Q: Is this an independent license key - if we were to stay on an earlier version of Third Party Risk Management, is it feasible to install this?
A: It is bolted onto your RSA Archer license. You will need to be running at least 6.6 P5 for this functionality to be leveraged.
Q: What does MSI stand for?
A: Microsoft Installer.
Q: So the VPS API connects over HTTPS...with TLS 1.2? How do the services authenticate to the portal?
A: When the services start, each reaches out to the portal to establish a client id and secret, which are stored encrypted in the configuration. This communication is HTTPS with TLS 1.2.
Q: Open ports are for inbound and/or outbound from an on-prem customer?
A: Inbound for 5001, outbound for 443.
Q: Does the vendor portal service for on-prem need to be on a server on the dmz or can it be within the dmz?
A: Yes. It provides a mechanism to require the fields before submit in the portal without requiring them to save content in Archer.
Q: So the service self registers with the portal?
A: That is correct. The portaldatastore json file has a path to provision in the portal. The first publish will instantiate an individual instance in the portal. You could effectively have several instances present in your ACP, but they will only be registered in the portal if an attempt to publish has been made from the instance in question AND licensing is in place for that instance.
Q: Can we use our own questionnaires in addition to the out-of-the-box questionnaire?
A: Absolutely! It is possible to re-create the custom object in an application/questionnaire outside of Engagement Risk Assessments.
Q: Does this require the use of the Contacts application?
A: Yes, this does require information from the Contacts information. Data points from that application are sent to the vendor portal and used in the vendor portal emails sent to your third party contact.
Q: Can you push questionnaires to either an existing vendor specific instance of Archer and vendor portal while establishing the vendor portal and testing it?
A: Ultimately, the end goal would be to potentially remove the need to have a vendor-specific instance of Archer by leveraging the portal. That being said, you could elect to use a hybrid approach of both. Using vendor portal would not prevent the ability to sync content between a vendor-specific instance and your internal instance.
Q: Does this generate questionnaires for one third party at a time or multiple?
A: The custom object button would initiate a single vendor portal record generation at a time, however there is the concept of a bulk create through API. The contacts identified on the individual record being published will be attached/created in the vendor portal upon record generation.
Q: Will requiredfield json set to true require all fields be populated in the vendor portal even if the layout from the internal instance has not set them as required?
A: Yes. It is a mechanism to require answers to all fields before the vendor can submit it without requiring the fields to be populated in Archer before it can be saved.
Q: Will there be a summary of steps that will be reviewed for a Hosted instance to set up the vendor portal? Or should I reach out to my account rep?
A: Most of the steps covered with the service are for On-premises customers. As a hosted customer you just need to reach out to your account rep for an updated license key. The RSA Operations will apply that key. You will need to get the updated Third Party Risk Management Use Case package to get an example of the custom object. Wes is going to demonstrate customizing that code for any other application. Once your new key is applied the onboarding is automated by your first publish request.
Q: Do the vendor portal services have to be in a DMZ for on-prem?
A: I have not been bound to deploying in a DMZ. It's largely going to depend on the level of access to the external internet. There will be a need for the Archer instance to communicate with the service as well as the service communicating with the vendor portal. The VMs demo'd from have external internet access and thus had no issues with the communication with each other and the portal.
Q: Are bypass steps shown in the demo required? Or only if you want to use a proxy?
A: These are required so that the publish request from an Archer context is routed to the vendor portal Service.
Q: It seems these are additional required fields per app/questionnaire for this to work?
A: That is correct. There are certain pieces of information that we need on the portal side to generate/assign the portal record and to generate the underlying notification upon successful generation.
Q: Can we add more fields in the custom object?
A: Potentially down the road that could be possible. It should be noted that the fields being referenced are for buildout of the core components of the portal record. These are not representative of the fields/questions for vendor input on the portal side. The fields that vendors will interact with would be those that are part of the portal Layout on the Archer side.
Q: Does it sync records regardless of completion or does the portal need a submit to sync it back to the local instance?
A: The service only syncs submitted content. There is a backlog item to sync other items such as progress so that it can be viewed in Archer.
Q: How does it know what questions to sync?
A: Within the custom object you will reference a layout ID (your portal layout). The text, date, numeric, values list, and attachment fields that are present on that layout would be created as "questions" in the portal record. That is why we recommend having a separate portal layout to include only those things you wish to see in the portal record rather than every field you see in Archer.
Q: Is there a UAT environment for testing?
A: There is only one portal environment but you can publish from a Dev Archer instance. For testing you would most likely publish the assessments to yourself as the external contact.
Q: Follow-up re UAT; if we perform a UAT will we be logging assessments against our licensed number?
A: The license is not for the number of assessments; it's for the number of vendors. So you can publish as many assessments to yourself and it will only count as one. Also, the vendor count is per instance, so your Dev and Prod would have different counts.
Q: Follow-up RE UAT; so our license would have 50 free vendors for our non-prod environments in addition to PROD?
Q: What if there are fields on the questionnaire you don't want to show on the portal?
A: You can build a distinct "portal layout" that includes only the fields you wish to publish out to the vendor. You will reference that layout ID in the custom object so it knows which fields to create values for on the portal side.
Q: Can the custom object be configured to push updates to an already published assessment such as adding a new contact or cancelling the assessment if needed?
A: Currently you cannot publish an assessment a second time until it is received from the vendor.
Q: Will there be any security documentation for the vendor portal component and prerequisites?
A: There is a vendor portal Service guide on the community which includes security considerations and prerequisites: https://community.rsa.com/docs/DOC-112891
Q: Will there be any mechanism for managing the vendor portal file repository, or do we have to manage that manually?
A: The vendor portal service manages the files in the repository automatically. Once the content is successfully synced, the files are removed.
Q: You noted that we can receive attachments from the portal - can we also send attachments and images outbound to the portal?
A: Currently there is no functionality to pass attachments outbound. That is being considered for future inclusion.
Q: What if your questionnaire has a whole optional section? In some cases you need the answers answered and other times you do not?
A: At present question show/hide rules are not honored on the portal side. It's a WYSIWYG approach with this initial offering, so you would need to have the layout designed in a static fashion for what you wish to publish.
Q: Is there an ETA for when the vendor portal will be able to handle DDEs?
A: No ETA yet, but it is one of the top items to tackle next.
Q: Hypothetically, can the Custom Object be coded/triggered to republish if the assessment is not completed 100%?
A: It can; however, keep in mind that you can only have one "live" version of an assessment out in the portal. You would be blocked from publishing again for that particular record until it has been submitted from the portal side. At that point, you could elect to "re-publish" it, though it will constitute a new record on the portal side. The publish will include previously supplied detail (it will send over text entries, values lists, dates that have already been supplied); however, we cannot send attachments out.
Q: Do all the questions have to be hard coded in the Custom Object?
A: The questions included are tied to the layout id you provide in the custom object. You do not need to specify the question field ids separately.
Q: Do syncs happen regardless of record "completeness" from the portal?
A: The vendor/respondent can send the assessment back without completing all of the questions.