UAR Enhancements & Fixes

IGA Enhancements

Access Template Based Reviews

The Problem
Traditional access review campaigns often require reviewers to evaluate access at the individual user and entitlement level. This approach can be time-consuming, difficult to interpret, and misaligned with how organizations actually design and manage access-through roles and expected access patterns. As a result, reviewers may face high manual review burden, miss access misalignments, or struggle to identify access exceptions, increasing audit risk.

The Solution
SecurEnds now supports Access Template-Based Campaigns for User Access Reviews, enabling organizations to conduct role-based access reviews using approved access templates instead of reviewing access at just the user and entitlement level.
This creates a more structured review model that aligns users, entitlements, and expected access by role.

This release includes three key capabilities:

1.Composition Reviews allow template owners to review the entitlements that define each access template, helping ensure each role remains accurate, complete, and aligned with policy.

2.Membership Reviews allow reviewers to validate which users are assigned to each access template, making role-based access reviews faster, more intuitive, and easier to complete.

3.Outlier Reviews identify additional entitlements assigned outside the approved template baseline, helping teams quickly detect exceptions, reduce excess access, and reinforce role integrity.

Together, these capabilities standardize role-based access reviews, reduce manual review burden, improve audit readiness, and strengthen access governance.

To use Access Template-Based Campaigns, IC must enable this capability. Please reach out to your IC.

UAR Enhancements & Fixes

1. Updates in Campaigns

Dynamic Entitlement Columns in Reviews & Reports:
Campaign reviews and reports now support dynamic, multi-attribute entitlement columns (e.g., application, account, path/group), giving reviewers clearer visibility into what they are certifying. Usability has also been improved with enhanced filtering and sorting, preserved selections during navigation, and new sort options like Entitlement and Last Login-helping reviewers work faster and focus on higher-risk or stale access.

Unmatched / Orphaned Accounts in Campaigns:
Campaigns can now optionally include unmatched application accounts (orphaned credentials not tied to a known identity) in the review scope. This gives organizations greater visibility into stray or legacy accounts and helps reduce risk by ensuring these accounts are either properly associated or removed.

2. Updates in Connectors:

. Oracle Connector: Clearer Entitlement Details for Tables and Roles;Updated the Oracle connector to make application entitlements easier to understand. Table entitlements now show the permission, table owner, and whether it’s grantable, and role entitlements now list the role’s permissions in the entitlement description.

.Configurable Jack Henry Template Ingestion:
Added configuration to control how deep Jack Henry template-level data is ingested, and ensured missing/blank entitlements are included

.Improved AWS IAM Identity Center Group Descriptions
For the AWS IAM Identity Center connector, when a group description is missing or empty, the system now automatically uses the associated Permission Set description as a fallback, ensuring more complete and informative entitlement details.

3.Updates in Access Template

.Create Access Templates from Access Analysis
Users can now create Access Templates for user access reviews through Access Analysis screen. Selected applications and entitlements are automatically populated into the template and can be reviewed and edited as needed, streamlining template creation and improving efficiency.

.Improved Access Template Update & Approval Workflow:
When Access Templates are changed, updates now follow a more controlled approval workflow. Admins can submit changes for approval to template owners, who can then approve or reject the requests. Once approved, updates are applied consistently, and users’ access can be updated automatically based on the new template definition. This improves governance, reduces manual follow-up, and provides a clear audit trail of who approved which changes.

4.Updates in Ticketing System:

.Improved Ticket Status Synchronization for Campaigns:
Ticket status updates from connected ticketing systems are now synchronized on a scheduled basis, with manual refresh still available. Reviewers and administrators can see uptodate fulfilment status directly in campaign reports without having to switch tools, improving visibility into whether approved changes have been completed.

.Multiple Slack Workspace Support for Notifications:
Organizations can now configure multiple Slack workspaces; notifications (launch/reminders/escalations) are sent based on active workspaces.

IGA Enhancements

1.Form Management

Forms continue to be central to standardizing access related requests. In this release, we have enhanced the visualization of form based requests (for example, nonemployee and service account forms) by adding a mind map view that shows the request flow and status. This helps requesters and approvers quickly understand where a request is in the process and which steps are pending.

2.Updates in Provisioning Policy:

SOR-driven identity changes (such as department or title updates) are now more clearly detected and reliably drive downstream access controls, strengthening joiner/mover/leaver processes. Admins can also configure which identity attributes are used for access analysis and control, improving performance and ensuring insights and HRdriven changes focus only on the attributes that matter most.

3. Enhanced SOD Reporting with Violated Entitlements:

SOD reports now include a Violated Entitlements column across the UI and exports (PDF/CSV), clearly showing which entitlement(s) triggered each violation.

The post Q1 Version 2026 (05/08/2026) appeared first on SecurEnds.

IGA Enhancements

1. Updates in Campaigns

PDF Export for Audit Trails: Audit Trails can now be exported in PDF format, in addition to the previously available CSV format. PDF provides a clean, structured layout that is easier to review compared to raw CSV data.

2.Updates in Connectors

UltiPro Connector: Inclusion of an option to add Additional Columns This will allow users to select attributes like department, location, etc.

Servicenow Connector: Inclusion of an option to configure whether Group or Role or Both should be used as the entitlement.

Github: Inclusion of an option to use the following as entitlement type.

• Teams
• Teams & Roles
• Teams, Roles & Repositories
• Teams, Roles, Repositories & Permission Sets

3. Updates in Ticketing System

Freshservice: Freshservice can now be used as the ticketing system for access reviews. After adding the application details and selecting the ticketing system, you will see Freshservice available as an option.

4. Access Analysis Updates

Employee HR Status: Access Analysis with built-in Role Mining provides deep visibility into how access is distributed across your environment. Additionally, Employee HR Status has been added as a default attribute in Access Analysis, enabling users to verify whether a credential is active according to the SOR.

5. Bug Fixes & Improvements

• Optimized Application Loading:
  Resolved issues causing blank screens and slow loading on login or SSO due to large JavaScript bundles and caching problems. Implemented bundle splitting, lazy loading, and caching enhancements for faster performance.

IGA Enhancements:

1. Form Management

Forms are structured, customizable interfaces used to collect standardized information for initiating processes like access requests, approvals, and provisioning. This will help in standardizing and streamlining data collection for access requests. These forms can be designed and configured by the organization’s Admin to suit their specific needs and policies.

• Types of Forms

Non-Employee Forms: These forms are used to request access for individuals who need system access but are not regular employees of the organisation. This can include contractors, vendors, consultants, interns, or any third parties.

Service Account Forms: These forms are used to request access to service accounts-special system or application accounts that are not tied to a human user but are used by software processes, automated tasks, or services to perform specific functions.

2. Updates in Provisioning Policy

• System Change Tracking: After each SOR sync, the system now tracks changes in employee attributes and sends an email to the manager summarizing the updates.

Example: Department changed from IT to Sales, or Title changed from Lead Analyst to  XYZ.

• Enhanced Field Type Support: Previously, provisioning policies for both Birthright and Termination supported only the String field type. Now, additional field types—Integer, Boolean, and Date—are supported.

3. Updates in Access Template

• Time-Bound Fields with Justification in Access Templates:
  Access request templates will now include time-bound fields along with a justification section, similar to the existing time-bound functionality for entitlements.

This feature improves governance by ensuring temporary access is automatically revoked after the specified duration, supports compliance by capturing the reason for access for audits and certifications, and reduces risk by preventing unnecessary long-term access through enforced expiry dates.

The post Q4 2025 (01/13/2026) appeared first on SecurEnds.

Campaign Scheduler

Campaign Scheduler

The Campaign Scheduler helps in planning your campaigns ahead of time by selecting the desired launch date. This ensures timely execution without manual intervention.

Once scheduled, the system automatically generates and launches the campaign at the specified date.

Add a new Employee Type when using the Identities–> Add action

We will be able to add a new Employee type in Identities while adding a new user

Manage Access

Manage Access is a centralized self-service portal designed for submitting and managing access requests. It allows users to request access to multiple applications and access templates —either for themselves or on behalf of others—all from a single, convenient interface.

My Requests

This is a read-only screen and is available to all users.

This section lists access requests that you have submitted, as well as those submitted by others on your behalf. You can view either pending requests or all requests by selecting the appropriate ‘Status’ filter.

All Requests

This is accessible to admin users only.

An admin can see all access requests submitted across the system. In addition, the admin could delegate any pending request to another approver.

Access Request details

My Approvals

This view is available to all users.

Users can only see the requests that require their approval. By default, the view shows requests with the ‘Pending Approval’ status, but you can use the ‘Status’ filter to view all approval requests.

Access Template

An access template allows you to combine multiple applications and entitlements (permissions) into a single template. This template can then be used to raise a request, instead of requesting access to each application individually. This is especially useful for recurring or role-based access needs.

Policy Templates (Visibility Policy/Scoping Policy)

Policy templates define how access templates, applications, and entitlements are displayed and how users are scoped for access request operations. These policies ensure that visibility and user selection are governed by ownership and organizational hierarchy, maintaining security and relevance in access management.

Visibility Policy

Visibility policy determines which Access Templates, Applications and Entitlements each user can view and request

Scoping Policy

Scoping Policy controls each individual’s privilege to search & copy other users for Access Request purposes.

Provisioning Policy

Provisioning Policies define automated access rules for onboarding (Birthright) and offboarding (Termination) scenarios. These policies streamline access provisioning and de-provisioning based on predefined conditions, ensuring consistency and compliance across the organization.

Delegation

Global Delegation

Delegation will simply allow another user to view and perform the approval flow on behalf of the original reviewer. If enabled, both parties will receive an email that there has been a delegation.

Request Level Delegation

Request Level Delegation helps to delegate each request to the new approver. Delegation can be performed by approver or admin.

Request Mindmap

Request Mindmap Layout gives the request centric view across users and applications. Here you can view an individual request and see all relevant user/applications/Access Templates/entitlements/ approval flow/approvers associated in an easy-to-read format.

Access Template Mindmap

This mindmap displays all the users/applications and entitlements associated with template.

The post Q3 2025 VERSION 2.377 (09/19/2025) – IGA 1.0 appeared first on SecurEnds.

Access Analysis

Access Analysis

Access Analysis with built-in Role Mining is a new capability that gives you deep visibility into how access is distributed across your environment. It scans your entire user population and analyzes entitlements to identify common access patterns, enabling you to detect anomalies, reduce over-provisioning, and lay the groundwork for scalable role-based access control (RBAC). 

What It Does: 

• Automatically clusters users with similar access to suggest baseline roles
• Detects outlier access that may indicate risk or misalignment
• Provides insights into high-risk entitlements and unused permissions
• Surfaces hidden trends across departments, teams, or functions

Available now to all User Access Review (UAR) customers as part of our IGA platform expansion. It will serve as the foundation for upcoming features like Access Templates, which allow users to request access aligned with mined roles 

SFTP Connectors – Now have Box/ Cloud/ Flexfolder options

Our SFTP-based connectors for Fiserv, Fiserv Director, Fiserv Integrated Teller, Jack Henry, Global Funds Exchange, Symitar, Concur, and Lawson have been enhanced to support multiple file ingestion sources. In addition to traditional SFTP, you can now ingest data directly from AWS S3 buckets, Box, Flex Folder, or use a manual upload option. This added flexibility simplifies integration across diverse IT environments, and accelerates onboarding by accommodating both automated and manual data flows.

ManageEngine ServiceDesk On-prem ticketing implementation

SecurEnds now supports ticket creation through the on-premise version of ServiceDesk, expanding integration options for organizations with locally hosted ITSM systems. 

To configure Servicedesk, navigate to Configuration->Ticketing System for Access Review. Select “Set Up”.  Select “Servicedesk” in Ticketing System dropdown and “On Premise” in Instance Type dropdown and then enter connection details.  

Campaign Messaging – Exclude reviewers from Launch Campaign message

During campaign launch, notifications can now be sent via email or messaging platforms such as Microsoft Teams and Slack. Previously, the option to exclude specific users from notifications was available only for email. With this update, exclusion controls are now extended to messaging notifications as well, giving administrators more flexibility in tailoring communication and ensuring only the intended recipients are notified, regardless of the delivery channel. 

Mandating an election note when moving from Revoke to Approve in Campaign

During a campaign, reviewers often revoke access, add a justification note, and save their decision. If the decision is later changed from Revoke to Approve, the original revocation note remains attached and cannot be removed. To address this, SecurEnds now allows administrators to configure a rule that mandates a new election note whenever a reviewer changes an access decision from Revoke to Approve. This ensures a clear, auditable explanation is captured for all decision reversals, improving transparency and reducing ambiguity in review data. 

To set this configuration, go to Administration > Configuration > Campaigns > Configurations and search as in below screen shot.  

Nested Entitlements support for Azure AD

Nested entitlements can be now pulled into campaigns for Azure applications. To bring in nested data, while configuring Azure application in securends, just flip a config switch and the next data sync will bring in the nested data from Azure. Earlier this feature was only available for on-premises AD.  

New Dashboard and Menu improvements

The dashboard has been refreshed with a modernized stylesheet, delivering a cleaner, more streamlined user experience. The left-hand menu has been redesigned for a sleeker look, featuring updated menu names and a reorganized layout for improved navigation. 

The post Q2 2025 VERSION 2.376 (28/07/2025) appeared first on SecurEnds.

Transformation Services – Allow clients to send SecurEnds a CSV file for application setup

Transformation Services – Allow clients to send SecurEnds a CSV file for application setup

SecurEnds Transformation Services allows customers with a service contract or managed services to streamline onboarding by sending a CSV file for application setup. SecurEnds handles the data transformation and mapping, ensuring CSV data is correctly formatted and imported into the platform. This service accelerates deployment, reduces manual setup effort, and ensures a seamless and accurate integration of application data.

FloQast – New Connector

SecurEnds now offers a seamless integration with the FloQast accounting platform through an out-of-the-box connector. This feature enables automated ingestion of user and entitlement data from FloQast to perform User Access Reviews (UARs) efficiently. To activate the integration, an API key is generated within the FloQast application and configured in SecurEnds, ensuring secure and continuous data synchronization for improved compliance and access governance.

Workday Enhancement – ability to include entitlements/roles

The SecurEnds Workday connector now supports parsing entitlements and roles when the customer’s customized Workday report includes entitlements grouped under the security_groups header. This enhancement allows organizations to ingest and review entitlements directly from Workday, enabling more granular access governance and improving the completeness of User Access Reviews (UARs) for Workday-connected applications. 

UAR: Bulk Upload of Delegation

The Bulk Delegation Upload feature allows customers to import delegation data files to update global people delegation settings in bulk, eliminating the need to create delegation records manually. This is especially useful for organizations that maintain delegation information within their HR system and can easily export it as a file. This enhancement streamlines delegation management, saving time and ensuring consistency across the User Access Review (UAR) process

Campaign Delegation – Audit Ready Notes

This enhancement allows admins to provide a reason note when delegating a campaign to another reviewer. The reason is captured directly within SecurEnds and made available in audit reports, ensuring full transparency. This eliminates the need to maintain separate documentation and helps auditors easily track and verify the rationale behind delegation decisions. 

The post Q1 2025 Version 2.375 (05/01/2025) appeared first on SecurEnds.

Bulk Reviewer Management at Campaign Level

Bulk Reviewer Management at Campaign Level

A new Bulk Update Reviewer option has been added to the campaign page, allowing administrators to efficiently manage and delegate reviewer responsibilities at scale. This enhancement significantly reduces the time required to update multiple reviewers, streamlines reviewer management, and minimizes the risk of oversight. Additionally, the Update Manager Notification now includes details of delegated users, entitlements, and applications, enhancing transparency and ensuring all stakeholders remain informed throughout the delegation process. This feature saves valuable administrative time by enabling mass updates, reducing manual effort, and ensuring that no critical tasks are missed due to oversight.

Credential Visibility Control at Campaign Level

The credential hiding configuration, previously applied globally, can now be set at the campaign level. This allows administrators to selectively exclude single credentials (with no entitlements) from specific campaigns, providing greater flexibility and precision in managing credential visibility without impacting other campaigns. By allowing credential visibility to be customized for individual campaigns, this enhancement ensures that unnecessary data is excluded only where relevant, improving the focus and efficiency of specific reviews without affecting global settings.

Track Reviewer Changes with Notes for Full Audit Visibility

A Notes section has been introduced in the Update Reviewer feature, allowing administrators to document reasons for reviewer changes. These notes will appear in reports, exports, and notifications, offering a clear audit trail for all reviewer updates and improving overall accountability. The inclusion of this feature strengthens audit readiness by maintaining detailed records of reviewer changes, promoting transparency, and ensuring that all actions taken are clearly documented and easy to reference during audits.

Automated Campaign Data Archival for Better System Performance

Campaign data is now automatically archived based on configurable retention periods. Administrators can download archived campaign reports at any time, ensuring access to historical data without cluttering the active campaign list, which improves overall system performance. This feature enhances system efficiency by preventing active campaign lists from becoming overloaded with old data while preserving long-term access to critical historical records, supporting both compliance requirements and performance optimization.

Customizable Email Reminders for Timely Campaign Completion

Administrators can now configure specific dates for reminder emails instead of relying on a fixed number of days before the campaign end date. This added flexibility ensures reminders are sent at the most appropriate times, aligning with internal workflows and increasing the likelihood of timely reviews. By offering more control over reminder scheduling, this enhancement increases the chances of task completion, reduces overdue reviews, and ensures that notifications are timed strategically to maximize response rates.

Dynamic Button Visibility on Application Credentials Screen

The Application Credentials screen now dynamically hides irrelevant buttons based on the selected status in the Status dropdown. This declutters the interface and ensures users only see actions relevant to the current state of the credential, improving overall user experience and reducing potential for errors. By simplifying the interface, this change allows users to focus on necessary tasks, minimizes distractions, and ensures a smoother, error-free experience when managing credentials.

Enhanced WebAPI Security with Bearer Token Authentication

The WebAPI Connector now supports authentication using Basic Auth with a Bearer Token. This enhancement enables more secure and versatile API integrations, meeting diverse security requirements while maintaining compatibility with existing systems. The ability to use both Basic Auth and Bearer Tokens enhances integration security, providing stronger protection for sensitive data and allowing organizations to comply with modern authentication standards.

Expanded SharePoint Connector for Multi-Site Data Access

The SharePoint Connector has been enhanced to retrieve data from multiple site collections when configured with an account that holds Site Collection Admin permissions. This improvement supports complex SharePoint environments and ensures broader data access. By enabling multiple site collection retrieval, the connector reduces manual data consolidation efforts, improves operational efficiency, and simplifies data gathering from diverse SharePoint resources.

Automated CSV Entitlement Mapping for Streamlined Imports

The CSV connector now supports mapping multiple entitlements spread across horizontal columns. This removes the need for manual transformations, as the application can process Entitlement 1, Entitlement 2, etc., directly from the CSV headers. This feature significantly reduces administrative workload by automating entitlement mapping, ensuring greater accuracy, and saving time otherwise spent on manual data manipulation.

Role-Data for Azure AD Imports

A new feature in the Azure AD connector enables administrators to include or exclude specific roles during data imports. This feature allows for more precise control over role-based review management. This update reduces unnecessary data imports, streamlines the onboarding process, and ensures that only relevant roles are included in each campaign.

Detailed User Change Tracking with From/To Values in Audit Logs

The User Audit Trail now captures and displays both the old and new values for all user actions. This enhancement improves visibility into data changes, making audits more effective and comprehensive. The ability to view both the original and updated values ensures greater accuracy in audits, facilitates rapid troubleshooting, and provides a more complete understanding of user actions and system modifications.

Campaign Approvals Fully Captured with Approve All Logging

Actions taken by reviewers using the “Approve All” button are now logged in the Campaign Audit Trail. This provides administrators with greater insight into the review process, ensuring full transparency. Capturing these bulk approval actions increases accountability, ensures all decisions are traceable, and provides clear documentation for regulatory and audit requirements.

Enhanced Clarity in Audit Logs with Campaign and Application Names

Audit trail entries now include application and campaign names in descriptions, offering greater clarity and context for logged actions. This update simplifies audit reviews by making logs easier to interpret and directly linking actions to their corresponding campaigns or applications, reducing investigation time and improving traceability.

Dynamic End Date Inclusion in Reviewer Notification Emails

A dynamic variable for the campaign end date has been added to the Notify Update Manager email template. This ensures reviewers are aware of deadlines, promoting timely review completion. By including campaign end dates in notifications, this enhancement reduces the risk of missed reviews, improves communication clarity, and ensures that reviewers are fully informed about their responsibilities and deadlines.

The post Q4 2024 Version 2.374 (01/06/2025) appeared first on SecurEnds.

Campaigns

Enhanced Auto-Close Campaign Feature

Instead of triggering the auto-close feature once the 100% completion threshold is reached, this functionality is enhanced to wait until the end date of campaign before closing the campaign automatically. This ensures that admins have sufficient time to make any necessary changes before the campaign closure. However, it is configurable to close the campaign immediately or wait till campaign end date.

Display Percentage Complete at Top of All Campaign Election Pages

Campaign progress percentage is shown at top-right of review screens with fill colour indicating the overall progress (akin to traffic-light red-yellow-green)

This is how it looks when 100% complete

As campaign progresses, percentage complete is shown in yellow as below-

Campaign Close Confirmation to Include Campaign Name

With this change User can be doubly sure that they are closing the correct campaign, as Campaign Name is shown in the Campaign close confirmation popup. Customer suggested and we listened.

Delta Campaign with no changes Shown 100% Complete

Progress of a Delta campaign with no changes/elections to be made, is changed to 100% immediately on launch of campaign, thus helping UAR admin in campaign management.

Additional Columns on Reviewer Pages

Two new columns “SOR Email” and “HR Status” is available on the UAR Campaign screen. This additional information would help expedite review process for manager with large number of reportees.

Campaign Notes for Credential and Entitlement during Revoke Process

Today when Credential is revoked all corresponding Entitlements are revoked automatically by the application. As part of this enhancement whenever credential is revoked and user provides notes, the same Notes is applied and displayed to associated entitlements as well.

Application

Clone a SOR as an Application

Earlier SOR was allowed to be included in a campaign. In an earlier release, we removed and made to only include Applications. Hence if same HR system is required for Credential reviews user had to duplicate that as an Application. With this enhancement a user can decide to clone a SOR as an Application during creating the SOR itself.

Configuration for cloning the SOR as an Application

SOR & Application Created

Connectors

Bitbucket – A New Connector

Securends is expanding its Out-of-the-Box integration with addition of this new connector with Bitbucket. Bitbucket connector will pull project permissions as entitlements with format : {Project Name} – {Permissions} 

Navigate to Applications->Add->Data Ingestion = Connector.

Select Bitbucket Connector. Add connection details and mapping.

Active Directory – Employee ID Flag is Now UI Level Config

Employee ID field while using Active Directory can be mapped to different incoming fields. However this mapping had to be done in database with the help of support team. With this enhancement the mapping is now available in the SOR/Application screens for AD Connector. This also gives flexibility to have different mapping for different AD.

SOR Connectors – Exclude Employee ID Through Config

During connector sync of a SOR, if the source system had employee ID data, Securends ingested that attribute.  This affected how records are added to People and updated.  In some cases the employee id attribute in the source system was used for other reasons than as a unique value.

With this release by providing an additional configuration option, API need not always ingest the employee ID attribute. This option at SOR connector level, gives freedom to clients to pull employee ID from one SOR and not from another SOR.

Snowflake Connector – Additional Functionality

Currently, from Snowflake Integration, Securends application was pulling Single/Default Role of user in data sync. However users can have multiple roles in Snowflake. Securends integration with Snowflake is now improved to pull all the Roles of user (Default Role + Granted Roles)

FlexFolder Connector – Custom Configuration Options

Similar to SFTP or Cloud Storage flex connectors, FlexFolder is a helpful way to automate ingesting data through CSV automatically. We are now making FlexFolder more configurable so that customer can provide their own mapping instead of having to follow the default header names in the CSV.

Credential Updates

Application Credential is Purged -> Un-assign From the People Identity

This feature is part of Securends plan of improving the product continuously for better user experience.

When status of a credential moves to purged in any application, earlier our guideline to admins was to manually unassign credential from respective user/identity. This enhancement automates this step reducing manual user intervention.

SOR People Identity is Purged -> Un-assign From All Applications

Similar to the previous enhancement, this enhancement automates un-assigning purged identities.

When an identity/Credential is purged in any SOR (only if the identity is matched automatically)

• All credentials from other applications which are assigned to respective identity/email are unassigned
• All credentials from All SORs which are assigned to respective identity/email are unassigned

Matching Logic

Admin Can Now Assign an Unmatched Credential

Fuzzy logic is great. But for those unmatched credentials, this feature reduces number of clicks to search for an identity and assign.

When user navigates to fuzzy match screen(Application –> Credentials –> Match) and when there are no results(empty table) displayed for Fuzzy match and user clicks on ‘Assign Button’, now here itself we display Assign Credential popup for user to search and assign.

Audit Logging

Audit Trail of Application Config Change Captures Additional Details

We have now enhanced the audit logging for Application config changes by capturing additional details. Any change to individual fields is logged by clearly indicating what was the config before this change and what it is now for better clarity.

Messaging

Slack & Teams – Launch Campaign Message Directly Sent to User Instead of Channel

Currently, system sends Campaign Launch Message to Slack channel. If any new reviewers are part of campaign then admin has to manually add those users to channel.To avoid this, Securends now sends the Launch Message to Direct Chat of individual users.

While sending the Bulk Launch Message, it also consolidates and includes only the relevant Campaign Names associated with the user/reviewer.

Ticketing

SNOW – For Scripted API method Table Name is Configurable

A configurable product offers greater flexibility in product functionality. Here in SNOW ticketing for scripted API, system created attachment to ‘Incident’ table by default. There was an ask for making the table name configurable. Hence with this release we now allow a configurable Table name within Ticketing Configuration.

JIRA – Issue Type is Configurable

Similar to SNOW Ticketing, Jira ticketing integration is enhanced to allow further flexibility.

Today for Jira ticketing, the ticket gets created as a ‘Task’ issue type. Since some Jira projects do not support ‘Task’ issue type, this “Issue Type” field is now made configurable.

For onprem Jira – Issue type field is added

For Jira Cloud – Issue type field is introduced

Report

Add additional Columns to Users Report

User Report now has these additional columns:

Termination Date and Last Authentication Date from SOR, and Last Authentication Date from Application.

This aids admin in their SOX audit to determine if a user that was terminated accessed an application after their termination date.

The post Q3 2024, Version 2.373 (10/01/2024) appeared first on SecurEnds.

Campaigns

Added Ability to Assign a Manager’s Direct Reports to a New Reviewer at One Time

SecurEnds has made it easier to delegate a manager’s direct report reviewers to another reviewer.  We have added “SOR Manager Email” as an option for credential delegation.  When selected, users may search for a manager’s email and then select the direct reports that should be assigned to a new reviewer.  A Credential Delegation Audit Trail will track the delegation.

Navigate to Access Review->Delegation.  Select Credential Delegation in the dropdown and select applications. 

Select SOR Manager Email in the dropdown, then search for a manager and select.  Select direct reports to reassign in the Direct Report dropdown and then enter the new reviewer in Assign Reviewer.  Then click SAVE.

The reviews previously assigned to the manager’s direct reports will now be assigned to the user in Assign Reviewer.

Applications

NEW Flex RPA Connector

The RPA (Robotic Process Automation) connector revolutionizes the extraction of entitlement data from a multitude of applications without an API. This connector was introduced in a limited release and is now available to all in this Q2 wider release. 

Navigate to Applications, click ADD button. 

Select Flex Connector radio button.  Enter name and select Flex RPA.  Click Save and follow the instructions in our Flex RPA Users Guide.

NEW Microsoft Dynamics Business Control Connector

We have added the Microsoft Dynamics Business Control Connector that will pull users and permissions and be available as an SOR or Application.

Navigate to Applications->Add.  Select Connector radio button and search for “dynamics”.  Select the Dynamics 365 Business Central Connector.

Add connection details.

NEW Paylocity Connector

The new Paylocity Connector may be used as an SOR or application and will pull users.  We currently only support one Company ID.

Navigate to Applications->Add.  Select Connector radio button and search for “paylocity”.  Select the Paylocity Connector.

Add connection details and Save.

Updated Match Logic

SecurEnds has updated our application match logic to handle specific customer use cases.

When syncing and matching, all credentials will be unassigned and all identities will be terminated when an SOR is disabled.

Emails

Added Optional “Reply To” Field and Header to Email Configuration

We have added the option to set the “Reply To” field as a different address than the login email address.  It will show as a header in all SecurEnds emails.  When “Reply To”, the email will be forwarded to this address.

Navigate to Configuration->Email Settings->Setup

Enter “Reply To” address in Configuration.

Ticketing

Added Ability to Configure Columns in the CSV Sent for Ticketing and Email Provisioning

Improved Display Fields in CSV and Reordered Columns

A new configuration was added to specify which columns should be displayed in the Ticketing and Email CSV attachment. 

Navigate to Administration->Configuration->Ticketing System for Access->Configurations. 

Search for EXCLUDE_COLUMNS_FROM_TICKETING_SYSTEM_ATTACHMENT and select Update in the action gear.

To include all columns, enter No.  To specify columns to include, enter each column header separated by commas. 

In this example, the following columns are excluded:  entitlement description, entitlement DN, notes, termination date, Business justification

The excluded columns are not displayed in the CSV attachment.

For Manager Elections, we will display “App Credential – <credential value>” on the Ticketing and Email CSV attachment.  Columns will be displayed in the following order: 

NEW – Deskpro Ticketing

SecurEnds is now able to send tickets via Deskpro

To configure Deskpro, navigate to Configuration->Ticketing System for Access Review. Select “Set Up”.  Select “Deskpro” in Ticketing System dropdown and enter connection details.

When setting up applications, select “Deskpro” for ticketing.

Added a New Configuration to Service Now Ticketing to Pull Assignee from “Display Name”

By default, SecurEnds will pull Assignee from the “Name” field in Service Now.  An option has been added to pull Assignee from the “Display Name” field.  This configuration is in the application property file.  If this change is desired, request a property file change from your Implementation Consultant.

Platform Modernization

Java Upgrade

Adhering to industry best practices is important to SecurEnds so we are continually upgrading our IT platform. In this release we have upgraded Java to version 17 and Spring Boot to version 3.2.1.

The post Q2 2024, Version 2.372 (7/01/2024) appeared first on SecurEnds.

Campaigns

Added SOR Last Sync when Creating a Campaign

SecurEnds has added a configurable option to display the latest SOR sync date and time when creating a campaign.

Navigate to Configuration->Campaigns->Configurations.  Set INCLUDE_SOR_SYNC_ON_CAMPAIGN_ADD to true.  The default value is true.

Navigate to Campaigns->Add.  Select a campaign template.  The list of all SORs with will be listed with their last sync date and time.

Added the Ability to Change the Background Color of Campaign Instructions

The background color can be green(default), white, red, blue or yellow.

Navigate to Configuration->Campaigns->Instructions/Notes.  Select the background color from the dropdown.

The instructions will display the color selected.

Added the Ability to Define the Quarter Date Range for Historic Campaigns

We have added the ability to define Quarter 1 to begin on any month of the year.  Previously, Q1 was always defined as January, February, March.  Now, users have the ability to set when Q1 begins and subsequently the following quarters.

Navigate to Configuration->Campaigns->Configurations.  Set QUARTER1_STARTING_MONTH to any number between 1 and 12.  For example, if enter 2, then Q1 will begin with February.  Q1 will be February, March, April.  Q2 will be May, June, July, etc.

Navigate to Historic Campaign and select the Quarters dropdown.  The quarters will be define based on the selected starting month.

Applications

Added Ability to Copy Existing Applications

Users are now able to copy applications.  The configuration details will be replicated, only requiring a new name for the new application.  This feature is only available for Applications, not SORs.

Navigate to Applications and select “Copy” in the action gear.

Enter a new application name.  The remaining fields will all be replicated from the original application.  Filtering may be updated.

Added “Type” column on SOR and Application Pages

We have added a “Type” column on the SOR and Application pages which will allow users to filter by Type.

Navigate to Applications or System of Record.  Enter type of application to filter.

Added Export on the Application Entitlements Page

On the Application Entitlements page, users are now able to export a list of all Active Entitlements and the associated active (not purged) Credentials.

Navigate to Applications->Entitlements.  Select Export button.

Entitlements with the associated credentials will be listed in the Export.

Added “Status” column on Entitlement Credential Page

SecurEnds has added a credential status column on the Entitlement Credential page to inform users if the credential is Matched, Unmatched, Excluded, Service Account or Deleted.

Navigate to Applications->Entitlements->Credentials

Added a “Test Connection” Button when Creating an Application to Test Connectivity

Added a “Test Connection” button to our most popular connectors to confirm connectivity when creating an application.  No need to wait to sync an application to confirm connectivity.  Connectivity can be tested when creating the application without retrieving data.

Navigate to Applications->Add->Connector->Azure AD

After entering Configuration Details, click the Test Connection button.

When invalid credentials are entered, an error will display.

Add Capabilities of SFTP Flex SORs to CSV SORs

CSV SORs function the same as the SFTP Flex Connector.  Previously, the UI counts only displayed Total People and Skipped records.  Now, the UI counts also display the number of credentials that are matched, unmatched, purged and skipped.  When deleting an SOR, the identities in People should be deleted.

The following actions are available in the action gear:  Sync, Update, Delete, Import, Entitlements, Credentials, Export, Schedule Export, Custodian, Disable, Bulk Assign, Bulk Exclude and Bulk Restore, Export Skipped Records, Sync Status, Details, View Audit Trail. 

Box Cloud Storage Connector – New Connector

We have created a new connector to expand the SFTP connector capabilities.  This new connector gives users the ability to use SFTP but connect to a Box file repository. 

Navigate to Applications->Add->Data Ingestion = Flex Connector.

Select Cloud Storage Connector.  Select Box in Host dropdown.  Add connection details and mapping.

Reports

Added Entitlements to the User Report

Added Application and User Status Filters to the User Report

Users now have the option to display the User Report with or without entitlements.  Users also have the ability to filter the User Report by Application and User Status in an Application.

Navigate to Users Report.  To include entitlements, check “Include Entitlements” or de-select to exclude entitlements.  The default is unchecked, do not include entitlements.

Select filters for Applications and User Status in Application.

When setting up a scheduled User Report, users may choose to include or exclude Entitlements.

Added Ability to Send User Report to AWS or Box

Scheduled Users Report may now be sent to an AWS or Box repository in addition to SFTP.

Navigate to Administration->Configuration->Users Report Schedule

Select Export Method = SFTP, AWS or Box

Send Terminated Reviewers Report after SOR Sync Rather Than Daily Job

When configuration IS_EMAIL_TERMINATED_REVIEWERS_NOTIFICATION is set to true, an email report of terminated reviewers will be sent.  Previously, this report was sent daily.  Now the report will be sent when the SOR is synced. 

Navigate to Configuration->Default UI Configuration-> IS_EMAIL_TERMINATED_REVIEWERS_NOTIFICATION.  Set the value to true.

When an SOR is synced, the report will be run and an email will be sent if there are terminated users.

Email Notifications

Test Email Connection Prior to Sending Launch and Manual Reminder Emails

Prior to sending Launch and Manual Reminder emails, connectivity is tested.  If successful, then emails are sent as usual.  If there is a connectivity failure, an error is displayed and the Campaign will not be launched.  The email configurations will need to be resolved or notifications unchecked in order to launch the Campaign.

SecurEnds has also updated the Email Audit.  Previously, only the successfully sent emails were listed.  Now ALL emails are listed with a status of whether they were sent successfully or if there was a failure.

Navigate to Campaigns->Launch.  Select “Send Launch Campaign Email Notifications” = yes.

Connectivity will be tested.  If there is an error, it will be displayed and the campaign will not be launched.

Administration Configurations

Consolidated Campaign, Ticketing and Email Configurations

Previously, all configurations were under Default UI Configuration.  Due to the number of configurations, it could be difficult to find the configuration needed.  Therefore, we have consolidated the Campaign, Ticketing and Email Configurations.  We have also added a description of each configuration.

To view all configurations related to Campaigns, navigate to Configuration->Campaigns->Configurations. 

All campaign related configurations are shown here with a description of each configuration.

To view all configurations related to Ticketing, navigate to Configuration->Ticketing System for Access Review->Configurations. 

All ticketing related configurations are shown here with a description of each configuration.

To view all configurations related to Emails, navigate to Configuration->Email Settings->Configurations. 

All email related configurations are shown here with a description of each configuration.

The post Q1 2024, Version 2.371 (4/01/2024) appeared first on SecurEnds.

Campaigns

Added the Ability to Create Hierarchical Campaigns

This feature enhances campaigns by providing the ability to create multiple levels of approval.  After the initial review process, the campaign may be reviewed by two additional reviewers before completing the campaign.

When each review level is 100% complete, the review will automatically be sent to the next level of reviewers.  The 2^nd or 3^rd level reviewers may be the Direct Manager (if not reviewed by Direct Manager at the 1^st level), Reviewer’s Manager or an Alternate Reviewer.  The 2^nd and 3^rd level reviewers will see the elections made by the previous reviewer.  They may choose to keep the election made by the previous reviewer or change it.  Once a campaign level is complete, it moves to the next level reviewers.  The previous reviewers may not view the campaign at that point.  2^nd and 3^rd level reviewers will be notified via email when the previous level is complete and the campaign is ready to be reviewed at their level.  2^nd and 3^rd level reviewers must select “Complete Campaign Level” on the Open Campaigns page when they have completed elections.  When all reviewers have selected “Complete Campaign Level”, the review will move to the next level reviewers.

Administrators will have the ability to move the campaign to the next level of reviewers, even if the elections are not 100% complete. 

To create a Hierarchical Campaign, navigate to Campaigns->Add.

Select the first level campaign reviewer.

Select Hierarchical Review = Yes, and select the 2^nd level reviewer.

To select a 3^rd level reviewer, click “+ Add Additional Level”

Select a 3^rd level reviewer.

Reviewers will see the hierarchical review by clicking “Open & Completed Campaigns”

To perform the review, reviewers select “Continue Review”. 

When all elections are made, the Reviewer should select “Complete Campaign Level”.  When all Reviewers have completed the level, reviews will automatically be sent to the next level Reviewers.

Administrators may select “Complete campaign Level” on the Campaigns action gear to move to the next level even though all reviewers have not selected “Complete Campaign Level” and elections are not complete.

Added the Ability to Send Additional Escalation Emails to Upper-Level Management

When reviewers have not completed reviews by the end date, an escalation email may be sent to their direct manager.  We have added the ability to also send an additional email to the manager’s manager or anyone else when the reviews are not complete.

Navigate to Campaigns->Add.  Select “Send escalation email to reviewer’s manager”.

Check “Send additional escalation emails”.  Select to send email to the next level manager or another person.  Also select when to send the email based on the number of days before the end date.

Added the Ability to Include BCC in Emails

We have added the ability to add a blind carbon copy in all emails.  When the BCC field is entered, all emails sent from SecurEnds will also be sent to the BCC.

Navigate to Configuration->Email Configuration->Setup.  Add an email address in the BCC field.

Added Fields to the Fuzzy Match Page

On the Fuzzy Match page, SecurEnds is now displaying columns for HR Status and Manager Email.

Navigate to Applications->Credentials->Unmatched Credential->Match

Applications

AWS Cloud Storage Connector – New Connector

We have created a new connector to expand the SFTP connector capabilities.  This new connector gives users the ability to use SFTP but connect to an AWS file repository. 

Navigate to Applications->Add->Data Ingestion = Flex Connector.

Select Cloud Storage and add connection details and mapping.

On-Prem Jira Connector – New

SecurEnds now supports On-Prem Jira. 

Navigate to Applications->Add->Data Ingestion = Connector.  Select Jira.

In Configure Application, select Instance Type = On Premise.  Add connection details and mapping.

AWS IAM Identity Center Connector – New

SecurEnds has built an AWS IAM Identity Center/AWS SSO Connector.  Any SSO may be configured to add users and groups to the AWS IAM Identity Center.  SecurEnds will pull users as credentials and groups and permission sets as entitlements from the AWS IAM Identity Center.   

Navigate to Applications->Add->Data Ingestion = Connector.  Select AWS IAM Identity Center.

Add connection details under Configure Application.

AWS Cloud DB Connector – New

SecurEnds has added a new connector to pull from an AWS Cloud DB.  This connector will utilize an access token for authentication.

Navigate to Applications->Add->Data Ingestion = Flex Connector.  Select Cloud DB.

Add connection details.

Ultipro (UKG) Connector – Updated

Improvements have been made to the Ultipro(UKG) Connector.  Tooltips were added to the Configuration label.s and Last Authentication Date is now displayed.  Role and it’s description details are shown on the Application Entitlement page.  Employee Title, Job Title and Department with their associated descriptions are shown on the People page.  We have added the ability to map employeeType to any key by specifying it in the Configure Application section.

Navigate to Applications->Add->Data Ingestion = Connector.  Select Ultipro.

Enter connection details. 

AD Connector – Show Nested Entitlements by Default

For the AD Connector, SecurEnds will always show “Include Nested Entitlements” with a default of No.  Previously, in order to include Nested Entitlements, the DevOps team needed to set a DB configuration. 

Navigate to Applications-> Add->Data Ingestion = Connector.  Select Active Directory.

Workday Connector – Improved Failure Messaging

When there was a failure in the Workday sync, a generic message was displayed in the log file.  A more informative message will now be displayed in the logs when there is an invalid url, invalid username or invalid password.

WebAPI Connector – Added Support for Oauth 2.0

The WebAPI Connector was added in our last release.  In this release, we have added authentication using Oauth 2.0.

Navigate to Applications-> Add->Data Ingestion = Flex Connector.  Select WebAPI.  Select Authentication Type = Oauth 2.0.

Access Request/Identity Lifecycle Management

Added a Configuration to Be Able to Request Access for Any Application, Regardless of Group Assignment

In the Request Access module, users are able to request access for applications that apply to user groups they are included in.  With this feature, we have provided the ability to request access to any application, regardless of user group.  This feature is configurable.

Navigate to Configuration->Default UI Configuration.  Search for RESTRICT_REQUESTS_BY_USER_GROUP.  To display applications for request based on User Groups, then set the configuration to “true”.  To display all applications for request, regardless of User Groups, then set the configuration to “false”.

Navigate to Request Access.  Available Apps will display for selection based on this configuration.

Improved Request Access UI

We have made minor UI changes to make the Request Access page more intuitive.  The user’s current applications are displayed at the top under the “Your Apps” heading.  Applications available for request are displayed under the “Available Apps” heading.

When an application is selected for request, it will be selected and specific roles and groups may be selected.

Added the Ability to Request All Application Types

Previously, users were only able to request access for applications set up as CSVs, DB Flex, Azure or Okta.  We have added the ability to select any application type, including all DB Flex and all Connectors.

All application types may now be selected for request.

Audit Trail

Added an Audit Trail for Administration Configurations

To keep administrators informed of which configurations have been changed and by who and when, we have added an Audit Trail to capture this information.  This version of the Audit Trail will capture changes to Roles configurations, Ticketing configurations, Email configurations, Message configurations, UI configurations and Default UI configurations.  Additional configurations will be added to the Audit Trail in future releases.

Navigate to Administration->Configuration.  Click the “Audit Trail” button.

The Audit Trail will show which configurations have changed, who made the change, when the change was made and what the previous and new values are.

Ticketing

Added Ticketing for ManageEngine ServiceDesk

SecurEnds is now able to send tickets via ServiceDesk. 

To configure ServiceDesk, navigate to Configuration->Ticketing System for Access Review. Select “Set Up”.  Select “ServiceDesk” in Ticketing System dropdown and enter connection details.

When setting up applications, select “ServiceDesk” for ticketing.

Added the Option to Use the Two-Step Checkout Model in Service Now Request

SecurEnds is now able to support ticketing for Service Now Request when customers have Two-Step Catalog Checkout Model enabled. 

Security

Upgraded to Latest MySQL Version 8.0.34

Added Captcha to Login Page

SecurEnds has implemented SW patching to ensure resiliency and security and improve performance.

Captcha on Login page for username/pw login:

The post Version 2.369 (01/01/2024) appeared first on SecurEnds.