Policy Simulator

Cymmetri's "Policy Simulator" is a rule engine that establishes and enforces critical security and compliance policies throughout your digital environment. It enables precise control over access provisioning and group/role memberships by intelligently comparing user configurations ("IF" conditions) against target access or group memberships ("THEN" outcomes).

Cymmetri's capability to "Review Your Data" facilitates the generation of crucial insights from identity data:

Defining "Should" Scenarios (Inclusion Policies):

  • Problem: Ensuring that critical users or roles consistently possess specific, required access for operational or security purposes (e.g., all IT Administrators must be enrolled in Multi-Factor Authentication (MFA)). Manual tracking for large user bases is impractical.

  • Cymmetri's Solution: Configure a rule stating: "Users in the 'IT Admin' group (IF condition) should be found in the 'MFA-Enabled Users' group (THEN outcome)." Cymmetri continuously monitors this condition.

  • Benefit: Cymmetri automatically identifies any IT Administrator not enrolled in MFA, providing actionable data to promptly address compliance deficiencies. This process generates data highlighting non-compliance in areas where compliance is mandated.

Defining "Should NOT" Scenarios (Exclusion Policies):

  • Problem: Enforcing "separation of duties" or preventing high-risk access combinations (e.g., prohibiting any user from possessing both 'Create Payments' and 'Approve Payments' permissions). Manually preventing such overlaps across disparate systems is a continuous challenge.

  • Cymmetri's Solution: Configure a rule stating: "Users with the 'Payment Creation' role (IF condition) should NOT be found within the set of users with the 'Payment Approval' role (THEN outcome)." Cymmetri flags every instance of this prohibited overlap.

  • Benefit: Proactive risk mitigation. Cymmetri generates data on critical security violations, enabling the prevention of fraud and ensuring stringent adherence to least-privilege principles, thereby eliminating the need for laborious, reactive audits.

Rule Creation Interface:

  • This interface is used to define a policy rule.

  • It allows you to specify:

    • Policy Name

    • Policy Type - Inclusion or Exclusion

    • Risk Level - High, Low, or Medium

IF Condition (apply conditions based on):

  • Department

  • Designation

  • User type

  • Application

  • Application Role

  • Country

  • RBAC

  • Application Risk

  • Application Tags

  • Cymmetri Roles

  • All users

  • Cymmetri Groups

  • Grade

  • Custom Query

  • Custom Attributes

THEN Outcome (one of):

  • Should have

  • Should not have

  • Must only have
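As an added example (not Cymmetri's own code), the following Python evaluator shows how each of the three THEN outcomes is checked against the users matched by an IF condition, using the MFA and payments policies from the scenarios above; the user records, logins, group names and role names are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    login: str
    groups: set = field(default_factory=set)
    roles: set = field(default_factory=set)

@dataclass
class Policy:
    name: str
    risk: str            # "High", "Medium" or "Low"
    condition: callable  # IF: predicate on a User
    outcome: str         # THEN: "should_have", "should_not_have", "must_only_have"
    target: set          # group/role names the outcome refers to

def violates(policy, user):
    """True when a user matched by the IF condition breaks the THEN outcome."""
    if not policy.condition(user):
        return False                          # IF not met: policy does not apply
    held = user.groups | user.roles           # everything the user currently holds
    if policy.outcome == "should_have":       # inclusion: every target must be held
        return not policy.target <= held
    if policy.outcome == "should_not_have":   # exclusion / separation of duties
        return bool(policy.target & held)
    if policy.outcome == "must_only_have":    # nothing outside the target set
        return not held <= policy.target
    raise ValueError(f"unknown outcome {policy.outcome!r}")

def run_policy(policy, users):
    """Logins of violating users; len() of this is the History 'Violation Count'."""
    return sorted(u.login for u in users if violates(policy, u))

# Constructed sample identities (hypothetical logins, groups and roles)
USERS = [
    User("alice", groups={"IT Admin", "MFA-Enabled Users"}),
    User("bob", groups={"IT Admin"}),
    User("carol", roles={"Payment Creation", "Payment Approval"}),
    User("dave", roles={"Payment Creation"}),
]
MFA_POLICY = Policy("IT admins need MFA", "High", lambda u: "IT Admin" in u.groups,
                    "should_have", {"MFA-Enabled Users"})
SOD_POLICY = Policy("Payments SoD", "High", lambda u: "Payment Creation" in u.roles,
                    "should_not_have", {"Payment Approval"})

if __name__ == "__main__":
    for p in (MFA_POLICY, SOD_POLICY):
        print(p.name, run_policy(p, USERS))   # ['bob'] then ['carol']
```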

History

This page provides a historical record that assists administrators in tracking various policies. These policies are executed either through scheduled Cron Jobs or when the administrator initiates the simulator.

The history tab provides information such as:

  • Policy Name

  • Policy Run ID

  • Execution Status

  • Mode (Manual/Scheduled)

  • Start At

  • End At

  • Executed By (who ran the policy)

  • Violation Count

  • Actions

Administrators can email or download the reports to themselves.

In the library section, the admin can see the number of violations for each published simulator policy, along with additional information such as:

  • Conditions (IF and THEN)

  • Violations:

    • Policy ID

    • PolicyRunMechanism

    • UserID

    • Display Name

    • Department

    • Designation

    • Status

    • Country

    • Manager ID

    • User Type

    • User Login

    • Risk Score

    • Application ID

    • App Name

    • Group ID

    • Group Name

    • Application Role ID

    • Role Name

The policy scheduler provides a centralized dashboard for all policies on one page.

Events:

  • Service: The event that is scheduled.

  • Policy Name: Name of the policy to execute.

  • Execution Date: The next planned execution date and time.

  • Status: Status of the scheduled policy.

  • Cron Expression: The cron schedule that determines when the scheduler will execute the policy.
