What is Cymmetri?

Cymmetri is a Converged Identity & Access Management Platform and a well-trusted platform acting as an advisor and an end-to-end partner for Security-aware teams looking to deploy Identity and Access Management Solutions across their organization.

We offer an industry-standard product backed by a strong team that always aims to innovate our solutions to cater to a wide variety of enterprise needs.

To access Cymmetri, users must use a web browser, such as Google Chrome or Safari, and enter the appropriate address in the address bar as shown below:

URL: https://<companyname>.cymmetri.com/login

Example: https://helpdocs.cymmetri.com/login

Once the address is entered, it opens a page as shown below, where the users may enter their username and password to access Cymmetri.

Version: cloud_3.1.0 product release

Date: 02 May 2024

New Features

1. Add Welcome Guide when no nodes added

2. Amaya Operations cards messages updated

3. Tooltip DX enhancements

4. Add confirmation dialogue when request method is missing

5. File Upload Validations based on filename length and file size

   • File validation applied on User Bulk Imports, Group Assignments, Application Assignments, Role Imports, Upload metadata SSO.

   • Branding Image upload applied image size validation and image name length valdation.

   • Validation also applied on self service User avatar upload, application icon upload.

6. Cymmetri Verify App issuer format is changed now so there wont be duplicate record creation from now onwards, earlier we did not take into account of the environment but now we are considering that as well

Fixes

1. Deprovision Via scheduler when threshold value is set:- Past date user is also getting deprovisioned when rule is applied on status 

2. Application-Role-One role mandatory, validation should be present at least one active 

3. Node name without spaces overlap 

4. Amaya- Not able to drag down node which is at the top most corner 

Known Bugs

1. Manager notification: receiving user name required manager name

2. Workflow initiated for form but form is getting updated without workflow approval.

3. In application setting if show to user flag off then also application show in recent application.

4. Unable to identify application properties data type where value is empty

1. Start by clicking on the link register.cymmetri.io to start the registration of your tenant on the Cymmetri Cloud 2.0, and enter your personal details with your work email. Click on Next.

1. Enter your country and phone number (mandatory to receive OTP), and enter a domain name for your tenant. In case the domain available message is not shown, choose a different domain name. Click on the Start Trial button.

1. You will receive an OTP on your mobile number from the previous step. Enter the OTP here and wait for a few seconds for your tenant to be created.

1. You will be redirected to your domain to create the first Organization Admin user. Ensure that your password matches the password policy.

1. You will receive a message showing that your tenant has been created.

1. Click on the Login button to proceed with the onboarding process

1. Enter your username and press Next

1. Enter your password and proceed with the setup of your tenant by clicking on the Login button.

1. Choose applications from the application catalogue, and click on the application icon for all the applications you wish to add. Then click on the Next button.

1. Enter details to create a second administrator account. Click on the Send Invite button to create an administrator. Click on the Next button to proceed.

1. (Optional) Add users if you wish to. Then click on Finish.

1. You will be redirected to the Dashboard to proceed with the system.

Next Steps:

Version: cloud_3.1.7 product release

Date: 30 September 2024

New Features

1. CISO Dashboard service deployment remains the same as the last release since the sprint release for the same is mid-next week. (EoM - September 2024)

The Cymmetri dashboard acts as a central command center for identity management, providing a visual summary of key metrics and quick access to administrative functions. Upon logging in, administrators see a comprehensive overview of user activity, system health, and important shortcuts.

Dashboard Overview

The main dashboard section provides critical insights into daily user activity and authentication health:

• Users Activity: The total count of successful user logins on the current day.

The admin can delete the user from the users tab in the identity hub section.

After the user is deleted, they are moved to the Suspended Users tab.

In the section for suspended users, the administrator has two options: they can choose to

• Resume User - Which relocates the user back to the all users section OR

This section stores and manages user accounts that have been archived or deactivated. These accounts are usually no longer active but are retained for historical or compliance purposes.

You can see the other condition when the users are moved to the archived users

All Users Session

This page provides Cymmetri administrators with the capability to monitor and manage all user sessions across the entire platform.

This functionality allows administrators to gain insights into ongoing user activities, view active sessions, and, if necessary, terminate or manage these sessions for security, compliance, or administrative purposes.

The admin can terminate all the user sessions at once or select them individually. The page also has a search option for the admin to search the desired user session.

Configuring Cymmetri as a Service Provider

Administrator needs to go to Authentication->Service Provider

Then click on +Add New button, On the screen that appears most of the data is prefilled. Yet if the administrator needs the data can be changed as per need. Once done click on Save. The prepopulated data appears as below:

The Global Auth Policy allows to configure various user login parameters as shown below:

Auth Failed Count: The Auth Failed Count parameter signifies after how many failed login attempts will the user account be locked.

Unlock after Minutes: The Unlock after Minutes parameter signifies after how many minutes will a locked account be automatically unlocked.

Token Expiry Minutes: The Token Expiry Minutes parameter signifies after how many minutes will the session token expire.

Refresh Token Expiry Minutes: The Refresh Token Expiry Minutes parameter signifies after how many minutes will the refresh token expire.

API Client Refers to API Extension.

Version: cloud_4.0 product release

Date: 10 October 2025

Frontend Framework Upgrade

Upgraded Node.js version to v20.16.0 for frontend build generation.

Spring Boot Upgrade

Migrated the backend framework to Spring Boot v3.4.4 and upgraded multiple dependent libraries.

Amaya Enhancements

Multi-role Support

Supports multiple role assignments if the application supports it.

New Node Types & Capabilities

• Conditional Node: Expression builder support using forwarded data variables.

• Transformational Node: Modify or add new attributes (primarily used in sync operations).

• API Node:

  • Create/Update/Delete/Role Assign/Unassign operations.

Quick Setup Templates Updated

New templates added in AMAYA for:

• Zoho Expenses

• Zoho Books

• Zoho CRM

• Zoho Desk

SSO Policy

• 12-hour frequency added for MFA enforcement on applications.

Separation of SSO and PAM

Based on a configuration property, SSO and PAM can now be enabled/disabled independently for flexible access control.

SOD

• Enhanced UI with conflict details on Teams & Inbox pages.

• Bug fix for handling multiple conflicting rules under the same SoD policy.

External SoD Violation Handling (Preventive)

Preventive approach for checking the potential violation of the user to stop violations from occurring.

Reconciliation

Reconciliation History UI

Users can now view reconciliation summaries directly from the table view.

Reconciliation Improvements

• Skip updates if the application is not assigned.

• Skip user update if already linked; remarks added to history.

• For both-exist update case: if application is not assigned then user update will not happen; remark “Application not present so skipping” added and marked as error.

• For both-exist link case: validation added — if the application is already assigned, the user will be skipped and a remark added in the reconciliation history.

Role Reconciliation Enhancements

This release extends reconciliation capabilities to include both users and their associated roles.

• Role Synchronization: Along with users, one or more roles (if present) can now be synced into Cymmetri. Supported sources include REST API applications, database applications, and Amaya.

• Role Reconciliation Dashboard: A new dashboard provides visibility into roles, with options to keep or remove stale roles (roles not present in the source but existing in Cymmetri).

Suspend to Archive Enhancements

• Final delete provisioning call triggered by default unless explicitly disabled.

• Property-based toggle: cymmetri.suspend.to.archive.provision.triggered = false disables it.

Suspend During Deletion Logging

Application and status logs are now captured under USER_CHANGE_STATUS for traceability.

Bulk User Actions

Bulk actions introduced via the dashboard:

• Lock/Unlock User

• Activate/Deactivate User

• Delete User

• Assign Local Group

Post-Commit Hook for Application Update

New hook: Application Post Update After Commit — provides enhanced support for executing actions after an application update is finally committed in Cymmetri.

Redis Stream Support

Support for JMS with Redis Streams is provided now.

Workflows

• Enhanced logic for unique Task ID generation.

• Task ID format can now be configured (length, characters).

• New notification templates added for application assign / un-assign / update, post-workflow emails:

  • Target User Notification (the user for whom application event is triggered)

Annotations

Annotations enable dynamic approver configuration in access reviews and workflows. They can be assigned as reviewers or approvers for both Application and Group Reviews. Supported combinations include:

• User only

• User + Application

• User + Application + Role

• User + Group

Approvers can be individual users or groups.

Group Review

Introduced the Group Review capability in access reviews. Admins can now initiate reviews based on:

• All Groups

• Specific multiple Groups

• Specific multiple Applications

Exclusion Access Types in Campaigns

Support for Exclusion Access Types has been introduced in Application Access Review Campaigns, allowing more granular control over which accesses are excluded from reviews. The following types are now supported:

• On Create by Provision Rule

• On Update by Provision Rule

• Exception Applications

• Global Applications

Data Pipeline

The Data Pipeline enables merging and processing of data from multiple sources for views, such as:

• MongoDB to ClickHouse

• ClickHouse to ClickHouse

The processed data is stored in ClickHouse, and can be leveraged in hooks, APIs, and for reporting.

Policy Simulator

Cymmetri's Policy Simulator enables rule-based enforcement of access and compliance policies by evaluating "Should" and "Should NOT" scenarios. It identifies access gaps or violations (e.g., missing MFA or conflicting roles) and allows launching targeted review campaigns based on these insights.

CAPTCHA Support

Cymmetri now supports CAPTCHA validation using hCaptcha and Traditional CAPTCHA, enhancing protection against automated and bot-based attacks.

Ticker

The Ticker feature allows administrators to broadcast time-bound text-based updates, announcements, or alerts directly within Cymmetri. Messages can be broadcasted to specific users before and after login based on rules.

Self Registration

Cymmetri now supports configurable Self Registration, allowing users to securely register themselves based on defined parameters and policies.

Sub User Creation

Admins can configure registration fields and hook code for creating and updating sub users (Team Members).

Activation Link

New self-registered users can set their login passwords using the Activation link support.

Reset Password Link

Admins or Managers can send a reset password link to registered users so they can set their login passwords.

Role Management

Cymmetri’s Role Management enhancements improve handling of roles at an individual level, including:

• Role-wise Status Management (e.g., Success, Fail) for better visibility and traceability of role lifecycle events.

• Single Role Retry Mechanism.

• Time-based Role Management with Status Tracking.

• Old vs. New Role List Management.

360 Generate Comparison Report

The 360 Degree Reconciliation feature allows pulling user and role information from target applications connected to Cymmetri, enabling comparison of users and their entitlements across applications, the source of truth, and the Cymmetri identity store. Use cases include:

• Identities present in Source application but not in Identity Store.

• Identities present in Source but not in Target application.

• Similar reports for entitlements across applications.

Team Configuration Changes

• Admin can provide configuration, registration fields, password reset activation link, and hook code for creating and updating sub users (Team Members).

• Admin can configure the Manager Application setting in the Assign Application setting to restrict the Manager to assign and the user to request only applications that are assigned to the manager.

Banner

The Banner feature allows administrators to broadcast time-bound image-based updates, announcements, or alerts directly within Cymmetri. Banners can display scrolling images or carousels and can link to an external page via a valid URL. They can be broadcasted to specific users before and after login based on rules.

Advanced Analytics (Cube.js) – Custom Reports & Dashboards

Enhancements provide more control and flexibility over Cymmetri data:

• Custom Reports (Dashlets): End users can create reports with various dimensions and measures.

• Export & Share: Download reports as CSV/PDF or send via email.

• Custom Dashboards: Combine multiple reports into personalized dashboards for a complete view of KPIs and metrics.

The Cymmetri Help Page serves as a vital resource, offering users a comprehensive documentation hub that breaks down all the features and provides step-by-step configurations for various functionalities.

To access this valuable documentation, you can visit https://help.cymmetri.io directly. Alternatively, you can simply click on the help icon located at the bottom left of your Cymmetri tenant screens.

Key Features of the Help Page:

1. Comprehensive Feature Explanation: The Cymmetri Help Page covers all the features of the platform straightforwardly. Whether you are a beginner or an experienced user, you can find detailed explanations of each feature, ensuring you have a clear understanding of its purpose and functionality.

2. Step-by-Step Configurations: One of the highlights of the Help Page is its provision of step-by-step configurations for various features. This means you can follow a simple, structured guide to set up and customize different aspects of Cymmetri according to your specific needs.

3. User-Friendly Language: The documentation is crafted in a manner that balances technical precision with user-friendly language. You won't find unnecessary jargon, making it accessible for users with varying levels of technical expertise.

Cymmetri has integrated advanced CAPTCHA validation capabilities to bolster security against automated threats and bot-based attacks. The platform now supports two distinct methods, providing administrators with a flexible approach to securing user interactions.

Supported CAPTCHA Methods

• hCaptcha: This method is a privacy-focused and widely adopted alternative to traditional CAPTCHA. It requires users to perform a simple task (e.g., identifying objects in an image) to prove they are human, effectively blocking bots while maintaining user privacy.

• Traditional CAPTCHA: This classic method uses distorted text or numbers that users must correctly enter. While this method is effective, it can sometimes be more challenging for users to solve.

These integrations enable Cymmetri to enhance its security posture by providing a robust defense layer, ensuring that user registration and login processes are protected from malicious automated activity.

Administrator Configuration

To enable and configure CAPTCHA, administrators must navigate to the Configuration section and select Captcha Configuration.

From this menu, the administrator has two options:

1. hCaptcha Type: Selecting this option enables hCaptcha validation, which utilizes simple, interactive tasks for user verification.

2. Traditional CAPTCHA: Choosing this option will implement the classic method of using distorted text.

The administrator can then save the configuration.

Below is an example of what the Traditional CAPTCHA looks like to an end-user.

Global Search is a powerful, word-based search feature that empowers users to instantly navigate across various pages in Cymmetri by simply typing in relevant keywords. This functionality streamlines the process of locating specific information, making it significantly easier to access any content within Cymmetri with just a few keystrokes. By incorporating Global Search in Cymmetri, the time spent browsing through menus or sifting through irrelevant data is minimized, directly enhancing productivity and user experience.

The Global Search feature is available in the top bar, which makes it available on all pages as shown below:

For using the Global Search, the user needs to click on the search box. When clicked, it opens a search dialog box.

Note: The search dialog box can also be opened using Ctrl+K (in Windows) or Command+K (in Mac)

Upon entering a term, you'll receive precise matches or helpful suggestions. Simply browse the list and select the desired page to view it, clicking anywhere outside the search modal instantly closes it, allowing you to seamlessly return to your previous page.

The page also provides certain shortcuts which can be used for ease:

Esc: Close the search Dialog box

↓↑: for Navigate up and down the search list

Enter: For opening the selected page

The Search box appears below in non-administrative logins:

Administrator tasks pertaining to bulk users may be eased by creating groups of users.

Creating User Groups

Access the group configuration page by clicking Identity Hub > Groups on the left-hand side.

Click on the “+Add New” button to start creating a new group

Group Name: Indicates the name of the group.

Group Type: For environments not using Active Directory, either Local or Remote Group may be chosen. In case Active Directory is being used for synchronization in the tenant, the appropriate type according to the group policy object must be chosen.

Parent Group: If a parent group is chosen, all the policies and rules applicable to the parent group will be assigned to this new group, in addition to the policies and rules specifically applied to this new group.

Group Description: Optionally, a description may be provided to the group.

Once all the details have been entered, click on the Save button, and a new group is created.

Delegation as a process in the Cymmetri platform refers to the ability of any end-user to delegate their responsibilities to any other end-user on the platform. As such, delegation provides the ability to the delegatee to perform various actions, including Single Sign On, Application Requests, managing workflows by providing approvals, and performing Cymmetri administrative actions (if the delegator has the required permissions on the platform), among other actions. However, the login flow for the delegatee stays the same.

Configuring the delegation on your tenant

Access the Delegation administration panel, by clicking on the Configuration left-hand side menu item and then clicking on the Delegations menu item.

For any user to be able to delegate their work to other users, the user should be added to the delegation users list; To Add Users to the delegation list so that they can delegate their activities, click on the Assign New button and select one or more users to add to this list.

User and Assignee Consent

The User and Assignee Consent sections allow organizations to align task delegation practices with their unique policies. This customizable feature empowers administrators to define specific consent texts, ensuring that both the user delegating a task and the delegatee receiving it acknowledge and agree to these terms.

The user consent will be displayed whenever the delegator (user) goes to their settings in their Workspace and assigns a delegation to an end-user (delegatee). This consent will be recorded in the Cymmetri backend for audit logging purposes.

Similarly, the assignee consent will be recorded when the end-user (delegatee/assignee) logs into the account for their manager (delegator/user).

Here's how it works:

1. Administrator Configuration: Administrators can craft consent texts tailored to their organization's requirements. These texts typically outline the responsibilities, expectations, and any legal or compliance aspects associated with task delegation.

2. User Perspective: When a user decides to delegate a task to someone else, they will be presented with the customized consent text. The user must carefully review and accept the terms before proceeding with the delegation process. This step ensures that the user is aware of the implications of task delegation and is willing to proceed.

3. Assignee Perspective: On the other side, the delegatee who is about to receive the delegated task will also be presented with relevant consent text. They must thoroughly read and accept these terms before taking on the responsibility. This step helps establish clarity and accountability for the delegatee.

Upon receiving a delegation request, the user is notified via email and within the platform.

To view the delegated task the delegatee can go to Settings->Delegation to Me to see details about the delegated tasks and the user who has assigned the task

The user needs to click on the Accept button to accept the delegation. On clicking the Accept button an Assignee(delegatee) Consent is shown which the users need to read and confirm. The Consent also shows details of the delegator and the duration of the delegation.

Once the user accepts the delegation the user sees a login button, to login into cymmetri as the delegator

On clicking the login button the delegatee is redirected to the delegator's My Workspace Dashboard.

The delegatee can access and perform actions on all the applications assigned to them and if any application is excluded during delegation they are not visible to the delegatee.

Self-registration empowers users with greater control over their accounts, reducing the administrative burden on IT and security teams. These enhancements focus on a secure and streamlined self-registration process and improved password management.

New Features:

• Configurable Self-Registration: Cymmetri now supports self-registration, allowing new users to create their accounts securely. This process is governed by pre-defined parameters and policies, ensuring that all new accounts meet your organization's security and compliance standards from the outset.

• Activation and Password Management:

• Activation Link: Once a new user self-registers, the system automatically sends them an activation link. This link allows them to set their own secure password, finalizing their account setup.

• Password Reset Link: For existing users, administrators, or managers can now easily send a password reset link. This empowers users to securely reset their login credentials independently, eliminating the need for manual password changes by support staff.

These updates automate key user management tasks, providing a more efficient and secure experience for both users and administrators.

To enable and manage these features, administrators must perform the following configuration steps:

1. Access Configuration Settings: Navigate to Configuration → Self Registration Config within the Cymmetri interface.

2. Choose Password Generation Method: The administrator has two primary options for password management:

3. Generate Activation Link: This option, as described above, sends a link to the user, allowing them to create their own password.

4. Generate Password: This alternative automatically generates a temporary password that the user must use to log in for the first time before being prompted to change it.

Add Custom Fields: For increased flexibility, the administrator can add new User Registration Fields by clicking + Add Registration Field, allowing for the collection of additional information relevant to the organization.

Cymmetri's Internal Identity Provider (IDP) is a powerful authentication solution that supports seamless integration with various Identity Providers (IDPs).

We will explore the configuration options for three types of IDPs:

• Cymmetri,

• Active Directory, and

• LDAP.

The flexibility of the Cymmetri Internal IDP allows you to manage multiple IDPs of the same type, making it easy to adapt to diverse environments with different Active Directory/ LDAP instances. Cymmetri's Internal IDP aims to provide a centralized and adaptable authentication solution for your environment, supporting various IDP types.

To access Internal Identity Providers navigate to Authentication-> Identity Provider->Internal IDP

To customize the applicability of different IDPs, administrators need to configure . These rules enable the configuration of various conditions. When these conditions are met, the corresponding authentication mechanism or IDP is used for user authentication.

To access Internal Identity Providers navigate to Authentication-> Identity Provider->Internal IDP.

Since Cymmetri is a default Internal IDP no configuration is needed for it. An administrator may still have an option to disable Cymmetri Authentication which can be done by editing the Cymmetri Authentication Internal IDP mechanism.

An administrator may also change the Display Name and/ or Description as shown in the screen above.

In Cymmetri, the Attribute Setting is a tool for user attribute management.

It provides administrators with granular control over attribute visibility during user creation or updation processes. This feature empowers administrators to enable or disable both predefined and custom attributes effortlessly.

When an attribute is disabled, that associated field doesn't appear anywhere in the user creation or updation pages, streamlining the user management experience.

Cymmetri can work with systems that handle user account provisioning manually, such as help desk or service request platforms. These systems typically rely on human intervention to create, modify, or deactivate user accounts, and Cymmetri can communicate or integrate with them to streamline these processes.

For example: If a company hires a new employee, the help desk team manually creates an account for the employee. Cymmetri connects with this help desk system to track or manage the account creation process.

Manual Application Provisioning Workflow

Integration with Powershell

1. For the powershell connector we need a windows server machine with a connId server on it.

2. Configure powershell connector with following properties
3. Must configure powershell script with valid data using the reference below

Reference:

Custom Attributes may be added for all user entities in your Cymmetri Platform. This allows organizations to add custom user attributes that are used across the applications in the organization.

For example, your organization has a custom attribute that captures and uses the local language of your employees and vendors to provide local services. This attribute may be stored in your Active Directory and may need to be synchronized to your organization’s other applications during the course of an employee or vendor’s employment.

Cymmetri platform allows the administrator to define custom attributes on a tenant-wide level.

Custom attributes can be used at various places, like when creating a user, as a filter when searching for users, and are visible in the other sections of user info

The Ticker feature is a powerful communication tool in the Cymmetri platform that allows administrators to broadcast real-time, time-sensitive, text-based messages to users. It's a key component for improving internal communication and enhancing security awareness.

This feature provides a robust channel for broadcasting important updates and alerts, including:

• Urgent Announcements: Instantly communicate system-wide announcements, such as new policies or security reminders.

• Maintenance Notifications: Inform users about scheduled system maintenance or downtime to minimize disruption.

The User Management interface in Cymmetri provides an intuitive and efficient way to manage users within Cymmetri. The interface is designed to support both list and card views, allowing administrators to easily navigate through user profiles according to their preferences. To access the User Management page, navigate through: Identity Hub -> User

Features

The UserManagement Page provides various features that ease user management.

This feature allows administrators to perform multiple user management tasks simultaneously, streamlining the process of managing a large number of user accounts. The following actions can be performed in bulk, namely:

• Lock User

• Unlock User

• Activate User

While users may be imported and synchronized from other Identity providers, sometimes users may need to be added manually by the administrator.

Steps to Create Users:

1. First, navigate to the User configuration page by clicking on the Identity Hub > User menu on the left-hand side panel.

The Edit User functionality allows administrators to modify user details within the Identity Hub.

Steps to Edit a User:

• Navigate to Identity Hub -> Users, select the specific user you wish to edit, then go to the User Info page and click on Edit User

Users may be imported into the Cymmetri platform using the bulk Import Users feature.

Please Note: User import process follows the synchronization policies as defined .

Importing Users

For Importing Users in the Cymmetri platform administrator needs to click on Identity Hub > User menu and then click on the Bulk Import > Import Users button.

Active Directory (AD) is a robust Identity Provider (IDP) in enterprise environments. It authenticates and authorizes users, facilitating seamless access to resources. AD centralizes user management, streamlining security protocols and ensuring efficient user provisioning.

Active Directory can be utilized in Cymmetri as an Identity Provider (IDP), leveraging existing AD user accounts to access Cymmetri, as the platform supports the LDAP protocol.

For configuring AD as an Identity Provider, the primary service needed is the Adapter Service.

The Adapter Service

The Adapter Service or Auth Adapter Service is exposed as a rest service that runs on HTTPS and acts as an adapter to facilitate authentication using the LDAP protocol which is often employed for authentication purposes in various systems and every adapter service instance is called by the

Lightweight Directory Access Protocol (LDAP) serves as an important Identity Provider (IDP) in enterprise environments. It authenticates and authorizes users, facilitating seamless access to resources. LDAP is commonly used as a directory service for managing user identities and authentication information within an organization.

LDAP can be utilized in Cymmetri as an Identity Provider (IDP), leveraging existing user accounts to access Cymmetri, as the platform supports the LDAP protocol.

For configuring LDAP as an Identity Provider one of the primary services needed is the Adapter Service.

The Adapter Service

The Adapter Service or Auth Adapter Service is exposed as a rest service that runs on HTTPS acts as an adapter to facilitate authentication using the LDAP protocol which is often employed for authentication purposes in various systems and every adapter service instance is called by the

Cymmetri's External Identity Provider (IdP) feature allows you to authenticate user identities using different IdPs for various user types. This flexible configuration enables you to streamline access for both internal employees and external users, such as consultants, vendors, and their employees. In this documentation, we will guide you through the process of configuring an External IdP within Cymmetri's identity and access management system.

For internal employees, you can configure Cymmetri's Internal IdP mechanisms like Active Directory or LDAP. This allows seamless authentication for your organization's employees.

Whereas external users, such as consultants, vendors, and their employees, can be verified using popular External IdPs like Google, Azure, Salesforce, or any other supported IdP. This approach simplifies access for external parties while maintaining security and control.

Within Cymmetri, the authentication process is highly customizable through the definition of authentication rules. While the platform provides a default authentication rule, administrators have the ability to define custom authentication rules that align with the specific business needs and the variety of identity providers at their disposal.

For instance, let's consider a scenario where an organization has distinct user types, such as regular employees, contractors, and administrators. The administrators might require to authenticate employees with Active Directory as the identity provider and use Cymmetri's own authentication engine to verify the identity of vendors and contractors. With Cymmetri's flexibility, administrators can create authentication rules that cater to these varying requirements, ensuring a tailored and secure authentication experience based on user roles and organizational needs.

Admins can find authentication rules in Authentication tab in Cymmetri.

To create a new authentication rule, admin must simply click on the "Add New" button on the top right corner of the page.

The admin must fill in the following details

The "Import History" tab in Cymmetri provides a comprehensive record of all data imports, ensuring transparency and accountability in managing user and system information. This feature is designed to offer administrators insights into the history of data imports, facilitating effective tracking and auditing.

To check the import history in Cymmetri, go to the "Import History" tab within the Logs section. This area keeps track of all bulk import events, including imports for user and application assignments.

In this section, administrators can find a detailed history of import events, including:

1. File Name: The name of the file that was imported.

Understand how to add and manage your cloud and on-premise applications through your Cymmetri Identity platform deployment. Your Cymmetri Identity deployment allows you to manage your cloud-based applications and on-premise applications from a single administration console.

Adding Applications

Understand how to add the applications used by your organization to be managed in your Cymmetri Identity platform deployment. Use the FAQ to learn how to add applications to be managed in the deployment.

For any user to be able to delegate their work to other users, the user should be added to the delegation users list; Check how to Add Users to the delegation list so that they can delegate their activities.

Delegate Work to Delegatee

Following are the steps to delegate work to a delegatee:

The logged-in user needs to go to their Settings Page by clicking on the user's username on the top right

Once on the Settings Page user needs to click on the My Delegations menu

Cymmetri provides a robust suite of provisioning operations that enable seamless identity and access management across various applications. Below is a detailed overview of the provisioning operations supported by Cymmetri.

1. Test Operation

• Purpose: The Test Operation is used to validate the connectivity and configuration settings between Cymmetri and the target application or directory service. This operation ensures that all necessary parameters, such as API endpoints, credentials, and schema mappings, are correctly configured.

• Usage Scenario: Before initiating any provisioning tasks, administrators can use the Test Operation to verify that the integration between Cymmetri and the target system is functioning as expected.

1. Any application which supports SCIM v2.0 with fixed bearer is workable for application.

2. Following are configuration which is used for SCIM with fixed bearer

1. Base address - It is the endpoint of the target system which supports SCIM v2 API’s.

Integration SCIM v2.0 with Basic

1. Any application which supports SCIM v2.0 with basic authentication is workable for application.

2. Following are configuration which is used for SCIM with basic authenticator.

Integration REST Application

1. The REST connector is designed to manage provisioning by relying on RESTful service.

2. For REST applications we need target applications which support REST API’s.

3. Following configuration is tested for felicity application.

Version: cloud_3.1.2 product release

Date: 13 June 2024

New Features

1. The workflow self-approval module was updated to support custom attributes (type: user type and Converter Type: String ) as condition parameters.

2. Teams config module updated to support custom attribute (type: user type and Converter Type: String ) as condition parameter.

3. On behalf module updated to support the custom attribute (type: user type and Converter Type: String ) as a condition parameter.

4. Auth Rule module updated to support custom attribute (type: user type and Converter Type: String ) as condition parameter.

5. Quick Setup - Setup applications using pre-defined operations

6. Import-Export App Configuration - Transfer configurations of applications smoothly between tenants, simplifying the setup for users by ensuring all configurations, including user configurations, server configurations, and policy maps, are accurately migrated.

7. Removal of Deprovision Rule Exclusion Applications Field: a) Manual Execute Deprovisioning b) Deprovisioning via Scheduler c) Update Threshold Delete Config d) Deprovision Rule Updation e) Backward Compatibility f) Suspend or Resume User g) Impact on UI

8. Access review reject process updated, on rejection workflow support added.

9. SAML Single Logout

10. The new screen will show loading on UI till tenant creation is completed once OTP is verified

11. Interchanged position of login ID and email on add/edit user for better UX.

12. Add support for the page number field for pagination in Amaya

13. 360 Recon

14. Lotus Notes Connector

15. Application Policy Map (Active Directory) samAccountName is compulsory for Create only flag in User as well as Group (AD application new bundle - When SAMaccount name is set to false in Group policy map, members are not assigned in group when recon Pull is executed for both exist=Update).

16. Added Warning information and warning popups (Only UI changes no impact on backend functionality): a. Creation of user manually. b. Updating of user manually. c. Bulk upload CSV (creation of user) d. Manager assignment e. Policy map creation and updation f. Reconciliation Pull operation g. Reconciliation push operation h. Selfservice ➝ Teams: i. Creation of user ii. Updation of user

17. Removal of Email validation from the backend

Fixes

1. The user info page crashed while the user edit fails

2. Import/Export of App Configuration

3. Amaya- Detailed description of failed/executed logs should be shown

4. AD application new bundle- The group link attribute in the db is empty, and users are not getting updated in the group

Known Bugs

1. Manager notification: receiving user name required manager name

2. Unable to identify application properties data type where value is empty

3. Amaya || Create user operation fails due to an invalid password

4. In forgot password/password breach condition-asking disabled MFA factor also

The Banner Management feature allows you to display customizable messages or images to users. These banners can be configured to appear either on the login page (before a user authenticates) or within the user portal (after a user logs in). You can define a name, a start and end date, visibility options, and an active status toggle for each banner. This is useful for sharing announcements, reminders, or policy updates with specific audiences.

Prerequisites:

To configure a banner, ensure you have the following:

• Image Files: You can upload up to five images. They must be in JPEG, PNG, or JPG format and have a maximum file size of 500 KB each.

• Filenames: Each image filename can be up to 30 characters long.

• Targeting Conditions: For banners shown After Login, you can set conditions using user attributes such as User Type (e.g., "Employee") or Department (e.g., "HR"). You can use AND/OR logic to create complex rules.

Configuration Steps for Banner:

Step 1: Create a New Banner

1. Navigate to the Configurations section.

2. Click on Add Banner.

Step 2: Define Banner Details

1. Enter a descriptive Name for the banner.

2. Set the Start Date and End Date to control when the banner is active.

Step 3: Select Banner Visibility

Choose whether the banner should appear Before Login or After Login.

After Login Banner:

• Upload: Click to upload an image file. You can use drag-and-drop or a manual upload.

• URL: Enter a URL to redirect users to a specific page when they click the banner.

• Conditions: Apply a set of conditions based on user attributes to ensure the banner is only displayed to a targeted group of users. Once configured, the banner will appear as a pop-up after a user logs in. Clicking the banner will redirect them to the specified URL. Users can close the banner by clicking the cross mark and confirming.

Before Login Banner:

• Select the Before Login option and save the changes.

• The banner will be displayed on the login page before any authentication occurs.
• Clicking the banner will redirect to the specified URL. Users can dismiss the banner by clicking the cross mark.

Tenant branding in Cymmetri allows you to personalize and enhance the visual identity of your environment. With tenant branding, you can customize the appearance of your platform, including logos, color schemes, and even tailored messages, aligning it with your organization's branding guidelines.

This not only creates a cohesive and professional user experience but also reinforces your brand's presence throughout the Cymmetri environment. It's a powerful tool for organizations looking to maintain a consistent and recognizable image while utilizing Cymmetri's identity and management capabilities.

The Cymmetri platform allows a certain level of customization to your tenant from the administration panel. This includes the ability to modify the default Cymmetri branding scheme to your own Organization’s branding scheme.

1. Your Organization Name and Tagline

2. Your Organization Logo

3. Your Organization Branding Colors (Primary, Secondary, Accent Colors)

Configuring your tenant branding

1. To access the branding menu, first click on the Configuration menu on the left-hand side and then proceed by clicking on the Branding menu item.
2. Start the configuration by entering your Organization Name and Tag Line

3. Proceed by adding a Welcome text and Welcome Tagline, and select whether the Cymmetri help icon should be visible to the user or not

The configuration will be applied in a few seconds to reflect your branding.

In Cymmetri, the administrator now has the option to select the "Reset to default theme" button, allowing them to revert to the original theme.

Notifications are triggered from the Cymmetri platform for various actions occurring on the platform either through direct action by the end-user or by the virtue of some backend action (such as running of a scheduler for a campaign). Cymmetri platform ships with default notification templates listed below-

1. Mandatory Notifications

• Sign-up / Registration

• OTP Notification

• Access Code Manager Notification

• Access Code User Notification

1. Optional Notifications

• Workflow Notification

• Reviewer Notification

• Application Access Approval Request

• Application Assignment

Please note: The above notifications are available out of the box. The system also allows custom notifications to be triggered for specific events using the Cymmetri Webhooks. The custom action trigger can call an existing Cymmetri notification template or a custom template can be included in the webhook code.

The default templates may be modified by the administrator using the following process:

1. Access the notification templates menu by clicking on the configuration menu on the left-hand side menu bar and then clicking on the Notification templates pop-up menu.
2. Click on the eye icon to preview the corresponding template

1. Values in <> anchor tags and ${} reflect macros.

2. Click on the pencil icon shown above the image to edit the template.
3. We may treat this template as an email and edit the subject of the email.

   By default, the email notification will be sent to the corresponding affected end-user, but selecting the toggle option for “Send notification to Reporting Manager” will also copy the mail to the Reporting Manager of the affected end-user, allowing for offline follow-up for the notification.

In user lifecycle management, the transition of a user's status from Suspended to Archived initiates a critical de-provisioning sequence. This process is designed to ensure that all user entitlements are permanently revoked from target applications, a final action controlled by a configurable flag.

User Creation and Initial Status: The process begins with a user being created in the system, with their initial status set to Active.

Suspension Initiation: An administrator initiates the suspension of a user by selecting the "Delete User" option. This action changes the user's status to Suspended, thereby revoking their login privileges while retaining their account information.

Movement to Suspended List: The user's profile is then moved to the Suspended Users list, allowing administrators to differentiate between active and temporarily disabled accounts.

Log Verification: The administrator can verify this status change by reviewing the system logs. The logs will record the status transition from "ACTIVE" to "DELETE." This log entry also provides a clear record of the user's application status, indicating if any associated applications were also de-provisioned at this stage.

Forced Deletion: Should the administrator require immediate, permanent de-provisioning, the "FORCE DELETE" option can be used. This action bypasses the standard suspended state and triggers the final de-provisioning call immediately, ensuring that all entitlements are permanently removed.

Final Validation: To confirm the user's complete de-provisioning, the administrator can once again validate the status in the system logs. The logs will confirm the final deletion and provide a complete audit trail of the user's lifecycle, from creation to final de-provisioning.

Cymmetri’s 360-Degree Reconciliation feature provides a robust solution for ensuring data integrity and consistency across your organization’s identity landscape. This functionality involves pulling user and role information from various applications connected to the Cymmetri platform. This collected data is then compared against your organization's primary Source of Truth (e.g., HRMS) and the Cymmetri identity store.

Key Capabilities and Benefits

This feature provides a holistic, 360-degree view of user entitlements, allowing administrators to easily identify and rectify discrepancies. It facilitates several critical reporting and security scenarios, including:

• Identity Discrepancy Reporting: The system can generate reports highlighting users who exist in the source application but are not present in the Cymmetri identity store or a target application. This helps identify onboarding failures or synchronization issues.

• Entitlement Mismatch Analysis: It provides a comprehensive comparison of user entitlements (roles, permissions, etc.) across multiple applications. This allows for the easy identification of unauthorized access or provisioning errors, such as a user having a role in one application but not in another where it is required, or vice versa.

• Enhanced Audit and Compliance: By providing a single, consolidated view of all user entitlements, the feature significantly streamlines audit processes. It ensures that user access aligns with established policies and helps maintain a secure posture by highlighting potential security risks.

1. Any application which supports SCIM v2.0 with bearer token is workable for application.
2. Following are configuration which is used for SCIM with bearer.

   1. Base address - It is the endpoint of the target system which supports SCIM v2 API’s.

   2. Username - Username to authenticate SCIM API endpoint.

   3. Password - Password to authenticate SCIM API endpoint.

   4. Security Token - It is a token which is used to authenticate.

Accessing the Applications Menu

Applications menu in the administration page displays the various options pertaining to the Application Management Process.

Applications menu can be accessed as mentioned below:

Identity Hub

1. Login as either an Organization Administrator, Domain Administrator, or Application Administrator.

2. Click on the Identity Hub icon on the left side bar.

3. Click on the Applications text on the slide out bar.

Understanding the applications supported by Cymmetri

Applications supported by the Cymmetri platform fall majorly into three categories -

1. Pre-configured Applications These are the applications that have already been configured by the Cymmetri platform for provisioning on cloud or on-premises.

2. Custom Applications for Provisioning These are the applications that you wish to manage through Cymmetri and support the generic connectors that the Cymmetri platform provides.

3. Custom Applications for Single SignOn only When you need to add an application for the sole purpose of enabling Single Sign-On (SSO), Cymmetri offers the capability to add a custom application that can be configured for SSO using the supported mechanisms.

Adding Application

Once you have chosen the application to be added from the above categories, you are ready to add a new application.

1. Click on the “Add New” button on the top-right corner in the Applications page.

2. In the Add New Application screen, you may search for your desired application (e.g., Active Directory or some authorative source like Darwin Box or Oracle HCM), or your desired connector (e.g., REST) or choose the “Custom” application type from the available application catalogue.

And also support for other standard categories of applications as shown below:

3. Now click on the tile shown in the list below to open the right slide out menu for renaming application as shown below.

4. Add your custom label (if you wish) in the text box and click on the “Add Application” button.

Conclusion

Application has been successfully added to your listing now. You may click on the configure now button to start configuring the application.

Annotation provides a centralized mechanism to define and select dynamic approvers for workflows, application access reviews, and group access reviews, enabling dynamic approval routing, which makes it easy to configure and manage.

The Annotation feature, found under the Configurations tab, allows you to designate specific users as approvers for critical identity management operations. By configuring an Annotation and selecting it within a Workflow (say, user creation) or an Access Review Campaign (for application/groups), all associated approval requests are routed directly to the Annotation-defined approver(s). Annotations enable the administrator to easily change the actual user without changing the annotation, which makes it a one-point change that gets applied at all various places where the annotation is used as an approver. With the flexibility of applying to both the application and group, it makes it easy to reuse the annotation and increases its usability.

Note:

1. Annotation names must be lowercase and cannot contain any special characters.

Assigning Users to a Group

Users once created in the Cymmetri platform can be assigned to a group. Assigning users to a group helps ease the administrative efforts to apply the same policies and assign applications to multiple users.

When assigning users to groups, various approaches can be used:

• Adding User to Group (from the Group Page)

What is a Password Policy?

A password policy is a set of rules and requirements established by an organization or system to govern how users create and manage their passwords.

The purpose of a password policy is to enhance security by promoting the use of strong, unique passwords and minimizing the risk of unauthorized access.

In Cymmetri, only the admin can create a password policy bby navigating to the authentication section and then in password policy.

Upon landing the user can view a default Cymmetri password policy which cant be deleted or deactivated.

The Cymmetri platform provides a centralized view for monitoring and auditing all reconciliation activities under the Audit Logs menu. This functionality offers administrators both a high-level summary and detailed drill-down views of each reconciliation job.

The Reconciliation History table, accessible via Audit Logs → Reconciliation History, has been enhanced to display the key reconciliation summary metrics directly in the table view.

This enhancement allows administrators to quickly assess the health and outcome of each reconciliation run without navigating to a separate detail page. The at-a-glance summary typically includes:

• Pending Records: Count of records awaiting processing.

• Synced Records: Count of records successfully synchronized (created, updated, or deleted).

In Cymmetri the "Scheduler History" feature plays a crucial role in maintaining visibility and control over scheduled tasks and operations. This functionality is designed to offer administrators insights into the history of scheduled events, providing transparency, accountability, and efficient management of routine processes.

In the "Scheduler History" tab, accessible within the Logs section of Cymmetri, administrators can delve into the details of scheduled tasks, gaining insights into various aspects of the scheduler's operation. The information presented includes:

Event of the Scheduler: Specifies the type of scheduler event that took place.

1. Event of the Scheduler: Specifies the type of scheduler event that took place.

A Batch Task in Cymmetri is a configurable, automated job designed to perform bulk operations by executing a specific backend API endpoint. These tasks can be scheduled to run at predefined intervals or be triggered manually. They are commonly used for operations like data synchronization, user lifecycle management (e.g., deactivating inactive accounts), and report generation.

Prerequisites:

Before you can configure a batch task, you must ensure the following are in place:

• API Endpoint: The backend API endpoint that the task will call must be fully developed and operational.

• Permissions & Authentication: The API endpoint must have the necessary permissions to perform its intended function, and Cymmetri must be configured with the proper credentials to authenticate with it.

• Clear Business Logic: The logic behind the task must be well-defined to ensure it performs the correct operation on the right data set.

• Manual Testing: The API endpoint should be manually tested to confirm it works as expected before being integrated into a batch task.

Step 1: Navigate to Batch Tasks

1. In the Cymmetri platform, go to the Configurations menu.

2. Select Batch Tasks.

Step 2: Add a New Task

1. Click the Add Task button to create a new batch task configuration.

Step 3: Define Task Details

1. Name: Provide a unique, descriptive name for the task.

1. Description: Enter a brief explanation of the task's purpose.

1. Endpoint: Specify the particular API operation the task will execute.

1. Complete Batch Task URL: Provide the full URL of the API endpoint.

Step 4: Configure Scheduling

1. Use the toggle switch to enable or disable scheduling.

1. If enabled, configure the task's frequency. You can select from options such as daily, weekly, or monthly runs, or create a custom schedule using a CRON expression.

1. To generate a custom schedule, use the Generate Cron Expression tool, then click Generate and Apply.

1. If disabled, the task will only run when manually triggered.

2. Click Save to finalize the task configuration.

After a task runs, its status and execution details will be recorded in the Audit Log.

Step 5: Execute a Batch Task

1. To manually run a task, find it in the list of batch tasks.

1. Click the edit icon next to the task's name.

2. Select the Run option.

3. To verify the execution, navigate to the Audit Log, where you can view the status and results of the executed batch task.

Google Configuration:

1. Log in to your Google admin account and go to the Admin Section as shown below:

Once in the admin section click on Apps > Overview

In the overview page click on the Web and mobile apps tile to add a new custom app

On the Web and mobile apps page click on the Add app dropdown and then select Add custom SAML app to add the Cymmetri tenant as a custom app

Provide a relevant App Name, Optionally a description for the application can be provided. An App Icon can also be attached if required. Once entered click on the Continue button

On the Google Identity Provider Detail page download the metadata file by clicking on the DOWNLOAD METADATA button. This metadata file needs to be used to get Entity ID, SSO URL, and Certificate. Administrators can download the certificate here or later as shown . Once downloaded click on Continue.

Once the IDP metadata and certificate are obtained the Service Provider(i.e. Cymmetri) details need to be provided. We need to provide the ACS URL and the Entity ID these details can be obtained from Cymmetri as shown here. No change needs to be done for the Name ID format and Name ID, it can be kept to UNSPECIFIED and Basic Information > Primary email. Once done click on Continue

Attributes can be added on this screen which could then be sent as a SAML response to Cymmetri. These values can be used to create a user in Cymmetri if JIT provisioning is enabled on Cymmetri's side

Group membership information can also be sent by configuring groups here and if the user belongs to the configured group. Once attributes and groups are configured click on FINISH.

Once you click on the FINISH button the below screen appears that shows the configuration details. It also shows various shortcuts to Test SAML Login, Download Metadata, Edit Details, and Delete the App

Download IDP Certificate

If the administrator does not download the certificate while configuring the custom application, it can be later downloaded. For the same the administrator needs to go to Security>Authentication>SSO with SAML applications. This will open the Security Settings page from where either the IDP details like SSO URL and Entity ID can be copied and the IDP Certificate can be downloaded. These details can be used to configure the IDP in Cymmetri.

Cymmetri Configuration

Once Google IDP is configured, the administrator must proceed with the configuration on the Cymmetri side. To achieve this, the administrator needs to set up Cymmetri as a Service Provider and also incorporate Google as an external IDP.

The page shows how to configure a Service Provider.

Once the Service Provider is configured, we need to configure Google as an external IDP.

Administrator needs to go to Authentication->Identity Provider->External IDP. Here you may either configure the already created google-idp instance or +Add New

In either cases a screen opens where you need to provide the below mentioned details

• Name: Google IdP

• IDP Type: Google

• Entity ID: https://accounts.google.com/o/saml2?idpid=xxxxxxxxxxxx

• SSO Service URL

Once all the details are entered Save the changes.

For enabling Google IDP to be used as an IDP for specific set of users an Authentication Rule needs to be configured. you can see the steps on how to configure Authentication Rules.

Once the rule is configured whenever a user matches with the rule conditions the user is redirected to Google screen and the user needs to provide his/her Google credentials to be able to login into Cymmetri.

Adaptive authentication is an advanced security measure that assesses various factors and context elements in real-time to determine the level of risk associated with a user's access attempt.

Based on this risk assessment, the authentication system can dynamically adapt its level of scrutiny and request additional verification steps if needed. This approach enhances security while minimizing disruption for legitimate users.

In Cymmetri there are various adaptive checks that the admin can enable for additional factor of authentication.

1. Device Trust Check - If enabled, Cymmetri will check if the device being used to perform action on the Cymmetri portal, has been trusted by the user

2. User Behavior - Cymmetri determines whether the behavior of user matches with the known behavior pattern of the user over time

3. Blacklisted IP - Maintains a blacklist of IP addresses that are known to be sources of unauthorized access, hacking attempts, or other malicious activities

4. Blacklisted Location - Cymmetri maintains a list of locations from which the administrator wishes to restrict access of the portal

5. Short Lived Domain - Cymmetri checks the email address domain of the user with a database of known providers of short-term or disposable email addresses

6. Impossible travel scenario - Tracks the change in location of user attempting an action over a short period of time and flagging if, system deems the pattern to be impossible.

The admin can enable these checks as per the business use case

To navigate to the adaptive settings page, click on the "Go to settings" button on the top right corner of the page.

IP Address Checks

Administrators can include an IP address in the blacklist by following these steps:

Enable the "IP address Check" radio button at the top of the page, input the IP address into the "Blacklisted IP address" field, and press enter. The specified IP will be added to the list. To synchronize the list with the database, click the "Sync Now" button.

You can select additional actions when module detects an anomaly. They are the following:

• Ask additional MFA and notify - If an MFA rule has been established and adaptive authentication is activated for it in the MFA section, when a user attempts to log in with a blacklisted IP address, the user will be prompted for additional factor(s) for authentication as defined by the rule. Additionally, the user will receive email notifications regarding the login activity.

• Only Notify - This option solely sends a notification to the user about the login activity.

• Block user and notify - This option not only blocks the user upon a login attempt with a blacklisted IP but also notifies the user on their registered email ID.

Device Trust

Define how Cymmetri determines if a device is trusted for the user and allows to define behavior of authentication in Cymmetri, in case of untrusted device

The admin can define

1. No of successful authentication attempts

2. Number of devices per user

3. Number of days

4. Additional action when module detects anomaly

• Location based checks

Organizations can maintain a list of blacklisted locations as part of their adaptive authentication strategy to enhance security measures and mitigate potential risks

The admin can select the blacklisted location on this page. Also additional actions on these checks can be selected.

• Impossible Travel Scenario

Track the changes of location from which the user attempts to perform actions on the portal over a short period of time and flags an action attempt

The admin can configure the:

1. Check Windows(in hrs)

2. Average Distance (in Km)

• Short lived Domain Checks

Checks the .email address domain of the user with a database of known providers of short-time or disposable email addresses

The admin can Sync the database where the domains are stored and updated

• User behavior checks

Cymmetri determines whether the behavior of user matches with the known behavior pattern of the user over time

The admin can select the required checks to verify the consumer behavior:

1. Unusual time of Login

2. Unusual number of Login failures

3. Unusual keystrokes pattern

The admin can enable, configure and save these adaptive checks individually as and when required.

In Cymmetri, the Audit Logs serve as a vital tool to maintain transparency, accountability, and security in your identity and access setup. This feature meticulously records a detailed account of various activities, ensuring a comprehensive overview of critical events and system changes.

Cymmetri uses a high performance columnar database management system designed for online analytical processing (OLAP). Its architecture and features make it well-suited for maintaining audit logs with strong protection and tamper resistance.

Below are key capabilities that contribute to these aspects:

Protection from alteration of logs data

Audit logs are critical in any security framework as they provide a reliable trail of all activities within a system. Ensuring that these logs are tamper-proof is vital to maintaining the integrity, accountability, and transparency of the data. Cymmetri, a robust identity management platform, implements several best practices and technological safeguards to ensure that audit logs remain tamper-proof. Here’s how Cymmetri achieves this:

1. Immutable Log Storage

Cymmetri uses immutable storage for audit logs, meaning once data is written, it cannot be altered or deleted. This ensures that even privileged users or attackers cannot manipulate the logs. The immutable nature of the storage ensures that records are permanent and always available for audits.

2. Cryptographic Hashing

Each audit log entry in Cymmetri is hashed using cryptographic algorithms, such as SHA-256, before being written to the storage. Hashing creates a unique digital fingerprint of the log entry, making any changes immediately detectable. If the contents of an entry were altered in any way, the hash would no longer match, thus providing tamper-evident logs.

3. Chain-Based Logging

To add an extra layer of tamper-proofing, Cymmetri leverages chain technology for audit logs. Each log entry is chained to the previous one using cryptographic hashes. This makes it impossible to alter any individual log without breaking the entire chain. chain ensures both immutability and accountability since every change or addition to the log becomes part of a transparent, verifiable sequence.

4. Role-Based Access Control (RBAC)

Cymmetri strictly enforces role-based access controls to restrict who can view and interact with the audit logs. Only authorized personnel have the rights to access the logs, and the system records all accesses, creating an additional layer of oversight. This minimizes the risk of tampering from internal threats or misconfigurations.

5. Logging Redundancy and Backup

Cymmetri ensures that audit logs are stored in multiple secure locations using distributed databases or cloud storage. This redundancy guarantees that even if one storage instance is compromised, the logs in other locations remain intact. Regular backups further protect the integrity of logs by ensuring that a historical record is always available.

6. Time-Stamping

Each audit log entry is time-stamped with a high degree of precision to ensure traceability and integrity. The timestamps are included in the cryptographic hashes, making it impossible to modify both the content and the timing of the log entries. This creates a reliable chain of events that can be used to track down and investigate suspicious activities.

Cymmetri’s tamper-proof audit logs combine state-of-the-art technologies like cryptographic hashing, immutable storage, and chain to ensure that the integrity of the audit trail remains intact. With features like RBAC, redundancy, time-stamping, and real- monitoring, Cymmetri offers a highly secure logging framework that prevents any unauthorized modifications, ensuring full accountability across its systems.

For administrators looking to review system-related logs in Cymmetri, the process is simple. Just head to the "Audit Logs" tab within the Logs section. Here, you'll find a wealth of information, covering everything from user logins to requests for accessing applications.

Audit References

Cymmetri Audit Log maintains all events processed via Cymmetri. The events are tracked based on per object event log as per the Cymmetri logging framework. Events that become part of the the log are-

1. Human driven events processed by the system. Example- a Cymmetri Admin changing an application configuration.

2. Scheduled events processed by the system. Example- Deprovisioning job to disable Cymmetri users.

3. Events triggering associated processes as set up in the system. Example- Authentication service will verify the authentication rule to check for Passwordless or MFA based login journey.

Cymmetri goes the extra mile by capturing each and every system event, offering administrators a thorough understanding of what's happening within the platform.

For a closer look at a specific log entry, administrators can click on the eye icon next to it. This action provides a detailed response, offering insights into the exact activities that took place.

The admin can also filter the logs based on:

1. The actor who performed the event

2. The performed event

3. Start and end date of the events

4. Target and target type

Cymmetri provides a reference view for the changes occurred during an audit event.

In essence, Cymmetri's Audit Logs empower administrators with the tools they need to keep a close eye on system activities, ensuring a secure and well-documented identity and access management environment.

Github Enterprise provides provisioning using SCIM 2.0

Pre-requisites

1. Create an account in Github (Enterprise).

2. Enable SAML for the Github tenant to be used with Cymmetri.

Step 1. Configure SSO in Cymmetri

Note the application URL received from the Git SAML configuration

Continue the configuration by logging into Cymmetri using at least Application Administrator role

Note: Public certificate gets from SSO metadata(cymmetri) and format it using following

Note: Make sure when you test SAML then in cymmetri login with github admin users loginid which is added in cymmetri.

Configure Profile Mapping

Create User in Cymmetri and make sure login id of Cymmetri is same as gitHub Admin user login id.

Test SSO with the Cymmetri user.

1. Configure SCIM v2.0 (Github) application from master (cymmetri).

2. Basic provisioning policy attribute and policy map already aaded in default schema.

3. Github Application is run using Fixed Bearer token.

4. To get Fixed bearer token following steps used.

Step 1: Go to user settings in github

Step 2: Go to developer settings

Step 3: Go to personal access token and generate new token

Step4: Click on Configure SSO

Step 5: Click on Authorize

1. Use following cymmetri provision configuration and change according to github account.

2. Fixed Bearer Value copy from personal access token

3. Click on save

4. Click on Test Configuration with success message.

Version: cloud_3.1.15 product release

Date: 09 February 2025

New Features

1. User Management

• User Threshold

Cymmetri platform has six different admin roles with various levels of access to the various menus and resources on the administration portal of Cymmetri.

In addition to these six admin roles, Cymmetri also supports three different privileged user roles that grant varying levels of access (read, write, report) to privileged users within Cymmetri.

Administrators

The various admin roles on the Cymmetri Identity Platform may be described as follows:

In this section, we will provide you with detailed information about the types of applications and connectors supported by Cymmetri

Supported Pre-configured Applications

Cloud Based Applications

The 360 Degree Recon is one of a type feature of Cymmetri that enables administrators to have a holistic view of user data.

The 360-degree reconciliation process in Cymmetri is designed to ensure that identity data across different systems is consistent and up-to-date. The reconciliation process involves comparing records from Cymmetri with the records in target systems (like Active Directory) and identifying discrepancies that need to be addressed.

The 360-degree reconciliation process in Cymmetri is crucial for maintaining data integrity across all connected systems. By regularly running reconciliation, organizations can ensure that their identity data is accurate.

Configuring 360 Degree Recon

The 360 degree recon can be configured for all the provisioning applications supported by Cymmetri. Here we will be seeing an example of 360 Degree Recon with Active Directory.

Dynamic Forms enable administrators to request additional fields from either administrators or end-users when assigning applications. These additional user fields are then collected and used for provisioning the user into the managed application.

Creating a dynamic form:

For creating a dynamic form the administrator needs to configure the managed application. For e.g. Identity Hub->Applications->Service Now(Application may change )->Forms

Load the default form by clicking on the “Load Sample Data” button