Access review
Compliance and governance
Overview
The Entitle Access Review screen is a User Access Review (UAR) campaign management tool designed to manage multiple distributed campaigns for the enterprise. Access reviews improve permissions governance and support compliance with multiple standards and certifications. Each review campaign is composed of multiple reporters (reviewers), each separately reviewing a set of existing permissions in the organization. For every permission they are tasked to review, each reporter decides whether to keep it (Approve) or to revoke it (Deny) because the relevant user shouldn't have it going forward (over-permission).
This guide focuses on the main functionalities related to access review campaigns and reporting, utilizing the various features of Entitle's platform.
Please see User Access Review terms for terminology used throughout this section.
Overview screen
Overview is the main campaign management screen. It displays and allows you to manage multiple access review campaigns conducted within the enterprise over different periods. The most recent campaign is displayed on top with all its details; previous review campaigns are listed below.

- New access review - Create a new user access review campaign.
- Manage templates - Create or modify a user access review campaign template.
- Delete review - Delete an access review campaign.
- View review - View only the last access review campaign details. Review details include summary charts according to reporters and entitlements review progress, and a table with full details of the reporters and entitlements review progress.
- Done - Finish an active access review campaign, even if not all the defined permissions were reviewed. After the campaign is done, its results can only be viewed, not changed.
- Reports (tab) - View an access review campaign by the different organizational units' managers participating. The review summary table will present a summary of the review progress for each reporter.
- Reporters status filter (dropdown filter when in Reports tab) - Filter the reporters participating in a review according to the status of their progress for a specific review: pending (didn't start the review), in progress, or done (finished their review).
- Entitlements (tab) - View an access review campaign by the reviewed entitlements. The review summary table details the status of each one of the entitlements reviewed as part of the review campaign.
- Entitlements status filter (dropdown filter when in Entitlements tab) - Filter the entitlements participating in a review according to the status of the review progress: pending (wasn't reviewed yet), approved (all is ok), denied (entitlement to be revoked), or flagged (marked as suspicious for future revisit).
- Review (table line item) - In the Previous Reviews section, each line item represents a historic access review summary. Clicking on it will open a detailed review screen.
- Delete (previous reviews table line item trash can icon) - Delete an access review campaign.
Conducting a new Access Review
- Click the New Access Review button in the Overview screen.
- Choose a pre-configured template from the available options, name the review, and describe it for future management and audit. In the example screenshot below, the "Gitlab" template is selected, focusing the review campaign solely on Gitlab users and permissions.
- The review owner can configure the Immediate Revoke checkbox only when the Force immediate revoke checkbox in the Org settings screen is unchecked. In that case, the review owner can choose between revoking a permission immediately when the reporter clicks Deny and revoking excessive permissions when the review is done.

- After clicking the Create access review button, a new review campaign will be generated. The example campaign contains eight entitlements related to Gitlab, with one designated reviewer. The campaign status is set to pending since it has not yet started. Clicking the Activate button will start the review campaign.

- Upon activating a review, all the reporters are notified that they take part in an active review. As a reporter, go to the Report page to begin reviewing your entitlements.
- As a team manager, the Team members tab view provides an overview of the entitlements granted to your team members for the applications participating in the review campaign. Click one of the team members' table lines to start your review.
- Review the entitlements for each resource and take appropriate action (approve, deny, or flag for further review). Progress through the resources and your team members one by one until all entitlements have been reviewed. For a single resource's entitlements, you can use the upper checkbox near the resource name to select or deselect all entitlements for the resource and then approve or deny all of them in a single click.
- As an App owner, the Resources tab view provides an overview of the entitlements by the resources that are part of your App. Click a resource line in the resource table to start the review of the entitlements for this specific resource.
- Review the entitlements for each resource and take appropriate action (approve, deny, or flag for further review). Progress through the resources one by one until all entitlements have been reviewed. For a single resource's entitlements, you can use the Select all checkbox to select or deselect all the entitlements of the resource and then approve or deny all of them in a single click.

- Campaign Completion: Once all the entitlements have been reviewed, verify the campaign's status and decide when to conclude the review according to the allocated time and overall progress. Click Done to finish the review campaign. A completed campaign is kept on the Overview page for future review with an auditor or when governance evidence of the permissions status at a given time is needed.

Note
Clicking Done is irreversible. You or any other reporter in the organization can't continue or modify a completed review, for compliance reasons.
Managing review templates
Upon clicking Manage templates in the Overview screen, the Access review templates management screen opens. In this screen, you can view and manage the various review templates used within your organization.

- Edit (line item pencil icon) - Edit a single review template.
- Delete (line item trash can icon) - Delete a single review template.
Create or edit a template
Clicking the New template or edit icon opens the template edit screen. Here, you can set all the review template's properties.

- Delete - Delete the template. Future reviews can't be created based on the template; however, past reviews that were created based on the template remain intact.
- Save - Save the changes made to the template definitions. Those changes will apply to future reviews created based on the template.
- Template description - A description that helps when managing multiple templates for different use cases.
- (Reviewers) Managers - Whether the template includes organizational unit managers as reporters (reviewers).
- (Reviewers) Resource Owners - Whether the template includes Application owners as reporters (reviewers).
- Include Unclaimed entitlements - Include entitlements for accounts that are not connected to any user within Entitle. Those entitlements and users were provisioned outside of Entitle, potentially before it was rolled out.
- Immediate Revoke - When checked, any permission denied in a review is revoked immediately. This setting is enabled or disabled as a result of the Force Immediate Revoke setting in the organization's settings page.
- Exclude / Include Groups - Select the organizational groups of users to be reviewed based on the template. Exclude means all the users in the organization (IdP users) will be reviewed, excluding the selected groups of users. The default value of Any User means all the users in the organization (IdP users) are to be reviewed.

- Integrations - Select the Integrations to be reviewed based on the template. The All Integrations default value means all the Entitle-defined applications used by the organization are to be reviewed. In the example below, only Okta and Zoom are to be reviewed within the template.

Note
The template's actual set of permissions to be reviewed is the result of all the selected integrations' permissions for all the selected users.