Version 6.3 Release Notes - Easily Configure Ideal Access with Entitlement Role Modeling

Highlighted Features

NOTE: Our hardware and software requirements have changed. Please review the requirements and update if needed. This will ensure your servers meet the current standards and continue to operate smoothly.

 

Imagine a world where your IAM platform not only understands the intricacies of your application permissions and how they work but also helps you quickly and easily model ideal role-based access across all applications within the role. With Entitlement Role modeling in Permission Assist version 6.3, this imaginary world is now a reality.

An IAM Platform that Understands Your Application Permissions

In Permission Assist version 6.3, Entitlement Roles understand how permissions are defined within each of your applications. This helps you more quickly and easily define ideal access for each role. For example, let’s say you create an entitlement role for your Tellers. In this role, you assign them to a “Teller” group within your core system. Because Permission Assist knows which permissions are part of that group, it automatically assigns each inherited permission from the group. This doesn’t just make modeling ideal access easier – it also helps you see how changing permissions might affect other permissions.

The Struggle is Over

The days of selecting 100 different permissions, even though they’re inherited from a group, are gone. So is the struggle to figure out which specific permissions belong to a group or which permissions are affected when you enable a particular enlistment. For example, John is a new Loan Officer for First Financial. He needs to be able to process the loan paperwork on the loan origination system. Although the loan origination system is role-based, and internal policies encourage the use of roles to assign permissions, it’s still possible to assign permissions at the user level.

When Jordan, the Provision Engineer, sets up John’s access, he assigns John to the “Loan Officer” group as usual. Then, he goes into John’s account, unknowingly overrides the role, and enables access to process the loan paperwork. Jordan didn’t realize he broke policy and gave John extra permissions. He didn’t realize that the permission John needed to process loan paperwork was one of 55 privileges that John already inherited through the “Loan Officer” group. But, Jordan’s not alone. In the world of Identity and Access Management (IAM), this is just one easy example in a sea of constant struggle.

With Entitlement Role modeling, you can be proactive and prescriptive without the struggle. You can see a detailed analysis of an application’s security model and define ideal access with least privilege. Provision Engineers have a template, so they know exactly which privileges someone should get and how they get them. Confusion is gone; life is good, and the mic is officially dropped. Happy New Year!!

For more information refer to the Entitlement Roles detail page topic.

 

All Features

Aside from the continual performance improvements and minor bug fixes provided with each release, the following features have been included with version 6.3:

Feature

 Description
Customizable columns for application users

A new column button, displayed in the top right corner of the application's Users tab , allows you to add or remove columns from the list of users and sort by new options. To change which columns are displayed, select the column button and then pick any of the following options.

Option Description
Username Select this option to display the Username column, which shows the username of the user as it appears within the application.
Type Select this option to display the application user Type.

Within Permission Assist, users can be classified as specific types such as employee, service account, vendor account, and so on. User types can be helpful for sorting/searching, and can also used by Permission Assist to create recommendations or filter reviews.
Match Select this option to display the Identity column, which shows the Identity the user is matched to.
Created Date Select this option to display the Created Date column, which shows the date the user account was created (if available).
Last Login Select this option to display the Last Login column, which shows the date of the user's most recent attempt to log into the application (if available).
Review Supervisor

Select this option to display the Review Supervisor column.

The user's review supervisor is, by default, determined through the matched Identity and is sourced from the "manager" property in Active Directory. The review supervisor can also be manually reassigned.

If the Security Team starts a review that includes "Reviewing Supervisors" this field is used to determine which review items are assigned to each supervisor.

Customizable columns for application groups

A new column button, displayed in the top right corner of the application's Groups tab , allows you to add or remove columns from the list of groups and sort by new options. To change which columns are displayed, select the column button and then pick any of the following options.

Option Description
Name This option displays the Name column, which shows the name of the group as determined within the application.
Nomenclature This option displays the Nomenclature column, which indicates how the application refers to this group. For example, within the application it may be called a role, template, group, or something else.
Description Select this option to display the Description column, which provides a description for the group. This description can be imported with your application data if it's available. It can also be manually entered within the Privileges tab.
Review Supervisor

Select this option to display the Review Supervisor column.

The group's review supervisor is can also be manually assigned by completing the following steps:

  1. Select a group.

  2. Select the Actions button () in the upper right corner of the detail panel.

  3. Select Reassign Review Supervisor. The Reassign Review Supervisor window opens, allowing you to select a review supervisor for the group.

If the Security Team starts a groups review that includes "Reviewing Supervisors," the review supervisor is used to determine which review items are assigned to each supervisor.

Customizable columns for Identities

A new column button, displayed in the top right corner of the Identities list allows you to add or remove columns from the list of groups and sort by new options. To change which columns are displayed, select the column button , and then pick any of the following options.

Option Description Maps to the following Active Directory attribute (displayed on the Attribute Editor tab)
Name This option displays the Identity's name. It is selected by default and cannot be removed. givenName (First Name) sn (Last Name)
Username

Select this option if you want to see the Identity's username.

 SamAccountName
Email

Select this option if you want to see the Identity's email address.

 mail
Title

Select this option if you want to see the Identity's job title.

 title
Supervisor

Select this option if you want to see the Identity's supervisor as defined within the Active Directory directory source.

 manager
Type

Select this option if you want to see the Identity's type, which is typically defined by the directory source rules, but can also be defined on the Identity.

Within Permission Assist, Identities can be classified as specific types such as employee, service account, vendor account, and so on. Identity types can be helpful for sorting/searching, and can also used by Permission Assist to create recommendations or filter reviews.

 N/A
Source Select this option if you want to see the directory source from which the Identity originates. Currently, the only supported directory source is Active Directory. N/A
Created On

Select this option if you want to see date the Identity was created.

NOTE: This is the created date from your directory source, not the date the Identity was created within Permission Assist.

 whenCreated
Updated On

Select this option if you want to see date the Identity was most recently updated.

NOTE: This is the update date from your directory source, not the date the Identity was updated within Permission Assist.

 whenChanged

Enhanced Reporting

We've enhanced some reports to make your life easier and help with auditing:

  • Identity Matching information has been added the Application Users report (Excel version only). This can be helpful in situations where you want to troubleshoot exactly how a user is matched to an Identity.

  • The import date has been added to both the User Changes log report and the Group Changes log report, which is helpful for auditing purposes.

  • The Created On and Updated On dates have been added to the All Identities Summary report.
Entitlement Role modeling See a description in the Highlighted Features section above for more information.

Job titles have been added to all employees shown within an Identity's organization chart

In the past, only the larger tiles for people at the top could show the job titles, which became inconvenient at times. Now job titles are readily available for all employees (see example below).
Provision team - are you getting more emails than you want?

A new option has been added to the System Configuration > Access Requests > Workflow tab, which allows you define which Provision Engineers are required to respond to access requests, and as a result, which Provision Engineers are emailed when an access request is created. Two options are provided:

Option Description
All

This option is selected by default. When this option is selected, Permission Assist will continue to work as it has in previous versions - all Provision Engineers (regardless if they are defined in the System Authentication area or at the application level) will be considered a potential responder to an access request that is created. Email notifications will be sent to all Provision Engineers.
Application Only

When this option is selected, the Provision Engineers defined at the application level (in the Application > Responsibilities tab) are considered the required responders to an access request for their applications. When an access request is created, the email notifications will be sent to the application Provision Engineers and not to the Provision Engineers defined at the System Configuration area.

If an application doesn't have any defined Provision Engineers, the Provision Engineers defined in the System Configuration > System Authentication > Provision Team become the required responders and will receive an email notification when an access request is created.

 
Schedule imports on a monthly or quarterly basis

If you like (or need) to complete monthly or quarterly reviews of your applications, and you like to automatically import data prior to the review, we hope you'll also like the new options to schedule imports on either a monthly or quarterly basis (see example below).

To use the new options, schedule your automatic imports as usual and select the option you prefer.