Recertification

Recertification

What is the Recertification process?

What is the Recertification process?

Recertification is a business process consisting of a periodic assessment carried out internally by a company to verify that it continues to comply with the standards of a regulation, management system or its own internal processes, ensuring that its processes, knowledge, assets and data are kept up to date, with the highest possible quality and avoiding problems and information leaks. 

Each company decides which assets require greater focus and therefore greater control. This control can come from implementing workflows to control which people can perform which actions, who has authorisation over which data, or simply who is responsible for each asset.

Recertification is a manual, guided, or automated process to ensure that all individuals have the appropriate responsibility for their assets, and that users of those assets also have the correct access to them.

In summary, recertification is a control and updating mechanism for maintaining valid permits and certifications, adapting to changing standards and ensuring the competence or necessity of the right granted. 

Introduction to the Recertification addon

What is the Recertification addon?

The Recertification addon provides the functionality to review access rights to make sure the users have access only to what they need.

This Soffid's functionality increases security, mitigates access risk, reduces review times, reduce the cost and also becomes the process auditable and compliant.

Recertification allows you to take immediate action to correct inconsistent or unauthorized permissions to prevent unwarranted access. These changes will be applied in real time with our provisioning solution in the source systems.

Concepts

Soffid uses three different concepts:

1. Recertification policies: the first step is to define and configure the different recertification processes based on the type and scope of the recertification process and the users involved in it.

2. Recertification campaign: once we have the policies, we can create recertification campaigns for each of them, identifying the groups and information systems in which to search for roles or accounts to recertify.

3. Recertification to do: this is the list of pending recertification campaigns along with the internal tasks that still need to be completed.

How to install Recertification addon in Soffid

Installation

Introduction

To use an addon in Soffid, you must download and install it in the Console. There are two ways to do this.

1.  The first option is to use the Soffid 4 marketplace. You can download and upload it directly from the Licence and plugin page.

2. The second option is to download the file from the Soffid download page and then upload it to the Console.

Soffid 4 marketplace

Soffid 4 allows you to install and update plugins through the new Addons marketplace feature.

To access the marketplace, you must have a valid token to use Soffid and have configured the Console via https. Please check the License and plugin page.

1. Please log in to IAM Console.

You need to be an administrator user of the Soffid console or a user with permission to upload addons.

2. In the Soffid console, please go to the License and plugin page.

Main Menu > Configuration > Global Settings > License and plugin

3. Then, click the add button "Add new" button, open the "Soffid Addons" secction and select the "Instlla addon" option, Soffild will upload the addon file.

Image

image.png

image.png

image.png

image.png

4. Finally, when the addon is installed, the Consola has to be restarted, a popup will be displayed to perform this action, you can choose to do it now or later.

Image

image.png

5. Once the Soffid console has restarted, you can check if the plugin was correctly uploaded on the "License and plugins" page.

Main Menu > Configuration > Global Settings > License and plugin

6. Now, you can configure the addon.

Download an upload

1. You could download the addon at the following link http://www.soffid.com/download/enterprise/ if you have a Soffid user with authorization, or in the following http://download.soffid.com/download/ by registering.

The addons are in the Addon seccion.

Image

image.png

2. Once the addon is downloaded, please log in to IAM Console.

You need to be an administrator user of the Soffid console or a user with permission to upload addons.

3. In the Soffid console, please go to the License and plugin page.

Soffid 3: 

Main Menu > Administration > Configuration > Global Settings > Plugins

Soffid 4:

          Main Menu > Configuration > Global Settings > License and plugin

4.  Then, click the add button "Upload" and pick the file and click the "Select" button and Soffild will upload the addon file.

Image

image.png

image.png


5. Finally, when the addon is installed, the Consola has to be restarted, a popup will be displayed to perform this action, you can choose to do it now or later.

Image

image.png

6. Once the Soffid console has restarted, you can check if the plugin was correctly uploaded on the "License and plugins" page.

Main Menu > Configuration > Global Settings > License and plugin

7. Now, you can configure the addon.

Recertification policies

Description

Soffid allows you to establish some policies to define the scope of the recertification process.

Menu option

Main Menu > Administration > Configuration > Security settings > Recertification policies

Screen overview

image-1653572713094.png

Custom attributes

(*1) grant object is a com.soffid.iam.api.RoleAccount object.

Examples

Some sample scripts for the filters and approval steps are shown below

Filter

Return all grants with risk.

return grant.sodRisk != null 
	&& grant.sodRisk != es.caib.seycon.ng.comu.SoDRisk.SOD_NA;

Steps

account = serviceLocator.getAccountService().findAccountById(grant.accountId);
StringBuffer sb =  new StringBuffer();
for (owner : account.ownerUsers) {
  if (sb.length() > 0)
    sb.append(" ");
  
  sb.append(owner);
}
if (sb.length() > 0) 
  return sb.toString();
else 
  return "admin";
com.soffid.iam.api.Role role = serviceLocator.getApplicationService().findRoleByNameAndSystem(grant.roleName, grant.system);
StringBuffer sb =  new StringBuffer();
List owners = role.getAttributes().get("owner");
if (owners != null) {
	for (owner : account.ownerUsers) {
    	if (sb.length() > 0)
    		sb.append(" ");
        
        sb.append(owner);
	}
}

if (sb.length() == 0) 
	return "admin";
else 
	return sb.toString();

Mail template

image-1653470454738.png

Actions

 Recertification policies query

Add new

Allows you to add a new Recertification policy. You can choose that option on the hamburger menu or click the add button (+).

To add a new it is necessary to fill in the required fields.
Delete

Allows you to remove one or moreRecertification policies by selecting one or more records and next clicking the button with the subtraction symbol (-).

To perform that action, Soffid will ask you for confirmation, you could confirm or cancel the operation.
Import

Allows you to upload a CSV file with the Recertification policies to add or update the attribute definition to Soffid.

First, you need to pick up a CSV file, that CSV has to contain a specific configuration. Then you need to check the content to be loaded, it is allowed to choose if you want or not to load a specific attribute. And finally, you need to select the mappings for each column of the CSV file to import the data correctly and click the Import button.

Download CSV file

Allows you to download a CSV file with the basic information of all Recertification policies. 

Add or remove columns

 Allows you to show and hide columns in the table. You can also set the order in which the columns will be displayed. The selected columns and order will be saved for the next time Soffid displays the page to the user. 

 Recertification policies details

Apply changes

Allows you to save the data of a new policy or to update the data of a specific policy and quit. To save the data it will be mandatory to fill in the required fields.

Save

Allows you to save the data of a new policy or to update the data of a specific policy. To save the data it will be mandatory to fill in the required fields.

Delete

Allows you to remove a specific policy. You can choose that option on the hamburger icon.

To perform that action, Soffid will ask you for confirmation, you could confirm or cancel the operation.

Undo

Allows you to quit without applying any changes. 


https://download.soffid.com/doc/console/latest/uml/es/caib/seycon/ng/comu/SoDRisk.html

Recertification campaigns

Description

Soffid allows you to define new campaigns to review the users' access rights and to assign who has to recertify or revoke their entitlements.

You can create a campaign related to a previously defined recertification policy. Depending on the policy type selected, you will have to fill in some required information to create a new campaign.

To create a new campaign, will be mandatory that one or more accounts for recertification exist.

When a campaign is created, the initial status will be Preparation. This status will change to Active automatically. The Finished status will be when the proper users approve or deny the recertifications

Menu option

Main Menu > Administration > Resources > Recertification campaigns

Screen overview

image-1653636505476.png

Custom attributes

Basic

Others

Actions

 Recertification campaigns query

Add new

Allows you to add a new Recertification policy. You can choose that option on the hamburger menu or click the add button (+).

To add a new it is necessary to fill in the required fields.
Delete

Allows you to remove one or moreRecertification policies by selecting one or more records and next clicking the button with the subtraction symbol (-).

To perform that action, Soffid will ask you for confirmation, you could confirm or cancel the operation.
Import

Allows you to upload a CSV file with the Recertification policies to add or update the attribute definition to Soffid.

First, you need to pick up a CSV file, that CSV has to contain a specific configuration. Then you need to check the content to be loaded, it is allowed to choose if you want or not to load a specific attribute. And finally, you need to select the mappings for each column of the CSV file to import the data correctly and click the Import button.

Download CSV file

Allows you to download a CSV file with the basic information of all Recertification policies. 

Add or remove columns

 Allows you to show and hide columns in the table. You can also set the order in which the columns will be displayed. The selected columns and order will be saved for the next time Soffid displays the page to the user. 

 Recertification campaigns details

Click group

By clicking a record group, Soffid will display the group members' list.
Show details

Displays a detailed list with the recertification data for each user to recertificate.
Delete

Allows you to delete a recertification campaign. You can select this option on the hamburger menu. 

It is not allowed to delete a recertification process once it has been started.

Recertification details

Delegate

Allows you to delegate to another user the recertification by clicking a record group o by selecting one or more records, Soffid will display the group members' list.
Back

Allows you to delegate the operation to approve or deny the process. Once you click the delegate option, Soffid will allow you to select one or more users to delegate the process.

Recertifications to do

Description

When a campaign is run, the pending recertifications will be displayed in the Recertifications to-do list of the proper user who has to Accept or Deny the recertification. The user who has to manage the recertification can delegate it as well to another user to manage it.

Menu option

Main Menu > Recertifications to do

Screen overview

image-1687763668120.png

Custom attributes

Recertifications campaign list

Recertifications to do list

Actions

 Recertifications campaign

Click recertification

If you click one campaign record, Soffid will display the recertifications to do list.

 Recertifications to do list

Pending endorsement

In the pending endorsement column, you can approve or deny the recertification for each user who appears on this list. You can approve or deny by clicking on the proper check

  • approve ->
  • deny       -> 

Apply changes

Allows you to save the recertifications accepted and denied. Before applying changes, you need to select for each recertification if you approve or deny it. Also, you can write a comment. 

Once you apply changes, the recertifications executed will be removed from the recertifications to do list.

Back

Allows you to quit without applying any changes.

Delegate

Allows you to delegate the operation to approve or deny the process. Once you click the delegate option, Soffid will allow you to select one or more users to delegate the process.

Browse user

By clicking the user, Soffid will open a new window with the user data.

Browse entitlement

By clicking the entitlement, Soffid will open a new window with the role data

Recertification Examples

Recertification Examples

Recertification Examples

Shared account entitlements