Review Non-conforming Assignments
How to review non-conforming assignments, i.e. approve or decline the suggestions made by Usercube after every synchronization. The aim is to handle the differences between the values from the managed systems and those computed by Usercube's role model.
Overview
Integrators must review three main types of non-conforming entitlement assignments:
- Non-conforming roles: Usercube finds roles assigned to users in the managed systems that no rule in the role model can justify.
- Unreconciled properties: Usercube's role model computes property values that are different from the values in the managed systems.
- Unauthorized accounts: Usercube finds accounts in the managed systems whose actual assignment to an identity cannot be justified by any rule in the role model.
Unreconciled properties, unauthorized accounts and non-conforming roles are part of non-conforming assignments. The global aim of the review is to handle the gaps between the existing assignments (real values) and the conforming assignments (theoretical values computed by Usercube from the role model rules).
A high number of non-conforming assignments can come from an issue in configuration rules.
Non-conforming roles and unauthorized accounts can be mass reviewed through automation rules.
Participants and Artifacts
This operation should be performed in cooperation with application owners who are in charge of applications' entitlements (technical side), and/or managers who know their team's entitlements (functional side).
| Input | Output |
|---|---|
| Provisioning (required) | Complying assignments |
Pre-existing assignments vs. non-conforming assignments
The assignments specified as non-conforming during the very first execution of the role model are called pre-existing assignments. Pre-existing assignments are tagged differently from other non-conforming assignments by the SavePreExistingAccessRightsTask because they can indicate that:
- The rules are not optimal yet.
- Data in the managed system needs more cleanup.
Obviously, pre-existing assignments can also prove to be exceptions to the rules, like non-conforming assignments, and need to be validated as such.
Review Non-conforming Assignments
While there can be dependencies between the review of non-conforming roles and unreconciled properties, there are no absolute requirements regarding the sequential order of the non-conforming assignment review:
Risks can be defined to highlight the most sensitive accounts/permissions, in order to establish a priority order in the review of non-conforming assignments.
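The comparison described in the Overview, the pre-existing tag and the risk-based review order, shown together as an added Python example; it is not Usercube code or configuration. It assumes a role model reduced to department-based rules and expected property values equal to the identity's attributes; every name, record and risk score is constructed.

```python
from dataclasses import dataclass

# Constructed sample data; field names are assumptions, not Usercube's schema.
IDENTITIES = {
    "alice": {"department": "finance", "mail": "alice@corp.example"},
    "bob": {"department": "it", "mail": "bob@corp.example"},
}
# Role model (theoretical values): rules that justify roles and accounts.
ROLE_RULES = {"finance": {"SAP_Viewer"}, "it": {"AD_Admin"}}
ACCOUNT_RULES = {"finance": {"sap"}, "it": {"ad"}}
# Managed systems (real values), as read by a synchronization.
ACTUAL = {
    "alice": {"roles": {"SAP_Viewer", "AD_Admin"},
              "accounts": {"sap": {"mail": "alice@corp.example"}}},
    "bob": {"roles": {"AD_Admin"},
            "accounts": {"ad": {"mail": "b.old@corp.example"}, "sap": {"mail": "bob@corp.example"}}},
}
RISK = {"AD_Admin": 9, "sap": 5}  # hypothetical risk scores used to order the review

@dataclass(frozen=True)
class Finding:
    identity: str
    kind: str
    item: str
    pre_existing: bool  # True when found during the very first role model execution
    risk: int

def review_queue(first_run):
    """Compare real values with rule-justified values; highest risk first."""
    findings = []
    for who, actual in ACTUAL.items():
        dept = IDENTITIES[who]["department"]
        for role in sorted(actual["roles"] - ROLE_RULES.get(dept, set())):
            findings.append(Finding(who, "non-conforming role", role, first_run, RISK.get(role, 0)))
        for system, props in sorted(actual["accounts"].items()):
            if system not in ACCOUNT_RULES.get(dept, set()):
                findings.append(Finding(who, "unauthorized account", system, first_run, RISK.get(system, 0)))
                continue  # properties of an unjustified account are not compared
            for name, value in props.items():
                if value != IDENTITIES[who][name]:
                    findings.append(Finding(who, "unreconciled property", f"{system}.{name}", first_run, RISK.get(system, 0)))
    return sorted(findings, key=lambda f: -f.risk)
```

Each finding is a candidate for approval as an exception or for correction in the managed system; a large queue on the first run points back at the rules or at data cleanup, as noted for pre-existing assignments.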