Permission Assist Overview
Assurance
Permission Assist was designed to help solve two common issues with regard to permission reviews:
- Lack of Understanding – it's often difficult to understand access reports, sometimes even when you're an application expert; it becomes even more difficult over time as you add systems/applications and try to connect users across those systems to determine if toxic permissions exist. As part of your Identity Governance and Administration (IGA) activities, Permission Assist allows you to easily track identities across all of your applications for audit and security purposes. This helps you make sure the right people have access to the right things.
- Keeping up with Regulatory Demands – with an increased focus on security, financial institutions and regulatory bodies want to do more frequent reviews and are increasing the number of systems requiring permission reviews. It’s getting harder and harder to keep up with regulatory demands. By streamlining data collection, review workflows, and role-based privilege enforcement, Permission Assist helps make managing and providing proof of reviews easier.
Data Collection
Perhaps the most time-consuming task of an IGA audit is the data collection and preparation. This is why we've made it easy and flexible to import your application privilege data into Permission Assist. There are 3 ways to get your data into Permission Assist:
- Many application plugins that are specific to the financial industry are already available within Permission Assist. After adding the application into Permission Assist, simply import the native files that your vendor exports, and Permission Assist will do the rest.
- Permission Assist also provides a standardized privilege file template which is easy to understand. If you have access to your privilege data and can get it into an Excel spreadsheet, the standardized file templates are the ultimate fail safe for getting data into Permission Assist.
- In the event you have a special system that does not yet have an industry-specific application plugin, we can work with you to create one through our Application Plugin Sponsorship program. For more information, please contact support at:
  Phone: 1-855-212-1155 x2
  Email: support@sycorr.com
  Web: sycorr.com/support
Review Workflow
The review process for IGA has been streamlined into an easy-to-use review management system. When a review is started, Permission Assist places reviewers into groups as follows:
An Application Manager is the "owner" of an application or someone who is responsible for the administration functions and maintenance of that application. Within Permission Assist, Application Managers may be assigned to applications within the Responsibilities tab (Manage > Applications > select the application > Responsibilities tab).
If the review is set up to require Application Managers, they are able to complete review items for users within their assigned application (this is their primary responsibility as a reviewer). In addition to reviewing items, they can also complete the following tasks within Permission Assist:
- Add and maintain applications, change application settings, import privilege/access data
- See access requests for applications they manage (on the Change Management Taskboard)
A Supervisor is someone who is responsible for reviewing permissions for their direct reports or others the Security Team has assigned to them. A person could also be given Supervisor access to Permission Assist if:
- they've been assigned Supervisor responsibilities for at least one group within a particular application.
- they've been assigned responsibilities on behalf of another supervisor.
If the review is set up to require Supervisors, Supervisors are able to complete review items for their direct reports or other users who have been assigned to them (this is their primary responsibility as a reviewer). In addition to reviewing items, they can also see access requests (on the Change Management Taskboard) that they've created by flagging items within a review.
An Area Reviewer within Permission Assist is someone who has been assigned to review a specifically defined set of permission data within an application. For example, if your organization decides they want a specific person to review permissions related to sensitive accounts and sensitive account information, the Security Team may set up a Reviewable Area that includes only the permissions related to that set of functions within an application. The Area Reviewer assigned to that area is responsible for reviewing those permissions to ensure proper access is given (or not) to each user within the application. Area Reviewers are assigned to an area within the Reviewable Areas tab.
If the review is set up to require Area Reviewers, they are able to complete review items for their reviewable areas (this is their primary responsibility as a reviewer). In addition to reviewing items, they can also see access requests (on the Change Management Taskboard) that they've created by flagging items within a review.
Anyone who has been assigned to an organizational unit is a Defined Manager. If the review is set up to require a defined manager, the manager is able to complete review items for users within their organizational unit (defined within your directory source such as Active Directory).
Anyone who has been assigned to the Security Team group within the System Configuration area is a Security Team member. If the review is set up to require the Security Team, Security Team members are able to complete review items for all users. Typically, the Security Team is also responsible for adding applications, importing data, and preparing/overseeing permission reviews. For more information about Security Team members and what they can do, refer to the Security Team's Guide.
A Typical Review
The workflow of a review varies depending on how your version of Permission Assist is set up. In a typical review, the Security Team will create a review and notify reviewers that a review has been started. Each reviewer will then log into Permission Assist and use the Review Items Taskboard to manage their review items. Using the Review Items Taskboard can be likened to going through your email with each review item being one item in a list of items. Each review item will need to either be approved or flagged for remediation by at least one person. Depending on how the review is set up, additional reviewers may need to review the item as well. To speed up the process in future reviews, a "Quick Review" can be created which allows Permission Assist to automatically pre-approve review items for identities whose permissions either haven't changed at all or have been reduced since the last review.
When all review items have been approved or flagged by each required reviewer, the review can be determined "Complete" by a member of the Security Team. After the review has been completed, the Security Team can review and export reports to gain insight on how to remedy any security issues that arise. Organizations will frequently prepare for an actual IGA audit by creating one or more "test" reviews within a test environment.
Role-Based Privilege Enforcement
With Entitlement Roles, Permission Assist will auto-discover and enforce employee roles across all applications, and instantly alert you to users who are outside the permission structure you create.
It's easiest to explain how the role build works by example. Let's say you have ten tellers who work at a particular branch. All of your tellers have been added to your directory service and are in the Teller group. Using Entitlement Roles, you are able to create a defined permission template for your Tellers. In your template, you allow them access to all the features in your Teller application that they should be allowed to use. When you start a review, Permission Assist will look at the most recently imported application data and compare it against the Teller Role you built. If any Tellers are out of line with the Role, you will see the specific permission(s) identified in the Review Items Taskboard along with a reason. It is then the job of the reviewers to mark the item as approved or flagged for remediation.
Note that just because Permission Assist identifies a permission as out of bounds doesn't mean that there isn't a real-world reason for a person to have additional permissions. For instance, perhaps one of your tellers opens the bank and needs extra permissions to be able to open the safe. In this way, Permission Assist helps you to see people in your organization that have extra privileges and manage their access with confidence.
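An added illustration (not Permission Assist's own code) of the role comparison described above combined with the Quick Review rule from "A Typical Review". The permission names, users and the `build_review_items` helper are hypothetical, and it assumes only out-of-role permissions become review items. It uses a subset test, not a permission count, so a user who holds fewer permissions overall but gained one new permission still goes to a reviewer.

```python
from dataclasses import dataclass

# Constructed sample data: role, users and permission names are hypothetical.
TELLER_ROLE = frozenset({"cash_drawer.open", "deposit.post",
                         "withdrawal.post", "balance.view"})

@dataclass(frozen=True)
class ReviewItem:
    user: str
    permission: str
    reason: str
    pre_approved: bool

def build_review_items(role, current, last_reviewed):
    """Flag permissions outside the role template and apply the Quick Review rule.

    role:          permissions the role template allows
    current:       {user: set of permissions} from the most recent import
    last_reviewed: {user: set of permissions} as of the previous review
    """
    items = []
    for user in sorted(current):
        perms = current[user]
        previous = last_reviewed.get(user)
        # Unchanged or reduced means every current permission was already
        # held at the last review. A user with no prior review never qualifies.
        quick = previous is not None and perms <= previous
        for perm in sorted(perms - role):
            items.append(ReviewItem(user, perm, "outside role template", quick))
    return items

def sample_items():
    current = {
        "alice": set(TELLER_ROLE),                                # matches the role
        "bob": TELLER_ROLE | {"vault.open"},                      # known exception
        "carol": {"deposit.post", "balance.view", "limit.override"},  # fewer, but one new
        "dave": TELLER_ROLE | {"wire.send"},                      # no previous review
    }
    last_reviewed = {
        "alice": set(TELLER_ROLE),
        "bob": TELLER_ROLE | {"vault.open"},
        "carol": TELLER_ROLE | {"wire.send"},
    }
    return build_review_items(TELLER_ROLE, current, last_reviewed)

if __name__ == "__main__":
    for item in sample_items():
        print(item)
```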