Using ComplianceCourier Certification Review Cycles€¦ · Using ComplianceCourier Certification...

Using ComplianceCourier Certification Review Cycles

Access Assurance Suite 8.3

Courion Corporation

1900 West Park DriveWestborough, MA 01581-3919

Phone: (508) 879-8400Domestic Toll Free: 1-866-Courion

Fax: (508) 366-2844

Copyright © Courion Corporation. All rights reserved.

Copyright © Courion Corporation 1996 – 2014. All rights reserved. This document may be printed or copied for use by administrators of software that this guide accompanies. Printing or copying this document for any other purpose in whole or in part is prohibited without the prior written consent of Courion Corporation.

Courion, the Courion logo, Access Insight, AccountCourier, CertificateCourier, PasswordCourier, ProfileCourier, RoleCourier are registered trademarks of Courion Corporation. The Courion logo See Risk in a Whole New Way, Access Assurance Suite, ComplianceCourier, and Enterprise Provisioning Suite are trademarks of Courion Corporation. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. Any rights not expressly granted herein are reserved.

Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c) (1) (ii) of the Rights in technical Data and Computer Software clause in DFAR 52.227-7013 or the equivalent clause in FAR 52.227-19, whichever is applicable.

Courion Corporation reserves the right to make changes to this document and to the products described herein without notice. Courion Corporation has made all reasonable efforts to insure that the information contained within this document is accurate and complete. However, Courion Corporation shall not be held liable for technical or editorial errors or omissions, or for incidental, special, or consequential damages resulting from the use of this document or the information contained within it.

The names of additional products may be trademarks or registered trademarks of their respective owners. The following list is not intended to be comprehensive.

Adobe®, the Adobe® logo, Acrobat®, and Acrobat® Reader® are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries.

CA-TopSecret® and CA-ACF® are registered trademarks of Computer Associates International, Inc.

Citrix® is a registered trademark of Citrix Systems, Inc. in the United States and other countries.

HP-UX is an X/Open® Company UNIX® branded product.

Java™ and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries.

Microsoft Corporation®, Microsoft Windows®, Microsoft Windows NT®, Microsoft Excel,® Microsoft Access™, Microsoft Internet Explorer®, and SQL Server® are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Microsoft is a U.S. registered trademark of Microsoft Corp.

Netscape® is a registered trademark of Netscape Communications Corporation® in the U.S. and other countries. Netscape Communicator®, Netscape Navigator®, and Netscape Directory Server® are also trademarks of Netscape Communications Corporation and may be registered outside of the U.S.

Novell® and the Novell products, including NetWare®, NDS®, GroupWise®, and intraNetWare® are all registered trademarks of Novell.

IBM®, Lotus®, Lotus Notes®, Domino®, i5/OS®, z/OS®, and RACF are registered trademarks of International Business Machines Corporation in the United States, other countries, or both.

Oracle® and PeopleSoft® are registered trademarks of the Oracle Corporation. Oracle8i™ and Oracle9i™ are trademarks of the Oracle Corporation.

Remedy®, Action Request System®, and AR System® are registered trademarks of BMC Software, Inc.

SAP, the SAP logo, mySAP.com, and R/3 are trademarks or registered of SAP AG in Germany and in several other countries all over the world.

SecurID® and BSAFE® are registered trademarks of RSA Security Inc. All rights reserved.

Sun, Sun Microsystems, the Sun Logo, iPlanet are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries.

All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the United States and other countries. Products bearing SPARC trademarks are based upon an architecture developed by Sun Microsystems, Inc.

UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company Limited.

Copyright to STLport is owned by the following entities: Boris Fomitchev© (1999/2000), Hewlett-Packard Company© (1994), Silicon Graphics Computer Systems, Inc.© (1996/1997), and the Moscow Center for SPARC Technology© (1997).

All other products and companies mentioned in this document may be the trademarks of their associated organizations.

January 2014

Trademarks

1

Courion Corporation

Table of Contents

Chapter 1 - About ComplianceCourier Certification Review Cycles . . . . . . . . . . . . . . . . . . . . . . . 3

Multilanguage Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Chapter 2 - Installing the Access Certification Solution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Upgrading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5Installing the Access Certification Solution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Configuring the Microsoft Active Directory Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6Configuring the Microsoft Active Directory Target . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6Configuring the Microsoft ADO Target . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Executing the Database schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7Editing the Connection Strings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Installing the Micro-Certificates Manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9Installing the Utility in a Single-Server Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9Configuring the Web.config to Display Micro-Certification Link in Access Insight . . . . . . . . . . . . . . . . . . 10Editing Global Configurations for Micro-Certification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Chapter 3 - Using the Global Configuration Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Default Global Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12Default Global Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Editing Global Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14Editing Global Options with Config Type as Complex . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Chapter 4 - Configuring Review Cycles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

About Review Cycles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18Using Review Cycles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18Certification Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Opening the Access Assurance Portal Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19Creating Review Cycles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Certification Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21Review Cycle Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Notes on Operators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24Notes on Configuring Constraints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Design Review Cycle View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26Set Review Cycle Task Grid Behavior and Set Review Cycles Task Column Behavior . . . . . . . . . . . 26Select Detail View Type to Display for Rows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28Select the Review Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28Select the Actions to Apply to Decisions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Schedule Review Cycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30Closing the Certification Review Cycle Management Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31Creating a Review Cycle by Copying an Existing Review Cycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Managing Review Cycles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33Editing or Viewing a Review Cycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33Activating a Review Cycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33Closing a Review Cycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34Deleting a Review Cycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Data Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35Modifying the Data Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Chapter 5 - Delegating Review Cycles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

Delegating Review Cycles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38Customizing the Search Control Window for Delegatee Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Default Values in the Restriction Global Option For Delegation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

2

Courion Corporation

Reclaiming Delegated Review Cycles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40Viewing Delegated Review Cycles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Chapter 6 - Configuring Macros . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Adding a New Macro . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43Editing or Deleting an Existing Macro . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

Chapter 7 - Setting Up Email Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Editing a Default Email Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

3

Courion Corporation

Chapter 1: About ComplianceCourier Certification Review Cycles

The Access Certification solution enables you to create ComplianceCourier Access Certification Review Cycles with worksheets where business users or IT resource owners can perform certification. These worksheets are grids which users can sort and filter to display the data in the most efficient way.

As with other screens you can hide these options for less technically proficient users. The information shown in the grid depends on how you configured the certification review cycles: the user could be certifying to a list of their direct reports, user entitlements on an in-house application, or user role assignments by job function. No matter what users are certifying to, there is a large, easy to read summary section displayed at the top. From here users can see critical summary information about the certification actions taken to date.

You can configure a review cycle to display a graphical summary of the decisions taken. If the number of rows to be displayed is large, the table pages over the decisions allowing the worksheet to be as responsive to user interaction as possible. Actions for each certification decision can be done individually or as a user defined selection of decisions. Each decision that is made is committed to the database immediately, allowing the user to make incremental progress without having to remember to save periodically. Once all certification decisions have been made, the user can submit the complete review cycle for certification. You can still access a submitted certification report from the task list in a read-only form; you cannot make other changes to certification review cycle decisions.

The terms review cycle, certification or certification review may be used interchangeably.

Figure 1 shows a My Certifications screen.

Figure 1: The My Certifications Screen

4 About ComplianceCourier Certification Review Cycles

Courion Corporation

Multilanguage Support

The multilanguage support feature is available with the Access Certification solution. For more information about how to use this feature, see The Access Assurance Suite Implementation Guide.

5

Courion Corporation

Chapter 2: Installing the Access Certification Solution

This chapter describes how to install the Access Certification solution in the following sections:

• “Installing the Access Certification Solution” on page 6

• “Executing the Database schema” on page 7

• “Installing the Micro-Certificates Manually” on page 9

Upgrading

Refer to the product Readme file for information about upgrading from a previous release.

6 Installing the Access Certification Solution

Courion Corporation

Installing the Access Certification Solution

The Access Certification solution is installed with the Access Assurance Suite as described in the manual Installing the Access Assurance Suite. You also need to configure an Active Directory domain with specific groups and an Active Directory target named Active Directory.

Note: If you are installing a new distributed installation of the Access Assurance Suite 8.0 or later, the Access Certification solution is installed with the Publisher Manager web service.

Configuring the Microsoft Active Directory Domain

The Access Certification solution has predefined certification rules. These rules rely on having an Active Directory domain with the following groups:

• Compliance Analysts

• Business Users

Configuring the Microsoft Active Directory Target

Configure an Active Directory Target named Active Directory. You can do this using the Connector Configuration Manager after installing the Access Assurance Suite (see the manual Configuring Password Management Modules (PMMs), Connectors, and Agents), or using the Express Connector Configuration Manager during the installation process (see the manual Installing the Access Assurance Suite).

Configuring the Microsoft ADO Target

Configure a Microsoft-ADO-3.0 target named ARM. This target should point to the database.

Executing the Database schema 7

Courion Corporation

Executing the Database schema

Follow these steps to create your database:

1. Open the [courion-installation-folder]\Courion.sql using a text editor, such as Notepad.

2. Change the default database name from Courion to your preferred database name as follows in Courion.sql:

:setvar DatabaseName “YourDBHere”

3. Run the Courion.sql script using sqlcommand at the command prompt:

sqlcmd –i [courion-installation-folder]\Courion.sql

Running this script creates all of the relevant tables, views and stored procedures for the database.

Note: Alternatively, you can go to Query and select SQLCMD Mode through the Microsoft SQL Server Management Studio to run the Courion.sql script.

Editing the Connection Strings

This section describes how to point the Access Certification solution to the database.

Follow these steps:

1. Configure the connection strings.

a. Open {$InstallDir}\CourionArms\CustomerConnStrings.config with Notepad++ or any other text editor.

b. Edit the following connection strings by uncommenting them, and pointing them to the database:

<add name="MetricRepositoryDefault" connectionString="Data Source=$$YOURSERVERHERE$$;Initial Catalog=$$YOURDBHERE$$;Trusted_Connection=True" providerName="System.Data.SqlClient" />

<add name="Default" connectionString="Data Source=$$YOURSERVERHERE$$;Initial Catalog=$$YOURDBHERE$$;Trusted_Connection=True" providerName="System.Data.SqlClient" />

c. Login to the portal to test that it is working. You should see a blank screen with no error message.

Note: To point the connection strings to the correct database, replace $$YOURSERVERHERE$$ with the name of the database server, and replace $$YOURDBHERE$$ with the name of the database. If the connection strings are not configured properly, an error message appears indicating that this is the case.

2. Encrypt the connection strings.

a. Run the following command first:

cd C:\Windows\Microsoft.Net\Framework\v4.0.30319

Then:


Courion Corporation

aspnet_regiis.exe -pef connectionStrings "C:\Program Files (x86)\Courion Corporation\CourionARMS\CustomerConnStrings.config”

b. Return to CustomerConnStrings.config in Notepad++ and see that it is encrypted.

3. Decrypt the connection strings if you ever have to change them.

a. Run the following command first:

cd C:\Windows\Microsoft.Net\Framework\v4.0.30319

Then:

aspnet_regiis.exe -pdf connectionStrings "C:\Program Files (x86)\Courion Corporation\CourionARMS\CustomerConnStrings.config”

b. Return to CustomerConnStrings.config and your text editor and see that it is decrypted.

Installing the Micro-Certificates Manually 9

Courion Corporation

Installing the Micro-Certificates Manually

When the Access Assurance Suite is installed with the Access Insight solution, review cycles may be created upon a policy violation. This section describes the requirements to set up micro-certificates manually that enable the creation of review cycles for a policy violation.

The Certificate utility assists with the generation, installation and verification of certificates that are used to authenticate and secure communication among the internal services. The utility executable, CertUtil.exe, is located in the CourionServer folder.

To provide custom certificates, use this utility to import the certificates into the correct certificate locations.

In a multi-server setup, use this utility to export the public keys and import them onto other systems.

Installing the Utility in a Single-Server Setup

Use this command to secure communication in a single-server setup:

CertUtil.exe stacked-setup

This generates and installs a server and client certificate with the default subject names CN=AccessAssuranceSuiteServer and CN=AccessAssuranceSuiteClient, The certificates are installed in the Trusted People location.

The Courion CA certificate authority is installed in the Trusted Root Certificate Authorities location.

Installing the Utility in a Multi-Server Setup

Follow these steps in a multi-server (distributed) setup:

1. On any server, generate the Certificate Authority certificate and the two issued certificates (for the client and server):

CertUtil stacked-setup

2. Export each generated certificate to its respective file:

CertUtil export --subject-name="CN=Courion CA (server generated)" --output=authority.cer

CertUtil export --subject-name="CN=AccessAssuranceSuiteServer" --output=server.cer

CertUtil export --subject-name="CN=AccessAssuranceSuiteClient" --output=client.cer

3. Copy the exported certificate files, CertUtil.exe, and CommandLine.dll to each server.

4. On each server, import the certificate files:

CertUtil import --input=authority.cer

CertUtil import --input=server.cer

CertUtil import --input=client.cer


Courion Corporation

By default, the micro-certification utility looks for certificates with the defaults. If you change the default names of the certificate or provide your own, then update the Access Insight Web.config.

<serviceCertificate findValue="AccessAssuranceSuiteServer" storeLocation="LocalMachine" storeName="TrustedPeople" x509FindType="FindBySubjectName" />

Configuring the Web.config to Display Micro-Certification Link in Access Insight

To enable the micro-certification feature and enable the link in Access Insight, configure the URL for the Certifications Data Service. The Certifications Data Service is part of the Access Assurance Suite, and is available at the following default location in a single-server setup: http://localhost/CourionArms/DataServices/Certifications.svc.

Uncomment the default AppSetting entry in the Access Insight Web.config:

<add key="CertificationProvider" value="http://localhost/CourionArms/DataServices/Certifications.svc"/>

If your Access Assurance Suite (AAS) is located on another system, update the value to match the location of the Certifications.svc file in AAS.

To create micro-certificates in case of a policy violation, refer to the manual Using the Access Insight Solution.

Editing Global Configurations for Micro-Certification

Global options for micro-certification enable you to control aspects of how the feature works, as specified:

• CertificationTypesToHide — Use this global option to hide the certification types that appear for micro-certification while creating a new review cycle. To create a new review cycle, refer to .“Configuring Review Cycles” on page 17.

• OrphanAccountManager — Specify a business manager. This business manager is the default reviewer of the account violation certifications for orphan accounts.

11

Courion Corporation

Chapter 3: Using the Global Configuration Manager

This chapter describes how to configure global options using the Global Configuration Manager, and includes the following sections:

• “Default Global Options” on page 12

• “Editing Global Options” on page 14

12 Using the Global Configuration Manager

Courion Corporation

Default Global Options

Global options enable you to control the display of fields for search results or restrictions that you can implement.

This section lists the default global options that are configurable. For specific details about the global options and how they affect Access Certification, refer to the individual chapters.

Default Global Options

Table 1 lists the default global options used in the Access Certification solution with a brief description about what each does.

Table 1: The Default Global Options

Global Option (CONFIG NAME)

Description More Information

FindCertificationReassigneeSearchOption

Configures the fields displayed in the SEARCH CONTROL popup to search for users to reassign.

CONFIG TYPE: Complex

“Configure Global Options for the Reassign Action” on page 29

FindCertificationReassigneeSearchRestriction


“Configure Global Options for the Reassign Action” on page 29

Findcertificationdelegatorsearchoption

Configures the fields displayed in the SEARCH CONTROL popup to search for users to delegate.


“Customizing the Search Control Window for Delegatee Search” on page 39

FindCertificationDelegatorSearchRestriction


“Default Values in the Restriction Global Option For Delegation” on page 39

AccessCertificationSystemURL

Points to the URL for a newly created and activated review cycle.

CONFIG TYPE: Text

Default Global Options 13

Courion Corporation

MicroCertificationReview The default length of time for the certification round to be active.

CONFIG TYPE: Text

CertificationTypesToHide For micro-certification “Editing Global Configurations for Micro-Certification” on page 10

OrphanAccountManager For micro-certification

CONFIG TYPE: Text

“Editing Global Configurations for Micro-Certification” on page 10

Table 1: The Default Global Options

Global Option (CONFIG NAME)

Description More Information


Courion Corporation

Editing Global Options

This section describes the general procedure to edit a global option.

To edit a global option, go to the Main menu and select GLOBAL CONFIGURATION MANAGER.

Figure 2: The Global Configuration Manager

The GLOBAL CONFIGURATION MANAGER appears as shown in Figure 2, and shows the default global options.

Editing Global Options with Config Type as Complex

To edit a global option with CONFIG TYPE as COMPLEX, select EDIT. For example, select EDIT for the FindCertificationReassigneeSearchOption global option. The EDIT VALUES window appears, as shown in Figure 3.

Figure 3: FindCertificationReassigneeSearchOption Global Option

Select EDIT COMPLEX VALUES. An EDIT COMPLEX VALUE editor appears as shown in Figure 4.

Editing Global Options 15

Courion Corporation

Figure 4: Edit Complex Value Editor

The EDIT COMPLEX VALUE editor contains a top panel with a bottom grid. The top panel displays the following fields:

• HEADING: Specify the header, such as Find Reassignee. This header appears in the search panel.

• KEYCOLUMN: Specify the unique field to search on in the table. For example, ProfileUID.

• RESTRICTIONCONFIGURATIONNAME: Enter the name of a default global option that implements a restriction. For example, enter FindCertificationReassigneeSearchRestriction. FindCertificationReassigneeSearchRestriction is a restriction global option that is available through the GLOBAL CONFIGURATION MANAGER, and contains a CLAUSE column that accepts a custom macro or a SQL clause. Define your restriction in the custom macro and reference the custom macro in the CLAUSE column. The restriction gets implemented when you search for a user using the SEARCH CONTROL window.

• ISSINGLESELECT: Reserved for future use. (The default value is true).

• ROWSPERRESULTPAGE: Enter the number of rows to display in the results grid.

• RESULTCOLUMNS: Enter a list of comma-separated fields from a table. For example, ProfileUID,FirstName.The fields you specify here appear in the results grid.

The grid displays the following columns:

• Order: Accepts an integer. The fields are displayed in the order specified.

• Visible: Accepts a boolean value of true or false. True shows a field and false hides it.

• Column-name: Accepts a string. Depending on the context, it identifies a field from a table or identifies an action.

• Label: Accepts a string. Enter a user-friendly alias for a field. This alias appears as the field name on the user windows.

• Control: Accepts a string. The data types supported are text, boolean, list and date time. Text displays a textbox, boolean displays a checkbox, list displays a drop-down list, date time displays date time control.


Courion Corporation

• Defaultvalues: Accepts a string. Specify the information you want to appear as default. For example, if the control data type is a list, the user is shown a drop-down list with default values. The values you specify populate the drop-down list.

• Clause: Accepts a custom macro name.

17

Courion Corporation

Chapter 4: Configuring Review Cycles

This chapter describes how to use the Compliance Analyst Interface to configure review cycles and includes the following sections:

• “About Review Cycles” on page 18

• “Opening the Access Assurance Portal Page” on page 19

• “Creating Review Cycles” on page 21

• “Managing Review Cycles” on page 33

• “Data Tables” on page 35

Note: Before you configure the global options described in this chapter, refer to the “Using the Global Configuration Manager” chapter for additional information about the Global Configuration Manager.

18 Configuring Review Cycles

Courion Corporation

About Review Cycles

Review cycles are regularly scheduled reviews of which users have access to specific systems and the resources on those systems. The compliance analyst creates and schedules the reviews. The managers or business users review the access information in the review cycle for which they are responsible.

Using Review Cycles

A compliance analyst determines what types of reviews need to take place and at what intervals, based on corporate policy. For example, it might be necessary to have a quarterly review of the management hierarchy. The compliance analyst would then create a review cycle consisting of people and their respective reporting structures. Once a review cycle is created and scheduled, a notification is sent to each of the managers, notifying them that it is time to review their direct reports.

The business users (managers in this example), then log into the Access Assurance portal to view the list of their scheduled review cycles, including the new review of their direct reports. Each manager sees only those employees that should be reporting to them. Each manager reviews the list of employees and certifies that each employee either does or does not report to that manager or that the person no longer reports to me, or is no longer with the company. There may be situations that require research (Example: Which Bob Smith is this?) or to delegate (Example: Jane Doe transferred to another department, and now reports to another manager.) Once the status of all employees have been certified, the manager can submit his decisions.

Once all managers submit all their decisions, the compliance analyst can close the review cycle. Similar workflows can occur for other types of review cycles.

Certification Types

The Access Certification solution includes the following certification types by default:

ACCESS LEVEL— An access level is a group of business entitlements. This certification type enables managers to review the access levels that are assigned to users. It can be configured for use by managers to review the access levels of their direct reports, or for use by resource owners to review the users who have been assigned access levels to applications, systems, or other resources for which they are responsible.

PEOPLE — This certification type enables managers to review the set of users that report directly to them. The organization can use this certification review cycle to certify that all users are assigned to the proper manager.

Sensitive Data — Review individuals who have access to files and folders on file shares. This certification type is designed to work with the Symantec DLP integration tool.

Opening the Access Assurance Portal Page 19

Courion Corporation

Opening the Access Assurance Portal Page

To open the Access Assurance Suite portal page:

1. Open a browser and navigate to the Access Assurance Portal login page:

http://your_server/courionarms/aspxcommon/LOgin.aspx

where your_server is the server name or IP address of the Courion Server.

The Login dialog box appears, prompting you to enter a user name and password, as shown in Figure 5. To access the Access Assurance Portal page, you need to login as a Compliance Analyst.

Figure 5: Access Assurance Portal Login Dialog Box

2. Enter a username and password and click LOGIN. The Access Assurance Portal page appears as in Figure 6.

Figure 6: Access Assurance Portal Page

From the Main menu, select REVIEWCYCLES.

The Access Assurance Portal for Review Cycles page appears as in Figure 7. The page you see may be different if the administrator has customized the portal page.


Courion Corporation

Figure 7: Access Assurance Portal for Review Cycles

From this page, you can create a review cycle or edit or view an existing one. To create a review cycle, you can either create a new review cycle, or copy an existing review cycle and re-name it.

The icon in the second column indicates whether you can edit a review cycle configuration:

• — Indicates that you can edit the review cycle configuration.

• — Indicates that you cannot edit the review cycle configuration, although you can view it.

The icon in the third column indicates whether a review cycle is completely configured:

• — Indicates that the review cycle configuration is complete (all required fields have been completed).

• — Indicates that at least one required field is not complete.

Click on the column header to sort on a column.

Click on the filter icon in the header and select a value from the drop-down list to filter on any column.

If there is more than one page of data, you can click on the Next Page icon or Previous page icon at the bottom of the page, or any of the numbers that appear between the two icons, to navigate to

a different page. If you are on the first or last page, the Previous or Next Page icon is grayed out. If there is only one page of data, these icons do not appear.

Creating Review Cycles 21

Courion Corporation

Creating Review Cycles

You can create a new review cycle or copy an existing review cycle and re-name it. You can also change the characteristics of the copied review cycle.

To create a new review cycle, use the Certification Review Cycle Management wizard and enter the appropriate information on each page of the wizard. These pages have the following icons:

• — Indicates a required field.

• — Indicates that you can hover the mouse over this icon to see more information about the field or section.

• — Indicates that you can expand or collapse a section by clicking on the icon.

After you provide the required information on each page, you can click NEXT to go to the next page of the Certification Review Cycle Management wizard or click BACK to go to a previous page. Click SAVE & EXIT to save this information and complete it later, and close the browser window. If you do not want to save your changes, you can click CANCEL.

Once you have entered information into all the required fields, you can click FINISH on the last page. You need to click FINISH before you can activate a review cycle.

To create a new review cycle, complete these sections of the Certification Review Management Wizard:

• “Certification Type” on page 21

• “Review Cycle Configuration” on page 22

• “Design Review Cycle View” on page 26

• “Schedule Review Cycle” on page 30

After you have created the review cycle, you can finish it and exit from the wizard:

• “Closing the Certification Review Cycle Management Wizard” on page 31

To create a review cycle by copying an existing review cycle, follow the steps in this section:

• “Creating a Review Cycle by Copying an Existing Review Cycle” on page 32

Certification Type

To create a new review cycle:

Click on the Create New icon on the upper left section of the Access Certification page. This starts up the Certification Review Management wizard. Figure 8 shows the first page of the wizard: Certification Type.


Courion Corporation

Figure 8: Certification Type

CERTIFICATION REVIEW CYCLE NAME — Enter the name that appears to the reviewers of this review cycle. The name can include letters, numbers, and non-alphanumeric characters. The name does not have to be unique, but should be descriptive, so that reviewers know what type of certification review it is.

CERTIFICATION TYPE FOR THIS CYCLE — Select a certification type from the drop-down list. The certification types are:

ACCESS LEVEL— An access level is a group of business entitlements. This certification type enables managers to review the access levels that are assigned to users. It can be configured for use by managers to review the access levels of their direct reports, or for use by resource owners to review the users who have been assigned access levels to applications, systems, or other resources for which they are responsible.

PEOPLE — This certification type enables managers to review the set of users that report directly to them. The organization should use this certification review cycle to ensure that all users are assigned to the proper manager.

Sensitive Data — Review individuals who have access to files and folders on file shares. This certification type is designed to work with the Symantec DLP integration tool.

REVIEW BY — Select a group that is responsible for the review from this drop-down list. The list typically includes Managers and Owners, but may include only Managers. It can also include other, previously configured groups.

Click NEXT. The Review Cycle Configuration Page appears.

Review Cycle Configuration

Figure 9 shows the Review Cycle Configuration Page.


Courion Corporation

Figure 9: Review Cycle Configuration

The Certification Type that you selected on the Certification Type page appears at the top of the Review Cycle Configuration page (in this example: Sensitive Data).

SELECT ASSETS TO INCLUDE — Select the assets you want to review. To select all assets, select the INCLUDE ALL AVAILABLE ASSETS radio button. To create and enable custom rules for specific assets using the Filter Builder, select the BUILD RULES TO ONLY INCLUDE SPECIFIC ASSETS radio button, and click the ADD NEW... button. The Filter Builder window appears as in Figure 10.

Figure 10: Filter Builder

This window displays all the data in the table associated with the certification type you selected. From this window you can add a new rule, which may contain multiple constraints that combine together to determine the search criteria that filters the data.


Courion Corporation

To add a new constraint to filter the data, click the ADD NEW icon in the upper left corner of the Constraints section of the window. A new row appears in this section of the page, as in Figure 11.

Figure 11: New Constraint

To create the new constraint:

• COLUMN NAME — Select a column name from the first drop-down list to use for the constraint. The list includes all column names in the table.

• OPERATOR — Select an operator for the constraint from the second drop-down list. The list includes the following operators:

IS — Equals (Column Is (value 1) returns all rows where the specified column is equal to (value 1)).

NOT — Not Equal (Column Not (value 1) returns all rows where the specified column is not equal to (value1)).

LIKE — Is Like (Column Like (value1) returns all rows where the specified column is like (%value1%) examples: “myvalue1” or “value1” or “value123”).

ONEOF — Is one of (a comma delimited list) (column oneof (a,b,c) returns all rows where the specified column is any of the values a or b or c)

NOTONEOF — The opposite of OneOf (column notoneof (a,b,c) returns all rows where the specified column is any value other than a or b or c – for example, it return all rows where the values in the specified columns are d or e or f.)

Notes on Operators

You can have as many constraints as you want, and these are logically “Anded” together. For example, if you create one rule with two constraints - where the first constraint states "Column1 Is <value_X>" and the other constraint states "Column2 Not <value_Y>" - then the filter includes all rows where the value of Column1 equals (Value1) AND the value in Column2 does not equal (value_Y).

You can create as many rules as you want, and the different rules are logically “ORed” together. For example, if you create two rules, each with one constraint, the first rule is for “Column1 Is (Value1)” and the second rule is “Column2 Not (Value2)” then the filter includes all rows where the value of Column1 equals (Value1) plus all the rows where the value in Column2 does not equal (Value2).

Assuming the data in these examples looks like the following:

Row number Column1 Column2

1 Value1 Value2

2 Value1 Value3

3 Value4 Value2

4 Value4 Value3


Courion Corporation

The first example (one rule with two constraints) returns the following values:

The second example (two rules, each with one constraint) returns the following values:

• TEXT FIELD — Enter a valid value for the constraint. The wizard does some validation on the text that you enter here or when the text displays in the grid. For example, if you filter on a column that is of the type BIT, you need to enter “true” or “false” into the text field. If you are using a date field as part of the constraint, you need to enter a valid date.

Notes on Configuring Constraints

• To delete a constraint, click the Remove icon next to the constraint.

• To add another constraint to the rule, click the ADD NEW icon again, and fill in the new row with information about the additional constraint. All constraints in a single rule are logically "Anded" together.

• After you build the constraint, click the DISPLAY RESULTS button to see how the filter is applied to the current data set.

• Click ADD TO REVIEW CYCLE to add the rule to the review cycle, and close the filter builder.

• Click the CANCEL button to close the filter builder without adding the rule to the review cycle.

• If you want to disable a rule without removing it from the review cycle, select the rule and click the DISABLE SELECTED button.

Note: If you need to enable a previously disabled rule, select the rule and click the ENABLE SELECTED button.

• To remove a rule completely from the review cycle, select the rule and click the REMOVE SELECTED button.

• To select or deselect all rules, click the SELECT\DESELECT ALL checkbox.

Click NEXT. The Design Review Cycle View page appears.

Row Number Column1 Column2

2 Value1 Value3

Row Number Column1 Column2

1 Value1 Value2

2 Value1 Value3

3 Value4 Value2


Courion Corporation

Design Review Cycle View

The Design Review Cycle View page has these sections:

• “Set Review Cycle Task Grid Behavior and Set Review Cycles Task Column Behavior” on page 26

• “Select Detail View Type to Display for Rows” on page 28

• “Select the Review Mode” on page 28

Set Review Cycle Task Grid Behavior and Set Review Cycles Task Column Behavior

Figure 12: Set Review Cycle Task Grid Behavior

Provide information about the Review Cycle Task Grid:

• SET NUMBER OF ROWS PER PAGE — Enter the number of rows that appear on a single page of the review cycle. You can enter any positive integer.

• ENABLE HIDING — Check this option to make the Hide Columns control available in the review cycle. This enables reviewers to hide columns they do not want to see. When this option is unchecked, the Hide Columns control is not available.

• ENABLE RESIZING — Check this option to enable reviewers to resize columns in the review cycle. When this option is unchecked, column size remains fixed.

• ENABLE SORTING — Check this option to enable reviewers to click on a column header in a review cycle to sort on a column. When this option is unchecked, reviewers cannot sort data.


Courion Corporation

• ENABLE GROUPING — Check this option to display the grouping bar in the review cycle. This enables the reviewer to move columns to and from the grouping bar to change the way the data is grouped. When this option is unchecked, the grouping bar does not appear in the review cycle.

Note: If you do not check this option, do not enable the GROUPED option in the Set Review Cycles Task Column Behavior grid.

• ENABLE FILTERING — Check this option to make column filtering and the Advanced Filter control available in the review cycle. The reviewer can use this control to create more complicated filters than with column filtering. When this option is unchecked, filtering is not available to the reviewer.

• ENABLE EXPAND COLLAPSE ALL GROUPING — Check this option to display the Expand All and Collapse All buttons in the review cycle. These buttons enable the reviewer to expand all or collapse all the grouped rows in a single click. By default, the feature is unchecked and the buttons are not available in the review cycle. This feature is disabled if the Enable Grouping feature is not selected

Provide information about the columns that are available for display in each review cycle in the Set Review Cycles Task Column Behavior table:

• LABEL — Edit the text field in the Label column to change the label that is displayed to the end user. Example: if the column is named "ProfileID" you might want it to display as "Employee Identification" to the reviewers.

• Order — Enter a new value in the Order column to change the order that a column is displayed, or select a value from the spin box. This does not change the database configuration; only the order in which the columns are displayed to the reviewers.

Note: If you enter the same value for more than one column, the column that appears first in the table is assigned that value. Any subsequent columns with the same value follow that one, in the order in which they appear on the grid.

• Width — Enter a value that determines the width weight of the column or select a value from the spin box. The value can be any positive number between 1 and 150. The default is 10.

When the review cycle control is first opened in the browser, it uses the full width of the browser window. The values assigned to the width weight for each column determine what weight is given to each column in relation to the others. If the width weight for all columns is 10, then all columns are the same width. If the width weight for all columns except one is 10, and one column has a width weight of 20, then that column is twice as wide as the rest of the columns. If the width weight for all columns except one is 10, and one column has a width weight of 5, then that column is half as wide as the rest of the columns.

• Visible — Check this option to make the column visible in the review cycle. The default is checked. If this option is not checked, the column does not appear in the review cycle.

Note: If you make a column not visible, the reviewers cannot see any data in that column.

• MOVEABLE— Check this option to enable the reviewer to change the location of the column. The default is checked. If this option is not checked, the reviewer cannot move this column.

Note: If this option is not checked, but the column is not the first or last in the review cycle, then the reviewer can move it by moving other columns before or


Courion Corporation

after it. This is useful if you want to group on a column and keep it grouped, if you want all columns fixed, or if you want at least the first or last column fixed.

• GROUPED — Check this option to group data on this column. The default is unchecked. If this is unchecked, the data is not grouped on the column. It is possible to group on multiple columns.

Note: Do not check this option if you have not checked the Enable Grouping option in the Set Review Cycle Task Grid Behavior section.

Note: You cannot group on the Comment column.

Select Detail View Type to Display for Rows

Figure 13: Select Detail View Type to Display for Rows

Select a control from the drop-down list. The Access Certification solution includes default controls that you can modify, add to, or delete during the configuration of the product. The controls enable business users to expand a panel for each row in the review cycle that contains relevant information for that row. A description of the information that appears in the Detail panel appears to the right of the control you select. If no controls are available for the type of review cycle you are configuring, the drop-down list is empty. If you do not select a control, no expandable control appears in the review cycle.

Select the Review Mode

Figure 14: Select the Review Mode and Actions to Apply to Decisions

Select the review mode for the certification worksheet:


Courion Corporation

MULTIPLE SELECTION — A toolbar appears in the certification worksheet that enables users to make bulk decisions. Users can select multiple rows and apply decisions through a single click. When used with worksheet filters and the Select All capability, this mode provides an efficient way to perform bulk decisions. This is the default mode.

SINGLE SELECTION — Decision buttons appear in each row of the certification worksheet. Clicking on a decision button applies the decision to that particular row. For small reviews this can be simple and efficient. This mode does not allow users to perform bulk actions.

Select the Actions to Apply to Decisions

Select which actions to Apply to Decisions are available to the reviewers, and how each action is displayed. The list of actions includes (as shown in Figure 14):

• Accept — Enables business users to review and accept a decision. For example, accept the application accessed by a direct report.

• Reject — Enables business users to reject a decision. For example, reject the application accessed by a direct report.

• Research — Enables business users to research on a decision. For example, research the application accessed by a direct report.

• Reassign — Enables business users to reassign a decision to another business user. For example, if a direct report of Manager A reports to Manager B, Manager A can reassign the decision to Manager B. For additional configuration, refer to “Configure Global Options for the Reassign Action” on page 29.

Note: A reassigned decision cannot be reclaimed by Manager A.

• Reset — Enables business users to reset any decision previously applied.

All actions are selected by default. You can modify the following options:

• Check the actions you want to make available and uncheck the actions that you do not want to be available.

• Select which decisions count toward submission.

• Modify the label for each action (optional).

• Select the location where you want the action to appear: on the Actions Menu or as a button directly on the Attestation control.

Once you have configured the Task Grid behavior, each column, the detail panel, and the actions, you can click NEXT to get to the last page of the wizard, or save and exit. If you make no changes, the default values are applied to the certification review cycle.

When you click NEXT, the Schedule Review Cycle page appears.

Configure Global Options for the Reassign Action

The FINDCERTIFICATIONREASSIGNEESEARCHOPTION global option enables you to customize the SEARCH CONTROL window. From the Main menu, select GLOBAL CONFIGURATION MANAGER to configure the global option.

The default values for the FINDCERTIFICATIONREASSIGNEESEARCHOPTION global option include:


Courion Corporation

HEADING — Find Reassignee - Delegatee

CONFIG TYPE — Complex

KEYCOLUMN — ProfileUID

ISSINGLESELECT — True

RESTRICTIONCONFIGURATIONNAME — FindCertificationReassigneeSearchOption

ROWSPERRESULTPAGE — 5

RESULTCOLUMNS — ProfileUID, FirstName, LastName, Location, Department, StartDate

The FINDCERTIFICATIONREASSIGNESEARCHRESTRICTION global option enables you to create a custom macro or SQL clause to implement a restriction for FINDCERTIFICATIONREASSIGNESEARCHRESTRICTION. The default values include:


NAME — Reassignment Find Reassignee

VISIBLE — False

LABEL — Employees

CLAUSE — Accepts a SQL clause or custom macro

DEFAULTVALUES — True

Schedule Review Cycle

Figure 15 shows the Schedule Review Cycle page where you can schedule the review cycle.

Table 2: FindCertificationReassigneeSearchOption Default Values for the Grid

Column-name

Order Visible Label Control

ProfileUID 0 True Employee ID Text

FirstName 1 True First Name Text

LastName 2 True Last Name Text


Courion Corporation

Figure 15: Schedule Review Cycle

Enter the following information in the Certification Review Cycle Management page:

• Select ACTIVATE MANUALLY or SCHEDULE. ACTIVATE MANUALLY is the default, and requires that you activate the review cycle as described in “Activating a Review Cycle” on page 33. If you select SCHEDULE, the review cycle occurs automatically on the start date you specify. You can also manually activate a scheduled review cycle.

If you select scheduled activation for a review cycle, True appears in the Scheduled Activation column of the Access Certification Review Cycles page. If you select manual activation, False appears in the Scheduled Activation column (see Figure 7 on page 20).

• START DATE — Enter a start date for the review cycle using the calendar control. The date cannot be earlier than the current date.

• END DATE — Enter an end date for the review cycle using the calendar control. The date cannot be earlier than the current date or the start date.

• PRIORITY — Select a priority for the review cycle from the drop-down list. Priorities are: High, Medium, or Low.

Closing the Certification Review Cycle Management Wizard

Once you have entered valid values for each field, you can click SAVE & EXIT or FINISH. SAVE & EXIT closes the Certification Review Cycle Management wizard without validating that all required fields are filled in. FINISH saves and closes the wizard, and also validates that all of the following conditions are met:

• The Name is supplied on page one.

• Type is selected on page one.

• Reviewer is selected on page one.

• Either “Include all available assets” is selected, or “Build rules to only include specific assets” is selected, and you have one or more rules defined and enabled on page two.


Courion Corporation

• Start date is specified on page four.

• End date is specified on page four.

• Priority is specified on page four.

When the validation is complete, the review cycle is saved, the Certification Review Cycle Management wizard closes, and you are returned to the Summary Page.

Note: You cannot activate a review cycle until you have clicked FINISH in the Certification Review Cycle Management wizard.

Creating a Review Cycle by Copying an Existing Review Cycle

To create a review cycle by copying an existing review cycle, follow these steps:

1. Select the review cycle you want to copy from the list of review cycles on the Access Certification Poral page by clicking on the radio button next to the review cycle name (see Figure 7 on page 20).

2. Click on the Create Copy icon on the upper left section of the page.

3. A confirmation message box appears. Click YES to copy the review cycle.

The new review cycle appears in the list of review cycles with the name “Copy of xxx,” where xxx is the name of the original review cycle. You can then edit the new review cycle to change the name, the start or end date, add new rules, or change other characteristics. See “Editing or Viewing a Review Cycle” on page 33.

A review cycle that you create by copying an existing review cycle is in one of these states, depending on the state of the original review cycle:

• If the original review cycle was in a Creating state, the new review cycle is in a Creating state.

• If the original review cycle was in any state other than Creating, the new review cycle is in a Created state.

Managing Review Cycles 33

Courion Corporation

Managing Review Cycles

Once you have created a review cycle, you can activate it and manage it in the following ways:

• “Editing or Viewing a Review Cycle” on page 33

• “Activating a Review Cycle” on page 33

• “Closing a Review Cycle” on page 34

• “Deleting a Review Cycle”

Editing or Viewing a Review Cycle

You can edit a review cycle if it has not been activated. Once the review cycle has been activated, it becomes read only, and you can only view the existing configuration.

To view or edit a review cycle, click on the VIEW or EDIT icon in the second column of the grid. This opens the Certification Review Cycle Management wizard to page one, with the review cycle loaded.

Activating a Review Cycle

When a review cycle is completely configured, you can activate it. Select the review cycle, and select ACTIVATE from the Actions menu.

Note: If you selected the SCHEDULE option on the Schedule Review Cycle page (see Figure 15 on page 31), the review cycle is automatically activated on the start date you specified and you do not need to activate manually as described in this section. You can activate it manually before the start date if you need to do so.

Activating a review cycle does the following:

• Copies all the data to the appropriate certification table. The reviewers work on a snapshot of the data in its state at the time you activate the review cycle.

• Automatically configures the metric for the review cycle and adds it to the task list table. Reviewers can access the newly activated review cycle and perform their certifications. A separate task is created for each reviewer in the task list table.

• If email notifications are configured as part of the Access Assurance Suite installation, the review cycle sends email notifications to all reviewers, informing them that the review cycle is ready to use.

Note: If ACTIVATE is not available from the actions drop-down menu, then the review cycle might not be completely configured, or it has already been activated. You can open the review cycle and finish configuring it (and click FINISH), or choose another action from the menu if the review cycle has already been activated.


Courion Corporation

Closing a Review Cycle

Once all reviewers have completed and submitted their reviews, the review cycle is automatically marked as Completed. You can then view the review cycle or close it. Closing a review cycle does the following:

• Changes the status of the review cycle to Closed, so the compliance analyst sees that it has been closed in the Review Cycle Summary in the compliance analyst’s task list.

• Deletes the associated tasks from the Certification Task List table, so that the task no longer appears in the business user’s task list.

• Deletes the data from the certification table.

Note: Any decisions that have been submitted have already been backed up in the associated audit table. Decisions that have not been submitted have not been backed up.

• Deletes the metric data from the Metrics and MetricDisplayArguments tables.

You can close a review cycle that has not yet been completed. For example, if one or two reviewers have not yet completed their reviews, but there is no plan for them to completely finish them, you can close the review cycle.

Deleting a Review Cycle

To delete a review cycle, select the review cycle and select DELETE from the Actions menu. You can delete a Review Cycle at any state: Creating, Created, Active, Completed, Closed, or Failed.

Note: When you delete a review cycle that has been activated and has had decisions applied to some (or all) data, the data in the Audit table remains unchanged. This is true for partially completed review cycles, as well as Completed and even Closed review cycles.

To eliminate the possibility of deleting audit data from a review cycle that has been Closed, you can hide all Closed review cycles from view in the Compliance Analyst task list by adding a restriction to the ReviewCycleGrid configuration in the MetricDisplayArguments table. To do this, add the following data to the MetricDisplayArguments table:

MetricDisplayID = ReviewCycleGrid

MetricID = ReviewCycle

ArgumentName = Restriction

ArgumentValue = State <> 'Closed'

Data Tables 35

Courion Corporation

Data Tables

The Access Certification solution provides data tables associated with each certification type that are populated at different stages of a review cycle. Each certification type has the following data tables associated with it:

• Staging — Populated as part of the implementation of the Access Certification solution for each enterprise.

• Certification — Populated from the staging table when the compliance analyst activates a review cycle.

• Audit — Populated from the certification table when the business user clicks the SUBMIT ATTESTATION DECISIONS button.

Table 3 lists the data table names associated with each certification type.

Modifying the Data Tables

If you need to modify any of these data tables, contact Courion Professional Services at:

http://www.courion.com/contact/index.html

Table 3: Data Tables

Certification Type Data Tables

People Sample_StagingTable_PersonReview

Sample_CertificationTable_PersonReview

Sample_AuditTable_PersonReview

Sensitive Data Sample_StagingTable_SensitiveData_DLP

Sample_CertificationTable_SensitiveData_DLP

Sample_AuditTable_SensitiveData_DLP

Application Sample_StagingTable_ApplicationType

Sample_CertificationTable_ApplicationType

Sample_AuditTable_ApplicationType

Access Level Sample_StagingTable_AccessLevelType

Sample_CertificationTable_AccessLevelType

Sample_AuditTable_AccessLevelType


Courion Corporation

37

Courion Corporation

Chapter 5: Delegating Review Cycles

This chapter describes how users can delegate review cycles to others, using the DELEGATE CERTIFICATION REVIEWS window. Users who delegate review cycles to others are called delegators. Users who review and submit delegated review cycles are called delegatees. This chapter also describes how to configure the SEARCH CONTROL window so that a user can search for delegatees and includes the following sections:

• “Delegating Review Cycles” on page 38

• “Reclaiming Delegated Review Cycles” on page 40

• “Viewing Delegated Review Cycles” on page 41

Note: Before you configure the global options described in this chapter, refer to the “Using the Global Configuration Manager” chapter for additional information about the Global Configuration Manager.

38 Delegating Review Cycles

Courion Corporation

Delegating Review Cycles

If you have review cycles that you want to delegate, select ACTIONS > CERTIFICATION > DELEGATION. The DELEGATE CERTIFICATION REVIEWS window appears as shown in Figure 16.

Figure 16: Delegate Certification Reviews

The window shows the review cycles assigned to you for review by the compliance analyst. To delegate a review cycle, follow these steps:

1. For each review cycle that you want to delegate, click the Search icon next to the review cycle to search for delegatees. The SEARCH CONTROL window appears for you to search for a delegatee.

2. Enter your search criteria, and click SEARCH to search for the delegatee.

3. Select the delegatee from the search results and click OK. A prompt appears to enable delegation for the selected delegatee. Click OK to enable delegation or CANCEL to exit.

If you select OK, the selected delegatee appears in the DELEGATEE ID column of the DELEGATE CERTIFICATION REVIEWS window with delegation enabled.

Alternatively, you can enable delegation by checking the Select All checkbox for all the review cycles, or checking an individual checkbox for a specific review cycle. Then, click ENABLE SELECTED to enable delegation. To disable, check the Select All checkbox for all the review cycles, or check an individual checkbox for a specific review cycle. Then, click DISABLE SELECTED to disable delegation. The ENABLED column displays TRUE for enabled and FALSE for disabled.

Note: You need to select a delegatee first before you can enable or disable delegation.

When you disable delegation for a review cycle, the delegator reclaims the right to review it. For additional information about reclaiming a delegated review cycle, refer to the “Reclaiming Delegated Review Cycles” on page 40 section.

The disable option does not remove the selected delegatee. The CLEAR SELECTED permanently deletes delegatees from the grid for the selected review cycles.

Delegators and delegatees receive notifications when a a review cycle is delegated.

Delegating Review Cycles 39

Courion Corporation

Customizing the Search Control Window for Delegatee Search

To customize the SEARCH CONTROL window, use the FINDCERTIFICATIONDELEGATORSEARCHOPTION global option. From the Main menu, select GLOBAL CONFIGURATION MANAGER to configure the global option.

The default values for the FINDCERTIFICATIONDELEGATORSEARCHOPTION global option include:

HEADING — Find Employee - Delegatee


KEYCOLUMN — ProfileUID

ISSINGLESELECT — True

RESTRICTIONCONFIGURATIONNAME — FindCertificationDelegatorSearchRestriction

ROWSPERRESULTPAGE — 7

RESULTCOLUMNS — ProfileUID, FirstName, LastName, Location, Department, StartDate

Default Values in the Restriction Global Option For Delegation

The FINDCERTIFICATIONDELEGATORSEARCHRESTRICTION global option enables you to create a custom macro or SQL clause to implement a restriction for FINDCERTIFICATIONDELEGATORSEARCHOPTION. The default values include:


NAME — FindCertificationDelegatorSearchOption Restriction

VISIBLE — False

LABEL — FindCertificationDelegatorSearchOption Restriction

CLAUSE — Accepts a SQL clause or custom macro

DEFAULTVALUES — True

Table 4: FindCertificationDelegatorSearchOption Default Values for the Grid

Column-name

Order Visible Label Control

ProfileUID 0 True Employee ID Text

FirstName 1 True First Name Text

LastName 2 True Last Name Text


Courion Corporation

Reclaiming Delegated Review Cycles

The delegator can reclaim a review cycle that was delegated by disabling or clearing the delegation until the compliance analyst closes the review cycle. Once the delegator reclaims a review cycle, the delegator can review it and submit decisions or delegate it to another delegatee.

To disable the delegation, check the Select All checkbox for all the review cycles or check an individual checkbox for a specific review cycle. Then, click DISABLE SELECTED to disable the delegation. The ENABLED column displays FALSE for disabled.

To clear the delegation, check the Select All checkbox for all the review cycles or check an individual checkbox for a specific review cycle. Then, click CLEAR SELECTED to clear the delegation permanently.

Delegators and delegatees receive notifications when a a review cycle is reclaimed.

Viewing Delegated Review Cycles 41

Courion Corporation

Viewing Delegated Review Cycles

To view delegated review cycles, go to ACTIONS > MY CERTIFICATIONS. If the logged in business user is delegated with review cycles the grid displays the delegator username in the OWNER column, and the delegatee username in the DELEGATEE column.

Delegatees can only review the delegated review cycles, but they cannot delegate them to another person. While the review cycle is delegated, the delegator sees the review cycle as read only.


Courion Corporation

43

Courion Corporation

Chapter 6: Configuring Macros

This chapter describes how to add or edit macros through the MANAGE MACROS window.

To add new macros or edit existing macros, go to the Main menu and select MACRO CONFIGURATION. The MANAGE MACROS window appears, as shown in Figure 17.

Note: You need an AccountCourier® or a ComplianceCourier™ license to access the MANAGE MACROS window.

Figure 17: Manage Macros

Adding a New Macro

To add a new macro, click ADD NEW MACRO. The MANAGE MACROS window expands to display the fields required to add a new macro as shown in Figure 18.

44 Configuring Macros

Courion Corporation

Figure 18: Add a New Macro

Configure the following fields:

MACRO NAME: Enter a name for the new custom macro you want to create.

MACRO DESCRIPTION: Brief description about what the custom macro does.

CONNECTOR NAME: The name of the connector against which the custom macro is resolved. For example, AD Connector.

TARGET NAME: The name of the configured target for the specified connector. For example, Active Directory.

IS MACRO CACHEABLE: Accepts a boolean value of true or false. Check the checkbox to enable caching. Uncheck the checkbox to disable caching.

MACRO QUERY: A query that runs against the target system. For example, if the target is Active Directory, the query is against this target.

Click SAVE to create a new macro. The newly created macro appears in the MANAGE MACROS window.

Click CANCEL if you prefer to close the panel without creating a new macro.

Editing or Deleting an Existing Macro

To edit an existing macro, select the Edit icon . The window expands to show the configured fields as shown in Figure 19.

45

Courion Corporation

Figure 19: Edit a Macro

Edit the fields you want, and click SAVE.

To delete a custom macro, click the Delete icon .

46 Configuring Macros

Courion Corporation

47

Courion Corporation

Chapter 7: Setting Up Email Notifications

This chapter describes how to configure email notifications that are sent when a review cycle is delegated, for example.

The EMAIL TEMPLATES MANAGER offers default email templates, as shown in Table 5 .

Editing a Default Email Template

To customize a default email template:

1. From the Main menu, select EMAIL TEMPLATE CONFIGURATION. The EMAIL TEMPLATES MANAGER appears as shown in Figure 20.

Table 5: The Default Email Templates for Notification

Default Email Type Sent To Notification is Sent

CertificationDelegated Delegator and Delegatee When a review cycle is delegated.

CertificationReclaimed Delegator and Delegatee When a delegated review cycle is reclaimed.

CertificationReassigned User who reassigned a review cycle item (Reassignor), and the user to whom the item was reassigned (Reassignee).

When one or more individual items from a review cycle are reassigned.

DelegateAssigned Delegatee and Delegator When delegation happens.

DelegateWithdrawn Delegatee and Delegator When delegation is withdrawn.

CertificationActivation Reviewers When a new review cycle is activated.

48 Setting Up Email Notifications

Courion Corporation

Figure 20: Email Templates Manager

2. Click the Edit icon to edit the subject or the body text of the email template you selected. See Figure 21.

Figure 21: Add New Email Template

Customize the following fields:

SUBJECT: Enter the topic of the email you want to display to the requester or the approver.

BODY: Enter the message you want to send as a notification. The email template macros specified in the %<macros may be used>% retrieve information from Profile and other tables.

Note: Do not modify the names or number of macros in an email template. You can change the order of the macros. However %CertificationName% is not a macro in the CertificationActivation email template.

3. Click Save to save the message or CANCEL to reset to the previous message.

49

Courion Corporation

Index

AAccess Assurance Portal Page

icons 20opening 19

Access Certification Portalinstalling 5upgrading 5

CCertification Review Management wizard

starting 21certification type

wizard page 21certification type wizard page 22certification types

default 18constraints

notes on configuring 25constraints, adding 24

Ddelegate 37delegatee 37delegation 37

audit 39delegator 37design review cycle view wizard page 26

Eedit

email template 47email template

edit 47

Ffilter builder, using 23

Gglobal option

complex 14defaults 12edit 14

Mmacros

adding 43deleting 44editing 44

Microsoft Active Directory Domain, configuring 6Microsoft Active Directory Target, configuring 6

Nnotifications 47

Ooperators for constraints 24

Rreview cycle configuration, wizard page 23review cycles

about 18configuring 17creating 21using 18

Wwizard, Certification Review Management 21

50

Courion Corporation

Using ComplianceCourier Certification Review Cycles€¦ · Using ComplianceCourier Certification...

Documents

Transcript of Using ComplianceCourier Certification Review Cycles€¦ · Using ComplianceCourier Certification...