For login to SecurEnds, click the link in the email sent or go to your instance of SecurEnds at https://domain.securends.com/

NOTE: If Single Sign-on is enabled, Reviewer will land directly into the SecurEnds instance when they click on the link to login.

For non-SSO users, follow the steps to login as New User.

You will be taken to the SecurEnds dashboard, as below:

Click Open Campaigns.

You will be assigned ONE or MULTIPLE campaigns to review. To begin the campaign, click Begin Review.

Follow the steps of Conducting Access Reviews to perform reviews.

The post Reviewer’s Login appeared first on SecurEnds.

Conducting an Access Review

After logging in, you will be taken to the following screen to conduct reviews (Image 1). Select the “Open Campaigns” box to view the campaigns.

You can see the list of campaigns that have been assigned to you (Image 2). Select “Begin Review” to be taken to the review screen for a particular campaign.

Once you begin a campaign, there are five relevant pieces of information (Image 3):

• The Green Box at the top
  • This box will provide additional instructions for the campaign. This verbiage was provided by your SecurEnds company admin.
• The User’s Names
  • Under the “Direct Report Access Review” column, all the “users” that are assigned to the reviewer are listed.
• Review
  • The “Review” button next to the user is to be clicked to review the credentials and any entitlements associated with the individual user.
• Review All
  • The “Review All” button on the top right can be used to review the credentials and any entitlements of all the users together. This is a good option to reduce the number of clicks.

• Action
  • The drop-down will present 2 options.
    • Update Manager Comments – Optional comments can be entered for the user by the reviewer.
    • Termination Date – If a termination date is known for the user, enter that date and click Save. The pending elections will be recorded as revoked and the UI will update to 0 elections pending for that user.
      • NOTE: The date entered for termination must be a past date and cannot be today’s date.

How to Conduct Access Review:

Key:

1. Credential: How the person is identified in the application. It could be a Username for an Application, Email, Employee ID, etc.
2. Entitlement: All encompassing title for what is accessed. It could mean an app available in Single Sign-On, permission, privilege, role, group, etc.
3. Description: Adds more detail to what accessing an entitlement entails (if needed)
4. Notes: Adds additional information on the reasoning for revoking a credential or entitlement. It is used when access is questionable or unknown and additional follow-up is needed. Notes are kept for audit purposes and sent to the application owner after a review for follow-up and additional decision making

Reviewing Process Workflow:

• If the user should have access to Application but not the entitlements listed, Approve the credential but revoke the individual entitlements.

• It is best practice to add a Note for any revoked credential or entitlement

Individual user review screen:

Upon clicking “Review” next to a user, the following screen appears (Image 4):

In the top box, you will see Campaign Name, Reviewer (you), Person under review, Email of the person, and their status within the System of Record. The system of Record is the main source of information for all the users in the organization. This status could be Active or Inactive meaning they no longer have access to the core system of record, implying they have been terminated.

Under “Application”, you will see the applications to which the user has access.

Under “Description”, you will see any meaningful description associated with the entitlement if provided by the application owner.

Under “Status”, you will see the status of the user’s credential. In this instance it is active.

Under “Action”, is where you can make elections for the review. You can Approve or Revoke or click the Justification icon to the right of Revoke to leave a note (see note window below).

NOTE: If you revoke a credential, all entitlements will be toggled to Revoke as well.

Review All screen:

Once you have made your elections, then you are ready for the next user to review. The buttons at the top of the previous screenshot “Approve All, Revoke All, Clear All, Save, Next and Back” do just that. You can quickly approve or revoke access with approve/revoke all.

NOTE: “Next” functions as a next and save. It will save your elections and pull up the next user to be reviewed. Upon reaching the last review, no Next button will appear, but be sure to “Save”!

Upon clicking Back, a pop-up will show the remaining number of entitlements that need to be reviewed:

You are complete with the review once you have all ZEROs within the pending column of all users assigned to you. You will get a popup screen after completing all the reviews, as shown below:

The post Conducting Access Reviews as a Manager/Reviewer appeared first on SecurEnds.

• Adding notes to a revoked credential or entitlement gives the owner of the application additional details on why the access should be removed

• If access is questionable, revoking and leaving notes allows the application owner to do further research on if the access should be allowed

• Notes are saved and kept within the end of the campaign audit report

• Notes help to enforce the purpose of the IAM review to enforce the least privilege necessary required to fulfill a job role, remove the conflict of interest, and enforce separation of duties

Steps to add Notes/Business Justification:

1. Revoke a Credential or Entitlement

2. Open the Notes window by selecting the “Pencil and Paper” icon

3. View and review any previous notes saved from the “History” section at the top

4. Add a new note under the “Add Note” section

5. Add a business justification for approving/revoking the access

6. Select “Save”

Once saved, notes will be viewable again by selecting the “note” icon under the “History” section

Note: SecurEnds Admin may have configured that the Election Notes will be mandatory for a revoke action. In that case, the Election notes window will popup when access is revoked.

Difference between Notes and Business Justification:

Business Justification:

• The business Justification is a permanent note for the Reviewers which will be saved for future reviews as well.

• Business Justification is always optional.

• After adding the business justification, it will be visible on the review screen, as shown below:

Notes:

• Notes are only for the current reviews.

• Notes can be optional or mandatory, depending on the configuration by the Admin. But it is the best practice to add the notes while revoking any access.

• After adding the notes, the review screen will show a star but not the content of the notes, as shown below:

The post Adding Notes to an Access Review appeared first on SecurEnds.