Hello Everyone,
Could someone help me find the XML to add additional “Target Entity Type” for the Access Certification Campaigns?
Hello Kamil,
It is dynamic.
When you add the permission to certify an EntityType, it will be displayed in the “Target Entity Type” list.
Example: Permission for the departments
<AccessControlRule Identifier="Administrator_AccessCertificationItem_Custom_AccessCertification_Assign_Directory_Organization" DisplayName_L1="Administrator - Access certification auto assign" EntityType="AccessCertificationItem" Profile="Administrator">
<Entry CanExecute="true" Permission="/Custom/AccessCertification/AutoAssigned/Directory_Organization" />
<Entry CanExecute="true" Permission="/Custom/AccessCertification/ManualAssigned/Directory_Organization" />
</AccessControlRule>
Hello Hazem,
So it is this part from the documentation.
Access Certification | Netwrix Product Documentation
This was confusing to me because of the word “profile”. So, we are giving a specific profile access to this entity type in the certification campaign.
The profiles that we have in the assigned profiles are not what is referred to here, but the ones we create with the certification policy?
<AccessCertificationCampaignPolicy Id="-2" Identifier="Manager" DisplayName_L1="Manager" DisplayName_L2="Responsable"/>
To add more details, AccessReviews configuration is based on three elements:
- The campaign policy definition: defines the type of campaign (Manager, Application Owner, Administrator, Security Officer, etc.). It’s usually the profile that will be allowed to review the items.
- The Entity Type to include in the campaign, dynamically computed from the permissions
- The profile that will be able to review the items
When you create your AccessControlRule, you need to define this information.
Example 1:
<AccessControlRule Identifier="ApplicationOwner_ReviewRolesAsApplicationOwner_AutoAssigned_SingleRole" DisplayName_L1="ApplicationOwner_ReviewRolesAsApplicationOwner_AutoAssigned_SingleRole" EntityType="AccessCertificationItem" Profile="ApplicationOwner">
<!-- Restrict the rule to campaigns created from the Workforce/ApplicationOwner policy -->
<Filter Binding="Campaign.Policy.Identifier" Value="Workforce/ApplicationOwner"/>
<!-- Restrict the items to single roles whose category is one of the reviewer's profile categories -->
<Filter Binding="AssignedSingleRole.Role.Category.Id" Category="true"/>
<!-- Permission that puts Directory_User in the "Target Entity Type" list for this profile -->
<Entry Permission="/Custom/AccessCertification/AutoAssigned/Directory_User" CanExecute="true" />
</AccessControlRule>
This can be translated as:
Any user having the “Profile” “ApplicationOwner” can review the items from any “Workforce/ApplicationOwner” “Campaign Policy” as long as the item is a “SingleRole” assigned to a “Directory_User” and linked to the “Category” listed in the user’s profile.
Example 2:
<AccessControlRule Identifier="Administrator_AccessCertificationItem_Custom_AccessCertification_Assign_Directory_Application" DisplayName_L1="Administrator - Access certification auto assign" EntityType="AccessCertificationItem" Profile="Administrator">
<Entry CanExecute="true" Permission="/Custom/AccessCertification/AutoAssigned/Directory_Application" />
<Entry CanExecute="true" Permission="/Custom/AccessCertification/ManualAssigned/Directory_Application" />
</AccessControlRule>
This can be translated as:
Any user having the “Profile” “Administrator” can review the items from any “Campaign Policy” as long as the item is assigned to a “Directory_Application”.
I hope this makes it clearer.
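The reading of the two examples above (profile + optional campaign-policy filter + permission entries, with the "Target Entity Type" list derived from the permissions) can be checked mechanically. The script below is an added illustration written for this thread; it is not Netwrix/Usercube code and does not reproduce the product's actual rule engine. It assumes that only `CanExecute="true"` entries grant review rights, that the permission path always has the shape `/Custom/AccessCertification/<AutoAssigned|ManualAssigned>/<EntityType>`, and that a rule without a `Campaign.Policy.Identifier` filter applies to every policy. The `<Rules>` root element is a hypothetical wrapper; the three rules inside it are the ones quoted in this thread.

```python
"""Toy evaluator for the AccessControlRule semantics discussed in this thread.

Added illustration only: NOT Usercube / Netwrix Identity Manager code.
"""
import xml.etree.ElementTree as ET

# Constructed sample: hypothetical <Rules> wrapper around the three rules quoted
# in the thread (DisplayName attributes dropped for brevity).
RULES_XML = """<Rules>
  <AccessControlRule Identifier="Administrator_AccessCertificationItem_Custom_AccessCertification_Assign_Directory_Organization" EntityType="AccessCertificationItem" Profile="Administrator">
    <Entry CanExecute="true" Permission="/Custom/AccessCertification/AutoAssigned/Directory_Organization" />
    <Entry CanExecute="true" Permission="/Custom/AccessCertification/ManualAssigned/Directory_Organization" />
  </AccessControlRule>
  <AccessControlRule Identifier="ApplicationOwner_ReviewRolesAsApplicationOwner_AutoAssigned_SingleRole" EntityType="AccessCertificationItem" Profile="ApplicationOwner">
    <Filter Binding="Campaign.Policy.Identifier" Value="Workforce/ApplicationOwner"/>
    <Filter Binding="AssignedSingleRole.Role.Category.Id" Category="true"/>
    <Entry Permission="/Custom/AccessCertification/AutoAssigned/Directory_User" CanExecute="true" />
  </AccessControlRule>
  <AccessControlRule Identifier="Administrator_AccessCertificationItem_Custom_AccessCertification_Assign_Directory_Application" EntityType="AccessCertificationItem" Profile="Administrator">
    <Entry CanExecute="true" Permission="/Custom/AccessCertification/AutoAssigned/Directory_Application" />
    <Entry CanExecute="true" Permission="/Custom/AccessCertification/ManualAssigned/Directory_Application" />
  </AccessControlRule>
</Rules>"""

PERMISSION_PREFIX = "/Custom/AccessCertification/"
ASSIGNMENT_MODES = ("AutoAssigned", "ManualAssigned")
POLICY_BINDING = "Campaign.Policy.Identifier"


def parse_permission(permission):
    """Split '/Custom/AccessCertification/<mode>/<EntityType>' into (mode, entity_type).

    Returns None for anything that is not a certification permission, so unrelated
    entries in the same rule are ignored rather than mis-parsed.
    """
    if not permission.startswith(PERMISSION_PREFIX):
        return None
    parts = permission[len(PERMISSION_PREFIX):].split("/")
    if len(parts) != 2 or parts[0] not in ASSIGNMENT_MODES:
        return None
    return parts[0], parts[1]


def parse_rules(xml_text):
    """Return certification rules as dicts: profile, optional campaign-policy filter,
    other filter bindings (reported, not evaluated) and granted (mode, entity_type) pairs."""
    rules = []
    for rule in ET.fromstring(xml_text).findall("AccessControlRule"):
        if rule.get("EntityType") != "AccessCertificationItem":
            continue  # only rules on certification items feed the campaign UI
        policy, other_filters = None, []
        for flt in rule.findall("Filter"):
            if flt.get("Binding") == POLICY_BINDING:
                policy = flt.get("Value")
            else:
                other_filters.append(flt.get("Binding"))
        grants = set()
        for entry in rule.findall("Entry"):
            # Assumption: only CanExecute="true" entries grant review rights.
            if entry.get("CanExecute", "").lower() != "true":
                continue
            parsed = parse_permission(entry.get("Permission", ""))
            if parsed:
                grants.add(parsed)
        rules.append({"identifier": rule.get("Identifier"), "profile": rule.get("Profile"),
                      "policy": policy, "other_filters": other_filters, "grants": grants})
    return rules


def certifiable_entity_types(rules):
    """Entity types that show up in the 'Target Entity Type' list: every entity type
    named by a granted permission, across all profiles (the 'dynamic' list)."""
    return {entity_type for rule in rules for _, entity_type in rule["grants"]}


def reviewer_profiles(rules, policy, entity_type, mode):
    """Profiles allowed to review an item of entity_type, assigned by mode, in a campaign
    of the given policy. A rule without a policy filter applies to every policy.
    Other filters (e.g. the category scoping in example 1) are not evaluated here;
    in the product they narrow the result further, never widen it."""
    return {rule["profile"] for rule in rules
            if (rule["policy"] is None or rule["policy"] == policy)
            and (mode, entity_type) in rule["grants"]}


if __name__ == "__main__":
    parsed_rules = parse_rules(RULES_XML)
    print("Target entity types:", sorted(certifiable_entity_types(parsed_rules)))
    print("Reviewers of an auto-assigned Directory_User item in Workforce/ApplicationOwner:",
          reviewer_profiles(parsed_rules, "Workforce/ApplicationOwner", "Directory_User", "AutoAssigned"))
    print("Reviewers of the same item in a Workforce/Manager campaign:",
          reviewer_profiles(parsed_rules, "Workforce/Manager", "Directory_User", "AutoAssigned"))
```

Running it shows the two behaviours described above: the three entity types appear in the target list because some rule grants a permission on them, and the ApplicationOwner rule only yields a reviewer for campaigns of its own policy, while the Administrator rules apply to any campaign policy. To audit a real configuration, replace the constructed `RULES_XML` with the exported AccessControlRule XML and check whether any profile gets review rights over an entity type it should not.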