Provisioning

In some cases as example TOPdesk we would like to use the sAMAccountName as correlation field. Because this is generated by a dependend system (AD) we would like to have support for the person.accounts<<systemname>>.attributes to be set as the person correlation field. This way we support values from dependend systems to be used as correlated value.

Support not (inverted) and in (select multiple values for equal + contains) operator for filtering

Since manually selecting actions for each record can be time-consuming, we aim to support bulk actions for the displayed records. Users can apply filters to define the scope of these bulk actions, making it easier to manage all records in the reconciliation report. Suggestion: Add bulk action button to the report Shows all possible actions types (delete account, exclude account, etc) which can be executed based on issues in report (taken into account the current filtering & search) Enable bulk modus after action type is selected - Only issues in which the action can be executed are shown - You can change or create new, filters to limit the number of issues - Action can be executed (This will be only be executed on the filtered or search issues shown in the report)

We would like to filter the reconciliation report on account attributes based on values of the target system. Therefore we need some UI to select which attributes we use for filtering and a filtering of the grid so we can see the filtered results. Filter on all mapped fields Shows suggestions of unique values of a selected filter field Show account details on each record of report Account attributes are excluded from report export

Within this step, we review our entitlement state against the network state of the active directory each month. The review ends with a report of all differences. Match the state from Active Directory (network state) against entitlement state (based on account entitlement reference) Match only on granted entitlements (not on open actions) Based on mismatching show the following data in a report Filter on systems & scenario - Sort on System, Account, Person Each record - Show user (samAccountName (DisplayName) from Active Directory) - show label when account is excluded and type is permission - Show permission - Show Linked person if available - Show Linked Business rules (based on which BR include the account entitlement & account access entitlement or Person by fromRules depending on the scenario) - Show Description of the scenario as described down below Unmanaged permission: The permission exists in Active Directory but no corresponding state can be found in HelloID - Option to create exclusion for a specific period (3 months, 6 months, 1 year, 3 years). This means that only after the selected period we have to review this particular permission for that account again. - Option to revoke the permission from the account Missing permission: An permission entitlement exists but no corresponding account + membership exist in Active Directory - Option to un-manage entitlement which results in granting entitlement in next enforcement (this option is automatically set when the option “force grant desired entitlements automatically” is enabled in reconciliation settings) Reconciliation settings - force grant desired entitlements automatically (Automatically handles the “Missing permission” suggestion) default = false When account is excluded give option to exclude all unmanaged permission (at that moment) Show count of permissions

Based on the reconciliation report we would like to take action and clean-up our Active Directory environment. Therefore we are getting suggestion how to handle certain scenario's between the difference in state of HelloID and Active Directory. Scenario's with the suggestions: Unmanaged account: The account exists in Active Directory but no corresponding state can be found in HelloID Option to solve suggestion (will be shown at next reconciliation report creation run) Option to delete account Option to disable account (only shown when account is enabled) Option to create an exclusion(*) for a specific period (3 months, 6 months, 1 year, 3 years). With extra option to disable account Missing account: An account entitlement exists but no corresponding accounts exist in Active Directory Option to solve suggestion (will be shown at next reconciliation report creation run) Option to create account (unmanage & grant account). This option can be automatically forced without manual approval Mistakenly enabled account: An account in Active Directory exists with a corresponding account entitlement in HelloID but the account is enabled but no corresponding account access entitlement exists Option to solve suggestion (will be shown at next reconciliation report creation run) Option to disable the account Mistakenly disabled account: An account in Active Directory exists with a corresponding account entitlement in HelloID but the account is disabled although it has a corresponding account access entitlement Option to solve suggestion (will be shown at next reconciliation report creation run) Option to enabled account (unmanage account access & grant account access). This option can be automatically forced without manual approval * Exclusion list: Suggestions will not appear for the excluded items as long as the exclusion exists. Exclusions are automatically removed when the selected period on creation is exceeded. It's possible to manually remove exclusions from the list This feature requires the Governance module license.

As a HelloID admin, I want HelloID to recognize when a membership in Active Directory is already granted, so that redundant grant actions can be skipped during evaluation and give me a better evaluation forecast. Process Overview: Data Retrieval from Active Directory: Obtain data from the Active Directory target system, including permissions and memberships. Conversion to Granted Entitlements: Transform Active Directory permission data into granted entitlements for evaluation. Detailed Permissions Display: Display all permissions to be imported for each account, offering comprehensive insight. Import of Converted Data: Import the converted Active Directory account data as granted entitlements into the system. Evaluation Comparison: Contrast HelloID's desired state based on Business Rules (BR) with the current state in Active Directory. Benefits: Streamlined Evaluation: By importing existing Active Directory memberships and permissions, HelloID optimizes the evaluation process, enabling the system to skip redundant grant actions when memberships are already present. Clarity in Changes: This approach provides a clearer overview of actual changes in Active Directory during evaluation, facilitating better decision-making and management.

In certain scenarios, it's necessary to establish precedence among permissions in the event of conflicts or to optimize licensing costs by consolidating entitlements. To address this, we utilize toxic combinations, which dictate how conflicting permissions are resolved when multiple entitlements are granted. Configure a Toxic combination: Name: Provide a descriptive label for the rule. Description: Briefly explain the purpose and context of the toxic combination. Input entitlements: Define the conflicting combination of permissions from one or more systems. Output entitlements: Specify the subset of permissions to be retained when the toxic combination occurs. Benefits: Permission Conflict Resolution: Effortlessly configure conflicting combinations of permissions and specify the preferred resolution. Overview of Configured Toxic combinations: Easily access and manage all established toxic combination. Evaluation Visibility: Clearly indicate actions triggered or caused by toxic combinations during evaluation processes. Filtering Capabilities: Streamline analysis by filtering actions based on their association with toxic combinations.

We would like to see which Active Directory accounts are not managed by HelloID Provisioning and if these accounts are enabled/disabled. This helps to clean up the current Active Directory state. Import accounts + accounts access (enable/disable) state from Active Directory Match the state from Active Directory (network state) against HelloID Provisioning entitlement state (based on account entitlement reference) Report is renewed each month Based on a mismatch (unmanaged by HelloID provisioning) the following data is shown per mismatch: Show Active Directory user Show System (We only support Active Directory but you could have multiple Active Directories) Show the person if available we do a check based on correlation value (When a person is shown this could mean that the scope of the Business Rules assigning the account entitlement is not correct) Show business rules assigning the account (access) entitlement from the Active Directory system Show Description of the scenario as described down below Scenario's: Unmanaged account: The account exists in Active Directory but no corresponding state can be found in HelloID Missing account: An account entitlement exists but no corresponding accounts exist in Active Directory Mistakenly enabled account: An account in Active Directory exists with a corresponding account entitlement in HelloID but the account is enabled but no corresponding account access entitlement exists Mistakenly disabled account: An account in Active Directory exists with a corresponding account entitlement in HelloID but the account is disabled although it has a corresponding account access entitlement This feature needs the Governance module license.