Re-certification
In this use case is described use case for access right re-certification, which means that users access rights are reviewed based on IGA Admins request or recurring request.
Use Case Description
This use case contains all functionalities for all Matrix42IGA Packages, different package content has been marked
* Add-on to IGA Starter package
** IGA Growth package
*** Only available for IGA Enterprise package
|
Description |
Overview |
This use case describes how access rights can be re-certificated in IGA solution.
Re-certification can be started for:
- IGA Entitlements: Re-certification request concerns only certain entitlement(s) added to request.
- IGA Business Roles*: Re-certification request concerns only certain business role(s) added to request
- Organizational: Re-certification request can concern users related to certain organizational unit, Cost Center or title
- ***High risk level users: If risk level calculation is implemented (part of IGA Enterprise package) re-certification can be started to those user who are calculated as high risk users.
- ***Privilege access users: If Manage Privilege Accesses is implemented, re-certification can be started to those users who has privilege account
|
Operators |
IGA solution
Self-Service Portal
Manager / User / Approvers
IGA Admin
IGA Owner |
Prerequisites |
All (about to be) re-certificated access rights are defined in IGA solution and they have needed mandatory information added. |
Result |
Access right re-certification has been successfully completed, IGA admin or IGA owner has been informed about re-certification results and audit details (access right records) are saved. |
Operating chain |
- IGA Admin opens IGA Re-certification Request view and selects "new"
- IGA Admin fulfills datacard
- Access right type:
- IGA Entitlement, IGA Admin needs to select one IGA Entitlement
- If Risk Level Calculation***, Manage Physical Accesses*** or Manage Privilege Accesses*** use cases are implemented, also entitlements related to those use cases can be re-certificated
- IGA Business Role*, IGA Admin needs to select one IGA Business role
- Organizational, IGA Admin needs to select organizational unit, Cost Center or Title
- High risk users***
- Privilege Accounts***
- Re-certification information to Approvers
- Text added, will be sent to needed Approvers in email
- IGA Admin can add automatic removal to be included in the re-certification process
- If automatic removal is included, IGA Admin can decide if approver declines request, if access rights are automatically removed from the directory or application
- Approval type, which changes according to access right type
- If access right type is: IGA Entitlement, Approval type can be:
- Re-run approval process (approval process is re-run according to approval level and approvers defined in the IGA Entitlement datacard
- Request approval only from Managers (IGA solution generates approval requests only to managers, who's subordinate has the IGA Entitlement activated)
- Request approval only from Approvers (IGA solution generates approval requests (all the users who has the IGA Entitlement active) only to Approver 1 and/or to Approver 2
- If access right type is IGA Business Role, approval type can be:
- Re-run approval process (approval process is re-run according to approval level and approvers defines in the IGA Entitlement datacard
- Request approval only from Managers (IGA solution generates approval requests only to managers, who's subordinate has the IGA Business Role active)
- Request approval only from Approvers (IGA solution generates approval requests (all the users who has the IGA Business Role active) only to Approver 1 and/or to Approver 2
- If access right type is Organizational, IGA Admin needs to choose which users are included in the organizational re-certification
- IGA Admin chooses Organizational Unit and selects one organizational unit from the list
- IGA Admin chooses Cost Center and selects one of the Cost Centers from the list
- IGA Admin chooses Title and selects one of the titles from the list
- Approval type is always re-run approval process
- If re-certification request type is high risk users, approval type can be:
- Re-run approval process for high risk users all active access rights (IGA Entitlements)
- Re-run approval process only for high risk IGA Entitlements related to high risk users
- If access right type is privilege accounts, Approval type is always Re-run approval process for privilege accounts
- All Managers, who's subordinate have privilege account needs to approve re-certification request
- Schedule Re-certification (start and end date timestamps)
- Reminder (when reminder will be sent to those who has not responded)
- IGA Solution will generate Approval request according to IGA Re-certification Request information
- Approver opens Self-Service Portal and can see requests waiting for Approval
- Approver can see details concerning Re-certification Request
- Approver can now accept or decline request
- Approver can also add a comment to the request
- IGA solution receives Re-certification Request results
- IGA Admin and / or IGA Owner can follow Re-certification Request progress
- Re-certification Request Status
- How many Re-certification Requests are approved?
- How many Re-certification Request are waiting for approval?
- How many Re-certification Request was rejected?
- If approval was rejected, IGA solution generates IGA Admin task for more detailed reviewing or starts removal automatically from the target system, if option is included in Re-certification Request
- If IGA Entitlement or IGA Business Role* contains manually managed access rights, will IGA solution generate removal request to IGA Admin, email address or other support group
- Access Right Record (audit details) are saved and process ends.
|
Related datacards |
IGA Re-certification Request**
IGA Request
Approval
IGA Access Right Record |
Self-Service |
ESS Approval |
Delete
Expansion Possibilities
In this chapter are listed expansion possibilities, but please notice that these might have affect to the projects schedule and work estimations, so these will always needs Matrix42Consultants review before agreeing on implementation.
1. New target groups
Customer can define different target groups, which access rights needs to be re-certificated according to Company policies. These target groups can be for example organizational units or users with certain title.
Delete
Relations & configuration instructions
Relations to other use cases,
Relations to other data cards,
IGA Re-certification Request**
IGA Request
Approval
IGA Access Right Record
Configuration instructions,
- Configure EPEtask called "[Directory] IGA Service request: Verify, Add, Remove"
- Configure the connection settings and after that Test connection from the EPEtask
- Define user and group filters and settings
- No need to change user identity mappings
- Go to IGA service request and workflow called "6. IGA Re-certification approval"
- Go to IGA Re-certification request and workflow called "IGA Re-certification request"
- Test re-certification request
- Prerequisite: Your test user needs subordinates who has the entitlement / Business role that needs re-certification.
- Prerequisite: When re-certifying Business role, your test user needs to be the owner of a Business role
- Prerequisite: When re-certifying Entitlement, your test user needs to be the owner of the Entitlement
- Validate that IGA Service requests are created successfully
- Validate approval request from ESS
- Reject approval request
- Approve approval request
- Check that re-certification is executed successfully
Delete