Frequently Asked Questions

Login

Last Updated: December 15, 2020

What happens if I did not receive an email?
Check your spam folder and ask your Email Admin to whitelist the @securends.com domain.

Once logged in, I do not have access beyond the homepage?
Contact your SecurEnds Admin to provision your access accordingly.

What if I forgot my password?
If you forgot your password, you can easily reset it using the forgot password link on the login page. All you need is your email.

System of Record

Last Updated: December 13, 2020

Utilizing the sample data file, the file being uploaded must contain the following headers, with the bolded column headers being the required fields. If a field is not marked as required, then that column can remain blank, but the header must still be within the file. The column headers do not have to be in the order listed below as long as the file contains all the headers:

- Employee First Name
- Employee Middle Name
- Employee Last Name
- Employee Email ID (required if used as a unique identifier)
- Employee ID
- Employee Type
- Employee Access Status
- Manager Email ID
- Group Owner

What happens if a record is skipped?
Export the skipped records and refer to the “Error Description” column for an explanation of the skipped record.

What if the System of Record does not have an unrequired column such as “Employee Middle Name”?
Include the header within your file but leave the column blank.
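As an added example (not SecurEnds code), a pre-upload check for a System of Record CSV against the headers listed above: it flags missing or non-exact headers and blank or duplicate unique identifiers. Comparing headers character for character and identifiers case-insensitively are assumptions, and the sample rows are constructed.

```python
import csv
import io

# Headers from the System of Record section above; column order does not matter.
SOR_HEADERS = [
    "Employee First Name", "Employee Middle Name", "Employee Last Name",
    "Employee Email ID", "Employee ID", "Employee Type",
    "Employee Access Status", "Manager Email ID", "Group Owner",
]

# Constructed sample: lower-case header, blank identifier, duplicate identifier.
SAMPLE = (
    "Employee ID,Employee First Name,Employee Middle Name,Employee Last Name,"
    "Employee Email ID,Employee Type,Employee Access Status,Manager Email ID,"
    "group owner\n"
    "1001,Ana,,Diaz,ana.diaz@example.com,Employee,Active,lee@example.com,\n"
    "1002,Raj,,Patel,,Contractor,Active,lee@example.com,\n"
    "1003,Ana,M,Diaz,Ana.Diaz@example.com,Employee,Active,lee@example.com,\n"
)


def _norm(name):
    return " ".join(name.split()).casefold()


def check_sor_file(text, unique_id="Employee Email ID"):
    """Return a list of problems to fix before uploading a System of Record CSV."""
    problems = []
    reader = csv.DictReader(io.StringIO(text.lstrip("\ufeff")))  # drop Excel BOM
    found = reader.fieldnames or []
    near = {_norm(h): h for h in found}
    for header in SOR_HEADERS:
        if header in found:
            continue
        if _norm(header) in near:  # assumption: "exact" means character-for-character
            problems.append(f"header {near[_norm(header)]!r} is not an exact match for {header!r}")
        else:
            problems.append(f"missing header {header!r}")
    if unique_id not in found:
        return problems
    seen = {}  # assumption: identifiers compare case-insensitively
    for row in reader:
        value = (row[unique_id] or "").strip()
        if not value:
            problems.append(f"line {reader.line_num}: blank {unique_id}")
        elif value.casefold() in seen:
            problems.append(f"line {reader.line_num}: duplicate {unique_id} {value!r} "
                            f"(first on line {seen[value.casefold()]})")
        else:
            seen[value.casefold()] = reader.line_num
    return problems
```

Pass `unique_id="Employee ID"` when Employee ID is the identifier used for matching.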

Applications

Last Updated: September 24, 2021

You can refer to the sample data file for format recommendations, but you can import your own file. The file itself can be imported as a CSV, XLSX, or XLS. The mapping exercise for importing will guide you through how the columns in your data are assigned to SecurEnds columns.

Each application will require a unique identifier to make a match with the System of Record. This unique identifier can be either an Email or Employee ID. Without this unique identifier, SecurEnds will not make an initial match, and users without a unique identifier will be marked as unmatched records. Unmatched records are not reviewed when a campaign is created, so they need to be matched with a user within the System of Record before initiating a review.

While importing a CSV, you will be asked which data within your app data will be used to match to the user within the People view or System of Record. You have the default option of using a First and Last Name (not full name) or an email address. The second option is by an Employee ID. Note that if the matching choice is Employee ID, this must also exist in your System of Record data so it can be matched.

The following bolded fields are required to be matched with columns from your imported file. If a field is not bolded below, then that data is not required.

- Employee First Name – required if email address is not present
- Employee Last Name – required if email address is not present
- Employee Email ID – required if either first name or last name is not present
- Login ID or Username (Credential) – required
- Employee Middle Name
- Employee ID (required if used as a unique identifier)
- Employee Access Status
- Last Authentication Date
- Role/Group/Permission – required if performing an entitlement review
- Role/Group/Permission Description
- Role Created Date
- Login Created Date

What happens if a record is skipped?
Export the skipped records and refer to the “Error Description” column for an explanation of the skipped record. This typically means there are duplicates in the data file.

What if the application does not have an optional data column such as “Employee Middle Name”?
You are not required to match that column to the SecurEnds column header and can leave it blank or not include it.

What if the application does not contain a First Name or Last Name?
You will need to have an email address so the system can map to the user in the System of Record. You should still bring in the first name and last name if you have that data so that the system can still utilize the First Name or Last Name for Fuzzy Logic matching.

I have a batch of unmatched users and I know their unique identifier that corresponds with the SOR data. How can I quickly match these unmatched users?
In a scenario where a group of users are unmatched for a known reason and you wish to manually match them within SecurEnds, you can do this in bulk.

- Navigate to Users > Applications > the application with unmatched users
- Actions > More > Bulk Assign
- Select the UnMatched radio button and select Download
- The CSV will contain some data of the unmatched users. Update the IAM User column/attribute (column H) with the email address that corresponds to the user from the People view (System of Record). You are not assigning this to a manager. You are assigning this record to an identity in the People view which will already have a manager.
- Save your changes as a CSV
- Drop or Upload the file and Sync your application to update the new matches

User Access Reviews

Last Updated: July 23, 2021

I finished my last review and it did not save, why?
Each page during the review process has a Next button to transition to the next user to be reviewed. This Next button has a “next and save” functionality. On the last review, there will be no Next button. Be sure to Save the last review, as changes will not be saved automatically upon closing out.

Are updates automatically changed within my applications?
Unless you have opted for our LCM module, which pushes changes directly into Active Directory, all updates must be made on your end within the application. After updates are acted on within the application, make sure to Sync the application to verify the changes.

Can users self-certify?
No; however, delegations can be made for specific individuals being reviewed. For example: if an application owner is reviewing the application and his own data is housed in the review, it is best practice to have someone else review his access rights. He can delegate his credential review to someone else using the delegations tab. Here one can assign the reviewer (potentially themselves) they wish to delegate along with a delegatee email representing the person to conduct the review in their place.

If I terminate a user during a review, will those entitlements/credentials be revoked and included with the ticketing process?
Yes. If a manager marks a user as Terminated during the review, the credential and any entitlements will be marked as revoked and included with the ticketing file that is generated and emailed to the address designated within the application ticketing configuration. One thing to remember: this file is an end-of-campaign file and will not be generated until the campaign is closed. So, if you have a month-long campaign going on, the action to revoke access for terminated users will not go to your help desk (whoever actions the tickets) until after the campaign is completed. Of course, the manager always has the option to proactively send an internal request to remove the terminated user's access within the respective application before the campaign completes. But that is a process outside of the SecurEnds tool and would not impact anything.

Azure Active Directory

Last Updated: December 22, 2020

Best Practices

7 permissions are required when setting up the Azure AD connection. They are listed below.

Delegated permissions:
- User.Read
- User.Read.All
- User.ReadBasic.All
- Directory.AccessAsUser.All
- Directory.Read.All

Application permissions:
- User.Read.All
- Directory.Read.All

We recommend using a service account when setting up (ex. tenant ID, client ID, client secret).

When connecting to Azure, we have separate applications for SSO and for a connector to pull data. In the event you have Azure SSO and important information housed within Azure AD, SecurEnds will need two applications set up, one for each.

SecurEnds Agent

Last Updated: January 3, 2022

When you try to execute the .bat file from command prompt and you get “ERROR: Access to the registry path is denied.”
This error is due to command prompt not being opened with Administrative privileges. Open command prompt with “Run as Administrator”.

When you install and start the SecurEnds Agent from command prompt and you get “Unable to access jarfile D:\\Generic_Agent-xxx.jar.”
Review and correct the .jar file name in Generic_Agent.xml.

When you install and start the SecurEnds Agent from command prompt and you get “EndPoint sync faild due to:::I/O error on GET request for http://23.23.195.159:8083/api2/getPendingEndpoints” in the Generic Agent log file (C:\securends\logs\GenericAgent)
You will get this error if the IP/port is incorrect or if you are not able to access the IP/port link. This may happen if the IP has been blocked/restricted in your system. To resolve the error, try accessing the link from the error message (http://23.23.195.159:8083/api2/getPendingEndpoints) from another system. If it works, then the cause is the IP being restricted, and you need to whitelist that IP in the client system. If the above resolution does not help, reach out to SecurEnds.

When you install and start the SecurEnds Agent from command prompt and you get “Caused by: java.net.BindException: Address already in use: bind”
This error occurs if the port (8082 given in the .bat file) is already in use by some other application.

Is SecurEnds Agent suitable for any type of system? (Unix, Windows, Mainframe, AS400, RACF, cloud platforms like AWS, etc.)
Yes. There are options to integrate with various directory services, operating systems, cloud systems, databases, etc. Most integration protocols use HTTPS, SFTP, and any available secured connection when linking with the target system.

The UI shows that the remote Agent Status is not working. What do I do?
The agent should be restarted. Go to the server where the agent is installed. Click on Windows and search for services. Within the list of services, search for generic agent. Right-click on the service and restart the GA.

FTP/SFTP

Last Updated: December 22, 2020

Best Practices

Ensure headers are an exact match
Traditional file uploads into SecurEnds allow header matching within the tool; however, when using the FTP/SFTP Flex Connector, uploaded files must have an exact header match for the system to recognize them.

Accepted File Format
.csv (comma separated values)
Traditional file uploads allow more formatting options, but for this Flex Connector only .csv (comma separated values) is accepted.

DB Extract

Last Updated: December 22, 2020

Best Practices

- We recommend using a service account upon setup.
- Ensure the server housing our generic agent is able to communicate with the DB we wish to extract data from.
- Read-only access is needed.

How do I review role or group permissions for CSV applications?

Last Updated: April 13, 2021

Summary

At its core, SecurEnds was built around performing reviews at a user level. However, there are some alternate solutions that leverage existing functionality to review permissions associated with roles or groups. The premise is built around creating a user (or “pseudo-user”) to represent the group/role. The specific permissions for that group/role are then added to this pseudo-user as entitlements. This allows for reviewing the permissions at the entitlement level when performing a campaign.

Depending on the number of role/group owners that will be performing the review, configuration will need to be adapted appropriately within the SecurEnds tool. Below are the steps for setting up the system for different scenarios.

A Single Role/Group Owner for an Application

If an application has a single role/group owner, then one pseudo-user can be utilized in the system. This user will represent the application-level pseudo-user that will then have the group/role credentials and permissions assigned to it. A single pseudo-user can be added directly to the People tab and the appropriate fields populated. (NOTE: For the below examples, Active Directory is the application being used to demonstrate the process, so the pseudo-user information reflects that.) Once this user has been added, they can be viewed in the system from the People tab.

The next step is to utilize the sample CSV file provided within the SecurEnds tool to create credential records to assign to the newly created pseudo-user. The first and last name will be the same as the pseudo-user, but the Employee ID will reflect the name of the group/role. The Group Owner will also remain the same, and should correlate to the role/group owner that will be performing the review. A “Permission” column will also need to be added, and a separate line included for each permission that is being reviewed. Import this CSV file to the People tab and map the columns appropriately. The credentials (representing the groups) as well as their permissions will now be assigned to the pseudo-user.

If roles/groups are to be reviewed at the same time as the users of the application, be sure to add this pseudo-user to the application CSV going forward. This will ensure it is included in the scope of the campaign. If the roles/groups are reviewed separately from the users in the campaign, create a separate application that includes just the pseudo-user and have that application included in the campaign template. When reviewing the above added user, each permission has its own approve/revoke option to allow for individual review.

Multiple Role/Group Owners for an Application

For the use case where there are multiple role/group owners that will be performing the review, the steps are very similar, but the credentials cannot be assigned to a single pseudo-user. Instead, each of the credential records needs to be created as a separate pseudo-user and included in the application being reviewed. This allows each role/group-based pseudo-user to be assigned to the appropriate role/group owner.

The first step is to utilize the sample CSV file provided within the SecurEnds tool to create a CSV that contains each group/role represented as a pseudo-user. This CSV can then be imported into the “People” tab to create these pseudo-users in the system. A separate SOR can also be created and the CSV imported using that method if that is preferred. These users then also need to be added to the Application CSV, with each entitlement as a separate line item.

NOTE: Be sure to assign the appropriate Manager, Entitlement Owner/Custodian, or Application Custodian depending on who will be responsible for reviewing these group/role pseudo-users.

With the pseudo-users now a part of the application, they will be a part of the campaigns, and the groups/roles can be reviewed as individual elections.
