Chat now with support
Chat with Support

Identity Manager 9.2 - Behavior Driven Governance Administration Guide

Identifying unused OneLogin applications

Applications should be used at least once by at least one OneLogin user within the given time span. You can use a default company policy to identify all OneLogin applications that, according to the change history, have not been used during this time. Exception approvers are informed about the affected applications. Recertification can be used to clarify whether the applications are still needed. This means that users and their managers or target system managers discuss whether the applications are still required. If not, access to unused applications can be subsequently removed, automatically or manually. Default policies must be enabled and configured to meet company requirements.

Applications are identified as unused when the following conditions apply:

  • The application is assigned to at least one OneLogin user account (OLGUserHasOLGApplication).

  • The number of days between the date of the last application login (OLGEvent.CreatedAt) and the current date is greater than or equal to the value of the TargetSystem | OneLogin | UnusedApplicationThresholdInDays configuration parameter.

    - OR -

    There is no application login date for a user account in the change history. Therefore, the user has not yet used the application.

To find and recertify unused applications

  1. (Optional) Configure automatic withdrawal of entitlements.

    Depending on the method used to assign OneLogin user accounts to OneLogin roles (directly, via IT Shop request, through hierarchical roles or system roles), different configuration parameters must be set. For more information about this, see the One Identity Manager Attestation Administration Guide.

  2. (Optional) Check whether policy violation notifications and attestation notifications are set up in the attestation case.

    For more information, see the One Identity Manager Company Policies Administration Guide and the One Identity Manager Attestation Administration Guide.

  3. (Optional) Assign identities to the Identity & Access Governance | Company policies | Exception approvers application role if they are to be informed about unused OneLogin applications. These identities are allowed to approve exceptions if necessary.

  1. Enable the working copy of the Unused OneLogin applications can be removed company policy

    For more information about this, see the One Identity Manager Company Policies Administration Guide.

    This starts the policy check.

    TIP: If an enabled company policy already exists, you can start the policy check with the Recalculate policy task.

    A predefined schedule starts the policy check once a month.

  2. In the Web Portal, edit the Attestation of OneLogin application access attestation policy.

    For more information about this, see the One Identity Manager Web Portal User Guide.

    1. (Optional) To periodically recertify approved unused applications, select an enabled schedule in the Calculation schedule field.

    2. Specify which applications require recertifying. In the Objects to be Attested by this Attestation Policy pane, add at least one other condition.

      Example:

      1. Select the Specific applications condition type and select one of the applications that has been identified as unused by the company policy.

      2. Add another condition with the Unused for x days condition type and enter the number of days after which the application is identified as unused.

      3. Delete the All applications condition.

      If you do not add a condition, attestation cases are created for all the OneLogin application assignments to OneLogin user accounts.

    3. Enable the attestation policy

      • Disable the Disabled check box.

    4. Save the changes.
Procedure
  1. In the Manager, verification of the Unused OneLogin applications can be removed company policy is either scheduled or started by the Recalculate policy task.

    • It finds all OneLogin applications where the user account has either not logged in within the specified time period or never logged in.

    • Exception approvers are notified of policy violations via email.

  2. In the Web Portal, attestation with the Attestation of OneLogin application access is either scheduled or started manually.

    It finds all OneLogin application assignments to user accounts according to the configured condition.

    Approval sequence:

    1. Is the user account linked to an identity?

      • If not, the assignment is submitted to the target system managers for attestation.

    2. The linked identity confirms whether the assigned application is required.

    3. The manager of the linked identity decides whether the assignment stays.

    4. If attestation was denied in an approval level, automatic removal of the assignment is reviewed. This finds all OneLogin roles used to assign applications to the user account.

      • If no other applications are assigned to a role, automatic withdrawal of this role is initiated. This removes the assignment of the role to the user account and provisions the change in the target system, thus removing the entitlement for using the application from the OneLogin user.

        With the subsequent synchronization, assignment of the application to the user account is marked as pending or deleted in the One Identity Manager database, depending on the configuration of the synchronization. Run a full target system synchronization to irrevocably delete pending assignments.

    5. If the application is assigned directly to the user account or access to multiple applications is granted through a OneLogin role, the attestation case is submitted to the target system managers for final processing.

      • If the target system managers deny attestation, they must ensure that the assignments are removed manually.

If the manager or target system managers have approved the attestation, the assignment stays and is submitted for recertification again by the next scheduled check.

Related topics

Assigning OneLogin applications to OneLogin roles

OneLogin user access to applications is controlled by roles. To be able to manage access to OneLogin applications automatically, only one OneLogin application can be assigned to a OneLogin role. When this application is no longer needed, its membership in the role can be removed without withdrawing access to other applications at the same time. Similarly, an application should be assigned to only one OneLogin role. If this application is no longer required, you only need to remove membership from the role.

You can use default company policies to verify that whether the requirements for automatic withdrawal of entitlements are met. Exception approvers are informed about the affected roles and applications and can take appropriate action.

To identify OneLogin roles with more than one OneLogin application

  1. (Optional) Assign the identities to be informed about the OneLogin roles affected to the Identity & Access Governance | Company policies | Exception approvers application role. These are allowed to approve exceptions if necessary.

  2. (Optional) Check whether notifications of policy violations are setup.

    For more information about this, see the One Identity Manager Company Policies Administration Guide.

  3. Enable the working copy of the All OneLogin roles control just one OneLogin application company policy.

    This starts the policy check.

    TIP: If an enabled company policy already exists, you can start the policy check with the Recalculate policy task.

    A predefined schedule starts the policy check once a month.

  4. Check all OneLogin roles that violate the policy and correct the assignments to OneLogin applications.

To identify OneLogin applications with more than one OneLogin role

  1. (Optional) Assign the identities to be informed about the applications affected to the Identity & Access Governance | Company policies | Exception approvers application role. These are allowed to approve exceptions if necessary.

  2. (Optional) Check whether notifications of policy violations are setup.

    For more information about this, see the One Identity Manager Company Policies Administration Guide.

  3. Enable the working copy of the All OneLogin applications are controlled by just one OneLogin role company policy.

    This starts the policy check.

    TIP: If an enabled company policy already exists, you can start the policy check with the Recalculate policy task.

    A predefined schedule starts the policy check once a month.

  4. Check all OneLogin applications that violate the policy and correct the assignments to OneLogin roles.

Related topics

Behavior Driven Governance for Privileged Account Management

NOTE: This functionality is only available if the Privileged Account Governance Module in installed.

One Identity Manager provides various company policies and attestation policies to test and recertify, or remove access to entitlements in One Identity Safeguard depending on the usage behavior of its users. This means the following scenarios can be handled:

  • PAM user groups that are not used by your users

    Members of user groups can request access within a defined time period. User accounts with no access requests recorded in the PAM audit log, should have their membership in the user group recertified or deleted.

    A company policy determines all the user accounts without access requests. Exception approvers are informed about the user groups and user accounts involved. At the same time, a recertification process is launched. During the recertification process, attestation policy approvers clarify whether the memberships are still required. Memberships that are not required can then be removed automatically or manually.

  • Different PAM entitlements that are not used

    PAM entitlements, such as assets, user groups, or permissions, should be used at least once within a defined period of time. If, according to the PAM audit log, an entitlement has not been used during this period, a recertification procedure can be used to determine whether the entitlement is still required.

    Any unused entitlements are determined by various company policies. Exception approvers are informed about the entitlements involved. Recertification can be used to clarify whether the entitlements are still required. Unused entitlements can then be removed from the target system.

The number of days after which entitlements are considered unused is specified in the TargetSystem | PAG | UnusedUserAccountThresholdInDays configuration parameter. The default value is 90 days.

For more information about mapping PAM objects, see the One Identity Manager Administration Guide for Privileged Account Governance.

Related topics

Behavior Driven Governance for target systems in the Unified Namespace

One Identity Manager provides company policies to find user accounts that have not been used for a specified period of time. They can use this information to verify and correct target system access permissions. This can reduce the security risks associated with unused but enabled user accounts.

Prerequisites
  • The user accounts are mapped in the Unified Namespace.

  • The target systems provide information about how long the user accounts have been in use. This data is synchronized with the One Identity Manager and mapped in UNSAccount.LastLogon.

For more information about mapping target systems and user accounts in the Unified Namespace, see the One Identity Manager Target System Base Module Administration Guide.

The number of days after which user accounts are considered unused is specified in the TargetSystem | UNS | UnusedUserAccountThresholdInDays configuration parameter. The default value is 90 days.

The following scenarios can be handled:

  • User accounts that are not used can be disabled

    If users have not logged in to a target system for a specified period of time, their user accounts can be considered to be unused. These user accounts ought be disabled so that logging in is no longer possible.

  • User accounts that are not used can be deleted

    User accounts that have not been used to log in to the target system for a specified period of time can be deleted.

Default company policies can be used to find unused user accounts and to inform exception approvers. How to proceed with these user accounts (disabled or delete) depends on the capabilities of the respective target systems. Define target system-specific processes to do this.

Detailed information about this topic
Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating