Reviewing access privileges (Reviewer’s experience)

Access to digital assets must be reviewed to ensure that only people who actually need access get it. This greatly decreases the asset's exposure to attacks and abuse. Industry and government standards and regulations require periodic reviews of privileged or sensitive access to help you stay secure.

Note: Access privileges are the specific actions you can perform on the asset (such as edit, copy, delete). Assets can be files, folders, databases, drives or applications.

You've got mail!

If you got an email (or Slack message) like the one below, you are required to complete an access review.

[Image: sample access review request email]

Access review workflow

The reviewer’s access review process looks like this:

[Image: reviewer's access review workflow]

Click the here link in the message to launch the review.

Logging into Authomize

In some organizations the summary page will open automatically and ask you to log in. In others, you will need to register first before you can log in (for more information see the SSO section below). 

Once you've logged in, an access review summary page opens. To start the review process, click Get Started.

[Image: Authomize login and access review summary page]

Verify access privileges

When starting an access review, a review dialog opens to show you:

1. An Access list (of assets, roles and groups) whose users you are asked to confirm, or a list of Team members whose access privileges you need to confirm. Note: these are different views of the same list; you can toggle between Users and Access from the summary page.

2. You can pick an entry from the list or review them sequentially. The entry under review is listed at the top, along with the type of entity it is.

3. In the case of an Access list, pane 3 lists the people who currently have access. In the case of a Team members list, pane 3 lists what each member can access.

4. An additional context pane opens when > or + Add Justification is clicked.

Go through the entire list (be it Access or Team members) until you have reviewed all the entries on the right (in pane 3). Note that the type of privilege the team member has on each asset is listed in the privilege column.

Click Keep or Revoke for each entry. You can explain your decision by clicking + Add Justification. You can change your decision until you click Save or Continue, or leave the review.

Note: You can go back and change your Keep/Revoke decision, until submitting your review.

[Image: Verify Access dialog, annotated with panes 1 to 4]

[Image: Verify User Access dialog, annotated with panes 1 to 4]

Click Continue to jump to the next review. If you leave in the middle, the review restarts where you left off (and nothing is lost). When you have completed the review ("Your progress" is 100%), click Submit Review.

[Image: Submit Review page]

Nudges and Escalation

The review request email has a completion date. If you do not make timely progress, Authomize will automatically send you a “nudge”:

[Image: sample nudge message]

If you do not complete it on time, Authomize may be used to escalate or assign the review to someone else.

Background information

Access to apps, assets, groups and roles is granted to people in the organization so they can do their jobs. Most organizations use hundreds of apps across different business units and entities. With so many apps it is very easy to lose track of who has access to what, causing massive security risks. That is Authomize’s job: helping organizations stay least privileged in a complex landscape.

Authomize is used to set up Access review campaigns. Authomize finds the relationships between assets, identities and groups and sends access lists to reviewers for approval. Reviewers can be managers, asset owners or group owners. Access privileges that were revoked by reviewers are aggregated by the campaign owner and sent to the IT department for further action.
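As an added illustration of the reviewer steps above (Keep/Revoke per entry, the optional justification, the 100% progress needed before Submit Review) and of the aggregation of revocations for IT described in this section, the Python below models one reviewer's list. It is example code, not Authomize's code or data model; the users, assets, counts and the choice to treat exactly 100 uses as "rarely" are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
@dataclass
class Entitlement:           # one row of pane 3 (constructed model, not Authomize's)
    user: str
    asset: str
    privilege: str
    usage_count: object      # int, or None when usage is unknown
    decision: object = None  # "Keep" / "Revoke"; None until reviewed
    justification: str = ""

def usage_label(count):
    """Usage bucket per the glossary; exactly 100 counts as 'rarely' (assumption)."""
    if count is None or count == 0:
        return "unused"
    return "frequently" if count > 100 else "rarely"

def decide(entry, decision, justification=""):
    """Keep/Revoke click plus optional + Add Justification note; changeable until submit."""
    if decision not in ("Keep", "Revoke"):
        raise ValueError("decision must be Keep or Revoke")
    entry.decision, entry.justification = decision, justification

def progress(entries):
    """'Your progress' percentage: share of entries carrying a decision."""
    done = sum(1 for e in entries if e.decision is not None)
    return round(100 * done / len(entries)) if entries else 100

def submit(entries):
    """Submit Review: refused below 100%; else revocations grouped by asset for IT."""
    if progress(entries) < 100:
        raise RuntimeError("review incomplete: %d%%" % progress(entries))
    revoked = defaultdict(list)
    for e in entries:
        if e.decision == "Revoke":
            revoked[e.asset].append({"user": e.user, "privilege": e.privilege,
                "usage": usage_label(e.usage_count), "justification": e.justification})
    return dict(revoked)

SAMPLE = [  # constructed sample list with hypothetical users and assets
    Entitlement("alice", "finance-db", "edit", 240),
    Entitlement("bob", "finance-db", "delete", 0),
    Entitlement("carol", "hr-folder", "copy", None),
    Entitlement("dave", "hr-folder", "edit", 12),
]
def run_sample():  # work through a fresh copy of SAMPLE as a reviewer would, then submit
    entries = [Entitlement(e.user, e.asset, e.privilege, e.usage_count) for e in SAMPLE]
    decide(entries[0], "Keep"); decide(entries[1], "Revoke", "left the finance team")
    decide(entries[2], "Revoke", "never used the folder"); decide(entries[3], "Keep")
    return submit(entries)
```

The dictionary returned by submit() is the per-asset revocation list the campaign owner would hand to IT; submit() refuses to run on a partially reviewed list, mirroring the 100% progress requirement.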

SSO (Single Sign-On)

If your organization has an SSO system in which Authomize is configured, you will automatically be transferred to your review.

If SSO is not configured, you’ll get Authomize login credentials in an email or Slack message. The first time you log into Authomize, change your password after entering the email and password provided.

Terms used in the entitlements dialog & elsewhere

Access privilege

The specific action you can perform on the asset (such as edit, copy, delete). Authomize displays the privilege in the same way that it appears in the downstream application.

Access to

The name and type of entity. If it is an asset, there is a link to the asset itself.

Asset

Any object that has permissions (file, folder, database, drive, application ...).

Entitlement

Entitlements or access privileges provide users with the ability to perform actions on different assets (such as edit, copy and delete).

Group

A collection of users.

Keep

Button that marks the entitlement to remain as-is.

Least privileged

Provide no more authorizations than necessary to perform required functions.

Revoke

Button that marks an entitlement to be revoked.

Role

A function in an organization that has access privileges. Users may gain access privileges from their roles. 

SSO

An authentication scheme that allows a user to log in with a single ID to any of several independent software systems.

Usage

How often the entitlement is used. Possible values: unused (no usage, or unknown), frequently (more than 100 times), rarely (less than 100 times).

+ Add Justification

Button to add a justification note for the entitlement (seen by the campaign owner and auditor).
