Skip to main content

Recertification policies

Description

Soffid allows you to establish some policies to define the scope of the recertification process.

Menu option

Main Menu > Administration > Configuration > Security settings > Recertification policies

Screen overview

image-1653572713094.png

Custom attributes

  • Name: name to identify the policy
  • Type: list of available recertification types.
    • User entitlements: the recertification process will be conducted to review user access rights.
    • Role definitions: the recertification process will be conducted to review the relationship between roles.
    • Share account entitlements: the recertification process will be conducted to review access rights to shared accounts.
  • Filter: this allows you to define a script to identify the grant list to which to apply the recertification process. The grant object (*1) is always available. You can use the Enumeration SoDRisk to compare:
    • SOD_LOW
    • SOD_HIGH
    • SOD_FORBIDDEN
    • SOD_NA
  • Step 1 expression: this allows you to define a script to determine who is or are in charge to approve or deny the recertification process in the first level.
  • Step 2 expression: this allows you to define a script to determine who is or are in charge to approve or deny the recertification process after the first level of approval.
  • Step 3 expression: this allows you to define a script to determine who is or are in charge to approve or deny the recertification process after the second level of approval.
  • Step 4 expression: this allows you to define a script to determine who is or are in charge to approve or deny the recertification process after the third level of approval.
  • Mail Template: this allows you to define a template to send an email to the people in charge to approve or deny. Be in mind, that to work fine, the review process link must be ${url}

(*1) grant object is a com.soffid.iam.api.RoleAccount object.

Examples

Some sample scripts for the filters and approval steps are shown below

Filter

Return all grants with risk.

return grant.sodRisk != null 
	&& grant.sodRisk != es.caib.seycon.ng.comu.SoDRisk.SOD_NA;

Steps

account = serviceLocator.getAccountService().findAccountById(grant.accountId);
StringBuffer sb =  new StringBuffer();
for (owner : account.ownerUsers) {
  if (sb.length() > 0)
    sb.append(" ");
  
  sb.append(owner);
}
if (sb.length() > 0) 
  return sb.toString();
else 
  return "admin";
com.soffid.iam.api.Role role = serviceLocator.getApplicationService().findRoleByNameAndSystem(grant.roleName, grant.system);
StringBuffer sb =  new StringBuffer();
List owners = role.getAttributes().get("owner");
if (owners != null) {
	for (owner : account.ownerUsers) {
    	if (sb.length() > 0)
    		sb.append(" ");
        
        sb.append(owner);
	}
}

if (sb.length() == 0) 
	return "admin";
else 
	return sb.toString();

Mail template

image-1653470454738.png

Actions

 Recertification policies query

Add new

Allows you to add a new Recertification policy. You can choose that option on the hamburger menu or click the add button (+).

To add a new it is necessary to fill in the required fields.

Delete

Allows you to remove one or moreRecertification policies by selecting one or more records and next clicking the button with the subtraction symbol (-).

To perform that action, Soffid will ask you for confirmation, you could confirm or cancel the operation.

Import

Allows you to upload a CSV file with the Recertification policies to add or update the attribute definition to Soffid.

First, you need to pick up a CSV file, that CSV has to contain a specific configuration. Then you need to check the content to be loaded, it is allowed to choose if you want or not to load a specific attribute. And finally, you need to select the mappings for each column of the CSV file to import the data correctly and click the Import button.

Download CSV file

Allows you to download a CSV file with the basic information of all Recertification policies. 

Add or remove columns

 Allows you to show and hide columns in the table. You can also set the order in which the columns will be displayed. The selected columns and order will be saved for the next time Soffid displays the page to the user. 

 Recertification policies details

Apply changes

Allows you to save the data of a new policy or to update the data of a specific policy and quit. To save the data it will be mandatory to fill in the required fields.

Save

Allows you to save the data of a new policy or to update the data of a specific policy. To save the data it will be mandatory to fill in the required fields.

Delete

Allows you to remove a specific policy. You can choose that option on the hamburger icon.

To perform that action, Soffid will ask you for confirmation, you could confirm or cancel the operation.

Undo

Allows you to quit without applying any changes. 



https://download.soffid.com/doc/console/latest/uml/es/caib/seycon/ng/comu/SoDRisk.html