High-Risk Entitlements Review: A Comprehensive Guide
- Updated on 30 May 2024
This guide walks you through a critical access control process: reviewing Entitlements we have identified and marked as High Risk.
Learn more about defining High Risk Entitlements in our article: What are Entitlements?
What's Included in This Review?
This review targets Entitlements we have identified as having significant access privileges, often assigned to administrators or other privileged users. The Access Review will be made up of these High Risk Entitlements from multiple applications.
Creating and Managing Reviews
Learn more about Access Reviews in our article: What are Access Reviews?
1. Assigning Ownership and Setting Review Frequency
We are going to assign the review to the Entitlement Owners, if we have them set. If not, we will have Clarity assign the review items to the default reviewer, so they can reassign them appropriately. We will also set the frequency as quarterly to make sure we're on top of reviewing these items, and give the reviewers 10 business days to complete their review.
2. Reviewing and Approving Entitlements
Because this review covers High Risk Entitlements, we want to ensure that each one is properly reviewed and does not fall victim to Rubber Stamping. For this reason, we will set the Risk Threshold to 0.
3. Selecting Entitlements for Review
For our review type we will choose High Risk Entitlements, as we have gone through our Entitlements and designated them as High Risk. If there were any Applications we wanted to exclude from the review we could define those in the Add Exclusions option. In our case, we do not want to exclude anything for our review.
4. Additional Considerations
We select the option to include the friendly names for Entitlements we have configured. Include Inherited Entitlements ensures we review nested access granted by High Risk Entitlements, providing a complete picture.
Finally, we're going to select the option to Delay email notification for assignees so we can reassign items before notifying the reviewers that they have assigned items.
Reassigning and Emailing
When we select Save or Update, our review will be generated. We will see a blue note at the top of the screen informing us that the review is currently generating. Depending on the size, it may take some time to process and generate the review. Once it has completed, we will see it listed after refreshing the screen.
For our review, we will select the Actions dropdown and then View All Items so we can review all the assignments for this review.
We will select the items we want to reassign and then, in the popup, search for who we are going to assign these items to. Because we have not yet sent the emails for this review, the new assignee will not be notified until we select that option from the Actions dropdown menu.
Any reassignments that occur after selecting the Email Assignees option for your review will send an email to the new assignee.
Upcoming Reviews and Archived Templates
Due to setting the frequency to quarterly, the next High Risk Entitlement Review is scheduled for 90 days after launch. We can adjust the review template from the "Upcoming" tab if we need to make any changes. By following these steps, we can effectively manage high risk entitlements and ensure a robust access control environment.
Review Process
Now that we have reassigned the review items as needed, it's time for us to review the remaining items we are responsible for. In the Actions dropdown for the Access Review, we will first select Email Assignees, then select Review My Items to start completing our assigned items.
When we open the review, Clarity will automatically expand the context for review items to give us a full picture of what we are reviewing. We can toggle this in the top right using the Auto Expand option.
As we review items, they will be hidden when we take an action on them. This behavior can be changed by toggling the option for Hide Completed in the top right of the UI.
You will notice that after you Approve (1) or Deny (2) access, the button changes to show that action has been taken on that row.
When we deny access, a popup will prompt us for a reason: No Longer Needs Access or Access is Inappropriate. Select whichever is appropriate for the situation. Both of these options will prompt for deprovisioning of the access, but each is listed with its specific reason on reports.
We've gone through a few of the items and approved and denied them, but now we want to Rubber Stamp the remaining items to make this quick. Because the Risk Threshold is set to 0 in the template, we will be unable to Approve Selected or Deny Selected, which we can see in the following screenshot. The screenshot shows our number of selected items, the threshold for our ability to Approve or Deny Selected items in bulk, and the number of selected items that will be approved or denied if they meet the criteria.
Once we have approved or denied all the items assigned to us, our part in reviewing is complete and it's ready to be remediated.
Remediation Process
Remediation may be required when access is denied for a user on the review. The system will deprovision, delete, or deactivate access as relevant. If Provisioning is enabled in both the Clarity tenant and the respective applications, we can choose Auto Deprovision.
If you are not using Clarity for Lifecycle Management (LCM), you can select Manually Deprovision. The status will then be Pending Manual Remediation until the application syncs and Clarity's workflow to update Remediated items is complete. It will then be listed as Remediation Complete.
Once either of those processes is complete, and there are no outstanding items, we can Finalize our review in the Ready to Finalize tab of the Access Reviews.
After reviews are Finalized, we will find them in the Completed tab. At this stage we can select the View All or Export options for a review, but no further changes can be made to the review items.
Helpful Information and Articles
- What are Access Reviews?
- User Access Review Types
- Role Access Review Types
- Active Identity Access Reviews
- Example Emails from Access Reviews
- Access Review Reminder
- What are Entitlements?
Need help?
If you have any problems, contact your customer success team. You can also get in touch with our general support via email or open a support ticket. Our general support team is available Monday - Friday from 8:00 AM - 6:30 PM CST.