Campaigns
Applications
Emails
License Tracking
Users/People
Home Page
Added the Ability to Create and Use Multiple Campaign Instructions
Added the Ability to Select Entitlements in a Campaign Template Via Bulk Upload
Change “Approve All” and “Revoke All” to a Configurable Option
When Custom Entitlement Descriptions are Uploaded, Display Custom Entitlement Description in “SecurEnds Description” Column
Added “Send Notifications to Campaign Owners” on Campaign Details Page
Added Login Created Date to Campaign Pages
Allow Additional Special Characters when Creating Campaign Name
On Campaign Close Page, Added Percent Complete if not 100%
On the Campaign Review All Page, Allow Users to Select the Columns they Wish to View
Added Application and Election Filters on the Campaign Review and Review All Pages
Added the Ability to do Stale Account Reviews
Added Campaign Exception Audit Trail
WebAPI Connector – New Connector
Okta Connector – When Okta is the SOR, Added the Ability to Map Employee Type to userType Attribute or another Okta attribute
Okta Roles Connector – Enhancement
SFTP Connector – Email is No Longer Required When Have First/Last Name
SFTP Connector – Column Headers Are No Longer Case Sensitive
Jack Henry Enhancement
Office 365 – Added Entitlement Filtering
Added Application Manager and Service Account Reviewer to Credentials Page
Added the Ability to Schedule Application Exports
Added Bulk Upload of Descriptions for Service Account Credentials or Manual Entry of Description when Assigning Service Accounts
When applications are filtered by “Include Inactive Credentials”, all values mapped to Inactive status in SOR Fields Mapping will be Used
Added the Ability to Send Emails to Alternate Email Addresses
Added the Ability to Delete and Rename Email Templates
Added the Option to Send a Notification When a User is Added or Removed from A SecurEnds Role
Added an Option to Send an Email When Reviewers Have Been Terminated
Added the Option to Send Escalation Emails after the Campaign End Date
Added a Module to Keep Track of Purchased Identities and Applications Vs. Actual Identities and Applications
Made the Ability for Reviewers to Terminate their Direct Reports Configurable
Added a Filter on the People Details Page to Include or Exclude Terminated Users
Changed Wording of “Unmatched Users” on Home Page
Enhanced My Access Page
Campaigns
Added the Ability to Create and Use Multiple Campaign Instructions
This feature enhances campaigns by allowing Administrators and Campaign Owners to customize reviewer campaign instructions for each campaign. Configuration “Reviewer Notes” was changed to “Campaign Instructions”..
Navigate to Administration->Configuration->Campaign Instructions->Set Up
Select “Add New Instruction” in Dropdown. To increase the size of the instruction box, drag the right corner down.
Enter a name for the new campaign instructions, enter instructions to display in the campaign and then select Save.
When creating a campaign, on the campaign Add page, select which instructions to display for this campaign in the dropdown.
On the campaign review page, the customized instructions will be displayed.
Added the Ability to Select Entitlements in a Campaign Template Via Bulk Upload
When ALL entitlements will NOT be reviewed in a campaign, this feature makes it easier to select a large number of entitlements for review in a Campaign Template.
Navigate to Campaign Templates->Add. Select one or more applications.
Select “No” to not include all Entitlements. Bulk Select will be displayed.
Click “Bulk Select”. Click “Download” to download the list of Entitlements for this application.
Enter “Yes” in the “Select” column to select the entitlement for review.
Upload the file on the Bulk Select Entitlements page.
Entitlements will now be selected in the Campaign Template and saved.
Change “Approve All” and “Revoke All” to a Configurable Option
To curb reviewers from conducting check the box reviews, we have made “Approve All” and “Revoke All” configurable. When Show_ApproveAll_RevokeAll_Campaigns is set to False, the “Approve All” and “Revoke All” will not be displayed on the Campaign pages.
Navigate to Configuration->Default_UI Configuration-> Show_ApproveAll_RevokeAll_Campaigns. Value is set to true.
Approve All and Revoke All are available for selection on the Campaign pages.
Navigate to Configuration->Default_UI Configuration->Show_ApproveAll_RevokeAll_Campaigns. Value is set to false.
Approve All and Revoke All are not available for selection on the Campaign pages.
When Custom Entitlement Descriptions are Uploaded, Display Custom Entitlement Description in “SecurEnds Description” Column
On the Entitlement page, Application Entitlement descriptions are displayed in the “Description” column. However, previously, if Entitlement descriptions were updated via Bulk or Custom, this description overlayed the original description. We will now display both. The original description will be in the “Description” column. Any custom or bulk updates will be displayed in the “SecurEnds Description” column.
On the Review All page, the custom description will be displayed in the “Description” column.
Added “Send Notifications to Campaign Owners” on Campaign Details Page
When a campaign is created and a Campaign Owner is assigned, we now display on the Campaign Details page if “Send Notifications to Campaign Owners” was selected,
Navigate the Campaigns->Add. Select “Yes” to assign a Campaign Owner. Check “Send notification to campaign owners”.
Select “Details” in Campaign action gear. Details now display if notifications are sent to campaign owners.
Added Login Created Date to Campaign Pages
The date the credential was created is now displayed for Manager Reviews, Application Custodian Reviews, Entitlement Custodian Reviews and as an optional column on the Review All page. In addition, this value is displayed on Campaign Reports, Effectiveness Report and PDF Report.
On Review All page, select “Login Created Date” in column selection.
Campaign Report
Campaign PDF Report
Allow Additional Special Characters when Creating Campaign Name
Ampersand, Colon, Semicolon, Comma, Period, Question Mark and Pipe Delimiter (& : ; , . ? |) may now be included in Campaign Names
On Campaign Close Page, Added Percent Complete if not 100%
When Administrators or Campaign Owners close a campaign that is not 100% complete, they will be notified of the campaign completion percentage.
Select “Close” in the Campaign action gear. If reviews are not 100% complete, the percent complete will be displayed as a warning.
On the Campaign Review All Page, Allow Users to Select the Columns they Wish to View
Users are now able to select the columns they’d like to view on the Campaign Review All page.
Navigate to the Campaign Review All page. Click “Select Columns” dropdown and select/deselect the columns you’d like to include/exclude. By default, all columns are displayed except “Login Created Date”.
Added Application and Election Filters on the Campaign Review and Review All Pages
This new feature helps speed campaign completion. The review may be filtered by approved elections, revoked elections and pending elections. Also, the review may be filtered by application.
Reviews may be filtered by election type.
The Review All page may be filtered by election type.
The Review All page may also be filtered by application.
Added the Ability to do Stale Account Reviews
To adhere to Least Privilege principles, this new feature informs Reviewers of inactive accounts so access may be removed. We have added a filter to review applications where the Last Login Date was greater than 30, 45, 60 or 90 days.
On the Campaign Template Add page, select Application Filter.
Select condition for stale accounts. When this template is used in a campaign, only users that have not logged in within the last 60 days will be reviewed.
Added Campaign Exception Audit Trail
Campaign Exceptions are entered to allow a reviewer to review themselves. We have added an audit trail to track who entered a campaign exception, when it was created and whether the exception was added or deleted.
Navigate to Campaign Exceptions and click Audit Trail button.
Audit Trail display who created or deleted Campaign Exceptions, which allow a user to review themselves.
Applications
WebAPI Connector – New Connector
This new connector expands SecurEnds’ connectivity capabilities by enabling connections to a wider range of applications beyond the standard connectors, utilizing Rest APIs. It provides administrators with a user-friendly interface to effortlessly create and manage connectors using the Web API. The Web API Connector supports application synchronization based on specified Match By criteria, empowering administrators to synchronize application data on-demand or according to a predefined schedule. Connect to any REST Webservice which is exposed by various vendors to pull user data and their entitlements into SecurEnds. WebAPI may be used as an SOR or Application. In this release, authentication must be via Basic Authentication or No Authentication. In a future release, we will add Oauth2.0 Authentication. Additional details can be found in the WebAPI Connector Guide.
Navigate to Applications->Add->Data Ingestion = Flex Connector. Select Web API.
Add Connection Details and Mapping.
Okta Connector – When Okta is the SOR, Added the Ability to Map Employee Type to userType Attribute or another Okta attribute
SecurEnds was defaulting Employee Type to “Regular” for all Okta users. With the change, Employee Type may be mapped to to userType or another Okta attribute.
Navigate to System of Record->Add->Connectors->Select Okta. Enter field to map to Employee Type.
Okta Roles Connector – Enhancement
In the Okta Roles Connector, we now pull Groups assigned to a user from the application and SAML Role directly assigned into Entitlements. For Groups, we display the SAML Roles from the Groups assigned in the Entitlement Description column. There is no description for SAML Roles.
SFTP Connector – Email is No Longer Required When Have First/Last Name
SFTP Connector – Column Headers Are No Longer Case Sensitive
We have made a UI change for SFTP Applications to no longer require an email address. Previously, SecurEnds required an email address even when First and Last Names were present.
In addition, we have removed the need for case sensitive column headers.
Jack Henry Enhancement
We have improved the display of entitlements in campaigns for Jack Henry applications. For nested entitlements, the parent of sub-entitlements was unclear. We now append the parent to each sub-entitlement to show the association.
Office 365 – Added Entitlement Filtering
We have added the ability to filter entitlements in the Office 365 connector. Entitlements may be filtered for Roles and Users. Roles may be filtered by include, exclude or a custom query. Users may be filtered using a custom query.
Navigate to Applications->Add and select office 365. Check “Filter Entitlements”.
Added Application Manager and Service Account Reviewer to Credentials Page
On the Credentials page, we’ve added columns for Application Manager and Service Account Reviewer. This is displayed for Applications and SORs.
Added the Ability to Schedule Application Exports
This new feature provides an audit trail of application access in the event of a security breach. The application export will show who has access to the application and may be exported daily, weekly or on demand. Administrators may save the exports to access when needed.
To set up scheduled Application exports, select “Schedule Export” on Application action gear.
Select the frequency (daily, weekly or on demand) and export method (email or SFTP).
An email is sent based on the frequency with the application export attached.
Added Bulk Upload of Descriptions for Service Account Credentials or Manual Entry of Description when Assigning Service Accounts
In campaigns, Service Accounts at the credential level were not displaying a description. Users may now upload descriptions to be displayed on campaign review pages. Also, when assigning credentials as Service Accounts, the description can be manually entered.
To upload the descriptions, select “Bulk Assign” on the Application action gear.
Download All or Service Accounts only.
Enter a description in the description column of Service Accounts and Bulk Upload the file.
Description will be displayed in the review.
To manually enter a Service Account description, on the Credentials page, select the credential and click the Service Account button.
Enter a description in the confirmation window.
The description will be displayed on the campaign review pages.
When applications are filtered by “Include Inactive Credentials”, all values mapped to Inactive status in SOR Fields Mapping will be Used
Connectors and Flex connectors were not considering the Inactive values mapped in SOR Fields Mapping when applying the “Include Inactive Credentials” filter. This has been resolved.
Navigate to Configuration->SOR Fields Mapping and select “Inactive Status” in the dropdown.
When “Include Inactive Credentials” on Application->Add page is selected, all of the values under SOR Field Mapping will be used.
Emails
Added the Ability to Send Emails to Alternate Email Addresses
This enhancement allows emails that are sent to the configured default email address to be routed to an alternate email address. The email address may be selected when adding or editing any of the email types below.
Email Types that may be sent to an alternate email:
- Access Review Completion Notification
- Campaign Launch and Relaunch Email to IT
- Campaign Reminder For IT Team
- End of the campaign
- Generic Agent Health Status Email
- Notify Terminated Date
- Notify update manager
- Recipients List
Navigate to Email Templates->Add. Select any of the email types listed above. To continue to send the emails to the configured default email, select Yes for “Default Recipient Email”.
To send the email to an alternate email address, select No and enter the new email.
Added the Ability to Delete and Rename Email Templates
When users create a new Campaign Launch or Campaign Reminder email template, they may be renamed or deleted. Master templates that are generated by SecurEnds as default templates will not be able to be renamed or deleted.
To change to a different template for a specific email type, click “Set As Default” in the action gear.
To delete an email template, click Delete in the action gear. Emails set as default may not be deleted. Master emails provided by Securends may not be deleted.
To rename a template, click Edit in the action gear and change the Email Template Name. Duplicates are not allowed.
To hide emails not currently in use, click Archive in the action gear.
Email templates may be filtered by Active and Archived status. Active emails may be Restored in the action gear.
Added the Option to Send a Notification When a User is Added or Removed from A SecurEnds Role
To keep users informed, an email may be sent to them when they are added or removed from a SecurEnds role.
Navigate to Cofiguration->Roles->Enter User Name. Check “Send notification to user” to an email to the user.
The following email will be sent to the user:
Added an Option to Send an Email When Reviewers Have Been Terminated
We have added a configurable option to notify customers when Reviewers are terminated. A daily email will be sent with a CSV attachment listing when the following reviewers are terminated:
- Application Custodian
- Entitlement Custodian
- Application Default Reviewer
- Global Default Reviewer
- Delegation
- Credential Delegation
Navigate to Configuration->Default UI Configuration->
IS_EMAIL_TERMINATED_REVIEWERS_NOTIFICATION. Set the value to true.
An email will be sent daily with a list of terminated reviewers.
Attachment in email:
Added the Option to Send Escalation Emails after the Campaign End Date
We have added a configurable option to notify Reviewer’s Managers when reviews are incomplete after the Campaign End Date. The email may be sent once, or daily until the campaign is closed.
Select “Send escalation email to reviewer’s manager after campaign end date” when creating the campaign. To send a single email after the campaign end date, do not check “Continue to send reminders daily until campaign is closed?” To send a daily escalation until the campaign is closed, keep this box checked.
Email will be sent after the campaign end date.
License Tracking
Added a Module to Keep Track of Purchased Identities and Applications Vs. Actual Identities and Applications
This new module will keep administrators informed of the actual number of identities and applications in SecurEnds.
Navigate to Configuration->License in the left navigation bar. When the actual exceeds the purchased amount, a new entry will be entered in the table.
Users/People
Made the Ability for Reviewers to Terminate their Direct Reports Configurable
Customers may now decide if they want to give Reviewers the ability to terminate their direct reports in SecurEnds. Previously, all reviewers had this capability.
Navigate to Configuration->Default UI Configuration->Show_Terminate_For_Reviewers
When the configuration = false, reviewers are not able to terminate their direct reports.
When the configuration = true, reviewers will be able to terminate their direct reports.
Added a Filter on the People Details Page to Include or Exclude Terminated Users
On the People Details page, the person’s direct reports are displayed. There is now a checkbox to show terminated direct reports also.
Navigate to People->Details
Home Page
Changed Wording of “Unmatched Users” on Home Page
To clarify this count, we have changed “Unmatched Users” to “Unmatched Users of Latest Synced Application”. We now list the latest application that was synced and the unmatched users in this application.
Enhanced My Access Page
Users now have the ability to expand or collapse each credential associated with an application and the entitlement rows associated with each credential. We also fixed a bug where credentials and entitlements were not displaying correctly.