UAM - User Access Management
From All n One's bxp software Wixi
1 Overview
UAM, or User Access Management, is the process of controlling user access to resources through the application of company policies and guidelines. Every company has a different set of UAM controls. bxp provides a very detailed suite of capabilities to allow for very controlled UAM. The challenge is understanding these capabilities, and this wixi provides the background for that.
Understanding the concepts and security of bxp is covered in CC-2-1_Security_and_Custom_Interface_configuration.
2 Basic Concepts
2.1 Basic concept - User types
The most basic concept in bxp is that of a user. A user has a status. The most common status is Live.
There are a number of user statuses possible
2.2 Basic concept - Function Vs. Content
In bxp we separate function and content (see Function_Vs._Content).
If we map this to something better known, such as Active Directory, function would be as simple as specifying Read or Read|Write type access control. Content control is "which folders can you perform these functions on".
Each module in bxp has a two-digit code. These can be seen when you're renaming modules (see Module_Names).
Within each of these modules is grouped functionality called Sections (see Bxp_-_Logical_Structure).
Each Section has a four-digit code, which is not readily visible in the system but is available through the Security - Functional Access Matrix report (see Security_-_Functional_Access_Matrix).
Once a user can access the correct functions in a module, for example, read in eCourse, they must then be given access to the content, i.e. which books can they read? This is called Content Access and is also controlled from the System Access Management module.
In Main Menu > System Access Management >
- Functional access is controlled from the User Administration section
- Content access is controlled from the Security - Content Access section
2.3 Basic concept - Department, Role and Security Groups
Each user in the system can have a number of settings applied to their account at a security level.
Department is the primary mechanism for billing reporting. A user can only belong to one department at a time (see System_Access_Management_-_Departments).
Within the organisation, you might have many Basic, or Agent, accounts. They can all belong to the Contact Centre department, which isn't very clear for security reporting. The next useful field is called Role (see System_Access_Management_-_Role).
All n One suggests that, for UAM, Role comprises two words: Basic - Program 1, Basic - Program 2, etc. This allows security administrators to easily see not only the Functional access level (Basic) but also the Content access level (Program 1). Whilst this is a guideline, it can make reporting and UAM significantly easier to control.
The third item is the Organogram Security Groups (see Organogram_with_Group_Profiling). A user can belong to many security groups, as the focus of this engine is team reporting. For example, John works in Team A in the mornings and in Team B in the afternoon. It doesn't make sense to have to keep changing the one team John is in. Security Groups allow John to be in two teams at the same time.
3 UAM Setup
3.1 Creating functional template users
The first step in UAM is to define Roles. Basic, Team Lead or Manager, Reporter and Administrator are the four roles we often see businesses apply to their UAM. These roles will also need "general" content titles.
Create a template user for each role, using ZZTemplate as the first name and the role name as the surname.
For each of these roles you define which functional access the users have and apply them to the template users. Log in as each of the users and verify that the functional access is correct for the type.
3.2 Applying content access to template users
For each of the template users, you can now grant them access to the specific forms, eCourses and other material they need to perform their jobs. This security change can be closely controlled and limited to users with System Access Management access only.
Log in as each of the template users to ensure they have the access they need to do their jobs.
3.3 Group user management
The next step of the process, for existing users or new users, is to copy permissions from the template user onto the new / edited user.
There are two mechanisms available.
3.3.1 Single User replace permissions
Where one user is being added, the easiest process to use is:
- Main Menu > System Access Management > User Administration > Edit User - Replace permissions >
- Select your new user
- Select the template user from the drop down list
- Ensure all permissions are replaced and not added.
3.3.2 Group User replace permissions
Where a group of users has been added, or needs to be updated, the easiest process to use is:
- Main Menu > System Access Management > System Management > Security - Group Replace Permissions >
- Using the search screen, identify a group of users
- On the following screen, tick the users to be modified.
- The final screen is the same as the single user permission modifications but the list of User Ids will be included at the top of the page.
- Ensure all permissions are replaced and not added.
At this point you have template users, and all your users fit into "buckets", which are easier to control and audit for security in the system. Next we look at ongoing management of the system.
4 Ongoing Management
Now that we have performed the exercise of getting the system in hand, we next look to ensuring that UAM is consistently applied going forward.
4.1 Functional controls
The easiest way to review user access and perform group auditing is to use the Functional Access Matrix (see Security_-_Functional_Access_Matrix). The output of the report allows reviewers to quickly see who has access to what by different criteria, with a handy export to Excel option to facilitate more in-depth analysis.
From this, the Security - Group Replace functionality allows for quick modification of users' permissions to those of a selected template user (see Security_-_Group_Replace_Permissions).
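As an added example (not part of bxp or of the original page), the review described above can be scripted against a saved copy of the matrix export: each user's section access is compared with the ZZTemplate user for the functional half of their Role, and any difference is flagged, since permissions are meant to be replaced from the template and not added. The column names and the sample rows are assumptions; the real export layout is not shown on this page.

```python
import csv
import io
from collections import defaultdict

# Constructed sample. Column names are assumed; check them against your own export.
SAMPLE_EXPORT = """first_name,surname,role,section_code,access
ZZTemplate,Basic,Basic,0101,Read
ZZTemplate,Basic,Basic,0102,Read
ZZTemplate,Administrator,Administrator,0101,Read|Write
ZZTemplate,Administrator,Administrator,0901,Read|Write
Mary,Byrne,Basic - Program 1,0101,Read
Mary,Byrne,Basic - Program 1,0102,Read
John,Doyle,Basic - Program 2,0101,Read|Write
John,Doyle,Basic - Program 2,0901,Read|Write
Ann,Kelly,Reporter - Program 1,0101,Read
"""
TEMPLATE_FIRST_NAME = "ZZTemplate"  # template naming convention from section 3.1

def functional_role(role):
    # "Basic - Program 1" -> "Basic" (functional half of the two-word Role)
    return role.split(" - ", 1)[0].strip()

def review_matrix(export_text):
    """Return (user, kind, item, detail) for every deviation from the role template."""
    templates = defaultdict(dict)  # role name -> {section_code: access}
    users = defaultdict(dict)      # (user name, functional role) -> {section_code: access}
    for row in csv.DictReader(io.StringIO(export_text)):
        first, surname = row["first_name"].strip(), row["surname"].strip()
        section, access = row["section_code"].strip(), row["access"].strip()
        if first == TEMPLATE_FIRST_NAME:
            templates[surname][section] = access
        else:
            key = (f"{first} {surname}", functional_role(row["role"]))
            users[key][section] = access
    findings = []
    for (name, role), granted in sorted(users.items()):
        expected = templates.get(role)
        if expected is None:  # Role has no template user to compare against
            findings.append((name, "NO_TEMPLATE", role, ""))
            continue
        for section in sorted(set(granted) | set(expected)):
            have, want = granted.get(section), expected.get(section)
            if have == want:
                continue
            kind = "EXTRA" if want is None else "MISSING" if have is None else "CHANGED"
            findings.append((name, kind, section, f"{want} -> {have}"))
    return findings
```

The findings list maps directly onto the "Functional Access anomalies" field of the review form in section 5.1.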
4.2 Content controls
With all of the functional access secured, review of content access is the next ongoing task.
From the console on the left, access by form and access by eCourse can be easily reviewed.
5 Operational Procedures and Evidence
5.1 Logging reviews
For compliance purposes, evidence is needed to show that checks have been carried out. The simplest way of managing this is to give the System Administrators access to a newly built form. In the form, include the following fields:
| Field | Type | Purpose |
|---|---|---|
| Date Time | Date Time | To record when the review happened. |
| Reviewed by | Staff List | Person signing off that the review was done. |
| Functional Access reviewed | True/False | Simple statement. |
| Functional Access anomalies | Text Area | A box to state if any exceptions were noted. |
| Functional Access corrections | Text Area | Any corrective actions taken to fix the anomalies. |
| Content Access reviewed | True/False | Simple statement. |
| Content Access anomalies | Text Area | A box to state if any exceptions were noted. |
| Content Access corrections | Text Area | Any corrective actions taken to fix the anomalies. |
By ensuring the work is carried out at agreed intervals, this form can be used as evidence, as the logs are date and time stamped.
With these reviews, build into your procedures that the export of the full Functional Access Matrix is included in the contact history of the record. Also the security profile of a sampled Form and a sampled eCourse could be included.
5.2 eCourse reference material
It is important to have a set of processes, procedures and policies for the management of bxp. Usually regulated businesses will base these on Word documents. bxp provides an initial document for consideration / modification by clients to match their internal processes.
By creating an eCourse, this material can be stored online, and lookups of the reference material are auditable in an eCourse, whereas they are not in a Word document.
5.3 UAM Event Diary
Using Outlook or the Appointment Management module, it is recommended to set up a shared UAM event diary to remind those responsible when checks and reviews are required.
5.4 Data Security reviews
Whilst UAM is a useful tool, it should also feature as part of a data security review process which examines all security considerations. This process usually and naturally leads to full security | legal | risk | compliance audits.
All n One are well versed in these processes and would be glad to help and work with your security and other teams to put processes and procedures in place to support your organisation.
6 Final call to action
If you need any advice, help or further information on anything mentioned in this scenario, we would be glad to help. Please contact us on +353 1 4294000 or email us at email@example.com and we'll get you the answers you need.