Certification - process
Certification process should contain following steps:
-
Campaign definition
-
Certification
-
Remediation
-
Summary
TODO - we need also define what should be in certification template
1. The process
The certification campaign can be specified, started and even analyzed by "advanced" business user. It means, that security officer should be able to start new certification or certification campaign.
The campaigns should be started from previously prepared certification templates. These templates (our certification definitions) should be prepared by engineers.
1.1. Campaign Definition
User interface should be understandable for an advanced business user (simplify the terminology). The user just selects from a predefined template and then determines which individuals need certification, what to be certified and other parameters.
Definition of certification campaign should consist of following steps:
-
object type, list of objects.
-
This step can also be omitted (if dealing with all individuals with a specific assignment).
-
Assignments (select desired ones).
-
Attributes (and their selection)
-
even extended attributes can be selected here (should be defined in template)
-
-
Content of the role (inducements within business role)
-
Specific assignment - role owner/approver
The certification may be complex: E.g. certification of business roles - may require certification of all inducements and attribute "description" and approver as well .
Select who will perform the certification tasks.
E.g. it may be the manager of the individual or owner of the role that is being certified.
Here a set of buttons should be defined. Additional . * "Extend validity." - button for extending validity of an assignment * "Limit validity" - if the assignment is unlimited, the user can limit the validity. * Allow "I don’t know" response. (our button Not decided)
-
If attributes are being certified, it may happen, that he wants to provide possible new values for specific attribute
This option can tell what to do with unanswered certification items.
-
Normal - standard operation. Unanswered questions are untouched
-
Agressive - the unanswered certified assignments are removed
-
deadline till which the certification campaign finishes.
-
Until closed by the author.
-
Automatic - what midPoint can remove will be removed
-
Report - midpoint prepares remediation report
-
what should be in the report ? Revoke or also undecided ?
-
-
Hybrid (?) - what is decided will be revoked automatically, other will be reported in the remediation report
1.2. Certification
The user interface should be easy to use. TODO - how should user interface look like ?
The interface should be different for certification campaign and microcertification.
We are displaying direct assignments only. Each manager will have quite a lot of direct assignments to answer. It would make the overview too complex if he has indirect assignments as well.
We will need to display assignments assigned by policy, but we need to explain that this is by some policy. These assignments (although they can’t be removed) must be shown as it should be confusing for users if missing.
User interface should be easy to use also for certification of user validity (e.g. whether the user still works) and some his attributes.
1.3. Remediation
Automatic/manual / hybrid
TODO - must be discussed
1.4. Summary
Now the cerification campaign is done. One page nas show some statistics of the campaign.
?dashboard ? or what else ? Some dashboard displaying basic information - what it was about.
-
Basic report from the certification campaign (basic).
-
CSV/Excel - with all responses, for further processing. (users can process it manually - flexibility)
For more sophisticated environments, an engineer can modify it.
-
-
Remediation report