UAM - User Access Management

From All n One's bxp software Wixi

Jump to: navigation, search

1 Overview

UAM or User Access Management is the process of controlling user access to resources through the application of company policies and guidelines. Every company has a different set of UAM controls. bxp provides a very detailed suite of capabilities to allow for very controlled UAM. The challenge is understanding which this wixi provides background for.

Understanding the concepts and security of bxp is covered in CC-2-1_Security_and_Custom_Interface_configuration

2 Basic Concepts

2.1 Basic concept - User types

The most basic concept in bxp is that of a user. A user has a status. The most common status is Live.

There are a number of user statuses possible

2.2 Basic concept - Function Vs. Content

In bxp we separate function and content. Function_Vs._Content

If we're mapping this functionality to something more well known such as Active Directory. Function would be as simple as specifying Read, Read|Write, type access control. Content control is "which folders can you perform these functions on".

Each module in bxp has a two digit code. These can be see when you're renaming modules. Module_Names

Within each of these modules are grouped functionality called Sections. Bxp_-_Logical_Structure

Each Section has a four digit code, which is not readily visible in the system, but is available through the Security - Functional Access Matrix report. Security_-_Functional_Access_Matrix

Once a user can access the correct functions in a module, for example, read in eCourse, they must then be given access to the content, i.e. which books can they read? This is called Content Access and is also controlled from the System Access Management module.

In Main Menu > System Access Management >

  • Functional access is controlled from the User Administration section
  • Content access is controlled from the Security - Content Access section

2.3 Basic concept - Department, Role and Security Groups

For each user in the system they can have a number of settings applied to their account at a security level.

Department, is the primary mechanism for billing reporting. A user can only belong to one department at a time. System_Access_Management_-_Departments

Within the organisation, you might have many Basic, or Agent accounts. They can belong to the Contact Centre department which isn't very clear for security reporting. The next useful field is called Role. System_Access_Management_-_Role

It is suggested by All n One for UAM, that role comprises two words. Basic - Program 1, Basic - Program 2, etc. This allows security administrators to easily see not only Functional access level (Basic) but also Content level access (Program 1). Whilst this is a guideline it can make reporting and UAM significantly easier to control.

The third item belongs to the Organogram Security Groups. Organogram_with_Group_Profiling. A user can belong to many security groups, as the focus of this engine is for team reporting. i.e. John works in Team A in the mornings and in Team B in the afternoon. It doesn't make sense to have to keep changing the one team John is in. Security Groups allow for John to be in two teams at the same time.

3 UAM Setup

3.1 Creating functional template users

The first step in UAM is to define Roles. Basic, Team Lead or Manager, Reporter and Administrator and the four roles we often see business apply to their UAM. These roles will also need "general" content titles.

Create a template user for each role. Using ZZTemplate as the first name and the role name as the surname.

For each of these roles you define which functional access the users have and apply them to the template users. Log in as each of the users and verify that the functional access is correct for the type.

3.2 Applying content access to template users

For each of the template users, you can now grant them access to the specific forms, eCourses and other material they need to perform their jobs. This security change can be closely controlled and limited to users with System Access Management access only.

Log in as each of the template users to ensure they have the access they need to do their jobs.

3.3 Group user management

The next step of the process is for existing users or new users, is to copy permissions from the template user onto the new / edited user.

There are two mechanisms available.

3.3.1 Single User replace permissions


Where one user is being added, the single process easiest to use is :

  • Main Menu > System Access Management > User Administration > Edit User - Replace permissions >
  • Select your new user
  • Select the template user from the drop down list
  • Ensure all permissions are replace and not added.

3.3.2 Group User replace permissions


Where a group of users have been added, or need to be updated, the process easiest to use is :

  • Main Menu > System Access Management > System Management > Security - Group Replace Permissions >
  • Using the search screen, identify a group of users
  • On the following screen, tick the users to be modified.
  • The final screen is the same as the single user permission modifications but the list of User Ids will be included at the top of the page.
  • Ensure all permissions are replaced and not added.

3.4 Summary

At this point you have template users and all your users fit into "buckets" which is easier to security control and audit in the system. Next we look at ongoing management of the system.

4 Ongoing Management

Now that we have performed the exercise of getting the system in hand, we next look to ensuring that UAM is consistently applied going forward.

4.1 Functional controls

The easiest way to review user access and perform group auditing is to use the Functional Access Matrix. Security_-_Functional_Access_Matrix. The output of the report allows reviews to quickly see who has access to what by different criteria, with a handy export to excel option to facilitate more in-depth analysis.

functionalAccessMatrix output.png

From this the Security - Group Replace functionality allows for quick modification of users permissions to those of a selected template user. Security_-_Group_Replace_Permissions

4.2 Content controls

With all of the functional access secured, review of content access is the next ongoing task.

From the console on the left, access by form and access by eCourse can be easily reviewed.

5 Operational Procedures and Evidence

5.1 Logging reviews

For compliance purposes, evidence is the process to ensure that checks have been carried out. The simplest way of managing this is to give the System Administrators access to a newly built form. In the form include the following

Field Type Reason
Date Time Date Time To record when the review happened.
Reviewed by Staff List Person signing off that the review was done
Functional Access reviewed True/False Simple statement
Functional Access anomalies Text Area A box to state if any exceptions were noted.
Functional Access corrections Text Area Any corrective actions taken to fix the anomalies
Content Access reviewed True/False Simple statement
Content Access anomalies Text Area A box to state if any exceptions were noted.
Content Access corrections Text Area Any corrective actions taken to fix the anomalies

By ensuring at agreed intervals the work is carried out this form can be used as evidence as the logs are date and time stamped.

With these reviews, build into your procedures that the export of the full Functional Access Matrix is included in the contact history of the record. Also the security profile of a sampled Form and a sampled eCourse could be included.

5.2 eCourse reference material

It is important to have a set or processes, procedures and policies for the management of bxp. Usually regulated businesses will based these on Word documents. bxp provides an initial document for consideration / modification by clients to match their internal processes.

By creating an eCourse this material can be stored online and reference to look ups is auditable in an eCourse, where it is not in a Word document.

File:Template - bxp UAM - v1-0.docx

5.3 UAM Event Diary

Using Outlook or the Appointment Management module it is recommended to set up a shared UAM event diary to remind those responsible when checks and reviews are required.

5.4 Data Security reviews

Whilst UAM is a useful tool it should also feature as part of a data security review process which examines all security considerations. This process usually and naturally leads to full security | legal | risk | compliance audits.

All n One are well versed in these processes and would be glad to help and work with your security and other teams to put processes and procedures in place to support your organisation.

6 Final call to action

If you need any advise, help or further information on anything mentioned in this scenario, we would be glad to help. Please contact us on +353 1 4294000 or email us at and we'll get you the answers you need.