Applications exist in SecurEnds just like they would exist within an organization. Each application set up in SecurEnds contains the user information relating to that user’s access of that application.
Admins are able to add Applications to match identities across the established System of Record. Applications in SecurEnds reflect the applications within the organization, usually being a mirror image. You can connect your Application to SecurEnds via a CSV file, Flex Connector, or Pre-built Connector.
Applications within SecurEnds can show credentials and/or entitlements in list view, with the ability to export. Application data plugs into Identity Mindmap, allowing identities to be tracked across multiple applications. Upon setting up an application within SecurEnds, you are prompted to choose your desired ticketing method. The desired ticketing output is application specific or can be universally configured.
Interpreting Application Data within SecurEnds
This is a view of the landing page under the Applications tab. When creating a new application, all users will fall into one of six buckets designating the status of user information. Every number shown under the headers can be clicked to open a list view. The report is exportable. Notice the outlined column headers below:
- Skipped: Two reasons why a user is “skipped”:
  - User is missing required information
  - Duplicate user/entitlement/credential
- Matched: The ideal bucket
  - Shows a user’s unique identifier (email, user ID, etc.) in the application has matched with the same identifier in the SOR.
- UnMatched: Means the application user data is in SecurEnds, but no match found within SOR
  - Reasons for UnMatched:
    - User has different unique identifier in SOR
    - User is not in SOR
    - Service Accounts
Service Account Use Case: Service accounts are housed within an application and are rarely present in an HRIS system or chosen SOR. This commonly causes service accounts to fall into the “UnMatched” bucket. A best practice for accurately identifying service accounts is to create a SOR specifically for service accounts. This allows matching upon loading application data and provides an easily viewable list of all service accounts in scope for reviews. Alternatively, service accounts can simply be Excluded.
- Excluded: Destination for users who will be left out of access reviews and associated campaigns
  - Exclude users by clicking into the “Matched” users pool and clicking “Action” > “Exclude”
  - “Excluded” users can be restored to normal status
- Deleted: Similar function to Excluded
  - Deleted users are left out of access reviews and associated campaigns
  - Can be restored to normal status
- Purged: Acts as a historical record of access changes within your application
  - Users who have had access revoked during a review will fall into this bucket
  - The system detects access changes when resyncing post review and “purges” users within SecurEnds who have had their access revoked. This allows admins to determine the best course of action for purged users.
When you export the application data (Gear icon > More > Export), SecurEnds exports the data in CSV format with the data mapped to SecurEnds attributes. Below is the mapping detail:
- Employee First Name – First Name
- Employee Middle Name – Middle Name
- Employee Last Name – Last Name
- Employee Email ID – Email
- Credential – Distinguished Name (Common Name will be a copy of Distinguished Name data)
- Manager Email ID – SOR Manager Email
- Employee Access Status – Access Status
- Employee ID – User Id
- Last Authentication Date – Last Authentication
- Role/Group/Permission – Entitlement DN (Entitlement CN will be a copy of Entitlement DN data)
- Role/Group/Permission Description – Entitlement Description
- Role Created Date – Entitlement Created Date
- Login Created Date – Credential Created Date
Note: If there are Purged Credentials or Purged Entitlements as a result of the most recent sync of the application, those are still present in the exported CSV data and will be denoted by a P within the Status and Entitlement Status attributes. You will want to exclude these from the CSV if you are just looking at data synced from the applications. Status codes of E (Excluded) and D (Deleted) are valid records from your application; the SecurEnds Admin has simply chosen to classify these records respectively through an earlier action.
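One way to apply the note above to an exported CSV, as an added example that is not SecurEnds code. The header names `Status` and `Entitlement Status`, blank status for unclassified records, and one row per credential/entitlement pair are assumptions; the sample data is constructed.

```python
import csv
import io
from collections import Counter

# Assumed header names, taken from the attribute names in the note above;
# adjust them to the header row of your own export.
STATUS_COL = "Status"
ENT_STATUS_COL = "Entitlement Status"
PURGED = "P"

# Constructed sample export (not real data). Blank status = no special
# classification (assumption).
SAMPLE_EXPORT = """\
Email,User Id,Distinguished Name,Status,Entitlement DN,Entitlement Status
ana@example.com,1001,ana,,Admins,
bo@example.com,1002,bo,,Finance, p
cy@example.com,1003,cy,P,Admins,P
di@example.com,1004,di,E,Readers,
svc-backup,,svc-backup,D,Operators,
"""

def split_export(csv_text):
    """Return (synced, purged): rows still valid in the application vs. rows
    carrying a P in either status column. E and D rows stay in synced."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = {STATUS_COL, ENT_STATUS_COL} - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"export is missing columns: {sorted(missing)}")
    synced, purged = [], []
    for row in reader:
        # Normalise case and stray whitespace before comparing codes.
        codes = {(row[c] or "").strip().upper()
                 for c in (STATUS_COL, ENT_STATUS_COL)}
        (purged if PURGED in codes else synced).append(row)
    return synced, purged

def status_counts(rows):
    """Tally credential status codes so E and D records remain visible."""
    return Counter((r[STATUS_COL] or "").strip().upper() or "(blank)"
                   for r in rows)

if __name__ == "__main__":
    synced, purged = split_export(SAMPLE_EXPORT)
    print("synced:", [r["Email"] for r in synced], dict(status_counts(synced)))
    print("purged:", [r["Email"] for r in purged])
```

Keeping the purged rows in a separate list rather than discarding them preserves the record of revoked access for later review.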
For more information regarding adding Applications via CSV file upload, click here
For more information regarding adding Application via Connector, click here.