User Stories - Certifications

Last modified 27 Sep 2023 08:18 +02:00
Table of Contents

This document contains user stories for upgrade of design of certifications. It is prepared for planning of development of midPoint version 4.9. Some user stories described here may be already implemented.

1. Access removal vs certification triggered by business user

The removal of access can be addressed by directly removing a certain access (your own, someone’s specific, or access of a group of people) or by requesting certification of the access.

If I perform the access removal myself, it should be a standard removal. However, if I want to ask someone else to remove the access or make a decision about it, it needs to be handled as a certification.

Who can remove the access - access removal::

  • end user himself

  • business user to other people

    • manager to his subordinates

    • privileged employee (helpdesk operator, IAM admin, security officer) to specific / any employee

  • application owner may ask for certification of accesses to his application

    • all accesses

    • subset of them

      • one specific role for all / subset of people

      • any access for subset of people

  • security officer wants to start certification campaign for specific set of accesses

  • business manager may need to ask application owner / or application engineer to tell whether specific set of users should have access to his application.

2. Access removals

Access can be revoked from a user directly or through certification. This chapter focuses on user stories for direct access removal.

Only direct assignments can be removed. Additionally, these direct assignments must not be assigned by policy or rule. Midpoint GUI should distinguish if assignment is assigned directly/indirectly and if the assignment is assigned by any rule.

2.1. Standard access removal by business user

This is basic user story for access removal. Trigger may be some business request (e.g. licence fees paid by the access) or something else. This is the most straightforward way how to remove access.

User Story

AS a business user,
I WANT TO remove one of my accesses / of accesses of my subordinates or other people who I can manage,
SO THAT I can fulfill a request to remove the access.

Acceptance Criteria

  1. midPoint should allow to open the user whose access is to be removed.

  2. midPoint should allow the user to log reason why he/she is removing the access.

  3. midPoint should record the access removal with the reason

  4. The access should be found easily in "all accesses" view

  5. the user should easily identify whether the assignment was assigned directly and whether it was not assigned via policy.

  6. The assignment can be removed only when it was assigned directly and not assigned by policy/rule.

  7. If approval is configured for the role/service assigned, the approval case for removal should be triggered.

2.2. Standard access removal by privileged employee

This is basic story of removal a member from a role, service or org.

The user must be able to distinguish whether he can remove the member - whether he was assigned directly and not via rule/policy.

See removal of multiple user from a role.

2.3. "UNDO" during access removal

As access removal is sometimes irreversible, the business user who directly removes access should have an option to undo the access removal in case of mistake. The undo operation should be limited to some time interval (e.g. 5 minutes). midPoint can postpone the removal for that time-period.

User Story

AS a business user,
I WANT the ability to undo access revocations within a specific time interval
SO THAT I can easily reverse my decision if needed.

Acceptance Criteria

  1. midPoint should provide an "undo" function within a defined time window after revoking access.

  2. When I use the "undo" function, the access that I previously revoked should be reinstated as it was before.

  3. The "undo" option should be available only for a specified period after access revocation.

  4. The "undo" time interval should be configurable by engineer.

  5. If the user does not use the "undo" function within the defined time frame, the access removal should become permanent.

  6. The "undo" feature should be user-friendly and intuitive for business users to utilize effectively.

  7. The ability to "undo" access removal should not conflict with any certification or approval processes in place.

2.4. Removal of multiple users from a role

User story

AS a role owner,
I WANT to remove multiple users from the role on one page. SO THAT I can keep the list of members of the role clean.

The option is available on the role page, but is not intuitive.

Acceptance criteria

  1. midPoint should provide interface for business users to remove members of the role easily (maybe the '-' minus sign)

  2. midPoint should distinguish between direct and indirect assignments and should provide an option how to remove indirect assignment.

By delete option on group membership a business user with higher privileges (e.g. helpdesk) can delete user unintentionally while removing him from an assignment.
User Story

AS a helpdesk operator or owner of a role, who does not know difference between "unassign" and "delete" of the group member
I WANT to remove multiple users from a role,
SO THAT I don’t make mistake by selecting wrong option.

Acceptance criteria

  1. midPoint should not provide option to delete users when listing in

2.5. Microcertification - triggered by business user

Definition and starting of certification campaign is too complicated for business user. We should allow business users to define some easy and specific campaigns.

User Story

AS a business manager,
I WANT TO ask owner of specific system or application or its engineer to certify access of my people to his application,
SO THAT I will know whether the access is still necessary from technical perspective.

Acceptance criteria

  1. Midpoint should provide user interface available for definition of (one-time) certification campaign which business user can define a start.

    1. Business user can specify access (role(s), application) and list of users for certification.

    2. Business user can specify certifier who will perform the certification

  2. The user interface should be user-friendly for business users. Should not use midpoint specific terminology.

  3. The options should be limited with easy usage as priority.

  4. Midpoint can provide templates for such campaigns - defined by engineers.

    1. Business user can specify just the role (or service) and who will perform the certification

3. Certifications based on events

3.1. Triggering certification of assignments when specific metric is achieved

User Story

AS an IAM administrator,
I WANT TO automatically trigger certification campaign when specific metric is achieved,
SO THAT I can improve operational efficiency and increase compliance.

Examples

  • Triggering certification of assignment of Office365 when we are reaching license limit.

  • Triggering certification of users which added more than X accesses within last week

Acceptance Criteria

  1. the certification campaign can be triggered by specific dashboard value or other configurable metric, that can be set by IAM administrator

  2. midPoint should provide option for definition of minimal interval between the triggered runs - not to run the same certification too often

  3. midPoint should provide configuration option for starting the certification automatically or notifying IAM administrator who can start the campaign based on his decision

3.2. Mistake in certification

User story

AS an IAM user who made a mistake in a certification,
I WANT TO correct my mistake,
SO THAT the user won’t get the access removed.

3.3. Users excluded from certifications (VIP users):

User Story

AS a Role Manager or IAM Administrator,
I WANT TO define a specific set of users who will be excluded from the standard certification process (exclusion list),
SO THAT these users' access rights will not be affected or modified during regular certifications.

This can include top management, auditors, specific users whose accesses I do not want to modify (the VIP users). For example, if I were to certify accesses to a specific application, the application owner will not be able to revoke access for CEO or CSO.

Acceptance Criteria

  1. midPoint should provide an interface to specify and modify the list of users who should be excluded from the standard certification process.

  2. This interface should be available to specific users only.

  3. When performing a standard certification, midPoint should display users in the exclusion list, but should not allow modification of their access.

    • This way, users performing certification will not be confused.

  4. midPoint should ensure, that certified assignments of the users in the exclusion list are not impacted by the certification results

  5. Modification of the exclusion list should be auditable providing a clear record of excluded users and the justification for being excluded.

  6. Application of the exclusion list should be optional for each certification definition.

3.4. #TODO - how to view inducements #

3.5. Remove induced assignment - how to certify this ?

#I want to remove access of the user, but that access was assigned by induced role → how should this to be handled #

4. Microcertifications

MidPoint should provide options for certification of individual objects (e.g. users) based on specific events or event triggered manually. So not generating large certification campaign, but triggering certification of individual objects (mostly users and their accesses).

4.1. Certification of individual objects

User Story

AS an IAM user,
I WANT TO have an option to certify access rights of individual users,
SO THAT I can easily review and validate access (assignments) of an individual through a user-friendly interface.

Acceptance Criteria

  1. midPoint should provide a interface for showing the requested certification of one user

    1. interface should be easier than

  2. IAM user should be able to perform certification with minimal number of steps. Ideally in 3:

    1. open the certification request

    2. read the certification details of that object in one page

    3. approve, reject the certified assignment(s)

  3. midPoint should provide requested information in business language not using midpoint-specific terminology (e.g. delta)

  4. IAM user who performs certification should see all certifications he/she perfomed

    1. the history has limit configurable by IAM engineed - e.g. 1 year

4.2. Certify multiple users on one page

User Story

AS and IAM user,
I WANT TO have an option to certify acces rights of individual users on one page, SO THAT I can easily review and validate access (assignments) of an individual through a user-friendly interface.

Acceptance Criteria

  1. midPoint should provide option to perform certification decision on the certification campaign page (or simmilar page) if the user has enough privileges

4.3. Certification Dashboard

Midpoint should provide dashboard with certification statistics.

4.4. Manual trigger of certification of individual objects

User Story

AS and IAM administrator, Role manager or Security officer,
I WANT TO have an option to manually trigger certification of individual object (mostly user),
SO THAT I can request their certification easily without additional complex configuration.

Acceptance Criteria

  1. midPoint should provide user interface for creating certification request of individual objects.

  2. while creating certification request the requestor should select from predefined options to whom the certification will be sent and other details.

4.5. Automatic trigger of certification of individual objects

User story

AS and IAM administrator, Role manager or Security officer,
I WANT TO define automatic start of certification of individual object (mostly user),
SO THAT I can request certification easily without additional complex configuration.

Examples

  • ask manager to certify user that has risk level increased over specific threshold

  • ask original manager and new manager to certify assignments of the user who moved in organizational structure

4.6. Postpone microcertification

If the microcertification is raised right after user is moved from one or. unit to another, old manager may hesitate to remove user access. It is good to postpone the certification of the user’s accesses of that transition period.

Not sure, whether is better to start the certification later, or enable manager feature to postpone the certification. Maybe enabling to postpone is better.

User Story

AS a manager of a user who moved from my organizational unit to another,
I WANT TO postpone his access certification for transition period (few weeks or a month) SO THAT he can keep the old accesses while moving work and I will not forget to remove his accesses.

Acceptance Criteria

  1. midPoint should enable approver option to postpone the certification request for the defined period

  2. midPoint should notify the approver when the defined period for postpone is over

  3. IAM engineer can configure how many times and for how long the certification can be postponed

  4. IAM administrator can see all the postponed and delayed certifications

4.7. Triggering certification of users who did not log-in for specific period of time

User Story

AS an IAM administrator,
I WANT TO periodically trigger a certification of users who have not logged in for a specific period of time,
SO THAT we can regularly review user accounts or accesses of inactive users and ensure appropriate security measures.

Examples

  • certify users who have not logged in to Active Directory for last 6 months

  • certify all roles providing access to SAP of the user who has not logged to SAP for last 1 year

Acceptance Criteria

  1. midPoint should provide option for definition of period of inactivity of the user

  2. the certification of the user may be initiated automatically when the user is not logged in for specific period of time

  3. midPoint should provide option for configuring not only users but also accounts - if the user did not log into specific system

  4. the access is certified by user’s manager or system owner

  5. midPoint should provide option to define users or systems that will be excluded from this microcertification

4.8. Overview of microcertifications

User Story

AS and IAM administrator, Role manager or Security officer,
I WANT TO have good overview of all microcertification cases created in the system and their state,
SO THAT I can monitor and manage the certifications and therefore keep the security and compliance.

Acceptance Criteria

  1. midPoint should provide authorized users searchable interface for overview of such microcertification requests, with their actual state and history.

  2. user interface of microcertifications should be different from certification campaigns

4.9. Certification triggered by business users

Removal of access may be triggered ad-hoc by business users as certifications.

See Access removal vs certification triggered by business user in Approvals Design Notes for difference when direct access removal and certification is to be used.

See Access Removal in User Stories - Approvals for more details about how to handle access removals.

User Story

AS an application or resource owner,
I WANT TO request removal of access of some users from my application,
SO THAT I can remove accesses as soon as they lost business reason for their existence.

User Story

AS a business manager or project manager,
I WANT TO ask Application owner/engineer to tell me, whether the application role XYZ is relevant for the specified set of tasks in the application and if not, then what should they obtain instead,
TO provide my subordinates sufficient privileges for specifies set of tasks they have to perform.

Acceptance Criteria

  • The application owner may be able to remove (request removal of) accesses of specific users that have access to his application by asking a certification of this access.

  • midPoint provides field for explaining business reason of the certification request.

  • midPoint provides option for communication between relevant parties to be stored in the certification request.

4.10. Certification campaign - remove "reduce" operation

Reduce operation is not understood by users (and nor by me). It should be removed from approval options.

Following options should be available for approvals: * Accept * Revoke * Not decided * No response