
Authors – Ramakrishna J Gorthi (rjgorthi@in.ibm.com) & Vaibhav V Gadge (vaigadge@in.ibm.com)
Identity Governance and Intelligence (IGI) allows enterprises to provision, audit and report user access and user activity through lifecycle, compliance and analytics capabilities. While one of the core functions of IGI is to provide a common platform for requesting access to any application in the enterprise, end-users can also proactively assess the mitigation controls that apply to a given risky access request.
Mitigation Controls are typically the exceptions under which a user is allowed to continue holding a risky access. Enterprises usually designate a Risk Manager to assess the risk and the requisite Mitigation Controls. Some enterprises, however, want end-users to call out any existing exceptions (Mitigation Controls) by virtue of which they may hold that access. Here are the steps an end-user follows to associate mitigation controls with a given Access Request.
For the end-user to specify mitigation controls, the admin has to enable the corresponding configuration in the Process Designer, for the appropriate Activity:
Figure 1 - Enable the configuration for end-user mitigation
Turn on Risk Mitigation specification for the end-user, by setting “Enable risk mitigation” to true.
When the end-user (in this case SChang) logs in and starts an Access Request, Figure 2 shows the first view of that flow. For now, focus on the Risk indicator for the user, which shows a Low Risk Profile.
Figure 2 - End User launches the Self Create Request
Once the user adds a risky access to the Shopping Cart, the Risk Posture of the user changes to red, as shown in Figure 3.
Figure 3 - End User adds a Risky Access to the Shopping Cart
Now, with this risky access in the Shopping Cart, the user sees an additional control at the bottom of the cart: the Mitigate button. This button is the handle through which the end-user specifies Mitigation Controls, as shown in Figure 4.
Figure 4 - Risk Posture changes and visibility of Mitigate button
Once you click on the Mitigate Button, you would be presented with a dialog to view the Risk, the associated activities, and the Available Mitigation Controls, as shown in Figure 5.
Figure 5 - Add Mitigation Control
You can select a specific control from the Available Control List and click the button highlighted in Figure 5 to move it to the Assigned Control List.
Once you assign a mitigation control, make sure that it appears under the Assigned Control List, as shown in Figure 6.
Figure 6 - View the added mitigation control
Once you apply the requisite mitigation controls, you can go ahead and submit your request. After submission, the request is marked as being in Incompatibility Mode. Depending on the workflow configuration, the request is then routed to an approver; for this walkthrough, assume it is the Risk Manager.
When the Risk Manager logs in and drills down into the request from SChang, he’ll have a view as shown in Figure 7.
Figure 7 - Risk Manager reviews the request details
As you can see, the Risk Manager can view the request details and, in addition, can click the Mitigate button to see whether the user has specified any mitigation control.
The Risk Manager can review the mitigation control and, if any change is needed, modify the mitigation control before approving the request. Figure 8 shows what the Risk Manager sees after clicking the Mitigate button.
Figure 8 - Risk Manager reviews mitigation controls
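To make the control flow described above concrete, here is an added example that is not IGI's own code or API: a simplified Python model of the end-user mitigation flow. The class and function names (AccessRequest, Risk, MitigationControl, submit, risk_manager_review), the sample risk, entitlements and control names are all constructed assumptions. The model captures the security-relevant checks the walkthrough relies on: a risk is triggered only when the cart grants a conflicting set of activities, an end-user can assign only a control that is listed as available for that risk, a request with a triggered risk enters incompatibility mode, and the Risk Manager can approve only once every triggered risk is covered by an assigned control.

```python
"""Simplified model of IGI-style end-user risk mitigation (added example, not IGI code)."""
from dataclasses import dataclass, field

LOW, HIGH = "low", "high"


@dataclass(frozen=True)
class Risk:
    name: str
    activities: frozenset  # activities that, held together, trigger this risk (SoD conflict)


@dataclass(frozen=True)
class MitigationControl:
    name: str
    covers: frozenset  # names of the risks this control is applicable to


@dataclass
class AccessRequest:
    user: str
    cart: dict = field(default_factory=dict)  # entitlement name -> activities it grants
    assigned_controls: dict = field(default_factory=dict)  # risk name -> control name
    status: str = "draft"

    def granted_activities(self):
        acts = set()
        for activities in self.cart.values():
            acts |= set(activities)
        return acts

    def triggered_risks(self, risks):
        acts = self.granted_activities()
        return [r for r in risks if r.activities <= acts]

    def posture(self, risks):
        # Mirrors the red/low indicator: any triggered risk makes the posture high.
        return HIGH if self.triggered_risks(risks) else LOW


def available_controls(risk, controls):
    return [c for c in controls if risk.name in c.covers]


def assign_control(req, risk, control, controls):
    # Only a control from the Available list for that risk may be moved to Assigned.
    if control not in available_controls(risk, controls):
        raise ValueError(f"{control.name} is not applicable to {risk.name}")
    req.assigned_controls[risk.name] = control.name


def submit(req, risks):
    # A request carrying a triggered risk is flagged for the Risk Manager.
    req.status = "incompatibility" if req.triggered_risks(risks) else "submitted"
    return req.status


def risk_manager_review(req, risks, controls, changes=None):
    """Apply any controls the Risk Manager changes, then approve only if every
    triggered risk has an applicable control assigned. Returns (status, uncovered)."""
    for risk_name, control in (changes or {}).items():
        risk = next(r for r in risks if r.name == risk_name)
        assign_control(req, risk, control, controls)
    uncovered = [r.name for r in req.triggered_risks(risks)
                 if r.name not in req.assigned_controls]
    req.status = "approved" if not uncovered else "pending"
    return req.status, uncovered


# Constructed sample data (assumed, not from any real IGI tenant).
RISKS = [Risk("create-and-pay-vendor", frozenset({"create_vendor", "pay_vendor"}))]
CONTROLS = [
    MitigationControl("MC-01 quarterly vendor master audit", frozenset({"create-and-pay-vendor"})),
    MitigationControl("MC-02 dual approval on payroll", frozenset({"payroll-sod"})),
]


def demo():
    """Walk the flow from the post: low posture, risky add, submit, review, approve."""
    req = AccessRequest("SChang")
    req.cart["AP Clerk"] = ("pay_vendor",)
    before = req.posture(RISKS)
    req.cart["Vendor Master"] = ("create_vendor",)  # the risky access
    after = req.posture(RISKS)
    submitted = submit(req, RISKS)
    first_review = risk_manager_review(req, RISKS, CONTROLS)  # nothing assigned yet
    assign_control(req, RISKS[0], CONTROLS[0], CONTROLS)  # end-user assigns MC-01
    final_review = risk_manager_review(req, RISKS, CONTROLS)
    return {"before": before, "after": after, "submitted": submitted,
            "first_review": first_review, "final_review": final_review}


if __name__ == "__main__":
    print(demo())
```

The important behaviours to note are in `assign_control` and `risk_manager_review`: an end-user cannot attach an arbitrary control to a risk, only one the administrator has declared applicable, and a request stays pending until each triggered risk is actually covered, which is the property the Risk Manager is verifying in Figure 8.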