Tools
Clear redundant roles
Description
A high level profile can contain or grant application permissions. On the other side, application permissions can contain or grant low level permissions. All of them are referred to generally as roles.
Some users could have been granted both high level profiles and application permissions or low level permissions.
In that case, low level roles can be removed from the Soffid database, as they are inherited through role inheritance rules.
This tool identifies any low level roles granted to users at the same time that its owner high level role, and removes them.
Screen overview
Related objects
Actions
Introduction
A brief description of this process.
Next |
Allows you to browse to the Filter roles step. |
Filter roles
Allows you to filter a subset of roles to apply the process.
Undo |
Allows you to return to the previous step without applying any changes. |
Next |
Once you search for the proper Roles, you can click the Next button to browse to the Preview result step. |
Preview result
Displays a list with the subset filtered of roles.
Undo |
Allows you to return to the previous step without applying any changes. |
Next |
Allows you to run the Clear redundant roles process to the subset of roles & accounts there are in the list. |
Disable inactive users
Description
Probably there are some users that do not need access to any information system. Using this tool you will be able to identify them and act upon them.
The process is a two step process:
- Filter out the universe of users to analyze.
- Select the actions to perform on these users.
The available actions are the following:
- Send an email.
- Disable the user.
- Remove accounts from the target system.
It's usual to initially use this tool for only a subset of your users.
For instance, you can send a message when the password is reaching the expiration date, disable the user when no login has been made in the last 90 days or completely remove its accounts when the identity has been disabled for 30 days.
Screen overview
* Send an email message: Send To: #{userName} #{attributes.manager} issuers@soffid.com
Related objects
Actions
Introduction
A brief description of this process.
Next |
Allows you to browse to the Filter roles step. |
Filter users
Allows you to filter a subset of users to apply the process
Undo |
Allows you to return to the previous step without applying any changes. |
Next |
Once you search for the proper Users, you can click the Next button to browse to the Criteria result step. |
Criteria
Allows you to establish the action to perform on these users.
Undo |
Allows you to return to the previous step without applying any changes. |
Next |
Once you search for the proper Users, you can click the Next button to browse to the Criteria result step. |
Preview result
Displays a list with the subset filtered of users.
Undo |
Allows you to return to the previous step without applying any changes. |
Next |
Allows you to run the process to the subset of users there are in the list. |
Disable inactive accounts
Description
Probably there are some accounts that are no longer used. Using this tool you will be able to identify them and act upon them.
The process is a two step process:
- Filter out the universe of accounts to analyze.
- Select the actions to perform on that accounts.
The available actions are the following:
- Send an email.
- Disable the user.
- Remove accounts from the target system.
It's usual to initially use this tool for only a subset of your accounts.
For instance, you can send a message when the password is reaching the expiration date, disable the account when no login has been made in the last 90 days or completely remove it when the account has been disabled for 30 days
Screen overview
* Send an email message: Send To: #{userName} #{attributes.manager} issuers@soffid.com
Related objects
Actions
Introduction
A brief description of this process.
Next |
Allows you to browse to the Filter roles step. |
Filter accounts
Allows you to filter a subset of accounts to apply the process
Undo |
Allows you to return to the previous step without applying any changes. |
Next |
Once you search for the proper Accounts, you can click the Next button to browse to the Criteria result step. |
Criteria
Allows you to establish the action to perform on these accounts.
Undo |
Allows you to return to the previous step without applying any changes. |
Next |
Once you search for the proper Accounts, you can click the Next button to browse to the Criteria result step. |
Preview result
Displays a list with the subset filtered of accounts.
Undo |
Allows you to return to the previous step without applying any changes. |
Next |
Allows you to run the process to the subset of accounts there are in the list. |
Role mining
Description
Soffid’s role mining feature applies data mining technology to create business profiles based upon current application permissions in order to minimize the number of roles to be managed and maintained with the relevant cost saving.
In this context, Soffid allows the administrator to select different role management strategies:
- More roles with fewer permissions.
- Fewer roles with more permissions.
- Balanced approach.
Once you configure the role mining strategy, you will run the Role mining process (Scheduled task)
Screen overview
Custom attributes
Scope
- Description: a brief description to identify the operation.
- Groups: This component allows you to add groups to the list. Those groups will be evaluated with the role mining process.
- Applications: This component allows you to add applications to the list. Those applications will be evaluated with the role mining process.
Parameters
- User entitlement management cost How much does it cost to assign a role to a user?
- Role entitlement management cost: How much does it cost to assign a role to a profile?
- Role management cost: How much does it cost to create a role?
- Status:
- Preparation
- Scheduled
- Review
- Finished
Results
- Name: name for the new role.
- Description: a brief description.
- Actual Users: actual users number.
- Permission: roles number.
- Benefit: benefit to be obtained.
- Cost: current cost.
- Status:
- Proposed.
- Accepted.
- Rejected.
Reports
- Permissions per role
- Users per role
- Entitlement changes
Actions
Role mining query actions
Query |
Allows you to query the role mining process through different search systems, Basic and Advanced. |
Add or remove columns |
Allows you to show and hide columns in the table. You can also set the order in which the columns will be displayed. The selected columns and order will be saved the next time Soffid displays the page. |
Add new |
Allows you to add a new role mining process in the system. You can choose that option on the hamburger menu or by clicking the add button (+). |
Delete |
Allows you to remove one or more role mining processes by selecting one or more records and next clicking the button with the subtraction symbol (-). To perform that action, Soffid will ask you for confirmation, you could confirm or cancel the operation. |
Download CSV file |
Allows you to download a CSV file with the basic information of all role mining processes. |
Merge |
Allows you to merge two identities when you identify that is necessary. First of all, you need select two identities. Second, you need to click the hamburger icon and select the merge action. Then Soffid will display a window where you need to select the correct value for each standard and custom parameter. Finally, you need to apply changes to save the updates, or back to cancel that action. |
Role mining scope
Save |
Allows you to save the scope defined. It will be mandatory to select some groups and information systems before continuing. When the role mining process is created, the default status will be Preparation. |
Add Groups |
Allows you to add new groups to be evaluated. You need to click the add groups button (+) and search the proper groups, then click the Add group button. |
Add Applications |
Allows you to add new applications to be evaluated. You need to click the add application button (+) and search the proper groups, then click the Add application button. |
Undo |
Allows you to quit without applying any changes. |
Next |
Allows you to browse to the Parameter step. It will be mandatory to select some groups and information systems before continuing. |
Parameters
Start |
If you click the start button, Soffid will change the process status to Scheduled. |
Undo |
Allows you to quit without applying any changes. |
Result
Next |
If you click the Next button, Soffid will browse to the Reports tab. |
Undo |
Allows you to quit without applying any changes. |
Reports
Download |
Allows you to download a report with the permissions matrix. |
Apply changes |
If you click the Apply changes button, Soffid will make the changes in the roles of users and entitlements. |
Undo |
Allows you to quit without applying any changes. |