Maintaining up-to-date user access rights is a paramount security challenge. Changes in the organizational structure, the transfer of users to other departments, changes in security policies, and other transformational processes within a company require the reassessment of the existing access rights. A regular review of user access is a key element of an effective access management system that helps minimize risks associated with unauthorized access to information resources.
MidPoint comes with a powerful feature called access certification that improves an organization’s security posture and compliance. This feature automates the process of regularly reviewing and validating user access rights, helping identify and address potential security risks, such as unnecessary access rights and outdated permissions. The whole documentation about the certification feature can be found at this link.
The webinar provided an overview of the access certification feature in midPoint. Participants saw how midPoint helps keep security at a high level by:
The feature demo presented the recently improved UI and its configurable options. With the newly implemented improvements, the certification process has become more flexible, clearer, and easier to follow.
Please note: during the webinar, midPoint version 4.9.1-SNAPSHOT was used.
In case you missed the webinar or would like to refresh your memory, take a look at the presentation or watch the recording:
Questions from the webinar that were unanswered during the session or required more detailed responses:
1) What happens if a “reviewer” is inappropriate? (maybe their role changed recently or during the campaign). Can they be modified, who can do that?
A.: The only possibility for now is to edit the XML of the existing campaign. This requires a large amount of manual work, because the reviewer is written into each certification work item and every affected work item has to be changed.
The other (theoretical) option is to write a script that goes through all work items within the campaign and replaces the inappropriate reviewer.
2) Can we add buttons to have more possibilities than just “Accept” or “Revoke” without the XML definition?
A.: “Accept” and “Revoke” are the default responses for certification items. The list of responses can be extended in the certification items collection view (either in systemConfiguration → accessCertification or in the campaign definition). The additional responses (Reduce, Not decided, No response) are then displayed as items of a menu rather than as separate buttons.
Unfortunately, this configuration cannot be made through the GUI; it has to be done in XML.
3) Can we simulate a campaign before starting so that we know what will be certified and who will be the approvers?
A.: There is no way to simulate a certification campaign. However, creating and starting a campaign does not modify any objects in midPoint or perform any changes on its own; only the decisions made by reviewers (and the remediation that follows) have an effect. Therefore, there is no harm in creating and starting a campaign and analyzing the data you need, such as which assignments are being certified and who the reviewers are.
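The two scripting ideas above (inspecting who reviews what once a campaign is started, and bulk-replacing an inappropriate reviewer from question 1) can be done offline against an exported campaign. The following is an added example, not code from the webinar or from midPoint itself. It assumes the campaign XML is what `GET /ws/rest/accessCertificationCampaigns/{oid}` returns, that reviewers are stored at `case/workItem/assigneeRef` and that closed work items carry `closeTimestamp`, and that the generated `objectModification` body is what you would `PATCH` back to the same URL; the sample campaign, OIDs and the exact delta shape are constructed for this example and should be verified on a test instance first.

```python
"""Added example: analyze an exported access certification campaign and build
the item deltas that move all open work items of one reviewer to another.
Not midPoint's own code; schema paths and the delta shape are assumptions."""
import xml.etree.ElementTree as ET

# midPoint common and prism types namespaces.
C = "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
T = "http://prism.evolveum.com/xml/ns/public/types-3"
NS = {"c": C, "t": T}

# Constructed sample campaign (not real data): three cases, four work items.
# Case 3's work item is already closed and must be left alone.
SAMPLE_CAMPAIGN = f"""<campaign xmlns="{C}" oid="00000000-0000-0000-0000-cccccccccccc">
  <name>Q3 role review</name>
  <case id="1">
    <objectRef oid="u-alice" type="UserType"/>
    <targetRef oid="r-finance" type="RoleType"/>
    <workItem id="1"><assigneeRef oid="u-bob" type="UserType"/></workItem>
  </case>
  <case id="2">
    <objectRef oid="u-carol" type="UserType"/>
    <targetRef oid="r-finance" type="RoleType"/>
    <workItem id="1"><assigneeRef oid="u-bob" type="UserType"/></workItem>
    <workItem id="2"><assigneeRef oid="u-dave" type="UserType"/></workItem>
  </case>
  <case id="3">
    <objectRef oid="u-erin" type="UserType"/>
    <targetRef oid="r-admin" type="RoleType"/>
    <workItem id="1">
      <assigneeRef oid="u-dave" type="UserType"/>
      <closeTimestamp>2024-10-01T10:00:00Z</closeTimestamp>
    </workItem>
  </case>
</campaign>"""


def iter_work_items(campaign_xml):
    """Yield one dict per work item: case id, work item id, certified
    object, target (e.g. the role), reviewer OID and whether it is closed."""
    root = ET.fromstring(campaign_xml)
    for case in root.findall("c:case", NS):
        obj = case.find("c:objectRef", NS).get("oid")
        target = case.find("c:targetRef", NS).get("oid")
        for wi in case.findall("c:workItem", NS):
            assignee = wi.find("c:assigneeRef", NS)
            yield {
                "case_id": case.get("id"),
                "work_item_id": wi.get("id"),
                "object": obj,
                "target": target,
                "reviewer": assignee.get("oid") if assignee is not None else None,
                "closed": wi.find("c:closeTimestamp", NS) is not None,
            }


def reviewers_summary(campaign_xml):
    """Map reviewer OID -> list of (object, target) pairs still waiting for
    a decision. This is the 'who will certify what' view for a started campaign."""
    summary = {}
    for wi in iter_work_items(campaign_xml):
        if wi["closed"]:
            continue
        summary.setdefault(wi["reviewer"], []).append((wi["object"], wi["target"]))
    return summary


def reassign_modification(campaign_xml, old_reviewer_oid, new_reviewer_oid):
    """Return (paths, xml): the item paths of every open work item held by
    old_reviewer_oid and an objectModification body that replaces each
    assigneeRef with new_reviewer_oid. Closed work items are never touched."""
    paths = [
        f"case[{wi['case_id']}]/workItem[{wi['work_item_id']}]/assigneeRef"
        for wi in iter_work_items(campaign_xml)
        if not wi["closed"] and wi["reviewer"] == old_reviewer_oid
    ]
    deltas = "".join(
        "  <t:itemDelta>\n"
        "    <t:modificationType>replace</t:modificationType>\n"
        f"    <t:path>{p}</t:path>\n"
        f'    <t:value oid="{new_reviewer_oid}" type="c:UserType"/>\n'
        "  </t:itemDelta>\n"
        for p in paths
    )
    xml = (f'<t:objectModification xmlns:t="{T}" xmlns:c="{C}">\n'
           f"{deltas}</t:objectModification>\n")
    return paths, xml


if __name__ == "__main__":
    for reviewer, items in reviewers_summary(SAMPLE_CAMPAIGN).items():
        print(reviewer, "->", items)
    paths, body = reassign_modification(SAMPLE_CAMPAIGN, "u-bob", "u-frank")
    print(f"{len(paths)} work item(s) to reassign:\n{body}")
```

Because the replacement is generated per work item, you can review the list of paths before sending anything; the original assignee remains recorded in each work item's `originalAssigneeRef`, so the reassignment stays visible in the campaign history. The caller still needs the authorization to modify campaign objects, which in practice limits this to an administrator.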
4) Can we define a campaign to review the object only: attributes of the users, risk level or roles, …?
A.: No, the object itself and its attributes are not the subject of a certification campaign.
5) What happens if we revoke a role that was added automatically? For example, a template added a role but we decided to revoke it. Can we filter such elements?
A.: If a role is added by a template, then even after it has been revoked and removed by the certification process, it will be assigned again the next time the template is processed. In other words, revoking it in a campaign does not change the template that grants it.
There is, however, a way to configure a certification that runs on every role addition: the certification policy action within a policy rule definition. For more information about this use case please follow the documentation.
6) What kind of objects can we certify? Only roles?
A.: An access certification campaign can be defined to certify assignments and/or inducements of all types that extend AssignmentHolderType (e.g., UserType, RoleType, OrgType). As for the object type of the assignment (inducement) target reference, the possibilities include Role, Organization, Service, User, Policy, and Resource.