Use Cases
Campaign Delegations
Last Updated: May 10, 2021

Campaigns can be customized further using Delegations. There are two types of delegations: People Delegations and Credential Delegations. Each has a different function and resulting use case. Delegation settings can be found in the “Delegation” tab under Access Review in the left-hand menu.

Initiating a People Delegation

Clicking “Delegation” opens the delegation menu, where People Delegation is the default in the top-left drop-down box. The names listed there are all the previous People Delegations. To add a new People Delegation:

1. Select “Add” in the green box at the top.
2. Select the Reviewer Email whose review will be delegated to another person.
3. Select the email of the delegatee who will conduct the review on the reviewer’s behalf.

In this example, Harrison’s pending access reviews will be done by Jack.

Functionality: People Delegation

- People Delegation affects all current and future campaigns.
- It is NOT campaign specific.
- Upon delegation, both parties will see the same campaign.
- No access is revoked from the original reviewer.
- A “Red Exclamation” icon will appear next to a campaign that has been delegated.

Use Case: The owner of a review is out of office. The deadline for completing reviews will pass before the reviewer returns to the office. The SecurEnds admin will delegate the OOO reviewer’s review to a trustworthy source to complete on their behalf.

Initiating a Credential Delegation

1. Navigate back to “Delegation” in the left-hand menu.
2. Click the drop-down and choose “Credential Delegation”. Note: Credential Delegation is application specific.
3. Select the desired application.

In the example, Active Directory is selected:

- The user Nyjah’s email was searched for using “Search Email”.
- The corresponding credential “Nhuston” appears and is selected.
- “Tony.hawk” is selected as Reviewer.
- Select Save to confirm the delegation.
- The delegation will now appear in the list below.

Functionality: Credential Delegation

- Credential Delegation allows an individual to review the selected user’s access every time the application is selected in a campaign.
- Credential Delegations take precedence over all other forms of delegation / workflow (example: manager in System of Record, application custodian or entitlement owner).

Use Case: An administrator is responsible for reviewing the access of their application. That administrator has been assigned as the Application Custodian for this application within SecurEnds. Conducting an Application Custodian review in SecurEnds will assign all reviews to the selected custodian; however, the custodian cannot review their own access. Here, the SecurEnds admin has made a credential delegation so that the Application Custodian’s access is reviewed by a separate, qualified individual.
How do I manage unmatched records for my application (i.e. Service Accounts, Vendor records, etc.)?
Last Updated: August 30, 2021

To match identities between the System of Record (SOR) and an application being connected to the SecurEnds tool, records must match on the first/last name, an email address or perhaps an Employee ID. In all three cases, that attribute needs to already be part of your SOR to match against. For Service Accounts or Vendor identities, for example, an email address may not be present, or the vendor identity may not be in your SOR. There is an alternate strategy that can be used for these records.

The Pseudo-Account Strategy

You can consider this strategy for Active/Terminated users and for Service accounts or other records that cannot be matched to a user in the People view (SOR).

Simply using the Assign feature to assign the unmatched users to a user in the People view, whose manager you want to perform the user access review, may “muddy” the list of entitlements under that user. When you view that user’s list of entitlements, it will contain their own entitlements for the respective application PLUS all the other accounts you Bulk Assigned. That is not a true view of that person’s entitlement list.

Instead, create a new identity, or pseudo-user, within the People tab: provide a meaningful name that represents the unmatched users, a unique dummy email address, and the actual email address of the manager you would like to review these accounts/entitlements. A Bulk Assign of one or more unmatched records to this pseudo-user will cause those unmatched users to be matched. The pseudo-user will then appear in reviews under that manager’s user access review list.

Here is an example of creating a pseudo-user. Keep in mind that you cannot edit or remove this user once you select Create.
People -> Select Add

Employee Type = Regular
Employee First Name = AppName
Employee Last Name = Service Account
Employee Email Address = noemail1@mycompany.com
Manager Email ID = The email address of the manager who will be reviewing the service account(s) entitlement or users.

You can add additional attributes if needed, but that is optional.

Then, when you go through the Bulk Assign, update the IAM User field within the CSV to noemail1@mycompany.com and upload it. All those records will be assigned to “Mr. Appname Service Account”, who has the manager you provided.

You can create as many pseudo-users as you need until all the unmatched records that you want to assign are covered. Keep in mind that each pseudo-user will need their own dummy email address.

How do I review service accounts, role or group permissions for CSV applications?
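One way to prepare the Bulk Assign CSV for the pseudo-account strategy described above, as an added example (not SecurEnds code): it fills only blank IAM User cells and reports records that no rule covers. Only the IAM User field name comes from the article; the Credential column, the naming patterns, noemail2@mycompany.com and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import re

# Assumed naming patterns -> dummy email of the pseudo-user to assign to.
RULES = [
    (re.compile(r"^svc[-_]", re.I), "noemail1@mycompany.com"),
    (re.compile(r"^vendor[-_]", re.I), "noemail2@mycompany.com"),  # assumed
]

# Constructed sample export. "IAM User" is the field named in the article;
# the "Credential" column name is an assumption.
SAMPLE = """Credential,IAM User
svc-backup,
SVC_deploy,
vendor-acme,
jdoe,jdoe@mycompany.com
tmp1234,
"""


def assign_pseudo_users(csv_text, rules=RULES, cred_col="Credential", iam_col="IAM User"):
    """Fill blank IAM User cells from rules; return (new_csv, unassigned)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    fields = reader.fieldnames or []
    if cred_col not in fields or iam_col not in fields:
        raise ValueError(f"CSV must contain {cred_col!r} and {iam_col!r} columns")
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    unassigned = []
    for row in reader:
        cred = (row[cred_col] or "").strip()
        if not (row[iam_col] or "").strip():  # never overwrite an existing match
            email = next((e for pat, e in rules if pat.search(cred)), None)
            if email:
                row[iam_col] = email
            else:
                unassigned.append(cred)  # no rule applies: decide manually
        writer.writerow(row)
    return out.getvalue(), unassigned


if __name__ == "__main__":
    new_csv, unassigned = assign_pseudo_users(SAMPLE)
    print(new_csv, end="")
    print("still unmatched:", unassigned)
```

Records left in the unassigned list stay unmatched in the upload, so they are not silently attached to a pseudo-user and its reviewing manager.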
Sensitive Rights / Privileged Access Reviews
Last Updated: March 10, 2021

Campaign creation: “Include all Entitlements”, select “No” -> Choose desired entitlements to include in campaign
Campaign Error Handling
Last Updated: March 10, 2021

Action Button “View” Campaign Pre-Launch… view users / match count / reviewers before Launching
