User Access Reviews
The user access review functionality (also known as user access certification and access attestation) provides for the configuration and execution of periodic user access certifications. These certifications should be an integral part of a larger strategy to improve security and ensure that users have only the required level of access. These reviews are also important for supporting regulatory requirements such as SOC-2 audits.
To implement user access reviews, you will need to address the topics listed below.
|Collect evidence of access||Evidence of the access that users have can be collected by using the connector and data synchronization tools to import data from the application that needs to be reviewed into OpenIAM.|
|Configure the review||The review configuration process requires defining the scope of the review and the reviewer workflow.|
|Execute the review||During this step, the review is executed and the reviewers are notified so that they can start reviewing access.|
|Reports for Auditors||During this step, the user access review manager obtains reports from OpenIAM for inclusion in the documentation being sent to the auditors.|
To configure a User Access Review (UAR), you must first determine the scope:
|Type of review||Description|
|User-based review||Review all the access that users have. During configuration, you will be able to determine which users should be included in the review.|
|Application + entitlements||Review a specific set of entitlements in an application or a group of applications. These are sometimes referred to as micro-certifications.|