Compliance Suite 2024 - Release Wave 2

Feature Description

Segregation of Duties (SoD)

In Compliance Suite you can now define which memberships of a user group will cause a segregation of duty (SoD) conflict. For this, you can create SoD definitions with a set of resources that cannot be assigned to a user simultaneously via a role. From the overview of SoD conflicts, you also get the option to regulate the allowance of a conflict. The following changes have been made in Compliance Suite to create, modify and list SoD conflicts:

  • New option - SoD Definitions in component Configuration
    To define which resources, when assigned simultaneously to a user via a role, will lead to an SoD conflict, the option SoD Definitions is now available to you.

    • Tab Summary
      Here, you enter the following general information about the SoD definition:

      Field | Description
      Name | Here, you enter a name for the SoD conflict.
      SoD Definition Id | Here, you can assign an Id to the conflict.
      Category | Here, you can assign this conflict to a predefined category or create a new category for it.
      Description | Here, you can enter a description of the conflict.
      Change Status |

    • Tab SoD Definition Resources
      Each SoD definition has a list of SoD definition resources which cannot be assigned simultaneously. On this tab you define those resources.

      If more than two SoD definition resources are defined for an SoD definition, a conflict is created for a person as soon as at least two of the resources are assigned.
      When creating a new SoD definition resource or when clicking on the name of an existing one, you open the view SoD Definition Resource:

      Here, you define the resource in detail. You can provide the following information:

      Field | Description
      SoD Definition | Shows the name of the SoD definition for which you are about to define the resources.
      SoD Definition Resource Id | Here, you can assign an Id to the resource.
      Description | Here, you can enter a description of the resource.
      Category | Here, you can assign this resource to a predefined category or create a new category for it.
      Assignment Type |
      User Group (example) | Depending on the chosen assignment type, the respective field is added here. In this field, you define the details for the chosen assignment type, for example the user group that will create a conflict when assigned simultaneously with another user group defined here.

      Creating, deleting, activating or deactivating a resource changes the field Change Status of the SoD definition to Changes ready to publish.
  • The information on the view Person has been extended to show SoD conflicts information.

    • New provisioning status - SoD Conflict - on the tab Groups for a person
      If the person receives a role that causes an SoD conflict, it is communicated on tab Groups > table User Groups > in column Provisioning Status. For this, the status SoD Conflict has been added.

      If a membership to a resource is given directly in the external system while the Provisioning Status of this membership is SOD Conflict, CCS removes that membership to the resource. Thus, the provisioning status is set to Synchronized. Under SOD Investigation, then to Removing and finally to SOD Conflict.
    • New tab SoD Conflicts
      As soon as an SoD conflict is created for a person, the tab SoD Conflicts is added, showing the number of conflicts that have been created.

      Clicking on the name of the SoD conflict here opens the details of this SoD conflict.

  • New option - SoD Conflicts in component Manage
    Here, you can find a list of all created conflicts together with their timestamps.

  • New view SoD Conflict
    In the list of active SoD conflicts, when clicking on the name of a conflict, you open the following view:

    • Tab Summary
      Here, you can find the following information:

      Field | Description
      Name | Shows the name of the SoD conflict.
      SoD Definition | Shows the name of the SoD definition whose resources are the reason for the conflict.
      Person | Shows the name of the person whose role assignments caused the conflict.
      SoD Conflict Id | Here, you can assign an Id to the conflict.
      Description | Shows the description of the conflict.
      Category | Shows the category of the conflict.
      Change Status |

    • Tab SoD Conflict Memberships
      Every membership for which a conflict exists for the person is listed here.

  • New view SoD Definition Membership
    In the list of SoD conflict memberships, when clicking on the name of a definition membership, you open the following view:

    Here, you can find the following information:

    Field | Description
    Name | Name of the SoD definition membership.
    Membership | Name of the membership for which a conflict exists for the person.
    Internal Resource Id | Automatically filled.
    SoD Conflict | Name of the SoD conflict.
    Allowed |
    Comment | Here, you enter your justification for the chosen allowance status.
    Reject / Allow Comment | Depending on the chosen allowance status, the content of field Comment is then copied into field Reject Comment or Allow Comment.

When the field Change Status is changed from status Changes ready to publish to All changes published, recalculations are performed:
  • For SoD Definitions
    The recalculation is performed for all persons who have an SoD conflict due to the respective SoD definition.

  • For SoD Conflicts
    The recalculation is only performed for the respective person.

The new SoD conflict calculation can handle the following use cases:

  • Assign resources via roles

  • Change the allowance for a membership

  • Membership to the resource is assigned directly in the external system while the membership in CCS is in provisioning status SoD Conflict

  • A resource is assigned to a person in an external system first, but the resource is included in an SoD definition

  • A person is deactivated
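
The rule described above (a conflict exists as soon as a person holds at least two resources of one SoD definition) can be illustrated with a short sketch. This is an added example, not Compliance Suite code; the data model, role names, user groups and Ids are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data: every role, user group and Id is hypothetical.
ROLE_GROUPS = {
    "AP Clerk": {"grp-invoice-create"},
    "AP Approver": {"grp-invoice-approve"},
    "Treasury": {"grp-payment-release", "grp-bank-admin"},
    "Helpdesk": {"grp-password-reset"},
}
SOD_DEFINITIONS = {  # SoD Definition Id -> SoD definition resources
    "SOD-001": {"grp-invoice-create", "grp-invoice-approve", "grp-payment-release"},
    "SOD-002": {"grp-bank-admin", "grp-payment-release"},
}
PERSON_ROLES = {
    "alice": ["AP Clerk", "Helpdesk"],
    "bob": ["AP Clerk", "AP Approver"],
    "carol": ["Treasury"],
}


def memberships_by_group(roles, role_groups):
    """Map each user group a person receives to the roles that grant it."""
    granted = defaultdict(list)
    for role in roles:
        for group in sorted(role_groups.get(role, ())):
            granted[group].append(role)
    return granted


def find_sod_conflicts(person_roles, role_groups, definitions):
    """Return {person: {definition Id: {group: [granting roles]}}}."""
    conflicts = {}
    for person, roles in person_roles.items():
        granted = memberships_by_group(roles, role_groups)
        for sod_id, resources in definitions.items():
            held = sorted(resources & set(granted))
            # Conflict as soon as two resources of one definition are held,
            # even when the definition lists more than two.
            if len(held) >= 2:
                conflicts.setdefault(person, {})[sod_id] = {
                    group: granted[group] for group in held
                }
    return conflicts


if __name__ == "__main__":
    found = find_sod_conflicts(PERSON_ROLES, ROLE_GROUPS, SOD_DEFINITIONS)
    for person, per_definition in found.items():
        for sod_id, groups in per_definition.items():
            print(person, sod_id, groups)
```

The result lists, per person and definition, each conflicting membership with the roles that grant it, which is the information a reviewer needs before deciding on the allowance of a membership.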

FrontDesk - set default values for fields

When defining the FrontDesk fields, you can now set a default value for all available fields. For this, the section Default value has been added to the page FrontDesk Field with the fields:

  • Default Value
    Here, you can set the value for the respective field. This value is then automatically added to this field in FrontDesk.

  • Default Value Behavior
    Here, you can define for which action the default value should be added.

    • Only Set in Create
      Sets the default value only when the person data is created.

    • Set in Update
      Sets the default value when the person data is updated.

You need to define a default value behavior, otherwise the default value is not used.

Improvements

Improvement

Description

Status of locked accounts on AD DS systems is shown in the user system identity information

Whether an identity is locked on any of its AD DS systems is now shown in the user system identity information. For this, the field Account Locked has been added.

If the person is locked, the value of this field is set to Yes. To unlock the person, you need to open the details of this person under Manager > Persons and click the button Unlock account. This will change the value of the field Account Locked to No.

The person will be unlocked on all its AD DS systems.

Additional variable for email templates

In email templates where the person template object is available, you can now also add the variable Id of a person.

This allows a customer to use the custom notification with offboarding where they need to be able to generate a link to an update definition for that person in FrontDesk.

Improved control for password definitions

A password will only be created when you specify the allowed characters for your chosen password parts. If a part does not contain the information about the allowed characters, a warning is issued.

Improved identification of users and shared mailboxes

An improvement of Microsoft Graph API properties now allows users and shared mailboxes to be better distinguished.

This prevents the following:

  • A shared mailbox that contains a first name and last name is identified as a user.

  • A user without first name and last name is identified as a shared mailbox.

CCS supports New look in Microsoft Dynamics 365

All Compliance Suite scripts have been adjusted to support the New look in Microsoft Dynamics 365.

CCS ready for .NET 8.0

Compliance Suite has been updated to .NET 8.0.

Support for email aliases in pure Entra ID

  • Ability to assign different primary and secondary email addresses when creating users in pure Entra ID.

  • Ability to update/change primary and secondary email addresses on pure Entra ID users.

  • When updating, there is the same option in relation to switching as there is for users in an AD DS system.

Fixed bugs

Summary: Deleting an auto role definition does not stop access on person

Error description: When deleting an auto role definition, auto role bindings and auto roles are disabled, but the associated access is still active. When the person is updated and a recalculation is performed, the access is then disabled.

Solution: When deleting the auto role definition, the accesses on all persons that have an auto role from the auto role definition are disabled.