Review Items Taskboard
After logging in to Permission Assist, the Taskboard is displayed. The Taskboard is kind of like a "home base" for reviewers; it’s the place where the majority of the work for all reviews will happen.
Taskboard Navigation
If you are just starting to use Permission Assist, this section may be helpful for familiarizing yourself with the different areas of the Taskboard and how they're used.
1 | 4 | ||
2 | 5 | Review Item Details | |
3 |
Review Information
This area displays the review name. If you have more than one open review occurring at the same time, or if you want to see a previously completed review, select the review name or select the Switch Review button - . A new pane appears allowing you to select the review you'd like to view.
Applications List
The Applications List (circled on the image below) displays a list of applications included in the review. The Security team is able to see all applications within the review. The Application Managers and Supervisors will only see the applications for which they have review responsibilities.
If the review includes multiple applications, select the application you want to review. After selecting an application, you'll see the progress of your responsibilities for that application, including the total number of items that need to be reviewed, the number of items that have already been reviewed, and a progress bar that provides a visual representation of your percentage complete (see picture below).
The number to the right of the application name indicates the number of items that still need to be reviewed. When all items have been reviewed, this number is replaced by a green check mark.
Review Items List
After selecting an application, the review items associated with that application are displayed in the list on the right. Review items are sorted in alphabetical order by application username. Administrators and Security Team members will see all items within the application. Supervisors will only see items for employees that report to them.
Each review item has a bold heading which is the application username (or group name if you're completing a group review) as it appears in the application. If the item is an application user and Permission Assist was able to match the user with an Identity, the Identity name (and sometimes title) are displayed below the application username.
To select a review item, select the item you want to begin reviewing. The review item details area appears on the right side of the window.
Searching for and Sorting Review Items
Search |
Select the search field and enter the information to you want to search for within the selected application. To search for the same information within another application:
If you're completing a group review you can search for items by the group name. If you're completing a user review, you can search for items by application username or group name, full name, or job title. |
Quick Filters |
Quick filters allow you to view and sort information as follows:
When a quick filter is applied, a blue box appears around the filter to indicate it's currently being used to filter the list (see picture below). Each of the selected quick filter options are used in combination with each other. For example, using the sample image above the list would be filtered by both role and status. The list could be sorted further by selecting additional options. |
Review Item Details
After selecting a review item, the review item details area is displayed which allows you to review the information needed to either approve or flag the item for remediation (see picture below).
Item Information and More Actions
Item Number |
This area displays the review item number. This number corresponds to the # column in the review items list. |
Review Window |
If you would like more room to see the item details, select this button to open a new tab that displays the details of the item within a new window. The current tab stays open, allowing to you come back to the review and continue from where you left. If you approve or flag the item in the new window and go back to the previous window, the status of the item is not refreshed until you refresh the window or select a different item. |
More Actions |
This button allows you to reassign an identity, reassign the supervisor, add a reviewer, add comments, or start remediation. Refer to the More Actions section for more detailed instructions on how to use each of these options. |
Review Buttons
This area displays the status of the review item and allows you to take action on the item as needed to consider the item complete.
Status |
Description |
|||||||||
---|---|---|---|---|---|---|---|---|---|---|
Under Review |
The item still needs to be reviewed. To take action on the item, selecte of the following options:
If you've taken action on this item, and the item still appears to be under review, it means another reviewer is required to take action on this item before the item is considered complete. |
|||||||||
Approved |
The item is complete - all required reviewers have approved this task. |
|||||||||
Pre-Approved |
The item is complete - Permission Assist compared the permissions in this item to the permissions in the previous review and determined that either no permissions changed or permissions were removed. Permission Assist will never pre-approve items that are given additional or elevated permissions. Pre-Approval status can be removed by selecting the Remove Pre-approval button. Removing pre-approval status resets the item to the Under Review status, allowing you to either approve or flag the item. |
|||||||||
Flagged |
The item has been flagged, but the remediation has not yet started. To officially start the remediation process select the More Actions button - - and select Start Remediation. |
|||||||||
In Remediation |
A remediation request has been created and the Provision Team has received the request. After a Provision Engineer resolves the request, the request may or may not be sent back to the reviewer for final approval depending on how remediation workflow is set up for your bank (in the System Configuration > General Settings > Taskboards > Reviews area).
|
|||||||||
Remediation Complete |
This item has been remediated and is considered complete. |
|||||||||
|
When this warning is displayed, it means you've been restricted from reviewing your own permissions. You can still view the information, permissions, comments and actions, but you will not be allowed to approve or flag the permissions. |
|||||||||
|
When this warning is displayed, it means you are about to review your own permissions. Your System Configuration settings allow you to continue, if needed, by selecting the I understand and wish to continue button. |
Information Tabs
Info |
Displays more detailed information about the review item. If you are doing a User review information such as full name, status, email, last login date, etc. are displayed if the application has made that information available. If you are doing a Group review, information about the group is displayed. |
Privileges |
This tab allows you to view the privileges associated with this group or user. This tab is displayed by default after selecting an item. The "privilege dumbbells" within this area allow you to visually compare the privileges from the previous review to the privileges in the current review. If you are working on a user review and the user is matched to an Identity that is assigned to an Entitlement Role, the Role column allows you to compare the user's permissions fall to their assigned Entitlement Role. |
Reviewers |
This tab allows you to see the details about the reviewers of this item such as which roles are required and which are optional, the number of reviewers required in each role, and whether other reviewers have taken action on the item or not. |
Comments |
This tab allows you to view or add comments. When a number is displayed in parenthesis, it indicates the number of comments that have been added to the item. Refer to the "Add a Comment" topic for additional information. Comments are viewable by other Permission Assist users and cannot be edited or removed after they've been added. |
All actions taken on the item (ex. system actions or reviewer actions to approve, flag, reassign, and so on) are recorded for historical and auditing purposes. Selecting this button allows you to review a list of actions taken related to the current item (see picture below). |
Approving or Flagging a Review Item
To approve or flag a review item, review the information on the User Info and Privileges tabs to determine if any changes need to be made. If no changes need to be made, you can approve the item by selecting the Approve button - - in the review item details area. If changes are needed, you can flag the item by selecting the Flag button - - to begin the remediation process.
Privilege Dumbbells Explained
The privilege dumbbells provide visual cues to help you more quickly and easily compare permissions from the previous review to permissions in the current review. Color coding also helps alert you to elevations in permissions and important
In your first review, you will see only one column of privileges displayed under the Now column. For each subsequent review you will see two or, for user reviews, sometimes three columns based on whether the user is with or without a role.
Identity Without an |
Identity With an |
---|---|
The purpose of the dumbbell chart is help you make informed decisions about whether you should Approve or Flag this review item. It shows you exactly where a user has elevated privileges, where they are out of bounds compared to their role, and whether or not you've approved/flagged the review in the past.
Each bar in the dumbbell chart has a message associated with it. If you hover your cursor over the bar, a message is displayed (see picture below).
The following tables layout all of the possible combinations and accompanying messages:
Identity Without Role
Previously Approved? |
Previous Permission Value |
State |
Message |
Current Permission Value |
Yes |
Y |
|
Accepted in the previous review, and no additional changes occurred |
Y |
No |
Y |
|
No change occurred, but wasn't accepted in the previous review |
Y |
|
Y |
|
Less access is allowed |
N |
|
Y |
|
Less access is allowed |
|
|
N |
|
Access rights elevated since the previous review |
Y |
|
N |
|
No change occurred since previous review |
N |
|
N |
|
Less access is allowed |
|
|
|
|
Elevated access has never been accepted |
Y |
|
|
|
Less access is allowed |
N |
|
|
|
|
|
Identity With Role
Previously Approved? |
Previous Permission Value |
State |
Message |
Current Permission Value |
State |
Message |
Current Role Value |
---|---|---|---|---|---|---|---|
Yes |
Y |
|
No change occurred since previous review |
Y |
|
Allowed access in the matching role |
Y |
Yes |
Y |
|
Accepted in the previous review, and no additional changes occurred. |
Y |
|
Access rights accepted during previous review, but outside the matching role. |
N |
Yes |
Y |
|
Accepted in the previous review, and no additional changes occurred |
Y |
|
Access rights accepted during previous review, but outside the matching role |
|
No |
Y |
|
No change occurred since previous review. |
Y |
|
Allowed access in the matching role |
Y |
No |
Y |
|
No change occurred, but wasn't accepted in the previous review |
Y |
|
Elevated access outside the matching role |
N |
No |
Y |
|
No change occurred, but wasn't accepted in the previous review |
Y |
|
Elevated access outside the matching role |
|
|
Y |
|
Less access is allowed |
N |
|
Less access is allowed |
Y |
|
Y |
|
Less access is allowed |
N |
|
|
N |
|
Y |
|
Less access is allowed
|
N |
|
Less access is allowed |
|
|
Y |
|
Less access is allowed |
|
|
Less access is allowed |
Y |
|
Y |
|
Less access is allowed |
|
|
Less access is allowed |
N |
|
Y |
|
Less access is allowed |
|
|
|
|
|
N |
|
Elevated access allowed as it's allowed in matching role |
Y |
|
Allowed access in the matching role |
Y |
|
N |
|
Access rights elevated since the previous review |
Y |
|
Elevated access outside the matching role |
N |
|
N |
|
Access rights elevated since the previous review |
Y |
|
Elevated access outside the matching role |
|
|
N |
|
No change occurred since previous review |
N |
|
Less access is allowed |
Y |
|
N |
|
No change occurred since previous review |
N |
|
|
N |
|
N |
|
No change occurred since previous review |
N |
|
Less access is allowed |
|
|
N |
|
Less access is allowed |
|
|
Less access is allowed |
Y |
|
N |
|
Less access is allowed |
|
|
Less access is allowed |
N |
|
N |
|
Less access is allowed |
|
|
|
|
|
|
|
Elevated access allowed as it's allowed in matching role |
Y |
|
Allowed access in the matching role |
Y |
|
|
|
Elevated access has never been accepted |
|
|
Elevated access outside the matching role |
N |
|
|
|
Elevated access has never been accepted |
Y |
|
Elevated access outside the matching role |
|
|
|
|
Less access is allowed |
N |
|
Less access is allowed |
Y |
|
|
|
Less access is allowed |
N |
|
|
N |
|
|
|
Less access is allowed |
N |
|
Less access is allowed |
|
|
|
|
|
|
|
Less access is allowed |
Y |
|
|
|
|
|
|
Less access is allowed |
N |
Comments Tab
Each review item has a comments section where any reviewer can add additional information to the item as needed. Typically, comments are used to document the reason for approving or flagging an item, which helps the Provision Team understand the changes that need to be made.
NOTES:
-
Comments are viewable by other Permission Assist users.
-
Comments are saved for historical and auditing purposes; they cannot be edited or removed after they've been added.
Within the Comments tab you can:
More Actions
The More Actions cogwheel in the detail panel allows you to complete additional tasks such as:
Reassign Identity
If your System Configuration settings allow you to reassign Identities from the Review Items taskboard, the Reassign Identity option is enabled, allowing you to reassign the Identity on the review item.
To reassign an Identity, complete the following steps:
-
Select the More Actions button in the upper right corner of the review item details area, and select Reassign Identity (see picture below).
The Reassign Identity window opens, allowing you to reassign the user account for this application to a different identity (see picture below).
-
Select one of the following options:
Option:
Description:
Always assign the selected identity to this application user
Use this option to permanently reassign this identity to another user. Then, select the Select a new identity field and either type the name of the person or scroll down the list to select the person you want to assign to this identity.
Always leave this application user unassigned
Use this option if this identity should remain permanently unassigned.
For just this review, assign the selected identity to this application user
Use this option to temporarily reassign this identity to another user. Then, select the Select a new identity field and either type the name of the person or scroll down the list to select the person you want to assign to this identity. The user will be reassigned to the newly selected user for the current review, but will return to the previously matched user for future reviews.
For just this review, unassign any matched identity
Use this option to temporarily unassign this identity. The user will be unassigned for the current review, but will return to the previously matched user for future reviews.
-
Select Save. The actions are logged in the Activity tab.
Reassign Review Supervisor
If your System Configuration settings allow you to reassign supervisors from the Review Items taskboard, the Reassign Review Supervisor option is enabled, allowing you to reassign the supervisor for a review item. This can be helpful if, for example, the supervisor has left the organization or if the assigned supervisor does not participate in security audits such as C-level executives. Supervisors can be reassigned temporarily or permanently.
To reassign a supervisor, complete the following steps:
-
Select the More Actions button in the upper right corner of the review item details area, and select Reassign Review Supervisor (see picture below).
The Reassign Supervisor window opens, allowing you to reassign the user account for this application to a different identity (see picture below).
-
Select one of the following options:
Option:
Description:
Always assign the selected supervisor to this application user/group
Use this option to permanently reassign this user or group to the newly selected supervisor.
Always leave the supervisor unassigned for this application user/group Use this option to the supervisor should be permanently unassigned. Items that are permanently unassigned will be escalated to the security team for review.
For just this review, assign the selected supervisor to this application user/group
Use this option to temporarily assign this user or group to the newly selected supervisor. The item will be reassigned to the new supervisor for the current review, but will return to the previously matched supervisor for future reviews.
For just this review, unassign the supervisor
Use this option to temporarily unassign this supervisor. The item will be unassigned for the current review, but will return to the previously matched supervisor for future reviews.
-
If you are reassigning the item to a new supervisor, select the new supervisor from the Select a new identity field.
TIP: If you start typing the supervisor's first name, the list of identities is filtered to show people with similar names.
-
Select Save. The actions are logged in the Activity tab.
Add a Reviewer
There are times when you may want to invite others to the review process. In these cases, you can add a reviewer. Invited reviewers will be considered optional unless the review was set up to require a response from their assigned role. For example, if the review was set up to require supervisors, but the guest is invited to respond as a Division Manager - the invited reviewer will be able to mark the item as approved or flagged, but the item will not be considered complete until the Supervisor marks the item as approved or flagged.
-
Within the review item details area, select the More Actions button in the top right corner, and pick Add Reviewer (see picture below).
The Add Reviewer window opens, allowing you to invite another reviewer to take action on this item.
-
In the Select an identity field, type the name of the person or scroll down and pick the person you want to invite.
-
Select the role(s) this person will be filling in as (see picture below). When the added reviewer takes action on the review item, they will be able to meet the review requirements as the selected role. For example, in the picture below, Alton is being added as a Reviewing Supervisor. After she's added, she will be able to complete the supervisor's review requirements by marking the item as either approved or flagged.
-
Select Save. The actions are logged in the Activity tab.
Comments
The Comments option allows you to perform all the same actions as the Comments tab.