Mover Testing
  • 01 Jul 2024


This article will help you test and verify the proper Mover process in Clarity.


Testing

We recommend replicating the process you currently utilize for cases where users move and their access is changed, but limited to a specific role to begin with. Most often, these events are triggered through changes in your Source(s) of Truth.

Report

You can run the State of Access Report to get a snapshot of the access the Identity has before the mover process.
Head to the Reports section, then load the State of Access report and filter to your Identity.

State of Access.png

Prepare Identity Modified workflow for testing

For the Identity Modified Workflow, you may want to add a condition (shown in the image below) before the Re-Provision Identity step, so that only a target population receives new access when a role change is detected. This change is temporary and should stay in place only until you complete your testing.

In the example below, we have added a Condition: Identity has Role, and configured it to proceed to the provisioning step only if the Identity matches the role Marketing/Junior (Department: Marketing, Job Title: Junior).

Mover Testing Workflow

Verify your Re-Provision Identity Workflow Step

Confirm in Clarity that the Re-Provision Identity step in the Identity Modified workflow is configured as expected. The image below shows the options available when a role change has been detected. You can choose to remove all access that doesn't overlap with the new role immediately, never, or after a custom number of days.

Re-Provision Identity Options

Verification

You can confirm that the workflow was successful in a few different ways.

Clarity Identity Page

Loading the specific Identity the tests were run with, you can check the Applications and Entitlements tabs to verify what Apps and Entitlements they currently have access to. You can also check the Audit Log tab to view changes to this Identity. These views can be compared against the State of Access report to see changes.

Note

The Clarity Service User Identifier in the Applications tab, or the numbers at the end of the URL in your address bar when viewing an Identity, can be used to filter your reports (50856 in the image below)!

Sam McClarity Applications

State of Access Report

In the Reports section, you can run the State of Access Report again with an updated Date and Time, which will give you another point-in-time overview of the application(s) you are validating.

Entitlement and Removals Report

Audit Log Report

To access it, navigate to the Reports section of Clarity, open the Workflow Audit Logs report, and search using the Identity ID of the particular user. You will want to filter this report to the correct workflow for your termination event, and use the context options to find your particular user. You can paste the Identity ID found in the URL address bar when you load an Identity.

https://demo.claritysecurity.io/identity/50856
# Example Clarity Identity URL
# 50856 is the Identity ID for this Clarity Identity

Workflow Audit Identity Modified

Verify in your Applications Downstream

Compare the access provided by each of the roles (the role the Identity is starting in and the new role) in the relevant application(s). When an Identity triggers a Mover workflow, Clarity will compare the 2 Roles and their access. Clarity will grant any new access the Identity should have in the new role.

By default, access from the previous Role is retained during these events, but you can configure these to be removed immediately, or after a set time period.

Note

If configured to remove immediately or after a custom number of days, Clarity will only perform that desired action against entitlements associated with the Identity that are of the Grant Type: role. Clarity will not remove exceptions (Grant Type: exception) as part of the Mover workflow process.

Check out this article's section on Grant Type:
What is a Role?
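
The following is an added example, not Clarity's own code or report format: it models the grant and removal rules described above so you can predict the expected end state of a test Identity and compare it with a post-move snapshot. The entitlement names, field layout and the reading of "custom number of days" as "removed once that many days have elapsed" are assumptions.

```python
# Added illustration: field names and sample data are constructed for this
# example and are not Clarity's report schema or API.

def expected_after_move(before, old_role, new_role, removal="never", days_since_move=0):
    """Return {entitlement: grant_type} expected after the Mover workflow.

    before   -- {entitlement: grant_type} snapshot taken before the move
    old_role -- set of entitlements granted by the starting role
    new_role -- set of entitlements granted by the new role
    removal  -- "immediately", "never", or an int number of days
    """
    if removal not in ("immediately", "never") and not isinstance(removal, int):
        raise ValueError("removal must be 'immediately', 'never' or a number of days")
    expected = dict(before)
    # New access from the new role is granted; an entitlement already held
    # keeps its recorded grant type (assumption).
    for ent in new_role:
        expected.setdefault(ent, "role")
    if removal == "never":
        return expected
    if removal == "immediately" or days_since_move >= removal:
        for ent in old_role - new_role:        # access that does not overlap
            if expected.get(ent) == "role":    # exceptions are never removed
                del expected[ent]
    return expected

def diff_snapshots(expected, actual):
    """Compare expected state with a post-move snapshot; empty lists mean pass."""
    return {"missing": sorted(set(expected) - set(actual)),
            "unexpected": sorted(set(actual) - set(expected))}

# Constructed sample data for one test Identity.
OLD_ROLE = {"crm:read", "wiki:read", "ads:editor"}
NEW_ROLE = {"crm:read", "wiki:read", "analytics:viewer"}
BEFORE = {"crm:read": "role", "wiki:read": "role", "ads:editor": "role",
          "finance:report": "exception"}

if __name__ == "__main__":
    want = expected_after_move(BEFORE, OLD_ROLE, NEW_ROLE, removal="immediately")
    # Constructed "after" snapshot in which the old role access was not removed.
    actual = dict(want, **{"ads:editor": "role"})
    print(diff_snapshots(want, actual))
```

An entry under "unexpected" after the removal window means old role access was retained; an entry under "missing" means new role access was not provisioned.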


Need Help?

If you have any problems, contact your customer success team. You can also get in touch with our general support via email or by opening a support ticket. Our general support team is available Monday - Friday from 8:00 AM - 6:30 PM CST.

