System Authentication

Authorization Tab

Security Groups determine who has access to administrative, security, remediation, and reporting rights within Permission Assist. The System Authentication area allows you to assign Active Directory groups or users to Permission Assist Security Groups. The following table describes each group and what access is allowed for each group:

Group	Description
Administrators	Members of this group have access to the following: System Configuration – administrators are allowed full access to the System Configuration settings (which determine how Permission Assist works). For example, they can update the Permission Assist license, define workflow settings, determine who is assigned to these Permission Assist groups, and so on. Manage – administrators have limited access to the features within the Manage menu including the following: Identities – administrators have full access to view Identity information including the Active Directory groups, applications, and Permission Assist responsibilities for each Identity. They can also reassign Permission Assist responsibilities using the 'On Behalf Of' feature. Applications – administrators have full access to these features. Administrators may have access to other features within Permission Assist if they also belong to another group.
Security Team	Members of this group have access to the following: Manage: Reviews – the security team is primarily responsible for creating and managing reviews so they have full access to these features. Applications – the security team is primarily responsible for adding applications and importing data so they have full access to these features. Identities – the security team has full access to view Identity information including the Active Directory groups, applications, and Permission Assist responsibilities for each Identity. They can also reassign Permission Assist responsibilities using the 'On Behalf Of' feature. Entitlement Roles – people within these groups have full access to these features; no other groups are allowed access to Entitlement Roles; however, Application Managers also have limited access to Entitlement Roles (see the description for Application Managers in the "info" below this table). Separation Rules – people within these groups have full access to these features; no other groups are allowed access to Separation Rules. Review Items Taskboard – the security team has full access to all reviews and features within the Review Items Taskboard. Change Management Taskboard – the security team has access to view remediation access requests and to initiate personnel events. They cannot complete access requests unless they either belong to the Provision Team, they are a Provision Engineer for a specific application, or they are required to verify the remediation access request before the request can be considered complete (defined in the System Configuration > Taskboards > Reviews > Starting Remediation area). Reports – the security team has full access to view reports under the Reports menu. The security team does not have access to any System Configuration functions unless they also belong to the Administrators group.
Provision Team	Members of this group have full access to the features within the Change Management Taskboard and are be able to make decisions on remediation access requests for all applications. They do not have access to any other features within Permission Assist unless they also belong to another group.
Personnel Managers	Members of this group have access to the following: Change Management Taskboard – the security team has access to view and create personnel events. They cannot complete access requests related to their events unless they either belong to the Provision Team or they are a Provision Engineer for a specific application.
Reporting Only	Members of this group have access to view reports under the Reports menu and are able to view and print data for all reviews and applications. They do not have access to any other features unless they also belong to one of the other groups mentioned above.
Impersonation	Members of this group have the ability to log in and take action as another user. When someone logs in and takes action as another user, their actions are logged within the database. Impersonation data is retained for 18 months.

There are other roles within Permission Assist that are not determined based on the groups on this page:

Supervisors
No special Active Directory group is needed for Supervisors. In most cases, Permission Assist automatically determines which Identities are supervisors based on whether they have direct reports assigned to them within your directory services application (Active Directory). A person could also be given Supervisor access to Permission Assist in either of the following scenarios: they've been assigned Supervisor responsibilities for a user or group within an application, or they've been assigned responsibilities on behalf of another supervisor.

Supervisors have access to the following:
- Review Items Taskboard – supervisors have access to reviews in which they are assigned tasks.
- Change Management Taskboard – supervisors have access to see any access requests they send to the Provision Team. They cannot complete access requests unless they either belong to the Provision Team, they are a Provision Engineer for a specific application, or they are required to verify the remediation access request before the request can be considered complete (defined in the System Configuration > Taskboards > Access Requests area).
  
  NOTE: Supervisors may have access to other features within Permission Assist if they also belong to another group.

Defined Managers
Permission Assist determines which Identities are managers based on whether they have been assigned to an organizational unit on the Managers page.

Managers have access to the following:
- Review Items Taskboard – managers have access to reviews in which they are assigned tasks.
- Change Management Taskboard – managers have access to see any access requests they send to the Provision Team. They cannot complete access requests unless they either belong to the Provision Team, they are a Provision Engineer for a specific application, or they are required to verify the remediation access request before the request can be considered complete (defined in the System Configuration > Taskboards > Access Requests area).
  
  NOTE: Managers may have access to other features within Permission Assist if they also belong to another group.

Application Managers
Any Identity within Permission Assist can be given the responsibility of being an Application Manager, so no special Active Directory group is needed for Application Managers. As an Application Manager, they will have access to the following:
- Review Items Taskboard – Application Managers have access to the Review Items Taskboard and can view/take action on items only for applications they manage.
- Manage:
  - Applications – Application Managers have access to the applications they manage within the Manage > Applications area and can import data if needed.
  - Entitlement Roles - Application Managers have access to Entitlement Roles if the applications they manage are included in an entitlement role; they can allow or deny permissions and commit changes only for the applications they manage (not for the Entitlement Roles as a whole).
- Change Management Taskboard– Application Managers will be able to see remediation access requests related to the applications they manage. They cannot complete access requests unless they either belong to the Provision Team, they are a Provision Engineer for a specific application, or they are required to verify the remediation access request before the request can be considered complete (defined in the System Configuration > Taskboards > Access Requests area).
- Reports - Application Managers have limited access to generate reports for the applications they manage.
  
  NOTE: Application Managers may have access to other features within Permission Assist if they also belong to another group.

Assign AD Groups or Users to a Permission Assist Security Group

To assign an Active Directory group or user to a Security Group, complete the following steps:

Select a security group within the list. The details panel appears.

Select the light grey cogwheel in the upper right corner of the details panel, and select one of the following options:

Option	Description
Add Identity	Select this option to add a single Identity to the Permission Assist security group; the Add Identity box appears. Multiple Identities may be added (one at a time). To add an Identity: In the Select an identity field, type the name of the identity or scroll down and pick the identity from the list. Select Save. The new Identity is displayed within the details panel.
Add Directory Group	Select this option to add everyone within a specific Active Directory group to the Permission Assist Security Group; the Add Directory Group box appears. Multiple groups may be added (one at a time). To add a group: In the Select a directory group field, type the name of a Active Directory group or scroll through the list to find the group and select it. Select Save. The new group displayed within the details panel.

Option

Description

Add Identity

Select this option to add a single Identity to the Permission Assist security group; the Add Identity box appears. Multiple Identities may be added (one at a time).

To add an Identity:

In the Select an identity field, type the name of the identity or scroll down and pick the identity from the list.
Select Save. The new Identity is displayed within the details panel.

Add Directory Group

Select this option to add everyone within a specific Active Directory group to the Permission Assist Security Group; the Add Directory Group box appears. Multiple groups may be added (one at a time).

To add a group:

In the Select a directory group field, type the name of a Active Directory group or scroll through the list to find the group and select it.
Select Save. The new group displayed within the details panel.

When Permission Assist Security Groups are set up, you can test that people have been given appropriate access to Permission Assist by selecting the Test Authentication button on the upper right corner of the page.

Single Sign On Tab

Permission Assist allows you to set up Single Sign On (SSO) through an OpenID Provider. To set up SSO, enter information into each of the following fields as needed:

Field

Description

Preference

Select one of the following options:

Option:

Description:

None

When this option is selected, people will log in to Permission Assist using their regular Windows/network user name and password.

Preferred

When this option is selected, the Permission Assist login page will look similar to the following:

People can either select the button to log in to Permission Assist through SSO immediately or they can wait to be automatically logged in. Selecting the Sign in with a user name link allows them to enter their regular Windows/network user name and password.

The name of the login button is customizable using the "Instructions" field described further below.

Forced

When this option is selected, people are automatically logged in to Permission Assist through SSO. If the person is not currently logged in to your OpenID Provider, they will be redirected to that application so they can log in.

If you're using "forced" SSO login and you need to log in using the recovery password, complete the following steps:

Enter the Permission Assist URL in the address bar at the top of your browser and then add /account/recover to the end of the URL.
For example: https://reviews.yourbank.com/account/recover
After pressing the ENTER key, the account recover login page appears (see picture below).
Enter your account recovery password (defined in the System Configuration > General Settings > System Recovery tab). You'll be logged into Permission Assist as an Administrator.

Redirect Timeout

This option is primarily used with the Preferred option described above, and determines how long people have to wait before they are automatically logged in to Permission Assist.

Instructions

Use this field to enter a customized Login button when single sign on is enabled. For example - if you're using Workforce Identity, you could change the button name to say "Log in with Workforce Identity"

OpenID Provider

The following OpenID providers are available:

Microsoft Azure
Okta Auth0
Okta Workforce Identity
Ping Identity PingOne

Advanced Configuration
Use the instructions on the right side of the page to complete the information in each of the Advanced Configuration fields. The fields of information within the Advanced Configuration area and corresponding instructions will vary depending on which OpenID provider is selected.

When all information is complete, select the Save button to save your settings and enable single sign on.