Our 7.1.1 release continues to build on many of the areas of improvement we have made across the 7.x releases, including enhancing the user experience, delivering analytics to support informed decisions, and reducing the complexity of Identity Governance and Administration.
As we look at our recent releases we have provided innovations such as the new user access review making it easier to understand if access is appropriate, quick start deployments, and analytics that make your processes easier to manage, while enhancing some of the screens in the product to be simpler and easier to use.
So, what about 7.1.1?
Segregation of Duties, made simple
Management of Segregation of Duties (SoD) rules and processes can be hard; when you try to scale it to hundreds or thousands of applications it can feel impossible. To meet the ever-increasing risk and compliance requirements of many organizations, SoD management at this scale is being demanded by audit and the business. To achieve this, businesses are defining an SoD matrix: a set of access classifications that cannot be held in combination. These organizations then classify their access and in this way are able to have simple, dynamic SoD detection based on access classification.
To help our customers, RSA has provided an SoD solution that includes a recommended practice and two new product capabilities in this area.
New SoD Remediator Experience
Working with our customer design partners, RSA has significantly enhanced the remediator experience to reduce the level of effort needed to make decisions when a violation occurs. The experience provides more analytics and data while also allowing bulk actions and reassignments to take place when needed.
SoD Recommended Practice
This recommended practice talks you through our solution for implementing SoD detection, including building the classifications matrix and implementing it within our platform.
Advanced SoD Analysis rules
The new advanced rule process allows a third data element to be considered when detecting SoD violations. This is needed when using a classification model to detect true violations and remove false positives. For example, you could say that having front office access together with back office access is a violation, but if that access is held in two different applications or countries, it might not be. The advanced rule capabilities allow you to make these correlations.
Continued evolution of the New Reviewer Experience
After RSA released the new Access Reviews experience in 7.1, we wanted to continue to enhance reviews based on the feedback from our customers. In 7.1.1 we have added several changes based on your input.
Give your reviewers more insight into the access they review: build your own custom views of data to highlight areas of risk or to provide important context to reviewers, such as critical or privileged entitlements.
Give your reviewers the time to complete their review successfully by taking weekends and holidays into account when setting how long they have to complete it. All review types now allow you to specify the calendar they use when setting the timing of the review.
Pending Revoke, Automatically Marked Revoke
Reviewers are always frustrated when things don’t make sense. In 7.1 when we added categories into the review we provided a category called “Pending Revoke”. This means the items in this category are already in the process of being removed. Then reviewers asked “Why do we have to mark them as revoke again?” The default now is that everything in this category is immediately marked as revoked in the review.
Diagnostics & Heuristics
Collecting and testing key performance indicators
How successful am I being? How many applications have I onboarded? How many requests have I processed? What are the trends on my system? Is the way I configured the system the best way?
These are the types of questions we want to answer with this feature, which collects over 130 data points daily to give you a better understanding of the successes and trends in your system.
These are things like the number of users, applications, entitlements, and orphan accounts, or the time it takes to collect data, approve a request, or complete a review. You can also provide the data to RSA, where we can give you deeper insights by looking at best practice and your status against other, similar customers.
7.1.1 provides a number of new trending dashboards allowing you to visualize the trends in key areas such as reviews, requests, rules, and roles. Customers can create their own as well, leveraging a new public view against the diagnostics and heuristics data.
So, as you can see, there are some great innovations in this release and these are just some of the highlights. Check out the release notes for full details and look out for the RSA Identity Governance and Lifecycle quarterly webinar series here where we will give more insights into what’s coming in the future!
In the recent RSA Identity Governance and Lifecycle 7.1.1 Service Pack Release we have added some new web services. In previous releases you could use the findApprovals, getApprovalDetails, and performApproval web services to interact with approvals. In this release the following web services have been introduced to interact with any type of work item including approvals:
The getWorkItemsForUser web service returns high level details for the work items including the work item IDs. The getWorkItemDetails takes a work item ID and returns more details including what actions can be taken. The actions that are returned are based on the transitions modeled in the workflow. The performWorkItem web service is used to complete the work item using the provided action and comment.
The approval-specific web services will be deprecated in a future release. Any implementations based on them should be updated to use the more generic work item web services.
Lastly, the new web service findReviews has been introduced in this release. This allows you to search for reviews by name or other search criteria. The web service returns details about the reviews based on the requested columns. In particular, the review ID is returned, which is needed for other calls like getReviewStatus, refreshReview, setReviewState, and updateUnreviewedItems.
As part of the release we are excited to introduce advanced Segregation of Duty (SOD) violation analysis capabilities that make it even easier for global organizations to identify and remediate where this risky access truly exists in their organization.
To scale at the enterprise level, across thousands of applications and hundreds of millions of entitlements, Segregation of Duty policy analysis needs not only to examine whether access on one side of the equation is in violation with access on the other side (for example, the ability to submit a check request and the ability to approve a check) but also to inspect deeper and across business processes to determine whether a violation is a false positive or truly represents inappropriate access.
In this example, a user should not have the ability to both submit a check and approve a check in the payroll expense system and accounting system. However, they may have the ability to approve a check request in the contractor management and vendor management systems. If organizations treat just the ability to submit and approve checks as a violation, false positives would be detected. This leads to cleanup overhead before violations are sent to business users or policy managers, or even to having to create thousands of rules – which is unmanageable!
With this new and advanced SOD detection and correlation analysis, organizations can create a small number of rules that look across the enterprise and evaluate whether the access is truly a violation. This advanced analysis can look across the entire global set of applications and entitlements and determine not only whether there is access that is truly in violation (based on a common business interface / application relationship), but also reduce and virtually eliminate the false positives that are typically presented when looking at just the two sides of the equation.
This analysis is performed at the business application level and determines whether entitlements across both sides are in violation based on a “correlation” between the applications. That correlation is where the applications are considered part of the same business process, such as when they interface with each other. Following the example, instead of creating hundreds of rules to look for submit-and-approve toxic access combinations, organizations can create a single rule that looks for these access types, using a correlation to identify where the access should be considered a violation; access found on one side with no correlating access on the other is not a violation.
Without the correlation of business applications, many false-positive violations can surface. This creates a burden on the team to clean up before sending out violations to be addressed; if not cleaned up beforehand, it creates a mess of inaccurate information and the potential for appropriate access to be inadvertently removed.
Organizations can effectively analyze across their enterprise applications where risky access exists and truly represents an SOD policy violation, thereby reducing risk by quickly getting access violations in front of the right people for review and remediation. In concert with this advanced analysis, a simplified and streamlined new policy violation review and remediation user experience has also been added.
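The correlation-aware detection described in this section and in the "Advanced SoD Analysis rules" section above, as an added example that is not RSA's own code or an RSA API: a rule names two access classifications that must not be held together, and a pair of entitlements only counts as a violation when the two applications are the same or are declared as correlated (part of the same business process). The entitlement records, rule, application names, and correlation set below are all constructed sample data; the check-request scenario mirrors the text, with payroll/accounting correlated and vendor management not correlated with payroll.

```python
"""Correlation-aware Segregation of Duties check (added example, not RSA code).

A naive check flags every user holding both classifications anywhere; the
correlation-aware check only flags the pairs whose applications belong to the
same business process, and reports the rest as suppressed false positives.
"""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Entitlement:
    user: str
    application: str
    classification: str  # access classification from the SoD matrix


@dataclass(frozen=True)
class SodRule:
    name: str
    left: str   # classification on one side of the rule
    right: str  # classification that must not be combined with it


def correlated(app_a, app_b, correlations):
    """Same application is always correlated; otherwise look up the unordered pair."""
    return app_a == app_b or frozenset((app_a, app_b)) in correlations


def evaluate(entitlements, rule, correlations):
    """Return (violations, suppressed) as lists of (user, rule, left_app, right_app).

    'violations' are true SoD violations; 'suppressed' are pairs that a naive
    two-sided check would have reported but that fail the correlation test.
    """
    by_user = {}
    for ent in entitlements:
        by_user.setdefault(ent.user, []).append(ent)

    violations, suppressed = [], []
    for user, ents in sorted(by_user.items()):
        lefts = [e for e in ents if e.classification == rule.left]
        rights = [e for e in ents if e.classification == rule.right]
        for lft, rgt in product(lefts, rights):
            pair = (user, rule.name, lft.application, rgt.application)
            if correlated(lft.application, rgt.application, correlations):
                violations.append(pair)
            else:
                suppressed.append(pair)
    return violations, suppressed


# Constructed sample data (hypothetical application names and users).
CORRELATIONS = {
    frozenset({"payroll", "accounting"}),          # share the check process
    frozenset({"contractor_mgmt", "vendor_mgmt"}),  # share the vendor process
}

RULE = SodRule(name="submit-vs-approve-check", left="submit_check", right="approve_check")

ENTITLEMENTS = [
    Entitlement("alice", "payroll", "submit_check"),
    Entitlement("alice", "accounting", "approve_check"),   # correlated -> violation
    Entitlement("alice", "vendor_mgmt", "approve_check"),  # not correlated -> suppressed
    Entitlement("bob", "contractor_mgmt", "approve_check"),
    Entitlement("bob", "vendor_mgmt", "approve_check"),    # no submit side at all
    Entitlement("carol", "accounting", "submit_check"),
    Entitlement("carol", "accounting", "approve_check"),   # same application -> violation
]


def naive_count(entitlements, rule):
    """Number of pairs a two-sided check without correlation would report."""
    violations, suppressed = evaluate(entitlements, rule, correlations=set())
    return len(violations) + len(suppressed)


if __name__ == "__main__":
    found, dropped = evaluate(ENTITLEMENTS, RULE, CORRELATIONS)
    print("naive pairs:", naive_count(ENTITLEMENTS, RULE))
    print("true violations:", found)
    print("suppressed false positives:", dropped)
```

The same structure extends to the third data element mentioned earlier: if the correlation key were country rather than application, `correlated` would compare a country attribute on each entitlement instead of the application name, and the rule set stays the same size.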
For additional information on this update – please check out this additional context:
Have you ever wanted to be able to review and remediate multiple access violations at once? Have you ever wanted to be able to see how widespread access violations were across a grouping of users, business units, or applications? Have you ever wanted a streamlined, intuitive, single screen to review and remediate access violations in your organization?
As part of the release we have introduced a new streamlined, intuitive, and simple policy remediation experience that addresses the questions above. This new remediation experience follows the streamlined design of the Risk Based Reviewer Experience, which, based on customer feedback, delivers a very successful and intuitive user review experience that has reduced risk in their organizations.
Some notable highlights for this new remediation experience
For additional information on this update – please check out this additional context:
The log artifact is a new feature in RSA Identity Governance and Lifecycle Version 7.1.1 that will aid in gathering log information in the event that a support ticket is created. It is an administrator-only feature that can gather the most widely used log files when troubleshooting problems in the application, thereby reducing the time to identify the root cause of an issue. It is designed to work on a node-by-node basis and works for the different architectures, such as Hard Appliance, Software Bundle with remote database, and Clusters, along with the different application servers we support. The page can be found under the Admin > Diagnostics menu.
It is located on the Log Artifact tab.
The following is a description of the different areas of the page:
When in progress, the Current Status will show the current step.
Once completed, the zip file will be available for download.
Upon completion of the process, the status section will show the pertinent information about what was chosen for this invocation. As shown in the picture, the zipped file is stored on the server and stays there until the next invocation of the process. To store the file locally, just press the Download button.
See the following video which demonstrates the use of the feature.
RSA Identity and Governance Release 7.1 introduced a new interface for user access reviews, to provide a better user experience and improve efficiency in performing reviews with help of analytics-based prioritization and identification of high risk access and violations.
To continue enhancing the enriched user experience, the Display Views feature for the new user interface (for user access and rule remediation reviews) is introduced in Identity Governance and Lifecycle Service Pack Release v 7.1.1.
With the introduction of Display Views, you now have ability to organize review items in multiple ways to meet your requirements.
Here are some of the capabilities added to support Display Views in version 7.1.1.
Select multiple display views in review definition
The system now supports using display views in the legacy as well as the new user interface (for user access and rule remediation reviews). When more than one display view is selected in the review definition, the resulting review in the new user interface lists the display views in the left panel above Guidance and Analysis.
Custom display views
You can now define custom display views that can be used for the legacy user interface as well as the new user interface. The process to create custom display views is the same as that for the legacy user interface. When custom display view definitions are used with the new user interface:
For additional information, follow the online help pages.
Here is a video on display views.
This blog describes what diagnostic data is collected in RSA Identity Governance and Lifecycle V7.1.1 and how it can be useful to customers.
The diagnostic data collection in RSA Identity Governance and Lifecycle is turned on by default and collects system information daily. The frequency of data collection is configurable (see Admin > Diagnostics in the product help). Customers should review the schedule for diagnostic gathering to ensure it does not conflict or delay nightly collections. With this feature enabled, statistical information is gathered about the product components like reviews, rules, access request, AFX, roles, reports, as well as information related to the deployed environment and the applications that are configured.
Trends in the application configurations can be assessed by looking at application parameters such as the number of accounts, users, orphan accounts, users with multiple accounts, roles, and entitlements over time. Sudden increases or spikes in data volume can be tied to symptoms like application slowness and performance degradation. Admins can use the historical data to explain such anomalous behavior, or to trace and rein in rogue jobs that could be the cause.
Deployment-related information can similarly be used to get the big picture of the type of database configured (remote/local), the number of Remote Agents deployed, the number of AFX servers, and the number of nodes in the cluster. This information can be used to identify any deviations from the configuration recommended by RSA so that corrective actions can be taken.
AFX-related information is also collected, such as the number of connectors, daily status, number of active running connectors, and the count of fulfillment requests sent in a day, including failures. This can be used to understand the trend and make necessary changes, including tuning the endpoints to adjust overall performance.
The health of collectors can be learned from the trend in the time taken for collections to complete, the frequency of collection, and the number of collection failures. This information helps in tuning the collection schedule and avoiding redundant collections.
Out of the box Reports/Charts in 7.1.1 are provided for the following components:
Weekly and Monthly views are available for customers to include in their dashboards to get their statistics.
The public view PV_TELEMETRY_DATA is also provided so customers can develop their own reports and charts against the diagnostic information gathered.
Diagnostics data use for troubleshooting:
The complete set of data collected can be downloaded from the UI as a zip file containing a set of JSON files, which can be shared with RSA when reporting issues on the product. RSA uses this data to diagnose the reported issues and to troubleshoot and fix them. The data also helps RSA understand how customers are using the product and whether the scale of objects defined differs from other customers. This improves the time to resolve issues while reducing the number of meetings with customers, and the likelihood of identifying the root cause of a problem at the first level of support (CS) increases because the data is more intuitive.
See V7.1.1 Diagnostics overview video in the attachments.