SOD Auto remediation

Good morning all,
We have a robust preventative SOD when access is requested through the correct channels (via ServiceNow). However, we are looking at remediating backdoor access.
I’ve written a PowerShell script that does the following:
1 - gets all SOD policies
2 - runs the violation report for each policy
3 - for each violation, checks which entitlement has been most recently added
4 - revokes that entitlement
5 - emails the user and line manager about what has happened

We are still in the testing stage, but once complete, this script will be hosted on a server and run every hour.

I feel that this is a good solution, but I am wondering if I can get any feedback, and/or if anyone else has implemented something similar, what route they took.

Thanks

Hi @phil_awlings

As you already have a strong preventative SOD in place, those backdoor accesses will not be too many.

And your approach is good in my point of view, but the only thing I’m aware of is the decision-making policy. If you have sets of entitlements on both sides of your SOD policy configuration, would you always be able to check and detect the last entitlement?

I would prefer a kind of interactive forms + workflows approach where, for each violation, you can assign an interactive form to the manager or the violation owner, who can decide which access should be removed, and workflows will do it automatically.

Thanks.

It’s the managers of the SOD policies who are either trying to backdoor access or are ignoring the tickets that are being created requesting them to make a decision.
Interactive forms are an interesting way, but can leave a violation active for periods of time. In my opinion, any violation should be immediately resolved.

As the script is running frequently, it will always be able to check which entitlement is the most recent from this endpoint:
$tenant.api.identitynow.com/v2025/historical-identities/$IdentityId/events?startDate=$start&endDate=$end
Just compare the date stamp and revoke the most recent one.
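The selection step from the original post (most recent conflicting grant wins), with the "sets on both sides" case raised in the reply handled explicitly, as an added example rather than the poster's own script. It assumes the history events have already been fetched and carry `type`, `entitlementId` and `dateTime` properties; that event shape, the `AccessAdded` value, and the sample data are constructed, since the thread does not show the real response schema.

```powershell
# Added example (not the original poster's script). Event shape is assumed:
# objects with 'type', 'entitlementId' and 'dateTime' properties.
function Select-EntitlementToRevoke {
    param(
        [Parameter(Mandatory)] [string[]] $LeftSide,   # one side of the SOD policy
        [Parameter(Mandatory)] [string[]] $RightSide,  # the other side
        [Parameter(Mandatory)] [string[]] $Held,       # entitlement ids the identity holds now
        [Parameter(Mandatory)] [object[]] $Events      # fetched history events (assumed shape)
    )
    $heldLeft  = @($Held | Where-Object { $LeftSide  -contains $_ })
    $heldRight = @($Held | Where-Object { $RightSide -contains $_ })
    if ($heldLeft.Count -eq 0 -or $heldRight.Count -eq 0) {
        return [pscustomobject]@{ Action = 'None'; EntitlementId = $null; Reason = 'No active conflict' }
    }
    $conflicting = $heldLeft + $heldRight
    # Only grant events for entitlements involved in this violation, newest first
    $grants = @($Events |
        Where-Object { $_.type -eq 'AccessAdded' -and $conflicting -contains $_.entitlementId } |
        Sort-Object { [datetime]$_.dateTime } -Descending)
    if ($grants.Count -eq 0) {
        # Nothing in the query window explains the violation: do not guess
        return [pscustomobject]@{ Action = 'ManualReview'; EntitlementId = $null; Reason = 'No grant event in window' }
    }
    $newest = $grants[0]
    $sameInstant = @($grants | Where-Object { [datetime]$_.dateTime -eq [datetime]$newest.dateTime })
    if ($sameInstant.Count -gt 1) {
        # Two conflicting grants at the same instant (e.g. one bulk add): no clear "latest"
        return [pscustomobject]@{ Action = 'ManualReview'; EntitlementId = $null; Reason = 'Simultaneous grants' }
    }
    # With sets on both sides, removing only the newest grant may leave the identity
    # still holding something on each side, so the violation would persist.
    $remaining  = @($Held | Where-Object { $_ -ne $newest.entitlementId })
    $leftAfter  = @($remaining | Where-Object { $LeftSide  -contains $_ }).Count
    $rightAfter = @($remaining | Where-Object { $RightSide -contains $_ }).Count
    if ($leftAfter -gt 0 -and $rightAfter -gt 0) {
        return [pscustomobject]@{ Action = 'ManualReview'; EntitlementId = $newest.entitlementId; Reason = 'Revoking newest alone does not clear the violation' }
    }
    return [pscustomobject]@{ Action = 'Revoke'; EntitlementId = $newest.entitlementId; Reason = 'Most recent conflicting grant' }
}

# Constructed sample: policy {A,B} vs {C}; identity holds A, B and C; B was granted last.
# Revoking B alone still leaves A vs C in conflict, so the result is ManualReview.
$events = @(
    [pscustomobject]@{ type = 'AccessAdded'; entitlementId = 'A'; dateTime = '2024-05-01T08:00:00Z' },
    [pscustomobject]@{ type = 'AccessAdded'; entitlementId = 'C'; dateTime = '2024-05-02T09:30:00Z' },
    [pscustomobject]@{ type = 'AccessAdded'; entitlementId = 'B'; dateTime = '2024-05-03T11:15:00Z' }
)
Select-EntitlementToRevoke -LeftSide 'A','B' -RightSide 'C' -Held 'A','B','C' -Events $events
```

Swapping the last event for a grant of C yields Action = Revoke for C, since removing it clears the right side entirely.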

Hi @phil_awlings

Your approach to handling SoD policy violations is quite comprehensive and is a good solution in my opinion.

However, one thing I might ask you to consider: setting up SoD email subscriptions in ISC.

This would reduce the overhead of your PS script by ISC sending the report via email. Additionally, if the option ‘Send the report even when there are no violations’ is disabled, it could further reduce execution times for each cycle.

Hope this helps!

Hi @ksbagade
It’s an interesting idea wrt setting up the subscription.
The fundamental problem that I have with it is that unless it is being run on a very frequent basis (my script is running hourly), the violation could exist for a significant period of time.
I don’t think that our auditors would be happy with that.

On top of that, I feel that it’s adding layers of complexity by trying to get a PowerShell script to respond to an inbound email containing a CSV file (and by complexity, I mean I’ve no idea how to handle that off the top of my head).