User Access Review
The user access certification means configuring and executing periodic user access checks. These checks should be an integral part of a larger strategy to improve security and ensure that users have only the required level of access. These reviews are also important for supporting regulatory requirements such as SOC-2 audits.
To implement user access certification, you will need to address the following:
| Topic | Description |
|---|---|
| Collect evidence of access | Collecting evidence of the access users have by using the connector and data synchronization tools to import data from the application, which OpenIAM needs to conduct certification. |
| Configure the certification | The certification configuration process requires defining the scope of the review and the reviewer workflow. Use the rows below to configure the certification based on its type. |
| * User based certification - Reviews all the access that users have. During the configuration, you will be able to determine which users should be included into the certification | |
| * Application + entitlements - Reviews a specific set of entitlements in an application or a group of applications. These are sometimes referred to as Micro-certifications. | |
| Execute the certification | This step allows starting the certification process and the reviewer will be notified on the ability to start the user access certification |
| Reports for Auditors | After the certification has been completed, the UAR manager will need to obtain reports from OpenIAM to attach those into audit documentation. This process can be found in sections, dedicated to reporting |
Note: Every run of a User Access Certification creates a new review campaign. Every campaign generates new set of data, being unique for the configurations chosen for a particular campaign. Hence, in the User Access Certification dashboard tab there might exist several campaigns with different data.