- Created by Dev Raj Gautam, last modified on Sept 07, 2023
You are viewing an old version of this page. View the current version.
Compare with Current View Page History
« Previous Version 13 Next »
Overview of JIT Recertification Flow Item
The Just-In-Time (JIT) Recertification Flow is an efficient tool designed to assist administrators in managing resource access during role changes within a team. This flow becomes particularly relevant when a team member transitions to a new role, necessitating a review of their access assignments to resources linked to their previous position.
The Challenges with Old Methods
Traditionally, employee role changes required full audits to reevaluate their access permissions. However, this approach could present a risk in that an audit of an employee's access might not be scheduled to occur in a timely manner. Additionally, the number of employee transfers and role changes occurring at any given time could be significant for large organizations. In these cases, running full organizational audits is impractical, resource-intensive, and time-consuming, slowing down operational efficiency.
Automating Recertification with JIT
The JIT Recertification Flow offers a modern solution by automatically initiating a business request for resource recertification. This approach obviates the need for a full-scale audit. The automation is managed by a specific recertification policy, which provides a detailed framework for the process.
Advantages of Using JIT Recertification Flow
Using JIT Recertification Flow provides multiple benefits:
Enhanced Security: Timely review and revocation or update of access permissions minimize security risks.
Operational Efficiency: Automating the process expedites recertification, thus contributing to increased operational efficiency.
Real-world Use Cases
Consider a situation where an employee from the Marketing Department moves to a role in Human Resources. With JIT Recertification Flow in place, as soon as the role change is registered in the system, a business request for recertification is automatically initiated. The system would follow the guidelines set out in the recertification policy to determine which permissions should be reviewed, altered, or revoked.
Key Information
When choosing a recertification policy, it's important to ensure that it applies to all resources, not just a single one. For example, if a policy only targets a particular person, it's ineffective because the event won't generate a recertification for another person in the same flow event. It is crucial to have a policy that applies to all resources for effective recertification. The target of the policy tied to the recertification flow item must include all possible resources. Typically, special recertification policies are created for the JIT recertification flow item, which is usually shipped with the product and should not be included in other normal audits. If you want to change the default policy, please make sure you meet the requirements discussed here.
Recertification Policy: Recertification policies determine the type of access information that needs to be reviewed and validated for each user. Read More
Target: Recertification targets configure who/what to recertify. Targets are added to the policy. Read More
Item Scope Type: Item Type Scope will determine which data/access the policy will recertify. Targets are added to the policy. Read More
How to Configure the JIT Recertification Flow Item
To customize the JIT recertification flow item, kindly follow the instructions given below. However, it is important to consider the information provided in the Key Information section before making any changes.
Please Log in to EmpowerID with the necessary permissions.
On the navbar, expand Low Code /No Code Workflow and No Code Flows.
Click on the Flow Items Activities tab to view a list of flow item activities in the system.
Type "Just in Time Person Access Summary Recertification" in the search box and click search. Then, click on the icon to view the details of the recertification flow item.
As you look into the details view, you'll notice additional information such as the Item Type Action, Scope Type, and Threshold. It's important to note that the action type for this particular flow item is Just-in-Time Person Access Summary Recertification, which we'll explore further. To customize the flow item to match your needs, please make sure to provide appropriate values considering the form fields outlined below for your reference.
Fields
Description
Item Type Action
Choose the Item Type Action. Item Type Actions represent actions that can occur against an item.
Scope Type
To specify the resource items that the flow item should target, you need to select a scope. Scopes are boundaries and criteria that help to select resources. For instance, you can define a scope type "all non-RBAC group accounts for person" that selects group accounts associated with a person which are not bound by Role-Based Access Control (RBAC) .
Item Collection Filter
Provide a SQL Where clause to filter the items returned by the scope type. This where clause will be appended to the Item collection Query of the Scope Type.
Threshold Item Count
You can set a threshold to define the limit for the number of business request items to be created. Suppose the number of business request items exceeds the threshold or the specified limit. In that case, the business request item generation will be considered an "Over Threshold Switch" item type request.
Over Threshold Switch to Item
When the number of business items exceeds the previously specified threshold count, the system will create an item based on the "Over Threshold Switch to Item" setting instead of generating business request items. Usually, this item will be a bulk action item, such as deleting all management roles and group memberships or removing all SAP group memberships.
Name
Provide a unique and descriptive identifier for the.
Display Name
Please provide a user-friendly label or "Display Name" that appears in the application's user interface representing the flow item.
Description
Please provide a brief explanation of the flow item.
Fulfillment WF JSON
Please provide a JSON containing custom data to pass on to the fulfillment workflow. This may include information such as ServiceNow ticket numbers or target persons.
Click on the Item Type Actions tab to view the item type actions.
Type "Just in Time Person Access Summary Recertification" in the search box and click search. Click on the icon to open the details for the item type action.
You can find details of the Item Type action, including fulfillment workflows and approval policy. The default workflow for the Approval Fulfillment WF is FWPersonJITRecertification. You can customize the approval policy and fulfillment workflows to suit your requirements. Ensure that they fulfill their intended purpose. Details regarding the form fields are outlined below for your reference.
Fields
Description
Item Type
Please select the Item Type. Item Types are the individual resources that can be requested.
Name
Provide a unique and descriptive identifier for the Item Type.
Display Name
Please provide a user-friendly label or "Display Name" that appears in the application's user interface.
Locale Key Unique Name
Provide the locale key for the name.
Usage Description
Please provide a brief explanation of the item type action.
Locale Key for Description
Provide the locale key name for the description.
Approval Fulfillment WF
Please choose a fulfillment workflow for approval. This workflow will handle all necessary actions once the business request item is approved.
Rejection Fulfillment WF
Please select a workflow to execute when the business request item is not approved.
Fulfillment Delay
Please indicate the delay in hours for the fulfillment workflow to run upon approval or rejection.
Approval Policy
Select the approval policy for the item type. You are defining when there is a JIT recertification Business Request with one or more resource items; approval Flow policies manage the necessary approval steps before granting access.
Category For External ITSM
Please provide the category for external ITSM.
ByPassGlobal Approval
This setting is selected by default, which specifies whether the system should bypass the global approval policy.
Click on the FWPersonJITRecertification, which opens the ViewOne page for the workflow. View One pages are designed to facilitate the viewing and managing of the corresponding objects in EmpowerID.
Locate the Request Workflow Parameters tab and click on the icon.
Provide the appropriate value for the Target Attestion Policy ID, which is the recertification policy ID, and click on Save. When assigning a new value to the recertification policy, it is important to ensure that you have either created a new policy or used a shipping policy type that applies to all resources for effective recertification. Additionally, the policy tied to the recertification flow item must include all possible resources as its target. Please take into consideration the key information mentioned earlier.
IN THIS ARTICLE
- No labels