Self-Service: Remove access rights
Self-Service: Remove access rights
Self-Service: Remove access rights
This use case is part of access right management (ARM) process and in this article is described detailed use case for how end-users are able to remove access rights from Matrix42 Self-Service. This article also contains information how use case is configured and examples how customer is able to expand it.
When the use case is delivered, it contains two possibilities to request access right removal,
1. Remove access rights from myself (available to all end-users)
2. Remove access rights from my subordinate or external subordinate (available to managers)
Use case in a nutshell,
1. Manager or user requests access right removal from Matrix42 Self-Service
2. Approver(s) approves request(s) in the Matrix42 Self-Service
3. Access right(s) are automatically removed from user or manual request is sent for adding the access right(s) manually
4. Manager and user can see their own request history from Matrix42 Self-Service
6. All auditing details are available for reporting (by using ready-made reports and dashboards or IGA admins can easily create own reports)
Use case description
This use case can also related to other processes and use cases, which has been marked
*User lifecycle management
**Governance
***Automation & provisioning
****Expanded access right management
| Description | |
Overview |
This use case describes how user or manager can request removal for active additional access rights, that are requested through Self-Service. Business roles can be removed as a one, not entitlement by entitlement Entitlements, which are added to user based on ***Automated Rules, cannot be removed from Self-Service. If expanded access right management**** processes are taken into use, also physical and privilege accesses can be removed from the Self-Service. |
Operators |
IGA solution |
Prerequisites |
User needs to have active access rights, and auditing details needs to be found from IGA solution. Existing directory group memberships are read to IGA solution and needed audit details are saved to describe users current access rights. |
Result |
Removal request is appropriately approved, send to provisioning and access rights are removed according to defined end date. All audit details are saved and can be reported. User and manager can follow up the request status in Self-Service. |
Operating chain |
|
Self-Service |
Remove access rights from myself |
| Self-Service reporting | User can see own open removal requests |
| IGA admin reporting |
IGA admin can create new reports, views and dashboards or they can review, update and remove ready-made views, reports and dashboards. IGA admin can also decide if only active requests are reported, or is also history data included,
|
| IGA admin actions |
|
Messages |
User can see own open requests and their status, and request history from Matrix42 Self-Service portal, so it is highly recommended that email notifications are added to IGA solution in further development phase and try to guide users to portal at the first phase. Email notifications can be also added by IGA Admin. |
Delete
Expansion possibilities
Expansion possibilities are categorized in three category, but it is always important to validate if requested change has affect to the delivery schedule or work estimations.
| Category | Description |
|
Small (less than hour) |
Small changes does not usually affect to the delivery schedule or work estimations and these changes can be done also by IGA admins,
|
|
Medium (0,5 - 2 work days) |
Medium changes can be for example,
|
|
Large (more than 2 work days) |
Large changes usually takes longer time, since they require more detailed definition-, and testing work. Those can be for example,
|
Relations & configuration instructions
Relations to other use cases
Manage entitlements - use case for IGA admins to be able to define different settings to single access right group (entitlement), such as approvers, visibility in Self-Service, description etc.
Manage applications - entitlement needs to always be related to application, so its highly recommended to create manually or import customers application list to IGA solution.
Approval - use case for different approval types.
Delegation - use case for delegating approval responsibilities to other users.
De-provisioning - is used when group memberships are removed from the user.
Manage admin tasks - use case for IGA admins to be able to get notifications in case there is a need for manual actions.
Audits and reports - ready-made reports and dashboards for monitoring access right removals
Relations to other data cards
IGA Service Request
Person
IGA Entitlement
IGA Business Role
IGA Account
IGA Access Right Record
Configuration instructions
- Publish service "Remove Access Right Subordinate" in ESS
- Publish service "Remove Access Rights from Myself" in ESS
- Configure EPEtask called "[Directory] IGA Service request: Verify, Add, Remove"
- Configure the connection settings and after that Test connection from the EPEtask
- Define user and group filters and settings
- No need to change user identity mappings
- Configure EPEtask called "[Directory] IGA Access Right Record: Remove or Add Group"
- Configure the connection settings and after that Test connection from the EPEtask
- Define user and group filters and settings
- No need to change user identity mappings
- Go to IGA Access Right Record and workflow called "1.0 Access right ending"
- Publish the workflow
- Publish the workflow
- Go to IGA Access Right Record and workflow called "2.0 Add or remove group membership"
- Publish the workflow
- Publish the workflow
- Go to IGA service request and workflow called "2.1 Manager Remove Rights from Others"
- Publish the workflow
- Publish the workflow
- Go to IGA service request and workflow called "2.4 Users Remove Rights from Themselves"
- Publish the workflow
Unit testing instructions
- Create test users to the directory, both user and manager level
- Read directory information and make sure that IGA Work periods and IGA access right records are created correctly
- Make sure that the manager information can be found from the work period datacards
- Create manual type of entitlements
- Request access rights to your test users (user needs to have active access right records, which can be removed)
- Test remove access right services from ESS
- Check the IGA Service Request from ESM that is executed successful
- Check the group memberships from the Directory. New group is removed from the user
- If you are working with an environment where one user can have multiple work periods, make sure to test:
- that entitlement is not removed from the user if it is active on more than one work period at the same time
- that the access right record related to the work period and entitlement is set to suspended
System and approval testing instructions
In this chapter are described preparations tasks and testing instructions for system testing and user approval testing phases.
Preparation tasks for both phases
1. Manage entitlements, manage request catalog, manage IGA users and approvalrelated test cases are successfully tested and preparation tasks are implemented (same test users are used for testing access right requests and approvals).
2. Test users are created and there are existing manager - subordinate relations
Testing instructions,
| Test case | Testing steps | Outcomes |
| Remove access rights from yourself (login as user) | ||
| Request removal for manual and automatic provisioning type of entitlements | ||
| Request business role removal | ||
| Check that status is updated correctly in the front page after declining or approving the removal request (notice polling time) | ||
| Check that My requests is showing history correctly for removal requests | ||
| Remove access rights from your subordinate and approve removal requests made by your subordinate (login to Self-Service as manager) | ||
Approve removal requests waiting for approval |
||
Decline some of the removal requests waiting for approval |
||
Request removal for automatic and manual provisioning type of entitlements |
||
| Request business role removal | ||
| Check that status is updated correctly in the front page after declining or approving the removal request (notice polling time) | ||
| Check that approvals is showing request history correctly | ||
Remove access rights from your external subordinates (login to Self-Service as manager) |
||
Remove automatic and manual provisioning type of entitlements |
||
Remove business roles |
||
Approve access right requests (login to Self-Service as entitlement or business role approver) |
||
Approve removal requests waiting for approval |
||
Decline removal requests waiting for approval |
||
Check that removal request status is updated correctly in the front page after declining or approving the request (notice polling time) |
||
Check that approval history is showing correctly |
||
| Login to IGA solution as IGA admin | ||
| Validate that IGA service request is created correctly | ||
| Validate from the directory that group-membership connection removed correctly | ||
| Validate that reports, dashboards and views are showing auditing details correctly | ||
| Validate that entitlement data card is showing group-membership connection correctly | ||
| Validate that users IGA account data card is showing group-membership connection correctly | ||
| Validate that manual access right removal requests are created correctly (either IGA admin task generated to the support group or email sent for manual actions) |
Delete
Table of Contents