User Stories - Certifications

Last modified 28 Nov 2023 18:22 +01:00

This document contains user stories for the redesign of certifications. It was prepared for planning the development of midPoint version 4.9. Some of the user stories described here may already be implemented.

1. Certification

1.1. Certification triggered manually by business user

Defining and starting a certification campaign is too complicated for a business user. We should allow business users to define simple, specific campaigns themselves.

User Story

AS a business manager,
I WANT TO ask the owner of a specific system or application (or its engineer) to certify the access of my people to their application,
SO THAT I know whether the access is still necessary from a technical perspective.

Acceptance criteria
  1. midPoint should provide a user interface in which a business user can define and start a (one-time) certification campaign.

    1. Business user can specify the access (role(s), application) and the list of users to be certified.

    2. Business user can specify the certifier who will perform the certification.

  2. The user interface should be user-friendly for business users and should not use midPoint-specific terminology.

  3. The options should be limited, with ease of use as the priority.

  4. midPoint can provide templates for such campaigns, defined by engineers.

    1. Business user then specifies just the role (or service) and who will perform the certification.

1.2. Triggering certification of assignments automatically when specific metric is achieved

User Story

AS an IAM administrator,
I WANT TO automatically trigger a certification campaign when a specific metric is reached,
SO THAT I can improve operational efficiency and increase compliance.

Examples
  • Triggering certification of Office365 assignments when we are approaching the license limit.

  • Triggering certification of users who were granted more than X accesses within the last week.

  • Triggering certification of users who reached a specific risk level.

Acceptance Criteria
  1. The certification campaign can be triggered by a specific dashboard value or another configurable metric set by the IAM administrator.

  2. midPoint should provide an option to define the minimal interval between triggered runs, so that the same certification does not run too often.

  3. midPoint should provide a configuration option for either starting the certification automatically or notifying the IAM administrator, who can then start the campaign at their own discretion.

1.3. Mistake in certification

User story

AS an IAM user who made a mistake in a certification,
I WANT TO correct my mistake,
SO THAT the user does not lose access because of it.

1.4. Users excluded from certifications (VIP users)

User Story

AS a Role Manager or IAM Administrator,
I WANT TO define a specific set of users who are excluded from the standard certification process (exclusion list),
SO THAT the access rights of these users are not affected or modified during regular certifications.

This can include top management, auditors, or specific users whose accesses I do not want to modify (the VIP users). For example, when access to a specific application is certified, the application owner will not be able to revoke the access of the CEO or CSO.

Acceptance Criteria
  1. midPoint should provide an interface to specify and modify the list of users who should be excluded from the standard certification process.

  2. This interface should be available to specific users only.

  3. When performing a standard certification, midPoint should display the users on the exclusion list but should not allow modification of their access.

    • This way, users performing the certification will not be confused.

  4. midPoint should ensure that certified assignments of users on the exclusion list are not affected by the certification results.

  5. Modification of the exclusion list should be auditable providing a clear record of excluded users and the justification for being excluded.

  6. Application of the exclusion list should be optional for each certification definition.

2. Microcertifications

midPoint should provide options for certifying individual objects (e.g. users) based on specific events, or triggered manually. Instead of generating a large certification campaign, the certification of individual objects (mostly users and their accesses) is triggered.

2.1. Certification of individual objects

User Story

AS an IAM user,
I WANT TO have an option to certify the access rights of an individual user,
SO THAT I can easily review and validate access (assignments) of an individual through a user-friendly interface.

Acceptance Criteria
  1. midPoint should provide an interface for displaying the requested certification of one user.

    1. The interface should be simpler to use than that of a campaign.

  2. The IAM user should be able to perform the certification in a minimal number of steps, ideally 3:

    1. open the certification request

    2. read the certification details of that object on one page

    3. approve or reject the certified assignment(s)

  3. midPoint should present the requested information in business language, not in midPoint-specific terminology (e.g. delta).

  4. The IAM user who performs certifications should see all certifications they performed.

    1. The history has a limit configurable by the IAM engineer, e.g. 1 year.

2.2. Manual trigger of certification of individual objects

User Story

AS an IAM administrator, Role manager or Security officer,
I WANT TO have an option to manually trigger the certification of an individual object (mostly a user),
SO THAT I can request their certification easily without additional complex configuration.

Acceptance Criteria
  1. midPoint should provide a user interface for creating certification requests for individual objects.

  2. While creating the certification request, the requestor should select from predefined options to whom the certification will be sent, and other details.

2.3. Automatic trigger of certification of individual objects

User story

AS an IAM administrator, Role manager or Security officer,
I WANT TO define the automatic start of certification of an individual object (mostly a user),
SO THAT I can request certification easily without additional complex configuration.

Examples
  • ask the manager to certify a user whose risk level increased over a specific threshold

  • ask the original manager and the new manager to certify the assignments of a user who moved within the organizational structure

2.4. Postpone micro-certification

If the micro-certification is raised right after a user is moved from one org. unit to another, the old manager may hesitate to remove the user's access. It is better to postpone the certification of the user's accesses for that transition period.

Not sure whether it is better to start the certification later or to enable a manager feature to postpone the certification. Maybe enabling postponement is better.

User Story

AS a manager of a user who moved from my organizational unit to another,
I WANT TO postpone their access certification for a transition period (a few weeks or a month),
SO THAT they can keep the old accesses while handing over their work, and I will not forget to remove the accesses afterwards.

Acceptance Criteria
  1. midPoint should give the approver an option to postpone the certification request for a defined period.

  2. midPoint should notify the approver when the postponement period is over.

  3. The IAM engineer can configure how many times and for how long a certification can be postponed.

  4. The IAM administrator can see all postponed and delayed certifications.

2.5. Triggering certification of users who did not log-in for specific period of time

User Story

AS an IAM administrator,
I WANT TO periodically trigger a certification of users who have not logged in for a specific period of time,
SO THAT we regularly review the user accounts or accesses of inactive users and apply appropriate security measures.

Examples
  • certify users who have not logged in to Active Directory for the last 6 months

  • certify all roles providing access to SAP for users who have not logged in to SAP for the last year

Acceptance Criteria
  1. midPoint should provide an option to define the period of inactivity of a user.

  2. The certification of the user may be initiated automatically when the user has not logged in for the specified period.

  3. midPoint should provide an option to configure this not only for users but also for accounts, i.e. when the user has not logged in to a specific system.

  4. The access is certified by the user's manager or by the system owner.

  5. midPoint should provide an option to define users or systems that are excluded from this micro-certification.
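The selection logic behind the acceptance criteria above, combined with the minimal interval between triggered runs from section 1.2 and the exclusion list from section 1.4, as an added illustration that is not midPoint code. The user, account and rule structures, the fallback to the system owner for users without a manager, and the `last_triggered` cooldown bookkeeping are assumptions made for this example; the sample users are constructed.

```python
"""Selecting users whose inactive accounts are due for a micro-certification.

Added example, not midPoint code. The data model, the rule shape and the
cooldown bookkeeping are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Account:
    system: str                     # target system the account lives in, e.g. "AD" or "SAP"
    last_login: Optional[datetime]  # None = never logged in (treated as inactive here)


@dataclass(frozen=True)
class User:
    name: str
    manager: Optional[str]          # None = no manager known
    accounts: tuple


@dataclass(frozen=True)
class InactivityRule:
    system: str              # which account the rule inspects (section 2.5, criterion 3)
    inactive_for: timedelta  # period of inactivity that triggers the certification
    certifier: str           # "manager" (user's manager) or "owner" (system owner)
    excluded_users: frozenset  # exclusion list of VIP users (sections 1.4 and 2.5, criterion 5)
    min_interval: timedelta  # minimal interval between triggered runs for one user+system (section 1.2)


@dataclass(frozen=True)
class CertificationRequest:
    user: str
    system: str
    certifier: str
    reason: str


def due_for_certification(users, rule, system_owner, last_triggered, now):
    """Return micro-certification requests for users inactive on rule.system.

    last_triggered maps (user, system) -> time the last request was raised and
    enforces rule.min_interval. Users without an account on the system, users on
    the exclusion list and users certified too recently are skipped.
    """
    requests = []
    for user in users:
        account = next((a for a in user.accounts if a.system == rule.system), None)
        if account is None:
            continue  # nothing to certify on this system
        if user.name in rule.excluded_users:
            continue  # exclusion list: VIP access is never put up for review here
        if account.last_login is None:
            reason = f"never logged in to {rule.system}"
        else:
            idle = now - account.last_login
            if idle < rule.inactive_for:
                continue  # still active
            reason = f"no login to {rule.system} for {idle.days} days"
        previous = last_triggered.get((user.name, rule.system))
        if previous is not None and now - previous < rule.min_interval:
            continue  # the same certification was raised too recently
        # Criterion 4: manager or system owner; fall back to the owner when no manager is known.
        if rule.certifier == "manager" and user.manager:
            certifier = user.manager
        else:
            certifier = system_owner
        requests.append(CertificationRequest(user.name, rule.system, certifier, reason))
    return requests


NOW = datetime(2023, 11, 28, 18, 0, tzinfo=timezone.utc)
DAY = timedelta(days=1)

SAMPLE_USERS = [  # constructed sample data
    User("alice", "bob", (Account("AD", NOW - 200 * DAY), Account("SAP", NOW - 10 * DAY))),
    User("carol", "bob", (Account("AD", NOW - 30 * DAY),)),
    User("dave", None, (Account("AD", None),)),                # never logged in, no manager
    User("ceo", "board", (Account("AD", NOW - 400 * DAY),)),   # on the exclusion list
    User("erin", "bob", (Account("AD", NOW - 250 * DAY),)),    # certification raised 20 days ago
]

AD_RULE = InactivityRule(
    system="AD",
    inactive_for=180 * DAY,
    certifier="manager",
    excluded_users=frozenset({"ceo"}),
    min_interval=90 * DAY,
)

LAST_TRIGGERED = {("erin", "AD"): NOW - 20 * DAY}


def example():
    return due_for_certification(SAMPLE_USERS, AD_RULE, "ad-owner", LAST_TRIGGERED, NOW)


if __name__ == "__main__":
    for r in example():
        print(f"{r.user}: certify {r.system} access, certifier {r.certifier} ({r.reason})")
```

Running the sample raises requests only for alice (inactive on AD, certified by her manager) and dave (never logged in, no manager, so the system owner is asked); carol is still active, ceo is on the exclusion list and erin is inside the cooldown window.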

2.6. Microcertification triggered by business users

Removal of access may be triggered ad hoc by business users in the form of a certification.

See Access removal vs certification triggered by business user in Approvals Design Notes for when direct access removal and when certification should be used.

See Access Removal in User Stories - Approvals for more details about how to handle access removals.

User Story

AS an application or resource owner,
I WANT TO request the removal of some users' access to my application,
SO THAT I can remove accesses as soon as they have lost the business reason for their existence.

User Story

AS a business manager or project manager,
I WANT TO ask the application owner/engineer whether the application role XYZ is relevant for a specified set of tasks in the application and, if not, what should be obtained instead,
SO THAT I can provide my subordinates with sufficient privileges for the specified set of tasks they have to perform.

Acceptance Criteria
  • The application owner should be able to remove (request the removal of) the access of specific users to their application by requesting a certification of this access.

  • midPoint provides a field for explaining the business reason for the certification request.

  • midPoint provides an option for the communication between the relevant parties to be stored in the certification request.

3. Reporting

3.1. Certification Dashboard

midPoint should provide a dashboard with certification statistics. The statistics should be kept separate for certification campaigns and micro-certifications. Micro-certifications should be aggregated by time period; campaigns can be aggregated by campaign name/type.

Examples of statistics for certification campaigns
  • Percentage of answered certification items per campaign

  • Counts of removed (revoked) assignments per campaign or role

  • Response speed per certifier

Examples of statistics for microcertifications
  • Responses per certification type
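How the campaign statistics listed above can be derived from certification work items, as an added example that is not midPoint code. The `WorkItem` structure, the decision vocabulary (accept, revoke, not_decided, prolong, and None for no response, mirroring the options in section 4.1) and the work items themselves are constructed for this illustration. The point worth noticing is how the two "non-answers" are treated: "not decided" is a response and counts towards the answer percentage, while "no response" counts in the denominator only and is excluded from response-time figures because it has no decision time.

```python
"""Aggregating certification work items into dashboard statistics.

Added example, not midPoint code. The WorkItem structure and the decision
vocabulary are assumptions made for this example; the items are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class WorkItem:
    campaign: str
    certifier: str
    role: str
    created: datetime
    decided: Optional[datetime]  # None = no response yet
    decision: Optional[str]      # accept | revoke | not_decided | prolong | None (no response)


def response_rate(items):
    """Percentage of answered items per campaign.

    "not_decided" is an answer; "no response" (decision None) is not, but it
    still counts in the denominator.
    """
    total, answered = defaultdict(int), defaultdict(int)
    for it in items:
        total[it.campaign] += 1
        if it.decision is not None:
            answered[it.campaign] += 1
    return {c: round(100.0 * answered[c] / total[c], 1) for c in total}


def revocations(items, group_by):
    """Count revoked assignments grouped by "campaign" or "role"."""
    counts = defaultdict(int)
    for it in items:
        if it.decision == "revoke":
            counts[getattr(it, group_by)] += 1
    return dict(counts)


def median_response_hours(items):
    """Median hours from creation to decision per certifier.

    Open items are excluded: they have no decision time yet.
    """
    durations = defaultdict(list)
    for it in items:
        if it.decided is not None:
            durations[it.certifier].append((it.decided - it.created) / timedelta(hours=1))
    return {c: median(d) for c, d in durations.items()}


T0 = datetime(2023, 11, 1, 9, 0, tzinfo=timezone.utc)
H = timedelta(hours=1)

SAMPLE_ITEMS = [  # constructed sample data
    WorkItem("Q4-AD", "bob", "AD Admin", T0, T0 + 2 * H, "revoke"),
    WorkItem("Q4-AD", "bob", "AD User", T0, T0 + 4 * H, "accept"),
    WorkItem("Q4-AD", "frank", "AD Admin", T0, None, None),          # no response
    WorkItem("Q4-AD", "frank", "AD User", T0, T0 + 48 * H, "not_decided"),
    WorkItem("SAP-2023", "grace", "SAP FI", T0, T0 + 1 * H, "revoke"),
    WorkItem("SAP-2023", "grace", "SAP MM", T0, T0 + 3 * H, "revoke"),
]

if __name__ == "__main__":
    print("answered %:", response_rate(SAMPLE_ITEMS))
    print("revoked per campaign:", revocations(SAMPLE_ITEMS, "campaign"))
    print("revoked per role:", revocations(SAMPLE_ITEMS, "role"))
    print("median response hours:", median_response_hours(SAMPLE_ITEMS))
```

For the constructed items the Q4-AD campaign is 75% answered (frank's open item drags it down), one assignment was revoked in Q4-AD and two in SAP-2023, and frank's median response time reflects only his one decided item.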

3.2. Overview of micro-certifications

User Story

AS an IAM administrator, Role manager or Security officer,
I WANT TO have a good overview of all micro-certification cases created in the system and their state,
SO THAT I can monitor and manage the certifications and thereby maintain security and compliance.

Acceptance Criteria
  1. midPoint should provide authorized users with a searchable overview of such micro-certification requests, with their current state and history.

  2. The user interface of micro-certifications should be different from that of certification campaigns.

4. Other user stories

4.1. Certification campaign - remove "reduce" operation

The Reduce operation is not understood by users (nor by me). It should be removed from the approval options.

The following options should be available for certifications:

  • Accept

  • Revoke

  • Not decided (or: I don’t know)

  • No response

  • Prolong assignment (Increase validity/ Set validity)

4.2. Certification of role definitions

In addition to the certification of user assignments, we must also support the certification of roles and their content.

By this I mean the certification of the content of business roles, which will be performed by business role owners, as well as the certification of application roles, which will be done by application engineers. I consider the certification of business roles more important.
