Version 6.3 Release Notes - Easily Configure Ideal Access with Entitlement Role Modeling

Highlighted Features

Imagine a world where your IAM platform not only understands the intricacies of your application permissions and how they work but also helps you quickly and easily configure role-based access across all applications within the role. With Entitlement Role modeling, this imaginary world is now a reality.

In Permission Assist version 6.3, Entitlement Roles understand the details of how permissions are defined within each of your applications, so they can help you more quickly and easily define ideal access for each role. For example, if you're creating an entitlement role for your Tellers and you assign them to a “Teller” group within your core system, Permission Assist knows which permissions are part of that group, and automatically assigns each of the inherited permissions within the group as well. Permissions that aren't assigned through groups can be individually selected. This doesn’t just make modeling ideal access easier; it helps you quickly see how changes to permissions might affect other permissions.

The days of selecting 100 different permissions, even though they’re inherited from a group, are over. So is the struggle to figure out which specific permissions belong to a group or what other permissions are affected when access to a particular entitlement is assigned.

For example, John is a Loan Officer for First Financial, and he needs to be able to process the loan paperwork on the loan origination system. Although the loan origination system is role-based and the Security Team has been encouraging the use of roles to assign permissions, it's possible to assign permissions at the user level. Because of this, people have often overridden the role and assigned the permission to process the loan paperwork at the user level, not realizing that it is already one of 55 privileges within the loan origination system that are technically inherited via a "loan officer" group. With Permission Assist's detailed analysis of the loan origination system's security model, we can easily understand the privileges that someone should get and how they get them.
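The kind of analysis described above, sketched as an added example (not Permission Assist code or its data model): a role is expanded through group inheritance, then a user's actual access is compared against it to surface user-level grants that duplicate inherited privileges. All names (`GROUP_PRIVS`, `expand_role`, `review_user`, the privilege strings) and the sample data are constructed for illustration.

```python
# Constructed security model for a hypothetical loan origination system.
# The "loan officer" group carries 55 privileges, as in the example above.
GROUP_PRIVS = {
    "loan officer": {f"los.priv.{n:02d}" for n in range(1, 55)}
                    | {"los.process_paperwork"},
    "teller": {"core.cash_drawer", "core.view_account"},
}

def expand_role(role):
    """Return {privilege: source} describing the role's ideal access."""
    ideal = {priv: "direct" for priv in role.get("privileges", ())}
    for group in role.get("groups", ()):
        for priv in GROUP_PRIVS[group]:
            # Attribute the privilege to the group even if it was also
            # selected individually, so the inheritance path stays visible.
            ideal[priv] = f"group:{group}"
    return ideal

def review_user(user, role):
    """Compare a user's actual access with the role's ideal access."""
    ideal = set(expand_role(role))
    inherited = set()
    for group in user["groups"]:
        inherited |= GROUP_PRIVS.get(group, set())
    direct = set(user["direct"])
    effective = inherited | direct
    return {
        # User-level grants that a group membership already provides.
        "redundant_direct": sorted(direct & inherited),
        # Access the user holds that the role does not call for.
        "outside_role": sorted(effective - ideal),
        # Access the role calls for that the user lacks.
        "missing": sorted(ideal - effective),
    }

# Constructed role and user: John is in the group, yet also holds two
# privileges assigned at the user level.
LOAN_OFFICER_ROLE = {"groups": ["loan officer"],
                     "privileges": ["los.export_report"]}
JOHN = {"groups": ["loan officer"],
        "direct": ["los.process_paperwork", "los.delete_loan"]}

if __name__ == "__main__":
    for finding, privs in review_user(JOHN, LOAN_OFFICER_ROLE).items():
        print(f"{finding}: {privs}")
```

Redundant user-level grants matter in a review because they survive removal from the group: taking John out of "loan officer" would still leave him able to process loan paperwork.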

With these changes, the Entitlement Roles Details page has changed significantly (see picture below). For more information, refer to the Entitlement Roles detail page topic.

 

All Features

Aside from the continual performance improvements and minor bug fixes provided with each release, the following features have been included with version 6.3:

Feature

Description
Customizable columns for application users

A new column button, displayed in the top right corner of the application's Users tab, allows you to add or remove columns from the list of users and sort by new options. To change which columns are displayed, select the column button and then pick any of the following options.

  • Username: Select this option to display the Username column, which shows the username of the user as it appears within the application.

  • Type: Select this option to display the application user Type. Within Permission Assist, users can be classified as specific types such as employee, service account, vendor account, and so on. User types can be helpful for sorting/searching, and can also be used by Permission Assist to create recommendations or filter reviews.

  • Match: Select this option to display the Identity column, which shows the Identity the user is matched to.

  • Created Date: Select this option to display the Created Date column, which shows the date the user account was created (if available).

  • Last Login: Select this option to display the Last Login column, which shows the date of the user's most recent attempt to log into the application (if available).

  • Review Supervisor: Select this option to display the Review Supervisor column. The user's review supervisor is, by default, determined through the matched Identity and is sourced from the "manager" property in Active Directory. The review supervisor can also be manually reassigned. If the Security Team starts a review that includes "Reviewing Supervisors," this field is used to determine which review items are assigned to each supervisor.

Customizable columns for application groups

A new column button, displayed in the top right corner of the application's Groups tab, allows you to add or remove columns from the list of groups and sort by new options. To change which columns are displayed, select the column button and then pick any of the following options.

  • Name: This option displays the Name column, which shows the name of the group as determined within the application.

  • Nomenclature: This option displays the Nomenclature column, which indicates how the application refers to this group. For example, within the application it may be called a role, template, group, or something else.

  • Description: Select this option to display the Description column, which provides a description for the group. This description can be imported with your application data if it's available. It can also be manually entered within the Privileges tab.

  • Review Supervisor: Select this option to display the Review Supervisor column. The group's review supervisor can also be manually assigned by completing the following steps:

      1. Select a group.

      2. Select the Actions button in the upper right corner of the detail panel.

      3. Select Reassign Review Supervisor. The Reassign Review Supervisor window opens, allowing you to select a review supervisor for the group.

    If the Security Team starts a groups review that includes "Reviewing Supervisors," the review supervisor is used to determine which review items are assigned to each supervisor.

Customizable columns for Identities

A new column button, displayed in the top right corner of the Identities list, allows you to add or remove columns from the list of Identities and sort by new options. To change which columns are displayed, select the column button, and then pick any of the following options.

Each option is listed with its description and the Active Directory attribute it maps to (displayed on the Attribute Editor tab).

  • Name: This option displays the Identity's name. It is selected by default and cannot be removed. Active Directory attribute: givenName (First Name), sn (Last Name)

  • Username: Select this option if you want to see the Identity's username. Active Directory attribute: SamAccountName

  • Email: Select this option if you want to see the Identity's email address. Active Directory attribute: mail

  • Title: Select this option if you want to see the Identity's job title. Active Directory attribute: title

  • Supervisor: Select this option if you want to see the Identity's supervisor as defined within the Active Directory directory source. Active Directory attribute: manager

  • Type: Select this option if you want to see the Identity's type, which is typically defined by the directory source rules, but can also be defined on the Identity. Within Permission Assist, Identities can be classified as specific types such as employee, service account, vendor account, and so on. Identity types can be helpful for sorting/searching, and can also be used by Permission Assist to create recommendations or filter reviews. Active Directory attribute: N/A

  • Source: Select this option if you want to see the directory source from which the Identity originates. Currently, the only supported directory source is Active Directory. Active Directory attribute: N/A

  • Created On: Select this option if you want to see the date the Identity was created. NOTE: This is the created date from your directory source, not the date the Identity was created within Permission Assist. Active Directory attribute: whenCreated

  • Updated On: Select this option if you want to see the date the Identity was most recently updated. NOTE: This is the update date from your directory source, not the date the Identity was updated within Permission Assist. Active Directory attribute: whenChanged

Enhanced Reporting

We've enhanced some reports to make your life easier and help with auditing:

  • Identity Matching information has been added to the Application Users report (Excel version only). This can be helpful in situations where you want to troubleshoot exactly how a user is matched to an Identity.

  • The import date has been added to both the User Changes log report and the Group Changes log report, which is helpful for auditing purposes.

  • The Created On and Updated On dates have been added to the All Identities Summary report.

Entitlement Role modeling

See a description in the Highlighted Features section above for more information.

Job titles have been added to all employees shown within an Identity's organization chart

In the past, only the larger tiles for people at the top could show the job titles, which became inconvenient at times. Now job titles are readily available for all employees (see example below).

Provision team - are you getting more emails than you want?

A new option has been added to the System Configuration > Access Requests > Workflow tab, which allows you to define which Provision Engineers are required to respond to access requests, and as a result, which Provision Engineers are emailed when an access request is created. Two options are provided:

  • All: This option is selected by default. When this option is selected, Permission Assist will continue to work as it has in previous versions: all Provision Engineers (regardless of whether they are defined in the System Authentication area or at the application level) will be considered potential responders to an access request that is created. Email notifications will be sent to all Provision Engineers.

  • Application Only: When this option is selected, the Provision Engineers defined at the application level (in the Application > Responsibilities tab) are considered the required responders to an access request for their applications. When an access request is created, the email notifications will be sent to the application Provision Engineers and not to the Provision Engineers defined at the System Configuration area.

    If an application doesn't have any defined Provision Engineers, the Provision Engineers defined in the System Configuration > System Authentication > Provision Team become the required responders and will receive an email notification when an access request is created.

 

Schedule imports on a monthly or quarterly basis

If you like (or need) to complete monthly or quarterly reviews of your applications, and you like to automatically import data prior to the review, we hope you'll also like the new options to schedule imports on either a monthly or quarterly basis (see example below).

To use the new options, schedule your automatic imports as usual and select the option you prefer.