Uploaded by Saeed Nashar
Certification Overview and Configuration

Fundamentals of IdentityIQ Implementation


Overview
Access Certification

• What are Certifications and Access Reviews

• Types of Certifications

• Certification Lifecycle

• Certification Configuration

• Targeted Identity and Event Based Certifications

Copyright © SailPoint Technologies, Inc. 2017. All rights reserved. 3


Access Certification
• The process of automating the periodic review and approval of:
  • Identity Access
  • Role Membership
  • Role Composition
  • Account Group Membership
  • Account Group Permissions


Certifications

Certifications/Access Reviews
Definitions
• Certifications
  • Define the certification campaign: what is reviewed, when, and by whom
  • Comprised of one or more access reviews that share the same parameters
• Access Reviews
  • Provide a snapshot of the data to be certified
  • Routed to the reviewer to take action
• Access Review Details
  • Present the entities to be certified


Certification Types
• Certification Campaigns
  • Setup → Certifications
• Targeted Certifications
  • Identity Certifications: identities selected from
    • Identity Search Results
    • Identity Risk Score
    • Policy Violation
  • Event-Based Certifications


Overall Certification Process
• Compliance or business analyst defines certification parameters
• IdentityIQ collects data
  • Formats the information into interactive access reviews
  • Routes access reviews to the appropriate reviewers
• Reviewers receive access reviews
  • Approve/revoke access
  • Sign off on the completed access review
• IdentityIQ takes action on revoked access
  • Directly revokes access, OR
  • Initiates a work item


Certification Time Periods

[Timeline diagram: Generation → Staging → Active → Challenge → Remediation. The System generates and stages the certification, the Certifier works the access review during the Active and Challenge periods, and the Remediator handles revokes during Remediation. Events marked on the timeline: Notification, Sign-Off, Revoke.]


Knowledge Check

Certification Configuration


Certification Configuration
Overview
• Select type of certification
  • What to certify
• Configure parameters unique to certification type
  • Certification contents
• Configure parameters standard to all certifications
  • Schedule, Lifecycle, Notifications, Behavior, etc.
• Configure rules for business-specific behavior
• Consider global configurations


What to Certify
Who certifies what?

| Type                      | Certifier             | Certifies                                                |
|---------------------------|-----------------------|----------------------------------------------------------|
| Manager                   | Manager               | Direct reports                                           |
| Application Owner         | Application Owner     | Identities accessing the application(s)                  |
| Entitlement Owner         | Entitlement Owner     | Identities accessing the application(s) (by entitlement) |
| Advanced                  | Selected per cert     | Population or group                                      |
| Role Membership           | Manager*              | Identities who have the role                             |
| Account Group Membership  | Account Group Owner*  | Identities who have the account group                    |
| Role Composition          | Role Owner*           | Access encapsulated in the role                          |
| Account Group Permissions | Account Group Owner*  | Access encapsulated in the account group                 |

*or selected reviewer

Certification Contents
Manager, Application Owner, Entitlement Owner, Advanced

| Content option                                                        | Manager | Application Owner | Entitlement Owner | Advanced |
|-----------------------------------------------------------------------|---------|-------------------|-------------------|----------|
| Which/all applications                                                | ✓       | ✓                 | ✓                 | ✓        |
| Certify Entitlements                                                  | ✓       | ✓                 | ✓                 | ✓        |
| Certify Accounts                                                      | ✓       | ✓                 |                   | ✓        |
| Include Roles                                                         | ✓       | ✓                 |                   | ✓        |
| Include entitlements not encapsulated in roles (Additional Entitlements) | ✓    | ✓                 |                   | ✓        |
| Include policy violations                                             | ✓       | ✓                 |                   | ✓        |


Certification Contents
Advanced Certification

Reminder: Populations and Groups are used to filter the identities to be included in an action (i.e. to be certified)
• Population: Set of users defined by a saved search query
• Group: Set of users defined by a single “group factory” attribute


Certification Configuration
Schedule and Behavior
• Schedule
  • Run Once, Scheduled
• Duration and types of Phases
  • Staging Period
  • Active Period
  • Challenge Period
  • Revocation Period
  • Automatic Closing (Rule, Revoke, Allow, Exception)
• Email notification parameters
  • Certification Reminders and Escalation
  • Revocation Reminders and Escalation
• Advanced
  • Exclusion, Pre-Delegation, Sign-Off Approver Rules
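As an added example (constructed for this page, not SailPoint code), the phase schedule these settings define, modelled in Python: each enabled period follows the previous one, Active is the only mandatory period, and the certification end falls at the close of Challenge when that period is enabled, otherwise at the close of Active. The day counts and the 2017 start date are constructed sample values.

```python
"""Constructed model of the certification phase schedule (Staging -> Active ->
Challenge -> Revocation) described in the deck; illustration, not SailPoint code."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Tuple


@dataclass(frozen=True)
class PhaseConfig:
    """Durations in days; 0 means the optional period is not enabled."""
    staging_days: int = 0
    active_days: int = 14
    challenge_days: int = 0
    revocation_days: int = 0


def phase_schedule(cfg: PhaseConfig, generated: date) -> List[Tuple[str, date, date]]:
    """(phase, start, end) in order, end exclusive; disabled periods are skipped."""
    if cfg.active_days <= 0:
        raise ValueError("the Active period is mandatory")
    order = [("Staging", cfg.staging_days), ("Active", cfg.active_days),
             ("Challenge", cfg.challenge_days), ("Revocation", cfg.revocation_days)]
    schedule, cursor = [], generated
    for name, days in order:
        if days > 0:
            end = cursor + timedelta(days=days)
            schedule.append((name, cursor, end))
            cursor = end
    return schedule


def phase_on(cfg: PhaseConfig, generated: date, day: date) -> str:
    """Phase in effect on `day`, or 'End' once every enabled period has passed."""
    for name, start, end in phase_schedule(cfg, generated):
        if start <= day < end:
            return name
    return "End"


def certification_end(cfg: PhaseConfig, generated: date) -> date:
    """Date the certification ends and sign-off can occur: end of Challenge if
    enabled, otherwise end of Active.  Any Revocation period runs after this."""
    ends = {name: end for name, _, end in phase_schedule(cfg, generated)}
    return ends.get("Challenge", ends["Active"])


# Constructed sample: 2-day staging, 2-week active, 3-day challenge, 1-week revocation
SAMPLE_CFG = PhaseConfig(staging_days=2, active_days=14, challenge_days=3, revocation_days=7)
SAMPLE_START = date(2017, 1, 1)  # constructed generation date
```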



Certification Configuration
Rules (Supplied by Implementation Team)
• Time Period Rules
  • Active Period Enter Rule
  • Challenge Period Enter Rule
  • Revocation Period Enter Rule
  • End Period Rule
  • Closing Rule
• Escalation
  • Escalation Rule for Expirations and Revocations
• Certification Control
  • Exclusion Rule
  • Pre-Delegation Rule
  • Sign Off Approver Rule


Certification Configuration
Global Configuration
• Set default configurations
  • Override on a per-certification basis
• Categories
  • Presentation
  • Lifecycle
  • Behavior
  • Decisions
  • Bulk Actions
  • Certification Contents
  • Email Templates


Targeted Identity Certifications
Configuration
• Identity Based
  • From Advanced Analytics
    • Select from query result to define who to certify
  • From policy violation work item
    • Policy violator is certified
  • From Identity Risk Scores (if risk configured)
    • Select from set of users based on risk score
• Data Based
  • Based on defined data change events
  • Change in identity data defines who to certify


Targeted Identity Certifications
Certification Events
• Data change events
  • New employee
  • Manager change
  • Department change
  • Based on rule evaluation
• Configuration
  • Setup → Certification → Certification Events


Targeted Identity Certifications
Configuring Certification Events
• Configure certification to run when event occurs
  • Configure certification options as usual
  • Define the event type that will invoke a certification


Certification Generation
• Multi-host environment
  • Runs on batch server
• Manager certification partitioning
  • Improved generation performance
  • Limit partitions to fewer than 50
• More information
  • Compass → IdentityIQ Whitepapers → Partitioning Best Practices


Knowledge Check

Certification Completion and Monitoring
Fundamentals of IdentityIQ Implementation
Overview
Access Certification
• Making Certification Decisions
• Certification Completion
• Monitoring Certifications



Certification Completion



Managing Access Reviews
• My Work → My Access Reviews


Managing Access Reviews
Identity Access Reviews
• View by Identities
• Segregated work
• Download to CSV


Access Reviews
Certifier Decisions
• Approve – No action taken
• Revoke – Remediations sent to remove access
• Bulk Decisions
  • Discouraged by auditors
  • Can be disabled
• Additional Information
  • Role expansion
  • Certification History
  • Allow Exception (if configured)
Access Reviews
Sharing Decision Making Responsibility

|                | Delegate                                               | Reassign                                                        | Forward                                                          |
|----------------|--------------------------------------------------------|-----------------------------------------------------------------|------------------------------------------------------------------|
| Scope          | Unique to access reviews                               | Unique to access reviews                                        | Applies to all work items                                        |
| Granularity    | Delegate whole entity or single line item              | Reassign whole entity, single line item, or bulk                | Entire access review sent to new owner                           |
| Mechanism      | Work item is sent to the delegate(s)                   | New child access review created and assigned to new owner(s)    | Retains previously made decisions, reassignments or delegations  |
| Recall         | Can be recalled                                        | Can be recalled                                                 | No option to recall                                              |
| Responsibility | Access review owner retains responsibility for all decisions | Child access review owner assumes responsibility for decisions | Passes all responsibility to the new owner                   |

See whitepaper on Compass: Delegation vs. Reassignment vs. Forwarding


Access Certification – Certification End
Users
• Certification ends
  • When challenge period is over (if enabled)
  • Sign off occurs
• Sign off is performed by the access review owner when
  • All certified entities (Identity, Account Group, Roles) reach completed state
  • Policy violations acted on
  • All subordinate access reviews are completed
    • Subordinate access reviews are manager/subordinate manager access reviews or reassigned or delegated access reviews
• Electronic signature can optionally be enabled
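The sharing options in the table above and the sign-off conditions just listed, as an added example written for this page rather than IdentityIQ code: a small Python model in which delegation keeps responsibility with the owner, reassignment moves it to a child review, forwarding moves the whole review, and sign-off readiness is checked recursively over the child reviews. Identity names and line items are constructed.

```python
"""Constructed model of Delegate/Reassign/Forward and sign-off readiness; not IdentityIQ code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class AccessReview:
    owner: str
    items: Dict[str, Optional[str]]  # line item -> "Approve" / "Revoke" / None (undecided)
    delegations: Dict[str, str] = field(default_factory=dict)  # line item -> delegate
    children: List["AccessReview"] = field(default_factory=list)  # reassigned child reviews
    violations_pending: int = 0  # policy violations not yet acted on

    def decide(self, item: str, decision: str) -> None:
        if item in self.delegations:
            raise ValueError(f"{item} is delegated; recall it or wait for the delegate")
        self.items[item] = decision

    def delegate(self, item: str, delegate: str) -> None:
        """Work item goes to the delegate; this owner keeps responsibility and can recall."""
        self.delegations[item] = delegate

    def complete_delegation(self, item: str, decision: str) -> None:
        """The delegate's decision returns to the owner's review."""
        del self.delegations[item]
        self.items[item] = decision

    def recall_delegation(self, item: str) -> None:
        del self.delegations[item]

    def reassign(self, items: List[str], new_owner: str) -> "AccessReview":
        """Child review owned by new_owner, who assumes responsibility for those decisions."""
        child = AccessReview(new_owner, {i: self.items.pop(i) for i in items})
        self.children.append(child)
        return child

    def forward(self, new_owner: str) -> None:
        """Whole review moves to new_owner with decisions, delegations and children intact."""
        self.owner = new_owner

    def can_sign_off(self) -> bool:
        """All entities decided, no delegation outstanding, violations acted on, children complete."""
        return (all(d is not None for d in self.items.values())
                and not self.delegations and self.violations_pending == 0
                and all(c.can_sign_off() for c in self.children))

    def revocations(self) -> List[str]:
        """Line items that remediation would process after sign-off, children included."""
        own = [i for i, d in self.items.items() if d == "Revoke"]
        return own + [r for c in self.children for r in c.revocations()]
```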



Access Certification – Certification End
Electronic Signatures
• Available for
• Certification Sign-off
• Access Sign-off
• Report Sign-off
• Process
• Reauthenticate
• Formal meaning assigned
• Make objects immutable



Access Certification – Certification End
PerformMaintenance Task
• Runs periodically
• Checks for certification completion and sign-off
• Updates certification history
• Launches RemediationManager to process revokes
• Direct updates
• Tickets in service desk system
• IdentityIQ Workitem



Knowledge Check

Certification Monitoring



Certifications – Monitoring Progress
• Setup → Certifications
• Oversee progress of certification campaign
• Modify in-flight certification


Certifications – Analytics



Certifications – Reporting



Knowledge Check

Next Step?

Practice Exercises


Exercise Preview
Section 2, Exercises 6, 7, 8
• Continue to identify and correct issues with users’ access
  • Exercise 6: Certification of PAM Application and Account Groups
  • Exercise 7: Manager Certification with Rules
  • Exercise 8: Certification by Populations and Groups
