Users could only request access that matched their job function Certifications could contain extra information to help certifiers make access decisions Service accounts could be treated differently than user accounts
University The Problem: • Staff/students have access to multiple
University campuses Access Request • Each person has a primary campus The Solution: • Admins can only manage access for people Identity who share the same primary campus Attributes: Primary_Campus Campuses
Case Study Extending Identities Identity Cubes Quicklink Population
University The Problem:
Beth (Admin) Primary_Campus: West Access Campuses: West
Request John The Solution: Primary_Campus: West Campuses: North, South, West Identity Rich Attributes: Primary_Campus: North Primary_Campus Campuses: North, East
Campuses Sue LCM: Select User
Primary_Campus: West Campuses: North, East, West Beth John Sue
Mixed The Problem: • Some tools require manager approval
Approval • Some tools require no approval Process • Omit unnecessary approvals The Solution: • Add extended attribute to roles • Populate during role creation Role Attribute: • Mark roles that do not need approval Approval_Free • Add approval assignment rule
applicable regulations Based • Run Q1 certification for high Certification priority SOX applications The Solution: • Add extended attributes to Application Applications Attributes: • Populate during onboarding SOX • Use exclusion rule to selectively SOX Priority certify PCI Run Time If not high priority, exclude
Manage The Problem: • Need better insight into application risk
application • Certify privileged and service accounts on stricter schedule risk The Solution: • Add extended attributes to accounts Account Attributes: • Privileged and Service sourced from account data Dormant • Dormant calculated from last login date
Privileged • Set risk score for each account attribute and calculate application risk scores Service • When certifying, identify privileged and service accounts
AD Group The Problem: • When requesting access, allow users to find AD
Group to request based on Windows servers Windows • During certification, display which Windows Servers servers a user’s AD group gives access The Solution:
• Add extended attribute to Entitlement Catalog Items
Case Study Extending Roles, Applications & Accounts
Synchronize The Problem: • ServiceNow application is definitive source for
Owners with owners of applications and roles ServiceNow • Synchronize application and role ownership in The Solution: IdentityIQ with that listed in ServiceNow Role: CID Application: CID Account: SYS_ID
![ComboFix - add to the security toolkit [TechRepublic]](https://imgv2-1-f.scribdassets.com/img/document/450739231/149x198/a64e001d48/1583682743?v=1)
