Mover Testing
- 02 May 2024
- 3 Minutes to read
- Contributors
- Print
- DarkLight
- PDF
Mover Testing
- Updated on 02 May 2024
- 3 Minutes to read
- Contributors
- Print
- DarkLight
- PDF
Article Summary
Share feedback
Thanks for sharing your feedback!
This article will help you test and verify the proper Mover process in Clarity.
Testing
We recommend replicating the process you currently utilize for cases where users move and their access is changed, but limited to a specific role to begin with. Most often, these events are triggered through changes in your Source(s) of Truth.
Report
You can run the State of Access Report, to get a snapshot of the access the Identity has before the mover process.
Head to the Reports section, then load the State of Access report and filter to your Identity.
Verify your Identity Modified Workflow
Confirm in Clarity, that the workflow for Identity Modified is configured as expected. The image below shows the options available when a role change has been detected. You can choose to remove all access that doesn't overlap with the new role immediately, never, or a custom number of days.
Verification
You can confirm that the workflow was successful in a few different ways.
Clarity Identity Page
Loading the specific Identity the tests were run with, you can check the Applications and Entitlements tabs to verify what Apps and Entitlements they currently have access to. You can also check the Audit Log tab to view changes to this Identity. These views can be compared against the State of Access report to see changes.
:::
Note
The Clarity Service User Identifier in the Applications tab, or the numbers at the end of the URL in your address within an Identity can be used to filter your reports (50856 in the image below)!
State of Access Report
In the Reports section, you can run the State of Access Report again for an updated Date and Time will give you another point-in-time overview of the application(s) you are validating.
Audit Log Report
To access, navigate to the Report section of Clarity, then open the Workflow Audit Logs report, and finally search using the Identity ID of the particular user. You will want to filter this report to the correct workflow for your termination event, and use the context options to find your particular user. You can paste the Identity ID found in the URL address bar when you load an identity.
https://demo.claritysecurity.io/identity/50856
# Example Clarity Identity URL
# 50856 is the Identity ID for this Clarity Identity
Verify in your Applications Downstream
Compare the access provided by each of the roles, the role the Identity is starting in, and the new role in the relevant application(s). When an Identity triggers a Mover workflow, Clarity will compare the 2 Roles and their access. Clarity will grant any new access the Identity should have in the new role.
By default, access from the previous Role is retained during these events, but you can configure these to be removed immediately, or after a set time period.
Note
If configured to remove immediately or after a custom number of days, Clarity will only perform that desired action against entitlements associated with the Identity that are of the Grant Type: role. Clarity will not remove exceptions (Grant Type: exception) as part of the Mover workflow process.
Check out this article's section on Grant Type:
What is a Role?
Need Help?
If you have any problems, contact your customer success team. You can also get in touch with our general support via email, open a support ticket. Our general support team is available Monday - Friday from 8:00 AM - 6:30 PM CST.
Was this article helpful?
