Documentation for Access Rights Manager

Configure the recertification settings

This section describes how to configure the recertification settings in the ARM Web Client.

See Assign resources to an organizational category for details about resources that must be certified.

These settings apply globally to all data owners who manage user access to specific data resources in an organization.

See the following sections for more information.

Activate and deactivate recertification

  1. Log in to the ARM Web Client as an administrator.
  2. Configure the Recertification settings.

    1. In the left column, click Settings.
    2. In the Settings menu, select Recertification.
    3. In the calendar, select a start date to activate Recertification.

      Recertification is based on scan data from the date a data owner starts a recertification. Authorization changes made after the data owner starts the recertification are not reflected in that active recertification.

    4. (Optional) Select the End date checkbox and select an end date. Recertification is deactivated on your selected date. This is the only option to deactivate recertification. All data owners with open recertification requests will be informed by email.

      When you set an end date, choose a date after the start date + recertification period + 2 days.

    5. Click Save.

Set the recertification deadlines

  1. Log in to the ARM Web Client as an administrator.

  2. In the left column, click Recertification.

  3. Update the recertification deadlines.

    1. In the Duration field, enter the number of days that data owners have to complete the recertification process.

    2. In the Frequence field, enter a value (in months) that indicates how often data owners should repeat the recertification process.

    3. Click Save.

Activate recertifications in the Data Owner configuration

  1. Start the Configuration application.

  2. Click the Data Owner tile.

  3. Activate the recertifications for all data owners.

    1. Tag the resources (such as file server directories and Active Directory groups) as editable and activate the recertification. This process ensures that these resources display in the data owner recertification process.

    2. Select a resource and use the highlighted floating menu bar selection to activate the recertification.

Customize notification emails

Manage the frequency of email notifications

During the recertification process, email notifications are sent frequently to data owners and ARM administrators. The following graphic illustrates when emails are sent and their targeted recipients. Each email above the timeline (with an orange indicator) can be deactivated.

Adjust the content and style of the notification email

ARM provides standard templates in XML stylesheet format. The templates are located in the following directory:

OLD: %ProgramFiles%\Protected Networks\8MAN\etc\mails\Recertification
NEW: %ProgramFiles%\SolarWinds\ARM\etc\mails\Recertification

If you need to modify these templates, create the following directory: 

%ProgramData%\protected-networks.com\8MAN\cfg\mails\Recertification

When you are finished, copy the files (*.xslt and css.html) to the Recertification directory.

Adjust the templates in ProgramData. ARM primarily uses the customized templates in this location. When you update to a new ARM version, the data in ProgramFiles will be overwritten.
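
The template override procedure above, in PowerShell (an added example, not SolarWinds code). It uses only the paths listed on this page, never overwrites an existing customization, and reports which customized files differ from the shipped ones, which is worth re-checking after each ARM update.

```powershell
# Added example, not part of the ARM product. Run in an elevated session.
$ErrorActionPreference = 'Stop'

# Shipped templates: the page lists a NEW (ARM) and an OLD (8MAN) install path.
$shippedCandidates = @(
    (Join-Path $env:ProgramFiles 'SolarWinds\ARM\etc\mails\Recertification'),
    (Join-Path $env:ProgramFiles 'Protected Networks\8MAN\etc\mails\Recertification')
)
$shipped = $shippedCandidates |
    Where-Object { Test-Path -LiteralPath $_ -PathType Container } |
    Select-Object -First 1
if (-not $shipped) { throw 'No shipped Recertification template directory found.' }

# Override directory for customized templates (survives product updates).
$custom = Join-Path $env:ProgramData 'protected-networks.com\8MAN\cfg\mails\Recertification'
New-Item -ItemType Directory -Path $custom -Force | Out-Null

# Copy only the files named on the page: *.xslt and css.html.
$templates = Get-ChildItem -LiteralPath $shipped -File |
    Where-Object { $_.Extension -eq '.xslt' -or $_.Name -eq 'css.html' }

foreach ($t in $templates) {
    $target = Join-Path $custom $t.Name
    if (-not (Test-Path -LiteralPath $target)) {
        Copy-Item -LiteralPath $t.FullName -Destination $target
        "copied     $($t.Name)"
        continue
    }
    $shippedHash = (Get-FileHash -LiteralPath $t.FullName -Algorithm SHA256).Hash
    $customHash  = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
    if ($shippedHash -ne $customHash) {
        # Either your own edit, or the shipped template changed in an update.
        "differs    $($t.Name)"
    } else {
        "unchanged  $($t.Name)"
    }
}

# These templates shape the emails data owners receive, so review
# which identities hold rights on the override directory.
(Get-Acl -LiteralPath $custom).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
```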

Test the notification emails for recertification

During the recertification process, ARM sends various notification emails to targeted users. Test the notification emails—including your adjustments if necessary—before you enable recertification.

See Customize notification emails for recertification (Administrator) for more information.

  1. Log in to the ARM Web Client as an administrator.

  2. Test the notification emails.

    1. In the left column, click Settings.

    2. In the Settings menu, click Recertification Email Test.

  3. In the Recertification Email Test screen, configure the settings.

    1. In the Add emails field, enter one or more email recipients.

    2. Click the Select Language drop-down menu and select a language.

    3. Under Email notifications, send the targeted email.

      The following example shows an email notification received by a target user during the initial stage of the recertification process.

Configure the display settings

Eliminate the display of technical accounts

The recertification process is designed to check the permissions of authorized users. The following technical accounts are not displayed:

  • Creator Owner (S-1-3-0)
  • Creator-Group (S-1-3-1)
  • Creator-Owner-Server (S-1-3-2)
  • Creator group-Server (S-1-3-3)
  • All Services (S-1-5-80-0)
  • RDT (S-1-5-1)
  • Network (S-1-5-2)
  • Batch processing (S-1-5-3)
  • Interactive (S-1-5-4)
  • Domain controller (S-1-5-9)
  • Local System (S-1-5-18)
  • Local Service (S-1-5-19)
  • Network service (S-1-5-20)

Manage the display settings for resolving group memberships

Recertifications adopt the settings of the blacklist for views and reports.