Group entitlement

Introduction

You can create a group entitlement certification campaign to certify the application access that is granted to groups.

Steps to guide you, with an example

  1. Create campaign
  2. View campaign
  3. Edit campaign
  4. Pause and resume campaign
  5. Cancel campaign

1. Create campaign

Navigate to Applications -> Access certification -> Create campaign

  • General setup
    Specify the campaign name, optionally add a description, and select the Group entitlement campaign type and a priority.

  • Scope
    Select the applications whose access is reviewed in this campaign. All groups that are entitled to the selected applications are included. To limit the campaign's scope to a smaller number of groups, use the Include only option to select specific groups, or use the Except for option to select all entitled groups except the specified groups. If groups are added in the Include only section, the Except for configuration is ignored.

    [Screenshot: Scope applications]

    [Screenshot: Scope groups]

  • Reviewer settings
    Select the reviewer who certifies access for the groups. There are 2 options for selecting the reviewer.

    - **Application owner**: a review notification will be sent to the owner of each application in the campaign.

    - **Specify reviewer**: search for a user and add a single reviewer for all groups in the campaign.

    You can choose to only log the reviewer's decisions to learn about each group's entitlements. In that case, there is no change in the groups' entitlements. Otherwise, you can choose when the reviewer's decisions take effect.

    - **When the campaign ends**: A rejection triggers revocation of the entitlement and deprovisioning of the account, according to the lifecycle policy for the application, once the campaign ends.

    - **Immediately**: A rejection triggers an immediate revocation of the entitlement and deprovisioning of the account, according to the lifecycle policy for the application.

    - **Let the reviewer decide**: The reviewer can decide to revoke the entitlement immediately or when the campaign ends.

    
  • Campaign supervisor settings
    If you want other users to help you track the progress of the campaign, you can add one or more users as supervisors of the campaign. They can track the progress of the campaign along with you.

  • Schedule
    You can either start the campaign immediately or select a start date and time along with a frequency to re-run the campaign. The duration of the campaign, during which the reviewer certifies access, should be between 1 and 365 days.

    [Screenshot: Schedule immediately]

    [Screenshot: Schedule later on]

  • Reminder and campaign end
    If you want to set a reminder for reviewers, you can specify the number of days before the campaign ends during which daily reminders are sent to the reviewer. You can also define the action for unreviewed entitlements after the campaign ends.

    - **Take no action**: There will be no change in the entitlements.
    
    - **Approve all**: All entitlements will be approved automatically.
    
    - **Reject all**: All entitlements will be rejected automatically.
    
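The scope, decision and campaign-end settings above interact, so the following added example (not product code and not an IBM API) models them in Python: Include only overriding Except for, log-only mode, and the action for unreviewed entitlements. All class and function names are hypothetical, and it assumes that Include only selects among entitled groups and that an automatic rejection revokes access the same way a reviewer's rejection does.

```python
# Added illustration; every name here is hypothetical, not the product's API.
from dataclasses import dataclass, field, replace

@dataclass
class Campaign:
    applications: set
    include_only: set = field(default_factory=set)
    except_for: set = field(default_factory=set)
    log_only: bool = False                      # log decisions, change nothing
    unreviewed_action: str = "take_no_action"   # or "approve_all" / "reject_all"

def groups_in_scope(campaign, entitlements):
    """Groups entitled to a selected application, after the scope filters."""
    entitled = {g for g, apps in entitlements.items()
                if apps & campaign.applications}
    if campaign.include_only:
        # Include only wins: the Except for list is ignored entirely.
        return entitled & campaign.include_only
    return entitled - campaign.except_for

def revoked_after_campaign(campaign, entitlements, decisions):
    """(group, application) pairs revoked once the campaign has ended."""
    if campaign.log_only:
        return set()
    revoked = set()
    for group in groups_in_scope(campaign, entitlements):
        for app in entitlements[group] & campaign.applications:
            decision = decisions.get((group, app))
            if decision is None:  # unreviewed when the campaign ended
                decision = {"approve_all": "approve",
                            "reject_all": "reject"}.get(campaign.unreviewed_action)
            if decision == "reject":
                revoked.add((group, app))
    return revoked

# Constructed sample data.
ENTITLEMENTS = {"finance": {"payroll", "erp"}, "contractors": {"payroll"},
                "it-admins": {"erp", "vpn"}, "interns": {"wiki"}}
DECISIONS = {("contractors", "payroll"): "reject", ("it-admins", "erp"): "approve"}
BASE = Campaign(applications={"payroll", "erp"})

if __name__ == "__main__":
    both = replace(BASE, include_only={"contractors"}, except_for={"contractors"})
    print(sorted(groups_in_scope(both, ENTITLEMENTS)))
    for action in ("take_no_action", "approve_all", "reject_all"):
        c = replace(BASE, unreviewed_action=action)
        print(action, sorted(revoked_after_campaign(c, ENTITLEMENTS, DECISIONS)))
```

In this model, Reject all is the only campaign-end action that removes access nobody reviewed, while Approve all and Take no action both leave the unreviewed finance entitlements in place.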

2. View campaign

You can select a campaign to view its configuration details and progress.

  • Campaign results by reviewer
  • Campaign results by entitlement

3. Edit campaign

You can edit the description and priority of the campaign.

4. Pause and resume campaign

You can pause the campaign.

Once the campaign is paused, reviewers no longer see the campaign to certify the entitlements.

You can also resume the campaign.

Once the campaign is resumed, reviewers see the campaign again and can certify the entitlements.

5. Cancel campaign

You can cancel the campaign.

Once the campaign is cancelled, it is no longer available for review.


Aakash Prajapati, IBM Security