Review Details

The Reviews / Details page allows you to view more detailed review information. Some of the information within this area can be changed depending on the status of the review.

To open the Reviews / Details page:

  1. Go to the Manage menu and select Reviews. The Reviews list is displayed.

  2. Select the review you want to view. The Review Details page is displayed.

Refer to the following sections for more information about each tab.

 

Overview Tab

The Overview tab provides an executive summary of the review and includes information that may be helpful for auditing purposes such as the date the review was started, the number of applications included, total number of identities, total number of review items, and so on. This tab is not available when reviews are in a "Draft" status.

The information on this tab cannot be changed, but the report summary can be printed by selecting the Export button in the upper right corner.

The Comments area at the bottom of the page allows you to add comments to the review.

 

Applications Tab

The Applications tab on the Reviews / Details page provides a list of all applications and separation rules included in the review. When a review is in "Draft" status, you can add or remove applications and separation rules as needed. After a review is started, this tab is locked and is only available for viewing.

 

Settings Tab

The Settings tab on the Reviews / Details page allows you to specify a name for the review and choose options that will determine the general process of the review such as the type of review, who will be required to approve items, and so on. 

Field: Name

Notes: This field can be changed until the review is Completed.

Description: Allows you to change the name of the review (up to 200 characters).

 

 

REQUIREMENTS

Field/Option: Diligence

Notes: The Diligence type can be changed while the review is in Draft status. It cannot be changed after a review has started.

Description: Select one of the following options:

  • Full - If this option is selected, every item within the review will need to be personally approved or flagged for remediation.

  • Quick - If this option is selected, Permission Assist will automatically pre-approve an item if the item was previously approved by all required reviewers and if permissions have remained the same since the last review.
    If an item is Pre-Approved it will show up in the Review Items Taskboard as follows (see picture below):

 

  • A reviewer can remove Pre-Approval status at any time by selecting the Remove Pre-approval button (see picture below) within the detail panel.

  • An item cannot be pre-approved if:

    • the application user has a permission outside of the Entitlement Role (if applicable)

    • the application user has a new permission elevated since the last review, even if it is within the Entitlement Role

    • the application user has a new permission that wasn't approved in the last review

    • the application user is disabled

    • it does not have a matched identity or if the matched identity is disabled or removed
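
The Quick diligence conditions above, modeled as an added Python example (not Permission Assist code) that returns every reason an item would have to be reviewed manually. The class names, the numeric permission levels used to detect an elevation, and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

@dataclass
class Item:
    app_user: str
    permissions: Dict[str, int]            # permission -> level (assumed numeric, higher = more access)
    app_user_disabled: bool = False
    identity_status: Optional[str] = None  # "active", "disabled", "removed"; None = no matched identity
    entitlement_role: Optional[Set[str]] = None  # permissions the role grants; None = not applicable

@dataclass
class LastReview:
    approved_by_all_required: bool
    permissions: Dict[str, int]            # snapshot that was approved

def pre_approval_blockers(item: Item, last: Optional[LastReview]) -> List[str]:
    """Return every reason the item cannot be pre-approved; empty list means eligible."""
    reasons: List[str] = []
    before = last.permissions if last else {}
    if last is None or not last.approved_by_all_required:
        reasons.append("not approved by all required reviewers in the last review")
    if item.entitlement_role is not None:
        outside = sorted(set(item.permissions) - item.entitlement_role)
        if outside:
            reasons.append("outside Entitlement Role: " + ", ".join(outside))
    # An elevation blocks pre-approval even when the permission is inside the role.
    elevated = sorted(p for p, lvl in item.permissions.items() if p in before and lvl > before[p])
    if elevated:
        reasons.append("elevated since last review: " + ", ".join(elevated))
    added = sorted(set(item.permissions) - set(before))
    if added:
        reasons.append("not approved in last review: " + ", ".join(added))
    # Any other difference (for example a removed permission) also means "not the same".
    if item.permissions != before and not (elevated or added):
        reasons.append("permissions changed since last review")
    if item.app_user_disabled:
        reasons.append("application user is disabled")
    if item.identity_status is None:
        reasons.append("no matched identity")
    elif item.identity_status in ("disabled", "removed"):
        reasons.append("matched identity is " + item.identity_status)
    return reasons

# Constructed sample data (not taken from any real review).
LAST = LastReview(True, {"view_accounts": 1, "post_transactions": 1})
TELLER_ROLE = {"view_accounts", "post_transactions", "approve_wires"}
UNCHANGED = Item("jdoe", {"view_accounts": 1, "post_transactions": 1},
                 identity_status="active", entitlement_role=TELLER_ROLE)
ELEVATED = Item("jdoe", {"view_accounts": 1, "post_transactions": 2},
                identity_status="active", entitlement_role=TELLER_ROLE)
SERVICE = Item("svc-batch", {"view_accounts": 1, "post_transactions": 1, "export_data": 1},
               entitlement_role=TELLER_ROLE)

if __name__ == "__main__":
    for item in (UNCHANGED, ELEVATED, SERVICE):
        print(item.app_user, pre_approval_blockers(item, LAST) or "pre-approve")
```
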

Review Type

This option can be changed while the review is in Draft status. It cannot be changed after a review has started.

Select one of the following types:

Type

Description

User - All Permissions

Allows the reviewer to see every permission assigned to the user. If this review type is selected, the reviewer will see the following:

  • Enlistments - this area displays the name of the application role or group to which a user is assigned, if applicable. If the application doesn't have roles or groups, this section is not displayed.

  • Permissions - this displays all permissions assigned to the application user including both the role/group level permissions (if applicable) and any permissions that may fall outside of that role/group. If the user has not been assigned any permissions, this section is not displayed.

Sample Review Item Details for an Application User:

User - Enlistments and Overrides 

Allows the reviewer to verify that users are assigned to the correct application role/group and to identify any privileges that override or fall outside of the assigned role/group. This type of review is helpful when your goal is to streamline privileges and limit the number of employees that have privileges outside of a role/group. If this review type is selected, the reviewer will see the following:

  • Enlistments - this area displays the name of the application role or group to which a user is assigned, if applicable (no specific privileges within the group are displayed). If the application doesn't have roles or groups, this section is not displayed.

  • Permissions - this displays any permissions that are different than the group-level permissions. If the user does not have any permissions that are different than those within their assigned role/group, this section is not displayed.

All users (regardless of whether they are assigned to a role or not) are included in this review; however, this type of review does not allow you to review all detailed privileges for each group. It also does not allow you to see all of a user's permissions that could have potentially been assigned (it displays only the permissions that are different from the user's assigned role); therefore, if you complete this type of review, you may need to also complete a "Groups" review and/or a "User - All Permissions" review (depending on the application) in order to meet certain auditing requirements.

We recommend completing a Groups review first to ensure groups are set up properly. After the Groups review is complete and all items have been remediated, the User Enlistments and Overrides review will allow you to review individual users to see the differences. Ideally, the Group and User Enlistments and Overrides reviews would be completed by different reviewers both to maintain separation of duties and to minimize the amount of time each set of reviewers spends completing the review. For example, you may have the Application Managers complete the Groups review and the Supervisors complete the User Enlistments and Overrides review (or vice versa depending on how your organization assigns responsibilities). If an application does not use roles or groups, or if you are not using the available roles/groups, we recommend completing a "User - All Permissions" review.

Sample Review Item Details for an Application User:

Groups

Allows the reviewer to review each of the application groups including all permissions within the group. This type of review is helpful in any of the following scenarios:

  • When the applications you are reviewing assign privileges solely based on groups such that individual permissions cannot be changed

  • When you want to ensure your group permissions are set up properly

  • When your goal is to streamline permissions and limit "exceptions to the rule"

This type of review does not allow you to review which users have been assigned to the group; it only allows you to review the groups within an application and the privileges associated with that group. Therefore, we recommend completing this review type prior to completing your User reviews (of either type) in order to meet your auditing requirements.

Sample Review Item Details for a Group: 

 

 

 

COMMENTS

Option: Comments

Notes: These options can be changed until the review is Completed.

Description: Select the situations in which a reviewer must enter a comment. One or more options may be selected.

 

REVIEWERS

For each review, you have the option of including a variety of reviewers including the Security Team, Application Managers, Supervisors, and more. The options in this area allow you to determine both which reviewers are required and the degree to which each role is required.

Note: These options can be changed while the review is in Draft status. They cannot be changed after a review has started.

To add a required role:

  1. Select the "Insert review requirement for" field and then select the role you want to require from the drop-down list.

  2. Select the Add Rule link. A requirement is added.

  3. For each required role, fill in each of the fields as needed to define the review requirements:

    Field

    Description

    At least [one]

    NOTE: This option is not available when adding rules for Supervisors, Area Reviewers, or any of the Defined Managers.

    When adding a new requirement, this field is set to "one" by default, which means that at least one person within this role is required. Some roles allow you to require two people. To require two people within the role, select this field and then select two from the drop-down list. Selecting two ensures that at least two people within the role review each item. For example, if you have 5 people within your Security Team, and you want to ensure that at least 2 of the 5 review each item, set this field to "two".

    is/are [always]

    This field allows you to determine whether the reviewer is always required or conditionally required.

    NOTES:

    • The Security Team must always be an optional reviewer (that rule cannot be removed). You can add an additional rule for the Security Team to make them required if needed.

    • All other roles may be considered either always or conditionally required.

       

    • Always - By default, this field is set to "always", which means a person in this role must review items and take action to approve or flag them in order for the items to be completed.

    • Conditionally - When this option is selected, a person in this role is required to review items, but only if certain conditions are met. For example, if you want a Department Manager to review any permissions that are risk-rated "high" or higher, set this field to conditionally and complete the other fields as needed.

      NOTE: Permissions must be risk rated before the review is started.

    Required 

    This field is set to "required" and is the only option available for Security Team members; however, some roles may be considered either required, optional, or required if present.

    • Required - When a role is considered required, every item assigned to the role must be completed by someone in that role without any exceptions. For example, if you add a rule to include Application Managers as required and you have 10 applications within the review, all 10 applications must be reviewed by an Application Manager without exception. If 2 of those 10 applications do not have an assigned Application Manager, an Application Manager will need to be assigned to those 2 applications before the review items for those applications can be fully completed.

    • Optional - If a role is considered optional, people in that role can log in to Permission Assist and see the items for their role; they can also approve or flag items; however, the items they approve or flag will not be considered complete until the required reviewer(s) mark the items as approved or flagged.

    • Required if present - When this option is selected, people within the role are only required to respond if they've been assigned to an item. Items that do not have a person within the role will be escalated to the Security Team, and the Security Team member's action to either approve or flag the item allows the item to be considered complete.

      For example, if you add a rule to include Reviewing Supervisors, and 3 items within the review don't have a reviewing supervisor (for example, service accounts, vendor accounts, or users without a matched Identity) those 3 items will be escalated to the Security Team. At that point, the Security Team could either take the place of the "required if present" role and complete the items as needed, or they can reassign the items to another supervisor and the Reviewing Supervisor could complete the items.

    when the application

    This field appears when the "is Always" field is changed to "conditionally". By default, this field is set to "application", which means that the role is required to respond when an application has a certain priority level (defined in the "has a priority of" field). If you'd like the role to respond only when a user has access to privileges of a certain priority, select this field and then select privilege from the drop-down list.

    has a priority/risk rating of none

    This field appears when the "is Always" field is changed to "conditionally". By default, this field is set to "none", which means the role is required to respond when the application or privilege has a priority/risk rating of "None" or higher. If you'd like the Security Team to review applications or privileges of a specific priority or higher, select this field and then select a priority level from the drop-down list.
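
How the reviewer rule fields described above combine to decide whether a review item is complete, as an added Python example (not Permission Assist code). The class names, the rating scale beyond "none" and "high", and the sample roles and people are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Assumed rating scale, lowest to highest; the page names only "None" and "high".
RATINGS = ["none", "low", "medium", "high", "critical"]

@dataclass
class Rule:
    role: str
    at_least: int = 1               # "At least [one]" or two
    conditional: bool = False       # "is/are [always]" or conditionally
    requirement: str = "required"   # required | optional | required if present
    target: str = "application"     # "when the application" or privilege
    min_rating: str = "none"        # "has a priority/risk rating of"

@dataclass
class Item:
    name: str
    app_priority: str
    privilege_risk: str             # highest risk rating among the item's privileges
    assigned: Dict[str, Set[str]]   # role -> people in that role for this item
    responded: Set[str] = field(default_factory=set)  # people who approved or flagged

def applies(rule: Rule, item: Item) -> bool:
    """A conditional rule applies only at or above its rating threshold."""
    if not rule.conditional:
        return True
    rating = item.app_priority if rule.target == "application" else item.privilege_risk
    return RATINGS.index(rating) >= RATINGS.index(rule.min_rating)

def outstanding(item: Item, rules: List[Rule]) -> List[str]:
    """Return the unmet requirements; an empty list means the item is complete."""
    unmet = []
    for rule in rules:
        if rule.requirement == "optional" or not applies(rule, item):
            continue  # optional responses never complete or block an item
        people = item.assigned.get(rule.role, set())
        if not people:
            if rule.requirement == "required if present":
                # Escalated: a Security Team action stands in for the missing role.
                team = item.assigned.get("Security Team", set())
                if not (team & item.responded):
                    unmet.append(f"{rule.role}: escalated to Security Team")
            else:
                unmet.append(f"{rule.role}: no one assigned")
            continue
        done = len(people & item.responded)
        if done < rule.at_least:
            unmet.append(f"{rule.role}: {done} of {rule.at_least} responses")
    return unmet

# Constructed sample rules and items (not taken from any real review).
RULES = [
    Rule("Security Team", requirement="optional"),
    Rule("Application Manager"),
    Rule("Reviewing Supervisor", requirement="required if present"),
    Rule("Department Manager", conditional=True, target="privilege", min_rating="high"),
]
TEAM = {"Security Team": {"sam", "tia"}}
SERVICE_ACCOUNT = Item("svc-backup", "medium", "low",
                       {**TEAM, "Application Manager": {"ana"}}, {"ana"})
UNMANAGED_APP = Item("jdoe", "medium", "high",
                     {**TEAM, "Reviewing Supervisor": {"lee"}}, {"lee"})

if __name__ == "__main__":
    for it in (SERVICE_ACCOUNT, UNMANAGED_APP):
        print(it.name, outstanding(it, RULES) or "complete")
```
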

 

FILTERS

This area is used to filter the list of review items based on either Identity or application user "type." For example, if you are required to review administrative accounts on a regular basis, the filters can be used to only show users that have an “Administrator” type.

 

To add a filter rule, complete these steps:

  1. Make sure your application users and Identities have a defined type.

    For Identities: the rules within the directory source often define the type, but the type can also be set within each individual identity.

    For application users: the type can be set within each application user.

  2. Select one of the following options:

    • all - when this option is selected, all review items are included in the review by default. This option is great for situations where you want to include most of the users within the application, but want to exclude just one or two types of users. For example, when you want to see all review items except vendor accounts.

    • none - when this option is selected, no review items are included in the review unless you add rules to include them. This option is great for situations when you only want to review a very specific sub-set of users. For example, when you only want to review service accounts.

  3. For each filter rule you want to add, complete the following steps:

    1. Select the Add Rule link (see picture below).

    2. Select the appropriate options for each field of the rule as described below:

      Field

      Description

      The [matching identity]

      Select one of the following options:

      • application user - if you want to filter the list of review items based on a specific type of application users, select this field and pick application user from the list.

      is of type [Employee]

      This field is set to "Employee" by default. Select the type of Identities or application users you want to see (or not see) within the review.

      Select one of the following options:

      • Unknown

      • Employee

      • Service Account

      • Vendor

      • Shared

      • Mailbox

      • Client

      • Temporary

      • Administrator

 

 

 

TIMELINES

Timelines

The start date, end date and automatic start option can be changed while the review is in Draft status. Only the end date may be changed after a review has started.

These fields allow you to define the expected start and end dates, which are used when sending pre-start notifications.

If the "Automatically start the review on the planned start date" option is selected, Permission Assist will automatically start the review on the date specified. The review will remain open until it is manually completed (Permission Assist will not automatically complete the review on the end date).

 

NOTIFICATIONS

Option

Notes

Description

On Start

On Start notification options may be changed until the review is started.

When email notifications are sent, they will originate from the email address specified in the System Configuration > Email area.

Notifications cannot be sent if the review is in an "Error" status.

Select any of the following options based on the automatic email notifications you want Permission Assist to send.

Option

Description

Email reviewers a pre-start notice of an upcoming review on...     

When this option is selected, each reviewer receives a notification to let them know a review will be started soon. If start and end dates are defined in the Timelines area (described above) the notification also includes the start date and the expected completion date of the review.

If the review is in "Draft" status, Permission Assist will send the pre-start notification at 6:00am on the date specified in the date field.

If the review is started prior to the date specified, the notification will not be sent.

Email reviewers summarizing their responsibilities on review start                     

When this option is selected, each reviewer receives an email notification to let them know the review has started. Only reviewers who are required to review items will receive a notification.

  • If the reviewer has outstanding review items that need to be completed, the following notification is sent:

  • If all of the reviewer's items have been pre-approved, the following notification is sent:

 

During Review

The "During Review" notification options may be changed, as needed, until the review is Completed.

When email notifications are sent, they will originate from the email address specified in the System Configuration > Email area.

Notifications cannot be sent if the review is in an "Error" status.

Select any of the following options based on the automatic email notifications you want Permission Assist to send.

Option

Description

Email reviewers a summary of their remaining responsibilities every...

When this option is selected, each reviewer with outstanding items receives a notification. Only reviewers who are required to review items will receive a notification. Notifications will continue to be sent at the day/time specified until the reviewer has no outstanding items remaining.

Email supervisors when an organizational change results in new responsibilities

When this option is selected, supervisors will receive an email notification if they are assigned additional review responsibilities due to an organizational change. Organizational changes that prompt this notification are based on changes within your directory services application (such as Active Directory). Email notifications will only be sent if Supervisors are required to review items.

[Sample notification is not available]

On Completion

The "On Completion" notification options may be changed, as needed, until the review is Completed.

When email notifications are sent, they will originate from the email address specified in the System Configuration > Email area.

Notifications cannot be sent if the review is in an "Error" status.

Select any of the following options based on the automatic email notifications you want Permission Assist to send.

Option

Description

Email security team members when all of the review items have been completed

When this option is selected, Permission Assist will check to see if any outstanding review items remain. If all items in the review have been completed, an email notification is sent to the security team. Notices are sent each weekday at 7:00am.

[Sample notification is not available]

 

 

 

Pending Responses Tab

NOTE: This tab is available after a review has been started. When the review is either being created or is in Draft status, the Pending Responses tab is locked (unavailable).

 

The Pending Responses tab on the Reviews / Details page displays a list of all reviewers that have outstanding review items. Selecting a name within the list opens a details panel on the right side of the page, which shows a list of the applications the reviewer is associated with and the pending responses for each application (see picture below).

 

This tab also allows you to send email reminders to everyone in the Pending Responses list or to a specific reviewer within the list.

 

Send Email Reminders

The Pending Responses tab on the Reviews / Details page allows you to send email reminders to either one reviewer or to all reviewers with outstanding review items.  The email will originate from the email address specified in the System Configuration > Email area.

To send an email reminder to all reviewers with outstanding items, select the Send Reminders button as shown in the example below:

When sending reminders to everyone, the system will send a separate email to each person in the list.

To send an email reminder to a specific reviewer, select the person you want to send a reminder to, and then select the small paper airplane icon in the details area as shown in the example below:

 

Print a Review Summary Report

The review summary may be printed for auditing purposes and is available in either PDF or Excel formats (see picture below).

 

 

  1. From the Reviews list, select the review for which you want to print a report. The Reviews Detail page appears with the Overview Tab displayed.

  2. Select the Export button in the upper right corner of the Overview tab and then select either Excel or PDF.

 

Reports Tab (Print Review Reports)

The Reports tab on the Reviews / Details page quickly provides all the reports you need for review management and auditing purposes. These reports can be printed either while the review is in an Open status or after the review is Completed.

To print a report, select the report you want to print, and then select the Export button. For reports that contain a large amount of data, the report will continue to build in the background, allowing you to continue your work. When the report becomes available for downloading, Permission Assist will alert you by displaying a little white bell icon next to the Reports menu on the menu bar (see picture below).  

If the zipped file has not been downloaded within 15 minutes of being generated, an email notification is sent as a reminder. Only one email notification is sent, and it will only be sent if the file is not downloaded within 15 minutes.

For more detailed information about each of the available reports, refer to the Standard Reports section of the documentation.