Recommendations for Optimal Approach to Managing Certification and Access Reviews

Which IIQ version are you inquiring about?

Version 8.3

Share all details related to your problem, including any error messages you may have received.

Greetings to everyone,

I hope everyone is well. We are seeking recommendations for the following matter.

At the moment, RBAC implementation is presently underway, with certain applications already integrated and RBAC already established for those applications. The user access review team is conducting application-specific reviews, with the manager serving as the reviewer (given that the approver is always the manager when requesting any access).

The complexity of the data that requires review makes this task challenging. Business roles may have access to applications that are either required or permitted. The access review must encompass all the access that the user has on the application, whether through business+required, business+permitted, or additional entitlements that are not part of the RBAC. Reviewable items include Business, Permitted, Additional entitlements, and IT roles that are not obtained through the business role.

Upon analyzing the above requirements, we have identified some deficiencies in the certification process. Specifically, permitted roles are not included in the manager certification, as well as in the targeted certification (where we selected the source as the application). We have explored other certifications but have not obtained the desired results. We are currently investigating options to resolve this issue.

Our current strategy to achieve the desired outcome is as follows:

  1. Role membership: We will use the application name as a tag and exclude all non-application related bundles using the exclusion rule.
  2. Manager certification with the application as a filter: This will enable us to review additional entitlements that are not part of any bundles yet.

We would like to verify if this approach is the correct one or if there are any minimal configuration adjustments that can assist us in achieving the desired outcome more effectively.
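One way to implement the exclusion rule from step 1, as an added example that is not from the original post or from SailPoint's own documentation: an IdentityIQ certification exclusion rule in BeanShell (Java syntax). IIQ injects `entity`, `items` and `itemsToExclude`; the application name `SAP-PROD` is a constructed placeholder, and in place of the tag the post mentions the rule treats a role as application-related when one of its profiles, or a required/permitted role it references, targets that application.

```java
// Added example (not from the original post): IIQ certification exclusion rule.
// IIQ injects: entity (AbstractCertifiableEntity), items (List of Certifiable),
// itemsToExclude (List). Returns a String explanation for the exclusion.
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import sailpoint.object.Bundle;
import sailpoint.object.Profile;

String appName = "SAP-PROD";   // constructed placeholder for the application under review

// A role is related to the application if one of its profiles targets it, or if
// any required/permitted role it references does. The visited set makes the
// walk cycle-safe across role hierarchies.
boolean relatedToApp(Bundle role, String app, Set visited) {
    if (role == null || !visited.add(role.getId())) return false;
    List profiles = role.getProfiles();
    if (profiles != null) {
        for (Object o : profiles) {
            Profile p = (Profile) o;
            if (p.getApplication() != null && app.equals(p.getApplication().getName())) return true;
        }
    }
    List linked = new ArrayList();
    if (role.getRequirements() != null) linked.addAll(role.getRequirements());
    if (role.getPermits() != null) linked.addAll(role.getPermits());
    for (Object o : linked) {
        if (relatedToApp((Bundle) o, app, visited)) return true;
    }
    return false;
}

// Case 1: the certified entity is the role itself. Exclude every item of an
// unrelated role so the whole entity drops out of the certification.
if (entity instanceof Bundle && !relatedToApp((Bundle) entity, appName, new HashSet())) {
    itemsToExclude.addAll(items);
    items.clear();
    return "Role is not related to " + appName;
}

// Case 2: the entity is an identity and roles appear as items. Move each
// unrelated role item to itemsToExclude; entitlement items are left untouched.
Iterator it = items.iterator();
int excluded = 0;
while (it.hasNext()) {
    Object item = it.next();
    if (item instanceof Bundle && !relatedToApp((Bundle) item, appName, new HashSet())) {
        itemsToExclude.add(item);
        it.remove();
        excluded++;
    }
}
return excluded + " role item(s) excluded as unrelated to " + appName;
```

Attach the rule as the exclusion rule of the certification definition; items placed in `itemsToExclude` are recorded as excluded rather than silently dropped, so the review team can still audit what the rule removed.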

Hi Ramireddy,

When you mention permitted roles, in this case are these soft or hard permitted roles? In other words, are these permitted roles explicitly requested as part of a business role request (hard) or are they detected via role detection (soft) after the business role has been assigned?
