Recertification

Introduction to Recertification

What is Recertification?

The Recertification addon provides the functionality to review access rights to make sure the users have access only to what they need.  This process increases security and makes the recertification process auditable and compliant.

Soffid uses this functionality to mitigate access risk, reduce review times, and reduce cost.

Recertification allows you to take immediate action to correct inconsistent or unauthorized permissions to prevent unwarranted access. These changes will be implemented in real-time with your IAM provisioning solution on the source systems.

Soffid will use three different concepts:

1. Recertification policies: to determine the type and scope of the recertification process and the users involved in it.

2. Recertification campaign: to identify the groups and information systems to look for roles or accounts to recertify.

3. Recertifications to do: the worklist of pending recertifications.

Features

* Mitigates access risks.

* Reduces review times.

* Enacted changes in real-time.

* Correct inconsistent or unauthorized permission.

How to install Recertification in Soffid

Installation

Download

Please download the Soffid Recertification add-on.

You can download it from http://www.soffid.com/download/enterprise/ if you have a Soffid user with authorization, or from http://download.soffid.com/download/ by registering.

Upload 

1. Once the Recertification add-on is downloaded, please log in to the IAM Console.

You need to be an administrator user of the Soffid console or a user with permission to upload addons.

2. In the Soffid console, please go to:

Main Menu > Administration > Configure Soffid > Global Settings > Plugins

3. Then click the add button (+) and pick the file; Soffid will upload the addon file.

For more information visit the Addons Getting started page.

4. Finally, once the addon is installed, the Soffid console must be restarted.

5. Once the Soffid console has restarted, you can check that the plugin was uploaded properly on the plugins page:

Main Menu > Administration > Configure Soffid > Global Settings > Plugins

6. To begin the recertification process, a user with SOFFID_ADMIN permission must start it.

Recertification policies

Description

Soffid allows you to establish some policies to define the scope of the recertification process.

Menu option

Main Menu > Administration > Configuration > Security settings > Recertification policies

Screen overview

image-1653572713094.png

Custom attributes

(*1) grant object is a com.soffid.iam.api.RoleAccount object.

Examples

Some sample scripts for the filters and approval steps are shown below.

Filter

Return all grants with risk.

return grant.sodRisk != null 
	&& grant.sodRisk != es.caib.seycon.ng.comu.SoDRisk.SOD_NA;

Steps

// Approval step script: returns the owners of the granted account,
// separated by spaces, or "admin" when the account has no owners.
account = serviceLocator.getAccountService().findAccountById(grant.accountId);
StringBuffer sb = new StringBuffer();
for (owner : account.ownerUsers) {
  if (sb.length() > 0)
    sb.append(" ");
  sb.append(owner);
}
if (sb.length() > 0)
  return sb.toString();
else
  return "admin";

// Approval step script: returns the users listed in the role's "owner"
// attribute, separated by spaces, or "admin" when the attribute is empty.
com.soffid.iam.api.Role role = serviceLocator.getApplicationService().findRoleByNameAndSystem(grant.roleName, grant.system);
StringBuffer sb = new StringBuffer();
List owners = role.getAttributes().get("owner");
if (owners != null) {
  // Iterate over the values of the role's "owner" attribute
  for (owner : owners) {
    if (sb.length() > 0)
      sb.append(" ");
    sb.append(owner);
  }
}

if (sb.length() == 0)
  return "admin";
else
  return sb.toString();
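
To see how the filter and the two step scripts above route recertifications, the following added example (not Soffid code and not part of the original page) models them offline in Python. The dictionaries, ids, user names and the RISK_X label are constructed; only SOD_NA, ownerUsers, the role "owner" attribute and the "admin" fallback come from the page.

```python
# Added example: offline model of the filter and step scripts above.
# Field names mirror the page (sodRisk, accountId, roleName, system,
# ownerUsers, role attribute "owner"); all sample data is constructed.
from collections import defaultdict

FALLBACK = "admin"  # fallback approver returned by both step scripts

def in_scope(grant):
    """Filter: keep only grants that carry an SoD risk other than SOD_NA."""
    return grant.get("sodRisk") not in (None, "SOD_NA")

def approvers(names):
    """Step result: space-separated user names, or the fallback if none."""
    return " ".join(names) if names else FALLBACK

def route(grants, accounts, roles):
    """Return ({approvers: [grant ids]}, {...}) for step 1 and step 2."""
    step1, step2 = defaultdict(list), defaultdict(list)
    for g in filter(in_scope, grants):
        owners = accounts.get(g["accountId"], {}).get("ownerUsers", [])
        role = roles.get((g["roleName"], g["system"]), {})
        step1[approvers(owners)].append(g["id"])
        step2[approvers(role.get("owner") or [])].append(g["id"])
    return dict(step1), dict(step2)

def unowned(routing):
    """Grants that fell through to the fallback approver. Worth reviewing
    before a campaign starts, since one user ends up certifying them all."""
    return routing.get(FALLBACK, [])

# Constructed sample data. RISK_X stands for any risk value other than SOD_NA.
ACCOUNTS = {10: {"ownerUsers": ["alice", "bob"]}, 11: {"ownerUsers": []}}
ROLES = {("dba", "oracle"): {"owner": ["carol"]}, ("ops", "linux"): {}}
GRANTS = [
    {"id": 1, "accountId": 10, "roleName": "dba", "system": "oracle", "sodRisk": "RISK_X"},
    {"id": 2, "accountId": 11, "roleName": "ops", "system": "linux", "sodRisk": "RISK_X"},
    {"id": 3, "accountId": 10, "roleName": "ops", "system": "linux", "sodRisk": "SOD_NA"},
    {"id": 4, "accountId": 11, "roleName": "dba", "system": "oracle", "sodRisk": None},
]

if __name__ == "__main__":
    s1, s2 = route(GRANTS, ACCOUNTS, ROLES)
    print("step 1:", s1, "-> fallback:", unowned(s1))
    print("step 2:", s2, "-> fallback:", unowned(s2))
```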

Mail template

image-1653470454738.png

Actions

Recertification policies query

Add new

Allows you to add a new Recertification policy. You can choose that option on the hamburger menu or click the add button (+).

To add a new policy, it is necessary to fill in the required fields.

Delete

Allows you to remove one or more Recertification policies by selecting one or more records and then clicking the button with the subtraction symbol (-).

To perform that action, Soffid will ask you for confirmation; you can confirm or cancel the operation.

Import

Allows you to upload a CSV file with the Recertification policies to add or update the attribute definition to Soffid.

First, you need to pick a CSV file; that CSV has to contain a specific configuration. Then you need to check the content to be loaded; you can choose whether or not to load a specific attribute. Finally, you need to select the mappings for each column of the CSV file to import the data correctly and click the Import button.

Download CSV file

Allows you to download a CSV file with the basic information of all Recertification policies. 

Add or remove columns

Allows you to show and hide columns in the table. You can also set the order in which the columns will be displayed. The selected columns and order will be saved for the next time Soffid displays the page to the user.

Recertification policies details

Apply changes

Allows you to save the data of a new policy or to update the data of a specific policy and quit. To save the data it will be mandatory to fill in the required fields.

Save

Allows you to save the data of a new policy or to update the data of a specific policy. To save the data it will be mandatory to fill in the required fields.

Delete

Allows you to remove a specific policy. You can choose that option on the hamburger icon.

To perform that action, Soffid will ask you for confirmation; you can confirm or cancel the operation.

Undo

Allows you to quit without applying any changes. 



https://download.soffid.com/doc/console/latest/uml/es/caib/seycon/ng/comu/SoDRisk.html

Recertification campaigns

Description

Soffid allows you to define new campaigns to review the users' access rights and to assign who has to recertify or revoke their entitlements.

You can create a campaign related to a previously defined recertification policy. Depending on the policy type selected, you will have to fill in some required information to create a new campaign.

To create a new campaign, it is mandatory that one or more accounts for recertification exist.

When a campaign is created, its initial status will be Preparation. This status will change to Active automatically. The status will be Finished when the proper users approve or deny the recertifications.

Menu option

Main Menu > Administration > Resources > Recertification campaigns

Screen overview

image-1653636505476.png

Custom attributes

Basic

Others

Actions

Recertification campaigns query

Add new

Allows you to add a new Recertification policy. You can choose that option on the hamburger menu or click the add button (+).

To add a new one, it is necessary to fill in the required fields.

Delete

Allows you to remove one or more Recertification policies by selecting one or more records and then clicking the button with the subtraction symbol (-).

To perform that action, Soffid will ask you for confirmation; you can confirm or cancel the operation.

Import

Allows you to upload a CSV file with the Recertification policies to add or update the attribute definition to Soffid.

First, you need to pick a CSV file; that CSV has to contain a specific configuration. Then you need to check the content to be loaded; you can choose whether or not to load a specific attribute. Finally, you need to select the mappings for each column of the CSV file to import the data correctly and click the Import button.

Download CSV file

Allows you to download a CSV file with the basic information of all Recertification policies. 

Add or remove columns

Allows you to show and hide columns in the table. You can also set the order in which the columns will be displayed. The selected columns and order will be saved for the next time Soffid displays the page to the user.

Recertification campaigns details

Click group

By clicking a record group, Soffid will display the group members' list.

Show details

Displays a detailed list with the recertification data for each user to recertify.

Delete

Allows you to delete a recertification campaign. You can select this option on the hamburger menu. 

It is not allowed to delete a recertification process once it has been started.

Recertification details

Delegate

Allows you to delegate to another user the recertification by clicking a record group or by selecting one or more records, Soffid will display the group members' list.

Back

Allows you to delegate the operation to approve or deny the process. Once you click the delegate option, Soffid will allow you to select one or more users to delegate the process.

Recertifications to do

Description

When a campaign is run, the pending recertifications will be displayed in the Recertifications to-do list of the proper user, who has to Accept or Deny each recertification. That user can also delegate the recertification to another user.

Menu option

Main Menu > Recertifications to do

Screen overview

image-1687763668120.png

Custom attributes

Recertifications campaign list

Recertifications to do list

Actions

Recertifications campaign

Click recertification

If you click a campaign record, Soffid will display the recertifications to do list.

Recertifications to do list

Pending endorsement

In the pending endorsement column, you can approve or deny the recertification for each user who appears on this list. You can approve or deny by clicking on the proper check.

  • approve ->
  • deny       -> 

Apply changes

Allows you to save the accepted and denied recertifications. Before applying changes, you need to select for each recertification whether you approve or deny it. You can also write a comment.

Once you apply changes, the recertifications executed will be removed from the recertifications to do list.

Back

Allows you to quit without applying any changes.

Delegate

Allows you to delegate the operation to approve or deny the process. Once you click the delegate option, Soffid will allow you to select one or more users to delegate the process.

Browse user

By clicking the user, Soffid will open a new window with the user data.

Browse entitlement

By clicking the entitlement, Soffid will open a new window with the role data.

Recertification Examples

Shared account entitlements