SPHEREboard's Asset Review Module (ARM) is a certification and entitlement review tool used to collect feedback from asset owners.
Overview
The Asset Review Module is a tool within SPHEREboard that is used for conducting reviews and recertifications of assets in an organization. SPHEREboard administrators direct campaigns to reach out to asset owners and gather feedback about the assets they own.
This guide is aimed at the owners who have received a notification that they have assets to review. If that's you, read on!
Campaign Workflow
Your part of the campaign process generally begins with a welcome email. The email may contain a variety of information about the campaign and the assets that you need to review, but the most important part of the email is the link to SPHEREboard that it contains.
This link takes you to your review page and can be used to return to your review if you have to stop in the middle.
💡 We recommend bookmarking this link while you are in the middle of a campaign for easy access.
Throughout the campaign you may receive additional reminder emails if you have not completed all of your reviews. The interval for these reminder emails is determined by your campaign administrator, who also has the ability to CC your manager for awareness.
Once you have completed your reviews, the campaign administrator can take action based on your valuable feedback.
My Pending Reviews
When accessing your review page for the first time you will see a card titled "My Pending Reviews". This card will show a list of assets that you have been identified as owning.
Many campaigns focus on a single type of asset (server, group, account, application, etc.) but it is possible to be assigned assets of varying types to review. Switch between tabs at the top of the card to view each asset assigned to you based on asset type.
Start reviewing an asset by selecting either Accept if you believe you are the correct owner or Deny if you do not think you are the correct owner of this asset.
If you select Deny, you have the opportunity to provide a more suitable owner if you know one.
If you don't know who the owner should be, click "No" and the campaign administrator will be responsible for finding a more suitable owner.
If you click Accept you will be able to start the review process. The review process is customizable and may differ between asset types. We've outlined the available review steps below.
🗒️ Note
It is possible for your campaign administrator to disable the ownership confirmation step if ownership is being maintained outside of the campaign. In this case the first column in the card will have a Review button that allows you to jump straight into the review.
My Completed Reviews
The My Completed Reviews card displays the list of assets that you have completed reviewing.
If you have completed a review and realize that you made a mistake you can select the checkbox next to the asset and click the "Reset Assets" button. This will allow you to restart your review of the asset from the beginning.
Review Steps
Each campaign can be customized by the campaign administrator depending on the feedback they require from owners. Below we've outlined the available steps that you might encounter while completing a review.
Asset Retire/Keep
The Retire/Keep step is generally one of the first steps of an asset review.
If you select "Retire" you will receive a second prompt asking you to confirm that the asset should be retired.
Clicking "Yes" will mark the asset for retirement and complete your review. Your campaign administrator will be able to take the next steps to decommission the asset based on your company policies.
If the asset should not be retired, select "Keep". This will take you to the next step in your review process.
Access Review
The Access Review step allows you to certify the users who should have access to your asset. This step will only apply to some assets and the contents will vary depending on asset type.
Collections
When reviewing access to a collection you will receive a list of users who currently have access and the level of access that they have.
Best practice for provisioning access to collections is to create two groups of users: those that only require read access, and those that require modify access. The access review page allows you to select which users should have which permission, and remove users who should not have any access.
If your campaign administrator has configured it, you may also be able to grant additional access to users who do not currently have permission to the collection. Click the "+ Add Access" button to search for users to add to the collection.
🗒️ Note
If you see an orange banner telling you that "Data in this collection is accessible by everyone in the company", that means that there is an open access group with permission to your collection.
Your access review will not list out all of these users for you to review and SPHERE's virtual worker will automatically remove open access groups during remediation.
Groups
Access review of a group allows you to certify group membership. The page will display a list of users and give you the option to keep or remove them.
Similar to collections, your administrator can configure your review so that you can add additional users to a group if necessary by clicking on the "+Add Access" button. If you don't see this button and you think you need to add some group members, reach out to your campaign administrator.
Roles
The Access Review step for roles provides a list of users who are members of each role and allows you to review whether they should continue to be members or not.
Role access review is commonly used to certify high level access to database servers. The example above shows an end user reviewing membership of the sysadmin role on a Microsoft SQL Server instance.
Servers
Access reviews for servers allow you to certify user access to Windows and Unix servers.
For Windows, the access review page will display each user who is a member of the local Administrators group on the server. Similar to access reviews for other assets, you can select "Remove" to remove any users who should not have this access.
For Unix devices, the access review page will show all users that have access to the server. If applicable, the Access Context column will show any sudo permissions that the user may have. A user may be listed multiple times with different values in the Access Context column so that you can certify each sudo permission individually.
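The sketch below is an added illustration of why one Unix user can appear on several rows, each with its own Access Context. It is not SPHEREboard code: the simplified sudoers fragment, the user and group lists, and the row format are all constructed assumptions, and sudoers aliases are not handled.

```python
import re

# Constructed, simplified sudoers fragment (no aliases or escaped commas).
SAMPLE_SUDOERS = """\
Defaults env_reset
alice ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx, /usr/bin/journalctl
bob   ALL=(root) /usr/bin/tail /var/log/app.log
%wheel ALL=(ALL) ALL
"""
SAMPLE_USERS = ["alice", "bob", "carol", "dave"]   # constructed accounts
SAMPLE_GROUPS = {"wheel": ["carol"]}               # constructed membership

RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+?)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAGS = re.compile(r"^((?:[A-Z]+:\s*)+)(.*)$")      # e.g. "NOPASSWD: <command>"


def review_rows(sudoers, users, groups):
    """Return sorted (user, access_context) rows, one per sudo permission."""
    rows = []
    for line in sudoers.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        rule = RULE.match(line)
        if not rule:
            continue
        who = rule["who"]
        # A %group rule is expanded so each member is certified individually.
        members = groups.get(who[1:], []) if who.startswith("%") else [who]
        runas = rule["runas"] or "root"
        tag = ""
        for cmd in rule["cmds"].split(","):
            cmd = cmd.strip()
            tagged = TAGS.match(cmd)
            if tagged:  # a tag carries over to later commands in the same rule
                tag, cmd = tagged[1].strip() + " ", tagged[2]
            rows.extend((user, f"sudo ({runas}) {tag}{cmd}") for user in members)
    with_sudo = {user for user, _ in rows}
    # Users with login access but no sudo rule still get one row to certify.
    rows.extend((user, "") for user in users if user not in with_sudo)
    return sorted(rows)


if __name__ == "__main__":
    for user, context in review_rows(SAMPLE_SUDOERS, SAMPLE_USERS, SAMPLE_GROUPS):
        print(f"{user:<6} {context or '(no sudo permissions)'}")
```
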
Custom Questions
Sometimes campaign administrators will need to gather additional information from asset owners regarding their assets. The custom questions step allows them to do just that. Administrators can either create their own questions or use out of the box question packs that come with SPHEREboard.
CyberArk Question Pack
If you own an account that needs to be onboarded into CyberArk, your campaign administrator may use the CyberArk question pack to ask for more details about which safe your account should be onboarded into and whether password rotation can be enabled for the account.
Some questions only appear depending on responses to previous questions. For example, the first question is "Is there an existing safe to onboard this account into or do you need to create a new one?". If you answer "Existing", the next question will ask which existing safe should be used. If you answer "New" you will then be asked to specify a safe name and additional details such as description and platform.
🗒️ Note
When specifying a safe name be sure that it complies with CyberArk's requirements. In general, safe names should not begin with a space and should not contain the following characters: \/:*<>".|
Service Dependency Onboarding
If you have accounts which need to have their dependent accounts onboarded to CyberArk, those will show up during the Service Dependency Onboarding step. You will be asked if the dependency should be onboarded, and a few optional questions based on the type of dependency.
- Can Restart Service - Relays to CyberArk if the service should be restarted. Applies to Windows Services and IIS Application Pool dependencies.
- Task Folder - Will relay to CyberArk the folder name where the scheduled task resides. Applies to Windows Scheduled Tasks.
- Disable Automatic Management - Relays to CyberArk if the dependent account should have secret automatic management enabled or not. Applies to Windows Services, Scheduled Tasks and IIS Application Pool dependencies.
- Disable Automatic Management Reason - Relays to CyberArk the reason that the dependent account has automatic management disabled. Applies to Windows Services, Scheduled Tasks and IIS Application Pool dependencies.
Bulk Reviews
The bulk review option is meant to expedite the process for confirming ownership and retiring assets when you have many assets to review.
To begin the bulk review process
- Click the toggle on the top left of the table to Enable Bulk Grouping
- Click the “Bulk Review” button on the top right of the table to start the bulk review
To confirm ownership
- Filter and select assets using the checkboxes
- By default all assets will have "Accept" selected
- Click the “Deny” button to bulk deny ownership of those assets (you will have the opportunity to suggest a new owner in the next step)
- Click the “Continue” button once you have finished
To assign a new owner (if you deny ownership of any assets in the previous step)
- Filter and select assets using the checkboxes
- Click the “New Owner” field and search for the new owner
- Click the “Assign” button and the new owner will appear in the New Value column
- If you selected the wrong owner for any assets, you can select them and assign a different owner, or use the "Unassign" button to remove the incorrect owner
- You do not need to assign a new owner to all assets to proceed (any assets that you do not specify another owner for will be reassigned to the campaign administrator to find a more suitable owner)
- Click the “Continue” button once you have finished
To Keep or Retire an asset
- Filter and select assets using the checkboxes
- By default all assets will be kept
- Click the “Retire” action button on those you wish to retire
- Click the “Continue” button once you have finished
Review Confirmation
- This is the final step that shows everything you have updated up to this point. If all is correct, click “Confirm”. If something is not correct, click “Go Back” to make further changes.