Hi Michael.
We use RACF, not Top Secret, so I'm not sure it compares, but under RACF our TSO IDs are suspended after 45 days of inactivity and revoked after 90. Revoked IDs are auto-deleted from all RACF resources, datasets, and groups. That still doesn't stop the company from wanting to be more proactive, so once a quarter my company does the same as yours: sends out a list of everyone with access asking the managers to keep or remove each direct report's access. I think the only thing that makes it manageable is that our list isn't as large because of the RACF 'auto-delete after 90' feature.
In terms of Endevor access reports, you can certainly set up a batch process to execute the Top Secret Endevor access reports on a more frequent basis. Make the reports available to management. No reason to wait to have someone removed.
Finally, 300 ESI rules seems like a lot (unless that's 1 per application). It might be worth it to see if they can be made more generic. That is, you don't need a rule for ADD access, a 2nd rule for UPDATE access, and a 3rd rule for GENERATE access. Having a well-thought-out BC1TNEQU name equates / function equates table can go a long way to expediting Endevor access reviews.
Dave
------------------------------
Configuration Engineer Senior Advisor
Anthem
------------------------------
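As an added illustration of the lifecycle and review flow described in the reply above (not code from either poster or from Broadcom), this constructed script applies the 45-day suspend / 90-day revoke inactivity thresholds to a set of made-up access report rows and groups what remains into per-manager review packets, so only IDs that still need a human decision are sent out. Profile names, user IDs, managers and dates are all constructed sample values.

```python
"""Access-review helper: apply inactivity thresholds, then build manager packets."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

SUSPEND_AFTER_DAYS = 45   # inactivity threshold for suspension (from the reply)
REVOKE_AFTER_DAYS = 90    # inactivity threshold for revoke / auto-delete


@dataclass(frozen=True)
class AccessEntry:
    profile: str        # Endevor security profile the ID is permitted to
    user_id: str        # TSO user ID holding the access
    manager: str        # application manager who attests to the access
    last_activity: date # last recorded use of the ID


def lifecycle_state(entry: AccessEntry, as_of: date) -> str:
    """Classify an ID by how long it has been idle as of the report date."""
    idle_days = (as_of - entry.last_activity).days
    if idle_days >= REVOKE_AFTER_DAYS:
        return "REVOKE"
    if idle_days >= SUSPEND_AFTER_DAYS:
        return "SUSPEND"
    return "ACTIVE"


def build_review_packets(entries, as_of: date) -> dict:
    """Per-manager list of (profile, user_id, state) still needing a keep/remove call.

    Revoked IDs are dropped: under the policy described they are auto-deleted,
    so there is nothing left for the manager to decide.
    """
    packets = defaultdict(list)
    for entry in entries:
        state = lifecycle_state(entry, as_of)
        if state == "REVOKE":
            continue
        packets[entry.manager].append((entry.profile, entry.user_id, state))
    return {manager: sorted(rows) for manager, rows in packets.items()}


# Constructed sample report rows; not taken from any real system.
AS_OF = date(2020, 8, 14)
SAMPLE = [
    AccessEntry("PAYROLL", "TSOU001", "mgr.a", date(2020, 8, 1)),   # 13 days idle
    AccessEntry("PAYROLL", "TSOU002", "mgr.a", date(2020, 6, 20)),  # 55 days idle
    AccessEntry("CLAIMS",  "TSOU003", "mgr.b", date(2020, 4, 1)),   # 135 days idle
    AccessEntry("CLAIMS",  "TSOU004", "mgr.b", date(2020, 8, 10)),  # 4 days idle
]

if __name__ == "__main__":
    for manager, rows in build_review_packets(SAMPLE, AS_OF).items():
        print(manager)
        for profile, user_id, state in rows:
            print(f"  {profile:<10}{user_id:<10}{state}")
```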
Original Message:
Sent: 08-14-2020 03:44 PM
From: Michael Grabski
Subject: Endevor Access Reviews
I am reaching out to the community to see how others are handling their Endevor access reviews. As part of an audit control, we are performing them semi-annually. The current process, however, is very labor- and administration-intensive. Our security team runs Top Secret reports on all the Endevor profiles (approximately 300). These reports are sent out to the application managers of those profiles to review and determine whether the IDs associated with those profiles are appropriate or not. A spreadsheet is used to track when the reports were forwarded for review and when they are returned. Deletes are processed based on those replies by the security group managing Top Secret. IDs are suspended for 30 days and then deleted.
Is there a more automated means within Endevor to produce access reports, or has someone developed a process integrating with Endevor or Top Secret that could simplify this review process?
Thank you,
Michael S. Grabski
Information Technology Services | Production Compliance & Controls
msgrabski@comerica.com
Office – 248-371-4297
Cell – 313-204-9282