We have all been driving our car when, at some point, a light comes on the dashboard. Sometimes it is a simple orange light, like the one for windshield fluid. We should top that up, but we can likely keep driving without harm (unless we can no longer see the road). The dashboard might similarly show an orange check engine light. This usually means you need to get your car into the shop, but it isn't an immediate concern. Alternatively, the same light might show red, telling you a serious problem has occurred in your engine. You need to stop driving now. In the recent RSA Identity Governance and Lifecycle 7.1 release, we have introduced a similar concept focusing on workflow system status.

The Admin->Workflow->Monitoring page shows a real-time view of the workflow system status. This includes graphs for how hard the system is working (Number of Items Serviced), whether anything is backing up (Queue Size), and system status indicators. The status indicators only show if there is an issue. Not only do the status indicators surface that there is a problem, they generally have a means to resolve the problem or at least get more details. A status indicator will show a hand cursor if you can click it for more information to resolve the issue. In addition to the visual indicators, the system will send out admin errors with the appropriate status and information. Administrators can configure Notification rules to email these events to the appropriate administrator.

The system is configured to monitor the following conditions and surface workflow status indicators.

Verification (Count)

This status indicator determines how many changes are pending verification that are older than one month and less than 12 months.

Thresholds

  1. Warning - 100 changes
  2. Error - 500 changes
  3. Critical - 1000 changes

Resolution

This status indicator allows you to click through to a screen that shows the changes that we are trying to verify. The verifications will be dealt with by future collections, or an administrator can choose to cancel a change here to remove the verification.

Verification (Age)

This status indicator determines if there are any changes pending verification that are older than n months.

Thresholds

  1. Warning - no warning by default
  2. Error - There are changes older than 6 months that haven't been verified
  3. Critical - There are changes older than 12 months that haven't been verified

Resolution

This status indicator allows you to click through to a screen that shows the changes that we are trying to verify. The verifications will be dealt with by future collections, or an administrator can choose to cancel a change here to remove the verification.

Queue Backup

This is a series of status indicators (one for each priority queue type) that will show if work

Thresholds

  1. Warning - 1000 ms by default
  2. Error - 2*60*1000 ms by default
  3. Critical - 4*60*1000 ms by default

Stalled Workflows

This status indicator determines if there are any workflows marked as stalled.

Thresholds

  1. Warning - 0
  2. Error - 50
  3. Critical - 100

Workflows should never be marked as stalled, so even one is considered a warning.

Resolution

This status indicator allows you to click through to see the stalled workflow jobs. In general, a stalled workflow needs to be examined more closely to see if there is some flaw in the business logic. A stalled workflow indicates something took longer than expected. From this screen you can also evaluate the workflow(s) to see if they can proceed.

Database Connections

Thresholds

  1. Critical - Any exception thrown by the workflow engine indicating that it can no longer communicate with the database

Resolution

Clicking this status indicator icon opens a dialog where an administrator can check whether the workflow engine can communicate with the database. If the connection is successful, the status indicator is cleared and an admin error is logged for the change of status.

For more information on this feature – please check out Workflow Priority Queues 

In the RSA Identity Governance and Lifecycle 7.1 release we have added a data archiving feature to allow for the removal of old data from the active system. The feature will enable administrators to reduce the size of the database, improve system efficiency and more effectively adhere to their data retention policies. Once archived, the data will be removed in the next scheduled data purge session.

 

Check out this post for an overview of the previously released data purge feature - New Feature: Database Purge.

 

For more information on this feature – please review this additional content

 

Introduction to Data Archiving 

Data Archive Planning 

Creating a Data Archive 

Troubleshooting Data Archive Failures 

How to Stop a Data Archive 

How to Resume a Suspended Data Archive Run 

Data Archiving: Administrator Experience 

In the recent RSA Identity Governance and Lifecycle 7.1 release we are very excited to announce the release of a new User Access Review experience. 

 

We have been engaged with many of our customers and partners to understand their key challenges with access reviews. From this engagement we set out to re-imagine our end-user review experience with a focus on three goals:

 

  • Incorporate risk concepts into the governance process. Things like open violations, exceptional access, application criticality and privileged access should all be incorporated into the decision to maintain or revoke access.
  • Arm reviewers with more context. Reviewers should have a wide range of context at their fingertips to understand the mountain of data they are often asked to review.
  • Make reviews easier. We want reviewers to complete their reviews faster, provide a more meaningful experience and allow them to get back to their day jobs sooner.

 

Some notable highlights for the new design experience:

 

Review Instructions – No longer will review instructions cover the table when open by default.

 

Progress Monitor – In the upper right side of the table we include an in-review progress indicator that also highlights when the review is due. The progress indicator provides real-time feedback as the reviewer takes action on items within the review.

 

Analysis and Guidance Panel – Prioritize your attention during a review by organizing your review items into useful categories. Also see this separate post on the Analysis and Guidance Panel.

 

Column Level Filtering - Narrow down your review items by using one or more column filters.

 

Centralized Take Action Menu – Select many items and take action in one click.

 

Centralized Review Data – Expand the row to view more information about the user, entitlement and business source.

 

For more information on this feature – please check out this additional content. 

 

New User Access Review Experience - Review Components 

New User Access Review Experience - Table and Review Items 

New User Access Review Experience - Analysis and Guidance Panel 

New User Access Review Experience - Review Item Delegation 

New User Access Review Experience - Take Action Menu 

New User Access Review Experience - Expanded View 

New User Access Review Experience - View and Column Filters 

New User Access Review Experience - Table Options 

 

Achieve Business Agility with RSA Identity Governance and Lifecycle. 

Sean Miller

Workflow Priority Queues

Posted by Sean Miller Employee Feb 19, 2018

In the recent RSA Identity Governance and Lifecycle 7.1 release, we have introduced priority queues in the workflow engine. These are not exposed to end users but are designed to provide more throughput in processing workflows. In particular, if a larger request is being processed, some other types of requests can still get through if they are deemed important enough, rather than waiting in line. In the past, the workflow engine processed things in a first-come, first-served model.

In addition to helping improve throughput, the priority queues will also help isolate longer-running work and identify potential problems. For example, a very large role change that is committed can generate a number of indirect entitlement changes for all the role members. These are now processed using a different priority queue than normal changes flowing through the system from explicit requests end users are making. Similarly, changes related to SQL Select, SQL Execute, and Java nodes are processed by a different priority queue. This will help workflow developers and administrators identify whether there is long-running custom logic that needs closer inspection.

 

The following priority queues are defined now:

  • Normal (Default) - explicit changes flow through this queue
  • Urgent - Requests that represent user terminations or password resets are handled by this queue
  • Role - Requests that are role related (usually containing indirect entitlement changes) are handled by this queue
  • Custom nodes - Logic run as part of SQL Select, SQL Execute, and Java nodes are handled by this queue

 

The Admin->Workflow->Monitoring screen provides a real-time view of what is going on in the workflow engine. The priority queues are shown in this interface so you can see how each queue is performing and where there may be bottlenecks that need closer inspection.

For more information on this feature – please check out this additional content. 

Workflow Priority Queues 

As an addendum to the previous release of the Password Vault Integration feature in RSA Identity Governance and Lifecycle v7.0.2, we are happy to announce the release of additional support for collectors and connectors. The password vault feature will allow RSA Identity Governance and Lifecycle to retrieve and rotate privileged credentials from CyberArk Application Identity Manager™ (AIM).

 

For a list of supported endpoints, please review the Connector & Collector Application Guides or the supported endpoint data sheet - RSA Identity Governance and Lifecycle - Supported Collectors and Connectors

 

For more information on this feature – please review this additional content. 

 

Active Directory Application Wizard Password Vault Configuration 

Password Vault Configuration - Active Directory Collector 

 

Reduce Identity Risk with RSA Identity Governance and Lifecycle

In the recent RSA Identity Governance and Lifecycle 7.1 release we have added a new Analysis and Guidance panel for User Access Reviews.  The Analysis and Guidance panel provides more context to the reviewer to (1) improve risk awareness, (2) identify outlier access, and (3) reduce the volume of decision making. 

 

The analysis and guidance panel allows the reviewer to easily filter their review results by different categories so they can focus on a specific set of data. For example, show only privileged access that contains violations, or uncommon access (outliers) that contains violations. The inclusion of the panel and the various analyses are configurable at the review definition level.

 

The analysis and guidance panel focuses on three main use cases:

 

Improve Risk Awareness

  • Display all items with Violations
  • Display all items with Exceptional Access
  • Display all items that were previously revoked
  • Display all items for critical applications
  • Display all items that contain privileged access

 

Identify Outlier Access

  • Display all items that are not commonly held

 

Reduce the Volume of Decision Making

  • Display all items that are commonly held
  • Display all items that were recently approved
  • Display all items that have not changed since the last review

 

In addition, the analysis and guidance panel filtering can be combined with table filtering to isolate all violations for privileged entitlements within a specific role or business unit.

 

For more information on this feature – please check out this additional content. 

 

New User Access Review Experience - Analysis and Guidance Panel 

When RSA is looking at enhancing the product, there are many factors that need to be taken into consideration. What is the benefit to our customers? What is the impact of making a change? What is the priority of this change versus other enhancements?

To help your idea be the most impactful it can be and get the visibility it deserves, here are a few guidelines to help you define your idea.

  • What is the use case you are looking to solve?

 

Putting the use case in the title and detailing it at the start of your idea will help people to understand what you are looking to achieve. Define at a high level what it is that you are looking to do, if possible in a business or non-technical way. This should not be details of specific technical changes in the product.

Providing the information this way allows us to look at all of the options to approach the idea.

Example: RSA Identity Governance & Lifecycle should have the ability to resend a request to AFX after it fails. This ability should be configurable from the UI.

  • What is the benefit you are looking to achieve?

 

Detail the benefits you could achieve by enhancing the product to meet this use case. Is there a quantifiable benefit? How would it improve your life or the lives of your users? Is it needed to meet a corporate objective or regulation?

Example: A retry mechanism will reduce manual labour and possible errors that are part of making a manual change.

  • Example of what would change in the product

Detail the changes you might see in the product to meet your enhancement use case. A lot of the Ideas in Link today start with this type of information. It is very much needed, but it also leads to questions like “What is the overall objective of what they are trying to do?” and “Is there a different way to do it that would add more benefit or be easier to implement?”

Another factor is other people might not understand your idea or its benefit and therefore will not vote for it!

Example(s): If the endpoint was down for some reason and now it's back up and we want to resend the same request to AFX.

If the endpoint is down send the request to another AFX endpoint.

If the endpoint is down send a notification to an administrator and wait for them to select the retry option in the UI.

I hope this helps you create some cool new ideas that will help everybody in being successful in implementing and managing the RSA Identity Governance & Lifecycle platform.

Thank you very much for all of your support!