Feedback Ideas

Your Voice Matters: Share Your Thoughts and Help Us Enhance Your Experience!

Trending
  1. Support Time-based Access for Privileged Identity Management

    In Privileged Identity Management, elevated rights are typically granted on a temporary basis (e.g., 8 hours). NIM should have native functionality to support this directly. While some target systems offer time-bound permissions, a centralized approach within NIM would provide greater control and consistency. This perhaps is related to https://feedback.nimsuite.com/b/5v84550g/feature-ideas/workflows

    Mike Sheldon
    #Output ↔️ #Governance 🛡️

    0

  2. Workflows

    A proposed enhancement to the product is the introduction of workflows, allowing requests to be reviewed and approved by designated reviewers before proceeding. This would be particularly beneficial in scenarios such as application access requests or provisioning processes, ensuring oversight and compliance.

    How Workflows Would Improve the Product

    - Approval Mechanism – When a user submits a request (e.g., access to an application or a provisioning action), it enters a workflow where assigned reviewers must approve or reject it before execution.
    - Role-Based Reviewers – Approval requests could be routed to specific individuals based on their roles (e.g., managers, security officers, or compliance teams).
    - Multi-Step Approvals – Workflows could support multi-tiered approvals where different stakeholders must review a request at various stages.
    - Audit and Compliance – Each approval or rejection would be logged, providing a clear audit trail for governance and regulatory requirements.

    Example Use Case

    A user requests access to an HR application. Instead of immediate access, the request follows this workflow:

    - Step 1: The user's manager reviews and approves the request.
    - Step 2: If approved, the HR department reviews and grants final approval.
    - Step 3: Upon approval, the provisioning process assigns the necessary permissions automatically.

    By incorporating workflows, the product enhances security, ensures compliance, and streamlines access management while preventing unauthorized changes.

    Mike Sheldon
    #Apps 🪟 #Processing ⚙️ #Governance 🛡️

    0

  3. Certification Functionality (User Access Reviews/Attestation)

    Proposed Feature

    Ability to (re)certify access to security/resources via manager, owner(s), users. The following would be some basic requirements of the functionality:

    - Ability to categorize resources
    - Ability to set/retrieve owners and reviewers for a resource
    - Owner/Manager based review, with confirmation tracking (view and submission)
    - Remediation steps (Report or Automatic Remediation)
    - Ability to create scheduled campaigns
    - Option for failback reviewer

    Usage

    - Review via NIM App
    - Notification via Email

    Mike Sheldon
    #Apps 🪟 #Output ↔️ #Governance 🛡️

    0

  4. Attribute-based Role Mining

    Currently, Role Mining in NIM evaluates groups in a target system (e.g., Active Directory, Google Workspace) and compares them to existing roles in the Role Model. However, NIM should also support attribute-based Role Mining, allowing administrators to analyze existing permissions based on user attributes such as title, department, and company. For example, an administrator could identify all users with a common attribute (e.g., Department = Human Resources) and assess how many have a specific group or permission. This insight would then enable the administrator to automatically create a role based on the observed patterns, streamlining role definition and ensuring alignment with business structures.

    Mike Sheldon
    #Output ↔️ #Governance 🛡️

    0

  5. Column Lock and/or Guards

    There are cases where a CSV or API response causes additional columns to be added to a system table. In cases where the header row isn't included, it could be the data row that becomes the column names. (Attached Example)

    To solve this, NIM should implement the following:

    - Ability to lock columns for a system table
    - Ability to set guards, much like the data row guards we have today, but for columns

    Mike Sheldon
    #Systems 🛢️

    0

  6. Concur SAP

    Create connector for Concur SAP

    Mike Sheldon
    #Integrations 🔗

    0

  7. Reconciliation

    Provide the ability to reconcile permissions, NHI (Non-Human Identities), roles, and memberships that fall outside of automation.

    Basic functionality would include the following:

    - Detects excessive or unauthorized permissions by comparing actual entitlements with the role model.
    - Revokes unauthorized permissions or flags them for review.
    - Enables administrators to grant temporary exceptions with expiration policies.

    Mike Sheldon
    #Output ↔️ #Governance 🛡️

    0

  8. Send email when threshold is hit

    Many clients want to be notified when their thresholds are hit for the source and target systems. However, the only means of notifying them is by triggering an email on the error state of a sync. There is no distinct "threshold reached" event that we can trigger on, which makes our notifications more vague than they ought to be. It would be great to have such an event that we could use to trigger an email notification.

    Steve M
    #Systems 🛢️ #General 🔩 #Events ⚡

    2

  9. Allow filter lookups against other filters

    Use Case: Define a filter that returns all Active Employees. Now, for the corresponding 'Inactive Employee AD Accounts' filter, instead of defining the inverse of all the Active conditions, just target all the relevant accounts (i.e., AD, EmployeeType == Employee, etc.). Add a Lookup Exclude against the 'Active Employee' filter using the EmployeeID named, with the Lookup named 'Inactive Employee Accounts'. This functionality would allow us to more quickly implement filters that have both a set of Grant and Revoke criteria that are just the inverse of each other.

    Mike Sheldon
    #Processing ⚙️

    1

  10. Ability to Schedule Configuration Backups

    To protect NIM configuration natively, we should provide the ability to schedule automatic backups. This is beneficial when there are multiple NIM Administrators making configuration changes who often forget to back up their configuration.

    Mike Sheldon
    #Configuration 🔧 #Scheduler 📆

    1

  11. App Dashboard Customization

    The ability to categorize apps in the interface would be helpful. Also, the ability for users to favorite an app so it always shows at the top would be helpful as well. E.g. local IT always does app X and rather than searching for it each time as we make new apps available it would always show up at the beginning of the available apps.

    Adam P
    #Apps 🪟 #General 🔩

    0

  12. Junior/Light Admin Access

    NIM currently supports only two access levels: FULL or APPS-only. It would be helpful to have an "admin light" security level for junior admins to manage existing source syncs and run existing schedules/jobs when needed, but not be able to make changes to role model, mappings, filters, or what-have-you.

    fe
    #General 🔩

    1

  13. Segregation of Duties/Toxic Roles

    A key concept within the Role Model is implementing Segregation of Duties (SoD) or preventing Toxic Role Combinations to enhance security and compliance. This feature would ensure that conflicting roles are not assigned to the same individual, reducing the risk of fraud or misuse of privileges.

    Possible Implementation Approaches:

    - Defining Conflicting Roles – Explicitly specify roles that cannot be held by the same user. Example: If your Role Model includes three roles—Employee, HR, and Payroll—you could define a rule stating that members of the HR role cannot also be assigned the Payroll role. This prevents HR employees from processing payroll, reducing the risk of internal fraud.
    - Defining Conflicting Target Resource – Explicitly specify target resources that cannot be held by the same user. Example: In financial workflows, a system could enforce a rule that the person approving payments cannot also be responsible for issuing checks, ensuring a proper checks-and-balances system.

    By enforcing these restrictions, the Role Model ensures accountability and minimizes security risks associated with excessive or conflicting permissions.

    Mike Sheldon
    #Output ↔️ #Governance 🛡️

    0

  14. Only send evaluation report if there are changes to be made

    It's no fun getting evaluation reports every hour that show zero changes to be made. An option to only send evaluation reports when there are changes to be made in the target systems would be nice.

    Steve M

    1

  15. Cloud Hosted

    Some organizations want to be fully hosted in the cloud for various reasons. Providing a hosted solution for NIM could be beneficial to these organizations.

    Mike Sheldon
    #General 🔩

    0