Delegation settings can be found in the “Delegation” tab under Access Review on the left hand menu.

Initiating a People Delegation

Clicking “Delegation” will open up the delegation menu where People Delegation is the default in the top left drop down box. The names listed above are all the previous People Delegations. To add new People Delegations, select “Add” in the green box at the top.

Select the Reviewer Email whose review will be delegated to another. Next select the delegatee’s email who will be conducting the review on the reviewers behalf. In this example: Harrison’s pending access reviews will be done by Jack.

Functionality: People Delegation

• People Delegation will affect all current and future campaigns
  • It is NOT campaign specific
• Upon delegation, both parties will see the same campaign. No access is revoked from the original reviewer
  • A “Red Exclamation” icon will appear next to a campaign that has been delegated

Use Case:

The owner of a review is out of office. The deadline for reviews to be completed will end before the reviewer returns to office. SecurEnds admin will delegate the OOO reviewer’s review to a trustworthy source to complete on their behalf.

Initiating a Credential Delegation

Navigate back to “Delegation” on the left hand side menu. Click the drop down to “Credential Delegation”.

Note: Credential Delegation is application specific. Select the desired application.

In the example above, Active Directory is selected:

• The user, Nyjah’s, email was searched for using the “Search Email”.
• The corresponding credential “Nhuston” appears and is selected
• “Tony.hawk” is selected as Reviewer
• Select Save to confirm delegation
  • Delegation will now appear in list order below

Functionality: Credential Delegation

• Credential Delegation allows an individual to review the selected user’s access every time the application is selected in a campaign
• Credential Delegations will overarch all other forms of delegation / workflow (example: manager in System of Record or application custodian or entitlement owner)

Use Case:

An administrator is responsible for reviewing the access of their application. Said administrator has been assigned the Application Custodian for this application within SecurEnds.

Conducting an Application Custodian review in SecurEnds will assign all reviews to the selected custodian; however the custodian cannot review their own access. Here, the SecurEnds admin has made the credential delegation for the Application Custodian’s access to be reviewed by a separate, qualified individual.

The post Campaign Delegations appeared first on SecurEnds.

There is a requirement to match identities between the System of Record (SOR) and an application being connected to the SecurEnds tool in order for the credential to be included in reviews. Applications match to the system of record using three different methods: 1) a first/last name, 2) an email address or 3) perhaps an Employee ID between SOR and application. In all three cases, that attribute needs to already be present in the SOR in order to match against. As an example, a credential in your application which represents a Vendor with an email address may not be present in your HR system of record. There is an alternate solution or strategy that can be leveraged.

The Psuedo-Account Strategy

You can consider this strategy for those Active/Terminated users and for records that cannot be matched to an identity in the People data (populated by your SOR sync).

Simply using the Assign feature for the unmatched users and assigning them to a user in the People view may “muddy” the list of entitlements under that user you assigned the unmatched record to. Now that manager needs to review a credential, he has no idea about for one of his direct reports. Meaning, when you view that user’s list of entitlements, they will have their own entitlements for the respective application PLUS the credential and entitlements of this unmatched user. Not really a true view of that person’s entitlement list.

Instead, we can create a new, fake identity or Pseudo-user within the People data. By providing a meaningful, “smart” name to represent the unmatched user, coupled with a unique, fake “smart” email address; you can then assign this pseudo user to an actual manager email address whom you would like to review these accounts/entitlements. A Bulk Assign of one or more unmatched records to this pseudo-user will cause those unmatched users to become matched. Then that pseudo-user will appear in reviews under that manager user access review list. Here is an example of creating a pseudo user. Keep in mind that you cannot edit this user once you select Create without using an import of a CSV approach.

• People -> Select Add
• Employee Type = Regular
• Employee First Name = AppName
• Employee Last Name = Vendor Account
• Employee Email Address = noemail1@mycompany.com
• Manager Email ID = The email address of the manager who will be reviewing the vendor account(s) entitlement or users.
• You can add additional attributes if needed but that is optional

Then, when you go thru the Bulk Assign, update the IAM User field within the CSV to noemail1@mycompany.com. Then upload. All those records will be assigned to “Mr. Appname Vendor Account” who has the manager you provided. You can create as many pseudo-users as you need to account until all the unmatched records that you want to assign is completed. Keep in mind that each pseudo-user will need their own dummy email address.

How do I match Service Accounts?

How do I review role or group permissions for CSV applications?

The post How do I manage unmatched records for my application that I cannot match (i.e Vendor records, old credentials no longer in the SOR, etc.)? appeared first on SecurEnds.

The post Sensitive Rights / Privileged Access Reviews appeared first on SecurEnds.

The post Campaign Error Handling appeared first on SecurEnds.