is taken during campaign period.

Pre-requisites and Assumptions

  • Users must be present in Cymmetri and assigned to applications (with or without roles)

  • Approving Authority i.e Manager should be present in the system, if not present then all the user's list pending for approvals will go to the Campaign manager.

  • The Applications selected for the Campaign must be Integrated for Provisioning and Deprovisioning, if not integrated then for the particular user, system will merely unlink the application for user.