Evaluating EAM Requests
When a request is created, an Approver is notified by email to evaluate whether the request should be approved. Approved requests are provisioned until the time set in the request, unless it is terminated early. Access is then deprovisioned and the usage is extracted for review.
Approvers receive an email notification with the option to view, approve, or reject emergency access requests by selecting the related button in the email notification. Selecting a button launches a browser where the Approver can provide their credentials to receive confirmation the action has been completed.
Approvers can also view, approve or reject, and comment on their assigned requests using the Reviewer Dashboard. Selecting View Request in the email notification will direct the Approver to the EAM Dashboard, where they can expand the Actions dropdown menu next to the request and select Approve or Reject.
When an Approver rejects a request, it is moved to the Completed tab and the Requestor is notified. Approved requests will be scheduled to be provisioned at the date and time set on the request.
When a request is approved, Access Risk Management schedules a provisioning request. If the Requestor or Owner selected a start time in the request, provisioning will be scheduled at that time. Requests without a specified start time will schedule provisioning immediately.
Access Risk Management validates the access has been provisioned as expected by checking the entitlements assigned to the Requestor. If provisioning is successful, the Requestor receives an email notification and a countdown timer is started for the duration selected when the request was created.
If the validation check finds that no access was provisioned or if the ERP system returned an error, Requestors receive an email notification that the entitlements failed to provision, and the request is flagged as faulted and must be resolved and restarted.
Resolving Provisioning Errors
Requests with errors are displayed in red on the EAM Dashboard. You can change your view to display only requests with errors.
Approvers, Owners, or Administrators can expand the Actions dropdown menu next to the failed request and select Restart Provisioning. If the provisioning continues to fail, contact your ERP system security administrators to identify and resolve the cause of the provisioning error.
If the validation discovers that provisioning was partially successful and some entitlements were granted, the request continues as normal so the Requestor's actions are logged and reviewed in a timely manner. Entitlements that failed to provision will be noted in the Request History logs.
Access can be deprovisioned automatically after the duration specified when creating the request, or it can be terminated early by the Owner, Requestor, Approver, or Administrator.
Access Risk Management runs an additional validation check after the ERP system provides a successful deprovisioning response to ensure that all access has been successfully removed. If access is not successfully deprovisioned, you can resolve errors and restart the deprovisioning.
Terminating Access Early
If a Requestor has finished their work early, or an Owner, Approver or Administrator want to revoke access before the scheduled end date of the request, they can manually terminate the elevated access early.
Users can go to the Active tab of the EAM Dashboard, expand the Actions menu next to the request, and select Terminate Access.
This will immediately revoke the Requestors' access to the elevated entitlements and Access Risk Management will begin collecting usage data. The data collection progress is displayed on the Data Collection tab of the EAM Dashboard.
Resolving Deprovisioning Errors
An Approver, Owner, or Administrator can restart the deprovisioning process by expanding the Actions menu and selecting Restart Deprovisioning. If deprovisioning continues to fail, contact your ERP system security administrators to identify and resolve the cause of the deprovisioning error.
When an automated deprovisioning attempt fails, the request is flagged as faulted and EAM profile Attestors are notified by email to certify that access was successfully deprovisioned.
Attesting Removed Access
If a review must be completed before the cause of the deprovisioning error is resolved, Attestors serve as an emergency backup to provide a manual confirmation that the Requestor used the access appropriately.
They can also attest that no access was used if a utilization extract is blank.
When a deprovisioning error occurs, Attestors will:
Go to the Active tab of the EAM Dashboard.
Select the Actions menu next to the request.
Select Attest Deprovisioning
Submit a comment with an attachment to use as audit evidence that deprovisioning occurred. This step is mandatory to ensure an accurate request duration is recorded.