Date: Fri, 29 Mar 2024 13:19:33 +0000 (UTC)
Scenario Background
A departmental Human Resources employee has access to an application that grants her access to salary information for her department. Access to this application is controlled through group memberships in the Grouping Service and is provisioned and deprovisioned through the Provisioning Service.
The institution's Internal Audit group has established an auditing control that requires everyone with access to salary information to take sensitive data training on an annual basis, and to have their access re-approved by a supervisor once a year.
The Provisioning Service has two attestation rules configured:
- Members of the 'Salary History' group must be in the group of users that have taken sensitive data training annually.
- Members of the 'Salary History' group must have an approved request that is less than one year old.
Scenario Walkthrough
- The Provisioning Service evaluates whether or not the user is in the group that has taken sensitive data training within the last year. If so, the service moves on to the next attestation rule. If not, an institutionally defined workflow is fired that may inform the user about the need for training, remove the user from the group, notify the user's supervisor or take other action as appropriate.
- The Provisioning Service evaluates the date of the last approved request. If that date is more than one year in the past, a new request is generated automatically and sent to the user's supervisor. If the request is approved, the approval is noted as a positive attestation that her access is still required. If it is not approved, her access is removed.
- The Internal Audit group is able to verify that the required audit controls were met, and that the user had both taken sensitive data training and had a supervisory attestation that her access was still necessary.
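The walkthrough above can be expressed as a small rule evaluator that produces the record Internal Audit would review. This is an added example, not code from the Provisioning Service; the names `Member`, `attest` and `run_audit`, the action labels, the sample users, the 365-day reading of "one year" and the treatment of a missing request as stale are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

ONE_YEAR = timedelta(days=365)  # assumption: "one year" taken as 365 days

@dataclass
class Member:
    user: str
    last_approved_request: Optional[date]  # None = no approved request on file

def attest(member, training_group, today, supervisor_approves=None):
    """Apply the two 'Salary History' rules in order; return an audit record."""
    rec = {"user": member.user, "evaluated": today, "actions": []}
    # Rule 1: member must be in the annual sensitive-data-training group.
    rec["training_current"] = member.user in training_group
    if not rec["training_current"]:
        # The workflow's content is institutionally defined, so only its firing is recorded.
        rec["actions"].append("training_workflow_fired")
        rec["access"] = "pending_workflow"
        return rec
    # Rule 2: the last approved request must be less than one year old.
    last = member.last_approved_request
    if last is not None and today - last < ONE_YEAR:
        rec["attested_on"], rec["access"] = last, "retained"
        return rec
    rec["actions"].append("request_sent_to_supervisor")
    if supervisor_approves is None:
        rec["access"] = "pending_supervisor"
    elif supervisor_approves:
        rec["actions"].append("positive_attestation_recorded")
        rec["attested_on"], rec["access"] = today, "retained"
    else:
        rec["actions"].append("access_removed")
        rec["access"] = "removed"
    return rec

# Constructed sample data, not taken from any real system.
TODAY = date(2024, 3, 29)
TRAINED = {"alice", "carol", "dave"}
MEMBERS = [Member("alice", date(2023, 9, 1)), Member("bob", date(2023, 9, 1)),
           Member("carol", date(2022, 12, 1)), Member("dave", None)]
DECISIONS = {"carol": False, "dave": True}  # constructed supervisor responses

def run_audit():
    return {m.user: attest(m, TRAINED, TODAY, DECISIONS.get(m.user)) for m in MEMBERS}

if __name__ == "__main__":
    for user, rec in run_audit().items():
        print(user, rec["access"], rec["actions"])
```

A member who fails the training rule never reaches the approval rule, so the record shows which control stopped the evaluation.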