IBM Security Verify

Enforce Standards Compliant Access Revocations using IGI 5.2.5.1

By Ramakrishna Gorthi posted Wed April 08, 2020 10:08 AM

Authors – Ramakrishna J Gorthi (rjgorthi@in.ibm.com) & Vaibhav V Gadge (vaigadge@in.ibm.com)

Identity Governance and Intelligence (IGI) allows enterprises to provision, audit and report on user access and user activity through its life-cycle, compliance and analytics capabilities. While one of IGI's core functions is Access Certification (Continued Business Need), there is a more specific requirement: enforcing compliance with standards such as SOX while certifying accesses. Up to IGI 5.2.5, entering notes could be made mandatory when revoking an access. However, reviewers found a way to circumvent the mandate by typing makeshift comments such as “Revoked”, “abc”, “Not required” or “Done”, just for the sake of completing the process. This defeats the whole purpose of governance.

To make reviewers comply more closely with these standards, some enterprises want to enforce a rule whereby reviewers must provide a meaningful reason for revoking a specific access. In this way they adhere more closely to compliance standards, and when the company is audited, auditors can see the specific reason for each revocation rather than a makeshift one.

IGI 5.2.5.1 lets the admin configure a set of revocation reasons and attach it to an Access Certification Campaign, so that reviewers pick a revocation reason from a specific list, which ensures compliance.

Here are the steps to achieve this:

Step 1: Log in to the IGI Admin Console and launch the Lookup panel, as shown in Figure 1. Create a new Lookup named “Revocation Reasons” and define its values, which are the revocation reasons you would like to use in a specific campaign.

Figure 1 - Revocation Reasons Lookup

Step 2: Once you have configured the Revocation Reasons lookup, open the configuration of the campaign in which you want to impose these reasons. Note that the revocation reasons lookup can be specified or modified only while the campaign has not yet been launched; once the campaign is launched, you can no longer modify this lookup. Figure 2 shows the spot in the campaign where you associate the Revocation Reasons lookup created in Step 1.

Figure 2 - Pick the Lookup of Revocation Reasons

Step 3: In Figure 2, notice the picker icon next to the Revocation Notes widget; when clicked, it shows the list of Lookups present in the system. In the dialog that appears, you can click a specific lookup name to preview its values (the revocation reasons) before finally picking the one you want to apply to the current campaign. Figure 3 illustrates this.

Figure 3 - Preview the Lookup of Revocation Reasons

Once you have chosen the Revocation Reasons lookup, save the configuration, proceed with any other configuration in the campaign and launch it.

Note: If you still want to give reviewers the option to override the default list of revocation choices by specifying their own custom reason, enable the “Allow free text revocation notes” checkbox. By default it is unchecked, which means reviewers can only pick one of the pre-defined revocation reasons.

Step 4: Once the campaign has been configured with a revocation reason lookup and launched, here is what the reviewer's day-to-day experience looks like.

The reviewer logs into the Service Centre, clicks the Access Certifier module in the top-left hamburger menu and drills down into the campaign in which they are supposed to review accesses.

Figure 4 - Campaign Drill-down View

As shown in the figure, the campaign metadata at the top reflects that there is no activity yet in the campaign. For the next steps, we focus on the very first record in this view, which concerns certifying the accesses of Wilson Regan.

Step 5: Click the Approve icon there, and you will be prompted to pick the Revocation Notes, as configured by the admin.

Figure 5 - Browse through the application Revocation Reasons

Step 6: Select the Revocation Reason; once the record is revoked, it opens up for sign-off. Also note that the metadata has been updated, with the Review Progress showing that certification for 1 user has been recorded.

Figure 6 - Certified User Record

Step 7: Drill down into the user record to check that the action has actually been applied, with the reason you specified.

Figure 7 - Drill-down into the entitlements of a certified user

Step 8: Check the Notes of any entitlement in this list to see the Revocation Notes that were specified.

Figure 8 - Check the Notes of a certified record
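As an added illustration (not part of the original article and not IGI's own code), the following Python script replays the campaign rule described in the steps above over a constructed certification export: it accepts only notes drawn from the configured Revocation Reasons lookup unless “Allow free text revocation notes” is enabled, and even then it flags makeshift comments of the kind the article mentions. The lookup values, the CSV column layout and the minimum note length are assumptions, not anything IGI defines.

```python
import csv
import io
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for the "Revocation Reasons" lookup from Step 1 (hypothetical values).
REVOCATION_REASONS = {"Job role changed", "Employee left the organisation", "Duplicate entitlement"}
# Makeshift comments of the kind the article says reviewers used to enter.
MAKESHIFT_NOTES = {"revoked", "abc", "not required", "done", "ok", "n/a"}

@dataclass(frozen=True)
class Finding:
    user: str
    entitlement: str
    note: str
    problem: str

def check_note(note: str, allow_free_text: bool) -> Optional[str]:
    """Return a problem description, or None if the note satisfies the campaign rule."""
    text = note.strip()
    if not text:
        return "empty revocation note"
    if text in REVOCATION_REASONS:
        return None
    if not allow_free_text:  # checkbox unchecked: only lookup values are acceptable
        return "note is not one of the configured revocation reasons"
    # Free text allowed: still reject the low-information notes the article describes.
    if text.casefold() in MAKESHIFT_NOTES or len(text) < 15:
        return "free-text note is a makeshift comment"
    return None

def audit(export_csv: str, allow_free_text: bool) -> List[Finding]:
    """Replay the campaign rule over a certification export; return non-compliant revocations."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        if row["action"] != "REVOKE":  # approvals carry no revocation note
            continue
        problem = check_note(row["note"], allow_free_text)
        if problem:
            findings.append(Finding(row["user"], row["entitlement"], row["note"], problem))
    return findings

# Constructed sample export (hypothetical column layout, not an IGI export format).
SAMPLE_EXPORT = """user,entitlement,action,note
Wilson Regan,Finance Ledger Admin,REVOKE,Job role changed
Wilson Regan,HR Portal Reader,REVOKE,Done
Wilson Regan,Payroll Approver,APPROVE,
Wilson Regan,VPN Access,REVOKE,Contractor engagement ended on project close
"""
```

Running `audit(SAMPLE_EXPORT, allow_free_text=False)` flags both the “Done” note and the otherwise meaningful free-text note, because with the checkbox unchecked only lookup values are acceptable; with `allow_free_text=True` only “Done” is flagged.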