4.4 Reviewing access privileges (Reviewer’s experience)

Sharon Kisluk

Access to digital assets must be reviewed periodically to ensure that only the people who actually need access have it. This greatly reduces an asset’s exposure to attack and abuse. Industry and government standards and regulations require periodic reviews of privileged or sensitive access to help you stay secure.

Note: Access privileges are the specific actions you can perform on an asset (such as edit, copy, delete). Assets can be files, folders, databases, drives or applications.

You've got mail!

If you receive an email (or Slack message) like the one below, you are required to complete an access review.

03_AR_Message-2.png

Access review workflow

The reviewer’s access review process looks like this:

AR_Reveiwers_Experience.png

Click the here link in the message to launch the review.

Logging into Authomize

In some organizations the summary page opens automatically and asks you to log in. In others, you need to register before you can log in (for more information see the SSO section below).

Once you have logged in, an access review dashboard may open (because you have several access reviews waiting); if so, click the access review you want to perform. When the welcome message appears, click the Start Review button.

Review_due_soon_Notice.png

Welcome_Notice.png

When you click Start Review, you will see a list of privileges to Keep or Revoke.

SOC-2-Review-Access.png

Review dashboard

At the top of the page you will find a message directing you to the campaign that you should review first, since its review date is about to pass (or may have already passed).

Below it you will find a list of all the campaigns that are pending your decisions.

Use the Pending/Completed toggle at the top of the table to switch to a list of all completed campaigns that were assigned to you. These include reviews you have submitted, as well as reviews you did not complete if the admin marked the campaign itself as completed.

Verify access privileges

When starting an access review, a review dialog opens to show you:

    1. An Access list (of assets, roles and groups) whose users you are asked to confirm, or a list of Team members whose access privileges you need to confirm.
       Note: These are different views of the same list. You can toggle between Identities and Access from the summary page.

    2. You can pick an entry from the list or review the entries sequentially. The entry under review is listed at the top, along with the type of entity it is.

    3. In the case of an Access list, pane 3 lists the people who currently have access. In the case of a Team members list, pane 3 lists what each member can access.

    4. An additional context pane opens when > or + Add Justification is clicked.

Go through the entire list (be it Access or Team members) until you have reviewed all the entries on the right (in pane 3). Note that the type of privilege the team member has on each asset is listed in the privilege column.

The account column provides information about the exact user account that grants this identity access to the asset or group membership.

Click Keep or Revoke for each entry. You can explain your decision by clicking + Add Justification.

Note: You can go back and change your Keep/Revoke decision, until submitting your review.

SOC-2-Review-Annotated.png

Click Continue to jump to the next review. If you leave in the middle, the review resumes where you left off (nothing is lost). When you have completed the review (“Your progress” reaches 100%), click Submit Review.

Submit_Review.png

Some Revoke decisions must be justified

In some campaigns, “Revoke” decisions cannot be submitted without written justification.

Justification_needed.png

In such a campaign, if any “Revoke” decision is missing its justification, the review cannot be submitted and the campaign remains incomplete.
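As an added illustration (a constructed example, not Authomize’s code), the following is a small model of the reviewer’s session described above: the Identities/Access toggle as two groupings of one entitlement list, Keep/Revoke decisions that stay editable until submission, and a submission check that refuses a review whose progress is below 100% or that, in a campaign requiring it, contains a Revoke without justification. All identities, accounts and asset names are invented.

```python
"""Toy model of a reviewer's access-review session.

Constructed example; it is not Authomize's implementation and makes no
claim about its internal data model. Names below are invented.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

KEEP, REVOKE = "keep", "revoke"


@dataclass
class Entitlement:
    identity: str          # the person whose access is reviewed
    account: str           # the exact account that grants the access
    target: str            # asset, group or role name
    target_type: str       # "asset", "group" or "role"
    privilege: str         # shown as the downstream application names it
    decision: Optional[str] = None   # KEEP, REVOKE or not yet decided
    justification: str = ""


@dataclass
class Review:
    campaign: str
    revoke_requires_justification: bool
    entries: List[Entitlement] = field(default_factory=list)
    submitted: bool = False

    # The two views of the same list ("Access" vs "Identities").
    def by_access(self) -> Dict[str, List[str]]:
        """Access view: for each target, who currently has access."""
        view: Dict[str, List[str]] = defaultdict(list)
        for e in self.entries:
            view[e.target].append(e.identity)
        return dict(view)

    def by_identity(self) -> Dict[str, List[Tuple[str, str]]]:
        """Team-member view: for each identity, what they reach and how."""
        view: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
        for e in self.entries:
            view[e.identity].append((e.target, e.privilege))
        return dict(view)

    # Decisions can be changed freely until the review is submitted.
    def decide(self, index: int, decision: str, justification: str = "") -> None:
        if self.submitted:
            raise ValueError("review already submitted; decisions are final")
        if decision not in (KEEP, REVOKE):
            raise ValueError(f"unknown decision {decision!r}")
        e = self.entries[index]
        e.decision, e.justification = decision, justification.strip()

    def progress(self) -> int:
        """Percentage of entries that have a decision ('Your progress')."""
        if not self.entries:
            return 100
        done = sum(1 for e in self.entries if e.decision is not None)
        return round(100 * done / len(self.entries))

    def missing_justifications(self) -> List[int]:
        """Indexes of Revoke decisions lacking a required justification."""
        if not self.revoke_requires_justification:
            return []
        return [i for i, e in enumerate(self.entries)
                if e.decision == REVOKE and not e.justification]

    def problems(self) -> List[str]:
        """Everything that would block submission, in human-readable form."""
        out = []
        if self.progress() < 100:
            out.append(f"progress is {self.progress()}%, not 100%")
        for i in self.missing_justifications():
            e = self.entries[i]
            out.append(f"entry {i} ({e.identity} -> {e.target}) revoked without justification")
        return out

    def submit(self) -> List[Entitlement]:
        """Submit the review; returns the revoked entries for the campaign owner."""
        problems = self.problems()
        if problems:
            raise ValueError("; ".join(problems))
        self.submitted = True
        return [e for e in self.entries if e.decision == REVOKE]


def sample_review() -> Review:
    """Constructed sample campaign (invented data)."""
    return Review(
        campaign="Quarterly privileged access review",
        revoke_requires_justification=True,
        entries=[
            Entitlement("Alice Doe", "alice@example.com", "prod-db", "asset", "admin"),
            Entitlement("Alice Doe", "alice@example.com", "finance-share", "asset", "read"),
            Entitlement("Bob Roe", "bob.roe@example.com", "prod-db", "asset", "read"),
            Entitlement("Bob Roe", "svc-bob", "cloud-admins", "group", "member"),
        ],
    )
```

The `account` field matters when reading the by-identity view: the same person can reach a group through a service account rather than their primary login, and that is the account the revoke would have to act on.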

Nudges and Escalation

The review request email has a completion date. If you do not make timely progress, Authomize will automatically send you a “nudge”.

If you do not complete it on time, Authomize may be used to escalate or assign the review to someone else.

Context Panel

Authomize provides a Context Panel feature with much more information about reviewed entitlements.

During the review, click any entitlement on the left side of the table. The context Quick View panel opens with all the information Authomize has on the entitlement:

  1. Authomize’s recommendation and reasoning.
  2. The identity that accesses the asset, is a member of the group or can assume the role.
  3. The asset or group they have access to.
  4. The role and privileges they have over them.

Quick_View_Sam-Malone.png

You can make decisions right on the panel, or close it by clicking the x icon on the top right corner.

Background Info

Access to apps, assets, groups and roles is granted to people in the organization so they can do their jobs. Most organizations use hundreds of apps across different business units and entities. With so many apps it is very easy to lose track of who has access to what, causing massive security risks. That is Authomize’s job: helping organizations stay least privileged in a complex landscape.

Authomize is used to set up Access review campaigns. Authomize finds the relationships between assets, identities and groups and sends access lists to reviewers for approval. Reviewers can be managers, asset owners or group owners. Access privileges that were revoked by reviewers are aggregated by the campaign owner and sent to the IT department for further action.

SSO (Single Sign-On)

If your organization has an SSO system in which Authomize is configured, you will be transferred to your review automatically.

If SSO is not configured, you will receive Authomize login credentials by email or Slack message. The first time you log into Authomize, enter the email and password provided and then change your password.

Terms used in the entitlements dialog & elsewhere

Access privilege

The specific action you can perform on the asset (such as edit, copy, delete). Authomize displays the privilege in the same way that it appears in the downstream application.

Access to

The name and type of entity. If it is an asset, there is a link to the asset itself.

Asset

Any object that has permissions (file, folder, database, drive, application ...).

Entitlement

"Entitlements" or "Access privileges" provide users with the ability to perform actions on different assets (such as edit, copy and delete).

Group

A collection of users.

Keep

Button that marks the entitlement to remain as-is.

Least privileged

Provide no more authorizations than necessary to perform required functions.

Revoke

Button that marks an entitlement to be revoked.

Role

A function in an organization that has access privileges. Users may gain access privileges from their roles.

SSO

An authentication scheme that allows a user to log in with a single ID to any of several independent software systems.

Usage

How often the entitlement is used. Possible values: unused (no recorded usage, or usage unknown), rarely (fewer than 100 times), frequently (more than 100 times).

+ Add Justification

Button to add a justification note for the entitlement (seen by the campaign owner and auditor).
