Account Reviews

Regularly pool user accounts from systems and review them in a portal - long

  • Episodes: 12
  • Duration: 24m 53s
  • Languages: EN
Episode 2

Account Reviews Solution Components

How AR works and what they need to operate

Introduction

In this section, we will explain the different components that make up an AR and how they work with one another.

Account Reviews

For every system on which you wish to perform automated account reviews, you will need to create at least one Account Review (AR). Sometimes you will have multiple reviews even for a single target system. A typical AR is made up of multiple components, which we will explain in this episode.

Types of Reviews

eramba can perform three different types of Account Reviews against one or more target systems. The type is a setting you will need to provide to the AR at the time you create it.

  • Snapshot: your script will feed all accounts on the system to eramba, and the Reviewer will have to vet them all.
  • Differential: your script will feed all accounts on the system to eramba; the account review process in eramba will compare your feed with the previous one and show only the differences to the Reviewer.
  • Exit Reviews: your script will feed all accounts on the system and your company roster to eramba (both files must use the account name as their index); eramba will display to the Reviewer those accounts for which there is no employee.

It is not uncommon to create multiple ARs in eramba against a single system: you might want to review account modifications (Differentials) and also Exits.

Systems

We refer to Systems as the applications from which you would like to obtain accounts, roles, etc., and against which you want to perform automated reviews. Every system will have accounts, which optionally might belong to one or more groups/roles. Every system will have at least one AR associated with it.

If you want to perform account reviews against a group of systems ("all my Linux systems"), you will need many ARs, which quickly becomes impractical. For that reason, this functionality is mainly focused on applications.

Feeds

Depending on the type of review you are performing, eramba needs to get from you:

  • The lists of accounts and their roles for your target system
  • Current or Former Employees

We call these data "feeds". The table below summarizes what files you need depending on what type of review you want to perform:

Type of Review   List of Accounts and Roles   List of Current or Former Employees
Snapshot         Yes                          No
Differential     Yes                          No
Exit             Yes                          Yes

There are three methods to generate the "List of Accounts and Roles":

  • Using your custom scripts (File): your script will pull the accounts and their roles into a CSV file.
  • Using our built-in LDAP Connector: eramba will use a previously configured LDAP Connector and pull the user accounts from any group on the LDAP Directory.
  • Using our built-in Amazon AWS Connector: you will provide Access Keys and Secrets for your AWS account to eramba, and eramba will pull accounts and their roles/groups from AWS IAM.

There is one method to generate the "List of Current or Former Employees":

  • Using your custom scripts (File): your script will pull the list of current or former employees into a CSV file.

Pulls

A Pull will automatically trigger for every Account Review created in eramba based on their frequency. For example, if your Account Review has an hourly frequency, then every hour a Pull job will be initiated for that Account Review.

The pull job will read the Feed file linked to that Account Review (the feed should have been updated beforehand by your script) and parse the CSV contents. It will then decide, based on the type of Account Review, what needs to be shown to the Reviewer as Feedback.
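To make the three review types and the Pull decision concrete, here is an added example (not eramba's own code) that applies the Snapshot, Differential and Exit logic described above to constructed CSV feeds. The column names (`account`, `roles`, `employee`) and the `;`-separated roles are assumptions; the page only states that both files are indexed by the account name.

```python
import csv
import io

# Constructed sample feeds; the column layout is an assumption, not eramba's format.
ACCOUNTS_PREVIOUS = """account,roles
alice,admin;dev
bob,dev
carol,ops
"""
ACCOUNTS_CURRENT = """account,roles
alice,admin;dev;ops
bob,dev
dave,dev
"""
ROSTER = """account,employee
alice,Alice Smith
bob,Bob Jones
carol,Carol White
"""

def load_feed(text, key="account"):
    """Parse a CSV feed into {account name: row}, indexed by the account column."""
    return {row[key]: row for row in csv.DictReader(io.StringIO(text))}

def roles_of(row):
    return set(filter(None, row.get("roles", "").split(";")))

def pull(review_type, current, previous=None, roster=None):
    """Decide which accounts become Feedback for the given type of review."""
    if review_type == "snapshot":
        # Every account in the feed must be vetted by the Reviewer.
        return {name: "review" for name in current}
    if review_type == "differential":
        # Only differences against the previous feed are shown.
        previous = previous or {}
        feedback = {}
        for name, row in current.items():
            if name not in previous:
                feedback[name] = "added"
            elif roles_of(row) != roles_of(previous[name]):
                feedback[name] = "roles changed"
        for name in previous:
            if name not in current:
                feedback[name] = "removed"
        return feedback
    if review_type == "exit":
        # Accounts with no matching employee in the roster are shown.
        roster = roster or {}
        return {name: "no employee" for name in current if name not in roster}
    raise ValueError(f"unknown review type: {review_type}")
```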

Feedback

The Pull decides which accounts need to be shown to the Reviewer; the accounts that require review make up the Feedback. Each such account is a unique Feedback item.

AR Portal

The Account Review has a dedicated Portal where Reviewers need to log in and perform the account review. This portal is segregated from the rest of eramba.

You can enable the portal at System / Settings / Authentication.