Feedback Ideas

NIM currently supports only two access levels: FULL or APPS-only. It would be helpful to have an "admin light" security level for junior admins to manage existing source syncs and run existing schedules/jobs when needed, but not be able to make changes to role model, mappings, filters, or what-have-you.

If Roles could be tagged with a Type, then when scheduled, rather than just selecting groupMembership -> target it could be groupMembership ->target to only run the specific tagged roles for that target. This could allow separation of Role concerns (e.g. Students roles not running Employee roles).

In Privileged Identity Management, elevated rights are typically granted on a temporary basis (e.g., 8 hours). NIM should have native functionality to support this directly. While some target systems offer time-bound permissions, a centralized approach within NIM would provide greater control and consistency. This perhaps is related to https://feedback.nimsuite.com/b/5v84550g/feature-ideas/workflows

Password Reset module of NIM provides a multitude of possibilities but it's prime function is Account recovery via password reset. Previously SSRPM provide a landing page for multiple options (Enroll, Reset Password, Unlock, Manage Attributes, Lookup Username) NIM should provide an option to have a landing page that can provide options for different Password Reset profiles (e.g. Reset Password, Unlock Only). This provides a simple point of entry. Expansion on this is to allow only certain hostnames to be allowed. For example if my nim host name is "nim.domain.com", I maybe want to have password reset point to "reset.domain.com". This would mean then if I go to "reset.domain.com" I would land on the dashboard page to select my option.

Maybe a check-out system or something, but the ability to lock a filter, app, etc. while it's being edited by another admin so that multiple people aren't simultaneously editing the same data. Should also have the ability to display who has it checked out.

When making adjustments to data being collected for a system, it would be handy if you could just collect that individual table. For example, if you adjust attributes for the Users table in AD, it would be nice to not have to collect all AD data again, but rather have the option to just collect the Users data.

Currently, we can upload a CSV file to create and populate a new lookup table. But in the event that we have an existing lookup table, and want to add more data to it, we have no option to bulk upload data to that existing table. It must be done by hand, or a new table (or new version of the table) must be created. It would be great to have an "import data" option for lookup tables.

The ability to do an if/else would greatly simplify some processing arcs. Example: All staff gets X group, unless they fit specific parameters, in which case they get Y group. It could be done as part of the role, by adding a "does not meet" option where one role is positive, and if negative is processed differently. The situations we run into are not cut and dried enough to do a full processing filter for both situations, we always wind up with duplicates due to requirements. Our primary reason we have needed this in the past is for our licensing groups for different vendors which do not do the "best offered applied" and instead use a "first applied" model. Right now we are using SQL queries to add a field into our personnel sources.

Should have the ability to write to a Google sheet like it does with creating a csv export

There are times where there are issues with importing data from a system and there's currently no way to halt the import process. E.g. when an import is too taxing on a target system as it's experiencing other issues.

when I configure a system eg google, you can then pull parts of google eg delegates, users etc. some need syncing more often then others. Some take a long time. Being able to exclude or control these more granular could be advantageous.

Use Case: Define a filter that returns all Active Employees. Now, for the corresponding 'Inactive Employee AD Accounts' filter, instead of defining the inverse of all the Active conditions, just target all the relevant accounts (ie: AD, EmployeeType == Employee, etc). Add a Lookup Exclude against the 'Active Employee' filter using the EmployeeID named, with the Lookup named 'Inactive Employee Accounts'. This functionality would allow us to more quickly implement filters that have both a set of Grant and Revoke criteria that are just inverse of each other.

A proposed enhancement to the product is the introduction of workflows, allowing requests to be reviewed and approved by designated reviewers before proceeding. This would be particularly beneficial in scenarios such as application access requests or provisioning processes, ensuring oversight and compliance. How Workflows Would Improve the Product Approval Mechanism – When a user submits a request (e.g., access to an application or a provisioning action), it enters a workflow where assigned reviewers must approve or reject it before execution. Role-Based Reviewers – Approval requests could be routed to specific individuals based on their roles (e.g., managers, security officers, or compliance teams). Multi-Step Approvals – Workflows could support multi-tiered approvals where different stakeholders must review a request at various stages. Audit and Compliance – Each approval or rejection would be logged, providing a clear audit trail for governance and regulatory requirements. Example Use Case A user requests access to an HR application. Instead of immediate access, the request follows this workflow: Step 1: The user's manager reviews and approves the request.Step 2: If approved, the HR department reviews and grants final approval.Step 3: Upon approval, the provisioning process assigns the necessary permissions automatically. By incorporating workflows, the product enhances security, ensures compliance, and streamlines access management while preventing unauthorized changes.

The ability to categorize apps in the interface would be helpful. Also, the ability for users to favorite an app so it always shows at the top would be helpful as well. E.g. local IT always does app X and rather than searching for it each time as we make new apps available it would always show up at the beginning of the available apps.

To protect NIM configuration natively, we should provide the ability to schedule automatically backups. This is beneficial when there are multiple NIM Administrators making configuration changes and often forget to back up their configuration.