Review details
The Reviews / Details page allows you to view more detailed review information. Some of the information within this area can be changed depending on the status of the review.
To open the Reviews / Details page:
1. Go to the Manage menu and select Reviews. The Reviews list is displayed.
2. Select the review you want to view. The Reviews / Details page is displayed.
Refer to the following sections for more information about each tab.
Overview tab
The Overview tab provides an executive summary of the review and includes information that may be helpful for auditing purposes such as the date the review was started, the number of applications included, total number of identities, total number of review items, and so on. This tab is not available when reviews are in a "Draft" status.
The information on this tab cannot be changed, but the report summary can be printed by selecting the Export button in the upper-right corner of the tab.
The Comments area at the bottom of the page allows you to add comments to the review.
Applications tab
The Applications tab on the Reviews / Details page provides a list of all applications and separation rules included in the review. When a review is in "Draft" status, you can add or remove applications and separation rules as needed. After a review is started, this tab is locked and is only available for viewing.
Settings tab
The Settings tab on the Reviews / Details page allows you to specify a name for the review and choose options that will determine the general process of the review such as the type of review, who will be required to approve items, and so on.
| Field | Notes | Description |
|---|---|---|
| Name | This field can be changed until the review is Completed. | Allows you to change the name of the review (up to 250 characters). |
Requirements
Review type
Note
This option can be changed while the review is in Draft status. It cannot be changed after a review has started.
Select one of the following types:
| Type | Description |
|---|---|
| User - All Permissions | Allows the reviewer to see every permission assigned to the user. If this review type is selected, the reviewer will see the following: Entitlements - this area displays the name of the application role or group to which a user is assigned, if applicable. If the application doesn't have roles or groups, this section is not displayed. Permissions - this displays all permissions assigned to the application user including both the role/group level permissions (if applicable) and any permissions that may fall outside of that role/group. If the user has not been assigned any permissions, this section is not displayed. |
| User - Entitlements and Overrides | Allows the reviewer to verify that users are assigned to the correct application role/group and to identify any privileges that have either been overridden at the user level or are explicitly declared at the user level. This type of review is helpful when your goal is to streamline privileges and limit the number of identities that have privileges outside of a role/group. Entitlements - this area displays the name of the application role or group to which a user is assigned, if applicable (no specific privileges within the group are displayed). Permissions - this displays any permissions that aren't inherited from groups. All users (regardless of whether they are assigned to a role or not) are included in this review; however, this type of review does not allow you to review all detailed privileges for each group. If you complete this type of review, you may need to also complete a "Groups - Declared" review in order to meet certain auditing requirements. |
| Groups | Allows the reviewer to review each of the application groups including all permissions within the group. This type of review is helpful when the applications you are reviewing assign privileges solely based on groups, when you want to ensure your group permissions are set up properly, or when your goal is to streamline permissions and limit exceptions. This type of review does not allow you to review which users have been assigned to the group; it only allows you to review the groups within an application and the privileges associated with that group. We recommend completing this review type prior to completing your User reviews to meet auditing requirements. |
Pre-approval conditions
Note
These options can be changed while the review is in Draft status; they cannot be changed after a review has started.
If you would like Permission Assist to help with the review, you can select one or more of the following options to determine whether an item is eligible for pre-approval.
When an item is pre-approved, it means Permission Assist has analyzed the item according to both the system criteria (built into Permission Assist) and the selected criteria (the options described below) and has determined the item meets that criteria.
System requirements for pre-approval
The following criteria must be met for an item to be eligible for pre-approval. These are required by Permission Assist and cannot be changed:
- The application user must have been reviewed manually at least one time (pre-approvals are not allowed during the first review)
- The application user must be active. Disabled users cannot be pre-approved
- The application user must have a matched identity
- The matched identity must be active. Users associated with disabled or removed identities cannot be pre-approved
Each option you select below will be an additional requirement that must be met for an item to be eligible for pre-approval. For example, if you select both the "Permissions have not changed..." and the "No permissions are overprivileged..." options, then the item cannot be pre-approved if either the user has any new permissions or if the user's permissions exceed the permissions allowed by their associated access models.
| Option | Description |
|---|---|
| The user/group was approved in the previous review | When this option is selected, the review item must have been approved by all required reviewers in the previous review. If the item was flagged and sent to remediation, it cannot be pre-approved. |
| Permissions have not changed since the previous review | When this option is selected, the user's permissions must be exactly the same as in the previous review. If the user has any new or changed permissions, the item cannot be pre-approved. |
| No permissions are underprivileged according to the access models | When this option is selected, the user must have all of the permissions that are allowed according to the associated access models. If the user is missing permissions that the access models allow, the item cannot be pre-approved. |
| No permissions are overprivileged according to the access models | When this option is selected, the user's permissions cannot exceed what is allowed according to the associated access models. If the user has more permissions than the access models allow, the item cannot be pre-approved. |
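The eligibility logic described above, written out as an added example (not Permission Assist's own code): the four system requirements are always enforced, and each selected option adds one more condition, so a single failing condition blocks pre-approval. Field and option names are assumptions for this example, and the sample review item is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ReviewItem:
    # Constructed structure: field names are assumptions, not the product's data model.
    previously_reviewed: bool          # reviewed manually at least once before
    user_active: bool                  # application user is not disabled
    identity_matched: bool             # user has a matched identity
    identity_active: bool              # matched identity not disabled or removed
    approved_in_previous_review: bool  # False if flagged / sent to remediation
    previous_permissions: frozenset
    current_permissions: frozenset
    model_permissions: frozenset       # what the associated access models allow

@dataclass(frozen=True)
class PreApprovalOptions:
    approved_in_previous_review: bool = False
    permissions_unchanged: bool = False
    not_underprivileged: bool = False
    not_overprivileged: bool = False

def pre_approval_blockers(item, opts):
    """Return the reasons an item is NOT eligible; an empty list means eligible."""
    reasons = []
    # System requirements: always enforced, regardless of selected options.
    if not item.previously_reviewed:
        reasons.append("first review: manual review required")
    if not item.user_active:
        reasons.append("application user is disabled")
    if not item.identity_matched:
        reasons.append("no matched identity")
    elif not item.identity_active:
        reasons.append("matched identity is disabled or removed")
    # Selected criteria: each option adds one more requirement.
    if opts.approved_in_previous_review and not item.approved_in_previous_review:
        reasons.append("not approved by all required reviewers last time")
    if opts.permissions_unchanged and item.current_permissions != item.previous_permissions:
        reasons.append("permissions changed since the previous review")
    if opts.not_underprivileged:
        missing = item.model_permissions - item.current_permissions
        if missing:
            reasons.append(f"underprivileged: missing {sorted(missing)}")
    if opts.not_overprivileged:
        extra = item.current_permissions - item.model_permissions
        if extra:
            reasons.append(f"overprivileged: extra {sorted(extra)}")
    return reasons

def is_pre_approvable(item, opts):
    return not pre_approval_blockers(item, opts)

# Constructed sample: an active, previously approved user who gained "admin"
# beyond what the access model allows.
SAMPLE_ITEM = ReviewItem(
    previously_reviewed=True, user_active=True, identity_matched=True,
    identity_active=True, approved_in_previous_review=True,
    previous_permissions=frozenset({"read", "export"}),
    current_permissions=frozenset({"read", "export", "admin"}),
    model_permissions=frozenset({"read", "export"}),
)
```

With no options selected the sample item is eligible; selecting "Permissions have not changed..." or "No permissions are overprivileged..." blocks it, and the returned reasons say why.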
Review item filters
Note
These options can be changed while the review is in Draft status; they cannot be changed after a review has started.
This area is used to filter the list of review items based on either identity or application user "type." For example, if you are required to review administrative accounts on a regular basis, the filters can be used to only show users that have an "Administrator" type.
To add a filter rule, complete these steps:
1. Make sure your application users and Identities have a defined type.
    - For Identities: the rules within the directory source often define the type, but the type can also be set within each individual identity.
    - For application users: the type can be set within each application user.
2. Select one of the following options:
    - all - when this option is selected, all review items are included in the review by default. This option is useful when you want to include most of the users within the application but exclude just one or two types of users; for example, when you want to see all review items except vendor accounts.
    - none - when this option is selected, no review items are included in the review unless you add rules to include them. This option is useful when you only want to review a very specific subset of users; for example, when you only want to review service accounts.
3. For each filter rule you want to add, complete the following steps:
    a. Select the Add Rule link.
    b. Select the appropriate options for each field of the rule as described below:

| Field | Description |
|---|---|
| The [matching identity] | Select one of the following options: matching identity - this field is set to "Identity" by default. When this option is selected, the list of review items is filtered based on the identity type. application user - to filter the list of review items based on a specific type of application user, select this field and pick application user from the list. |
| is of type [Employee] | This field is set to "Employee" by default. Select the type of Identities or application users you want to see (or not see) within the review. Options include: Unknown, Employee, Service Account, Vendor, Shared, Mailbox, Client, Temporary, Administrator. |
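How the default ("all" or "none") and the filter rules combine, as an added example rather than the product's own code. It assumes, as the descriptions above imply, that rules act as exceptions to the default: with "all" a matching rule excludes the item, with "none" a matching rule includes it. The review items are constructed sample data.

```python
# Identity / application-user types listed on this page.
USER_TYPES = {"Unknown", "Employee", "Service Account", "Vendor", "Shared",
              "Mailbox", "Client", "Temporary", "Administrator"}
SUBJECTS = {"matching identity", "application user"}

def rule_matches(item, rule):
    """A rule is (subject, type), e.g. ("application user", "Service Account")."""
    subject, user_type = rule
    if subject not in SUBJECTS or user_type not in USER_TYPES:
        raise ValueError(f"invalid rule: {rule}")
    # An item with no matched identity has None for that subject and never matches.
    return item.get(subject) == user_type

def included_in_review(item, default, rules):
    """Assumption: rules are exceptions to the default. With "all", a matching
    rule excludes the item; with "none", a matching rule includes it."""
    hit = any(rule_matches(item, r) for r in rules)
    if default == "all":
        return not hit
    if default == "none":
        return hit
    raise ValueError(f"default must be 'all' or 'none', got {default!r}")

def filter_review_items(items, default, rules):
    return [i["user"] for i in items if included_in_review(i, default, rules)]

# Constructed sample review items: each carries its matching-identity type and
# its application-user type; an unmatched identity is recorded as None.
SAMPLE_ITEMS = [
    {"user": "jdoe", "matching identity": "Employee", "application user": "Employee"},
    {"user": "svc_backup", "matching identity": "Service Account", "application user": "Service Account"},
    {"user": "acme_support", "matching identity": "Vendor", "application user": "Vendor"},
    {"user": "root_admin", "matching identity": None, "application user": "Administrator"},
]

# "all" except vendor accounts; "none" plus service accounts and administrators.
ALL_BUT_VENDORS = filter_review_items(SAMPLE_ITEMS, "all", [("matching identity", "Vendor")])
PRIVILEGED_ONLY = filter_review_items(
    SAMPLE_ITEMS, "none",
    [("application user", "Service Account"), ("application user", "Administrator")])
```

Note that a rule on the matching identity never catches a user whose identity is unmatched, so type filters for privileged accounts are more reliable when written against the application user.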
Comments
Note
These options can be changed until the review is Completed.
Select the situations in which a reviewer must enter a comment. One or more options may be selected.
| Option | Description |
|---|---|
| Force comments when flagging review items | When this option is selected, the reviewer who sends the item to remediation will be required to enter a comment. If an item is flagged, comments can be helpful for communicating with the provision team what needs to change and why. They can also be helpful documentation for audit purposes. |
| Force comments when approving users overprivileged according to access models | When this option is selected, reviewers will be required to enter a comment if they approve an item in which the user's permissions exceed what their associated access models allow. Comments can provide helpful information for audit purposes, especially in cases where a user has more permissions than what their access model allows. |
Reviewers
For each review, you have the option of including a variety of reviewers including the Security Team, Application Managers, Supervisors, and more. The options in this area allow you to determine both which reviewers are required and the degree to which each role is required.
Note
These options can be changed while the review is in Draft status. They cannot be changed after a review has started.
To add a required role:
1. Select the Insert review requirement for field and then select the role you want to require from the list.
2. Select the Add Rule link. A requirement is added.
3. For each required role, fill in each of the fields as needed to define the review requirements:

| Field | Description |
|---|---|
| At least [one] | This option is not available when adding rules for Supervisors, Area Reviewers, or any of the Defined Managers. When adding a new requirement, this field is set to "one" by default, which means that at least one person within this role is required. Some roles allow you to require two people. To require two people within the role, select this field and then select two from the list. |
| is/are [always] | This field allows you to determine whether the reviewer is always required or conditionally required. The Security Team must always be an optional reviewer (that rule cannot be removed). You can add an additional rule for the Security Team to make them required if needed. Always - By default, this field is set to "always", which means a person in this role must review items and take action to approve or flag them in order for the items to be completed. Conditionally - When this option is selected, a person in this role is required to review items, but only if certain conditions are met. |
| Required | This field is set to "required" and is the only option available for Security Team members; however, some roles may be considered either required, optional, or required if present. Required - every item assigned to the role must be completed by someone in that role without any exceptions. Optional - reviewers can log in to Permission Assist and see the items for their role; they can also approve or flag items; however, the items they approve or flag will not be considered complete until the required reviewer(s) mark the items as approved or flagged. Required if present - people within the role are only required to respond if they have been assigned to an item. Items that do not have a person within the role will be escalated to the Security Team. |
| when the application | This field appears when the "is Always" field is changed to "conditionally". By default, this field is set to "application", which means that the role is required to respond when an application has a certain priority level. If you would like the role to respond only when a user has access to privileges of a certain priority, select this field and then select privilege from the list. |
| has a priority/risk rating of none | This field appears when the "is Always" field is changed to "conditionally". By default, this field is set to "none", which means the role is required to respond when the application or privilege has a priority/risk rating of "None" or higher. Select this field and then select a priority level from the list to change the threshold. |
Timelines
| Field | Notes | Description |
|---|---|---|
| Timelines | The start date, end date, and automatic start option can be changed while the review is in Draft status. Only the end date may be changed after a review has started. | These fields allow you to define the expected start and end dates, which are used when sending pre-start notifications. If the "Automatically start the review on the planned start date" option is selected, Permission Assist will automatically start the review on the date specified. The review will remain open until it is manually completed (Permission Assist will not automatically complete the review on the end date). |
Notifications
Before start
Note
The "Before Start" notification options may be changed until the review is started. Notifications cannot be sent if the review is in an "Error" status.
| Option | Description |
|---|---|
| Email reviewers a pre-start notice of an upcoming review on... | When this option is selected, each reviewer receives a notification to let them know a review will be started soon. If start and end dates are defined in the Timelines area, the notification also includes the start date and the expected completion date of the review. If the review is in "Draft" status, Permission Assist will send the pre-start notification at 6:00am on the date specified in the date field. If the review is started prior to the date specified, the notification will not be sent. |
On start
Note
The "On Start" notification options may be changed until the review is started. Notifications cannot be sent if the review is in an "Error" status.
| Option | Description |
|---|---|
| Email reviewers summarizing their responsibilities on review start | When this option is selected, each reviewer receives an email notification to let them know the review has started. Only reviewers who are required to review items will receive a notification. If the reviewer has outstanding review items, a notification listing their responsibilities is sent. If all of the reviewer's items have been pre-approved, a different notification is sent confirming that status. |
During review
Note
The "During Review" notification options may be changed, as needed, until the review is Completed. Notifications cannot be sent if the review is in an "Error" status.
| Option | Description |
|---|---|
| Email reviewers a summary of their remaining responsibilities every... | When this option is selected, each reviewer with outstanding items receives a notification. Only reviewers who are required to review items will receive a notification. Notifications will continue to be sent at the day/time specified until the reviewer has no outstanding items remaining. |
| Email supervisors when an organizational change results in new responsibilities | When this option is selected, supervisors will receive an email notification if they are assigned additional review responsibilities due to an organizational change. Organizational changes that prompt this notification are based on changes within your directory services application (such as Active Directory). Email notifications will only be sent if Supervisors are required to review items. |
On completion
Note
The "On Completion" notification options may be changed, as needed, until the review is Completed. Notifications cannot be sent if the review is in an "Error" status.
| Option | Description |
|---|---|
| Email security team members when all of the review items have been completed | When this option is selected, Permission Assist will check to see if any outstanding review items remain. If all items in the review have been completed, an email notification is sent to the security team. Notices are sent each weekday at 7:00am. |
Pending responses tab
Note
This tab is available after a review has been started. When the review is either being created or is in Draft status, the Pending Responses tab is locked (unavailable).
The Pending Responses tab on the Reviews / Details page displays a list of all reviewers that have outstanding review items. Selecting a name within the list opens a details panel on the right side of the page, which shows a list of the applications the reviewer is associated with and the pending responses for each application.
This tab also allows you to send email reminders to everyone in the Pending Responses list or to a specific reviewer within the list.
Send email reminders
The Pending Responses tab on the Reviews / Details page allows you to send email reminders to either one reviewer or to all reviewers with outstanding review items.
To send an email reminder to all reviewers with outstanding items, select the Send Reminders button.
When sending reminders to everyone, the system will send a separate email to each person in the list.
To send an email reminder to a specific reviewer, select the person you want to send a reminder to, and then select the Send Reminder button in the details area.
Print a review summary report
The review summary may be printed for auditing purposes and is available in either PDF or Excel formats.
From the Reviews list, select the review for which you want to print a report. The Reviews / Details page appears with the Overview tab displayed. Select the Export button in the upper-right corner of the Overview tab and then pick either Excel or PDF.
Reports tab (print review reports)
The Reports tab on the Reviews / Details page quickly provides all the reports you need for review management and auditing purposes. These reports can be printed either while the review is in an Open status or after the review is Completed.
To print a report, select the report you want to print, and then select the Export button. For reports that contain a large amount of data, the report will continue to build in the background, allowing you to continue your work. When the report becomes available for downloading, Permission Assist will alert you by displaying a notification indicator next to the Reports menu on the menu bar.
If the zipped file has not been downloaded within 15 minutes of being generated, a single email notification is sent as a reminder; no further reminders are sent.
For more detailed information about each of the available reports, refer to the Standard Reports section of the documentation.