View and Change Identity Details

Viewing the details of an Identity can help you see additional details such as Active Directory information, the applications an Identity has access to, and the responsibilities they've been given within Permission Assist.

To view the details of an Identity, select an account in the Identities list. The Identities / Details page is displayed. 

Directory Info

When opening the Identities / Details page the Directory Info is displayed by default, which provides more detailed directory source information about the account (see picture below). 

 

Change an Identity Type

Within Permission Assist, Identities can be classified as specific types such as employee, service account, vendor account, and so on. Identity types can be helpful for sorting/searching, and are also used by Permission Assist to create recommendations. The Identity type is displayed within the Directory Info area on the right side of the page. 

To change an Identity's Type, complete the following steps:

  1. On the Identity Details page, select Directory Info.

  2. Select the Type link within the Directory Info area (displayed on the right side of the page). The Change Type window appears.

  3. Select the drop-down field and then select a new type from the drop-down list.

  4. Select the Change button.

     

Organization Chart

Selecting Organization Chart allows you to view the Identity's supervisors and direct reports, if applicable (see picture below).  To view the details of a supervisor or direct report, select their name. 

 

 

Also Known As

Selecting Also Known As allows you to view a list of employees that have been consolidated with this Identity. Sometimes, employees will have multiple Active Directory accounts to accommodate various situations; for example - their standard account, an admin account for one or more applications, an account for when they visit Branch A, and so on. In the past, Permission Assist considered each of these accounts as separate Identities. Now, you can have all of these accounts associated a single primary account - all considered a single Identity. 

In the example shown below, Abel Solomon is a Human Resources Specialist. Abel has a standard Active Directory account, but he also has an additional admin account that is used to access sensitive permissions within specific applications. Using the "Also Known As" feature within the Identity Details page, you can associate the admin account with Abel (see picture below).

Consolidate Identities

To consolidate identities, complete the following steps:

  1. On the Identity Details page, the Also Known As option (if it's not already selected), and then select the + Add an Identity link in the upper right corner of the Also Known As area on the right. The Create "Also Known As" window appears (see picture below).

  2. Select the Choose an identity to associate field and then select the Identity you want to add under this Identity.

  3. Select the Associate button. The new Identity appears in the Also Known As list. Permission Assist now considers these a single Identity, which allows Permission Assist to match application users to Identities more consistently and also allows for more appropriate recommendations, reports, and workflows. 

 

Detach Identities (from the primary Identity):

  1. While viewing the Also Known As area for the primary Identity, place your cursor over the Identity you want to detach. 

  2. Select the detach icon (see picture below).

    The Are You Sure? message appears.

  3. Select the Detach button. The Identity is removed from the Also Known As list and is now considered an independent primary Identity.

 

Detach Identities (from the associated Identity):

  1. While viewing the Also Known As area for the associated Identity, select the Detach this identity from... link in the upper right corner (see picture below).

    The Are You Sure? message appears.

  2. Select the Detach button. The primary Identity is removed from the Also Known As list.

     

Responsibilities

View Responsibilities Associated with an Identity

Selecting Responsibilities on the Identity Details page allows you to see which Permission Assist roles are inactive (red circle with a line through) or active (green check mark) for the identity (see example below).

 

For additional information about each of the role responsibilities, refer to the table below.

Role:

Description:

Administrator

This role becomes active when the identity belongs to the Administrator group within the System Configuration > System Authentication area.

Security Team

This role becomes active when the identity belongs to the Security Team group within the System Configuration > System Authentication area.

Application Manager

This role becomes active when the identity is added to the Application Managers field within an application (Manage > Applications > select the application > Responsibilities tab).

Area Reviewer

This role becomes active when the identity is the assigned reviewer for a Reviewable Area within an application (Manage > Applications > select the application > Reviewable Areas tab).

Provisioning 

This role becomes active in either of the following cases:

  • When the identity belongs to the Provision Team group within the System Configuration > System Authentication area.

  • When the identity is assigned to the Provision Engineers field within an application (Manage > Applications > select the application > Responsibilities tab).

Reporting

This role becomes active when the identity belongs to the Reporting Only group within the System Configuration > System Authentication area.

Supervisor

This role becomes active when the identity is defined as a supervisor in the Manage By field and assigned direct reports within Active Directory. This role also becomes active when an Identity is assigned the role of Review Supervisor for an application user and the application is included in an open review.

Set On Behalf Of Reviewers for Supervisors

If you have supervisors who either don't typically review the permissions of their direct reports or who may be out of the office during a review, the 'On Behalf Of' feature allows you to either temporarily or permanently shift review responsibilities to another person. 

To assign a reviewer to act 'On Behalf Of' a supervisor, complete the following steps:

  1. Within the Responsibilities area, select the "On behalf of" supervisor is disabled option (see picture below).


    After selecting this option, the option turns green (see picture below).

  2. Select the Always Reviews field and then select one of the following options:

    Never Reviews

    Selecting this option will permanently reassign all review items to a new identity. After selecting this option, select the Select identity field and then select the person who will be reviewing items on behalf of the supervisor. If you have any open reviews and you want this supervisor's items to be reassigned to the new supervisor/reviewer, select the Reassign all open review items to the new user option.

    Temporarily is not reviewing

    Selecting this option will allow you to temporarily reassign items to a new identity. After selecting this option, select the Select identity field and then select the person who will be reviewing items on behalf of the supervisor.

    Select the date field to select the day the supervisor returns. If you have any open reviews and you want this supervisor's items to be reassigned to the new supervisor/reviewer, select the Reassign all open review items to the new user option.

  3. Select the Save button

Entitlement Role Owner

This role becomes active when the identity becomes the "Owner" of an entitlement role.

 

 

Entitlement Roles

View Entitlement Roles Associated with an Identity

Selecting Entitlement Roles on the Identity Details page displays a list of Entitlement Roles in which the Identity is included (see picture below). To view more detailed information about one of the Entitlement Roles, select the Entitlement Role within the list. 

 

Applications

View Applications Associated with an Identity

A list of applications associated with the Identity is displayed in the Applications list on the right side of the page. In order for the application to show up in this list, an application user must be matched to the Identity within the Application Users tab.