4.4 Reviewing access privileges (Reviewer’s experience)

Sharon Kisluk
Sharon Kisluk
  • Updated

Access to digital assets must be reviewed to ensure that only people who actually need access, get access. This greatly decreases the asset’s vulnerability to attacks and abuse. Industrial and government standards and regulations require periodic reviews of privileged or sensitive access to help you stay secure.

Note: Access privileges are the specific actions you can perform on the asset (such as edit, copy, delete).
             Assets can be files, folders, databases, drives or applications.

You've got mail!

If you got an email (or Slack message) like the one below, you are required to complete an access review.

1_Review_email-short-660x200.jpg

Access review workflow

The reviewer’s access review process looks like this:

Reviewer_Experience_Workflow.png

Click the here button in the message to launch the review.

Logging into Authomize

In some organizations the summary page will open automatically and ask you to log in. In others, you will need to register first before you can log in (for more information see the SSO section below). 

Once you’ve logged in, an access review summary page opens. To start the review process,
click Get_Started_Button.png.

2-3_Authomize_login_1300x600.png

Based on the link that you received you might be directed into the campaign directly or into the personal reviewer dashboard.

Review dashboard

At the top of the page you will find a message directing you to the campaign that you should review first, since its review date is about to pass (or may have already passed).

Below you will find a list of all the campaigns that are pending your decisions

It’s possible to use the toggle at the top of the table to switch the view and see a list of all completed campaigns that were assigned to you, those include reviews that you have submitted or non completed reviews if the campaign itself was marked as completed by the admin.

Verify access privileges

When starting an access review, a review dialog opens to show you:

    1-in-circle.png   an Access list (of assets, roles and groups) whose users you are asked to confirm
            or a list of Team members whose access privileges you need to confirm
            Note:  These are different views of the same list. You can toggle between Users and Access
                        from the summary page (Users-Access_Toggle.png).

    2-in-circle.png   you can pick an entry from the list or review them sequentially
            the entry under review is listed up top, along with the type of entity it is

    3-in-circle.png  in the case of an Access list, pane 3 lists the people who currently have access
           in the case of a Team members list, pane 3 lists what each member can access

    4-in-circle.png   an additional context pane opens when > or + Add Justification is clicked

Go through the entire list (be it Access or Team members) until you have reviewed all the entries on the right (in pane 3). Note that the type of privilege the team member has on each asset is listed in the privilege column.

The account column provides information about the exact user account that grants this identity access to the asset or group membership.

Click Keep or Revoke for each entry. You can explain your decision by clicking + Add Justification

Note: You can go back and change your Keep/Revoke decision, until submitting your review.

5_Verify_Access_Annotated-numbered-3.jpg

5_Verify_User_Access_annotated_numbered.png

Click Continue_Button.png  to jump to the next review. If you leave in the middle, the review restarts where you left off (and nothing is lost). When you have completed the review (“Your progress” is 100%), click Submit_Review_Button.png.

Submit_Review.png

When all Revoke decisions must be justified

In some campaigns, “Revoke” decisions cannot be submitted without written justification.

Justification_needed.png

If you missed a “Revoke” justification, in such a campaign, the campaign will be incomplete.

Multiple justification

The access review process can potentially be tedious and repetitive, costing the company resources and fatiguing the reviewers. This is where automation and intuitive user experience come in.

Reviewers can provide multiple-entitlements with the same justification, which can be useful if entitlements can be grouped in some way and all deserve the same explanation.

To do this, hit Keep All or Revoke All:

Keep_All-Revoke_All.png

When you do this, a new pop-up appears, asking if you are sure and asking you to provide a justification:

Bulk_Decision.png

Type anything and click Submit. You’ll see all of the entitlements got updated with the decision and with the justification. You can now edit any justification by clicking View Justification next to the entitlement.

This option is only available if the campaign owner enabled this in your organization. If you are not seeing those buttons, it means that the option is disabled.

=============================================

Background Info

Nudges and Escalation

The review request email has a completion date. If you do not make timely progress, Authomize will automatically send you a “nudge”:

Nudge_1.png

If you do not complete it on time, Authomize may be used to escalate or assign the review to someone else.

Reviewer Context

Reviewers need to be able to make educated decisions during an access review. This is important to ensure least privilege: stale, redundant accesses are removed while accesses needed for work is kept. It is also important to ensure no rubber stamping is taking place (rubber stamping is the practice of approving access automatically without proper consideration).

To this end, Authomize provides a Context Panel feature with much more information about reviewed entitlements.

During the review experience, click on any entitlement on the left side of the table:

Reviewer_Context_1.png

The context Quick View panel opens, with all the information Authomize has on the entitlement:

  1. Authomize’s recommendation and reasoning.
  2. The identity that accesses the asset, is a member of the group or can assume the role.
  3. The asset or group they have access to.
  4. The role and privileges they have over them.

Reviewer_Context_2.png

You can make decisions right on the panel, or close it by clicking the x icon on the top right corner.

Note: In the near future, the last usage date will be displayed on the top left corner.

SSO (Single Sign-On)

If your organization has an SSO system in which Authomize is configured, you will automatically be transferred to your review.

If SSO is not configured, you’ll get Authomize login credentials in an email or Slack message. The first time you log into Authomize, change your password after entering the email and password provided.

Terms used in the entitlements dialog & elsewhere

Access privilege The specific action you can perform on the asset (such as edit, copy, delete) Authorize displays the privilege in the same way that it appears in the downstream application.

Access to

The name and type of entity. If it is an asset, there is a link to the asset itself.

Asset Any object that has permissions (file, folder, database, drive, application ...)

Entitlement

Entitlements or access privileges provide users with the ability to perform actions on different assets (such as edit, copy and delete).

Group

A collection of users.

Keep

Button that marks the entitlement to remain as-is.

Least privileged

Provide no more authorizations than necessary to perform required functions

Revoke

Button that marks an entitlement to be revoked.

Role

A function in an organization that has access privileges. Users may gain access privileges from their roles. 

SSO

An authentication scheme that allows a user to log in with a single ID to any of several independent software systems.

Usage

How often the entitlement is used. Possible options - unused (not any usage or unknown), frequently (more than 100 times), rarely (less than 100 times).

+ Add Justification

Button to add justification note for the entitlement (will be seen by the campaign owner and auditor).

Summary

Access to apps, assets, groups and roles is granted to people in the organization so they can do their jobs. Most organizations use hundreds of apps across different business units and entities. With so many apps it is very easy to lose track of who has access to what, causing massive security risks. That is Authomize’s job: helping organizations stay least privileged in a complex landscape.

Authomize is used to set up Access review campaigns. Authomize finds the relationships between assets, identities and groups and sends access lists to reviewers for approval. Reviewers can be managers, asset owners or group owners. Access privileges that were revoked by reviewers are aggregated by the campaign owner and sent to the IT department for further action.

Share this

Was this article helpful?

0 out of 0 found this helpful