Feedback Ideas

When a session is about to expire, there is no way to extend your session. You are simply told to save your work, and then you must log back in after your session expires, regardless of what you are doing. If you are actively working on something, this is rather disruptive. Instead, it would be good to either A.) trigger session expiration only after a period of inactivity, or B.) allow users to click a button to extend their session and continue working.

This has been asked/requested by a few, so building a feedback item here for further input and research. Why it matters: Some laws and standards (like HIPAA for healthcare or PCI-DSS for payment systems) say you must encrypt personal or sensitive data to keep it safe from hackers or leaks.Encrypting inside NIM: You should be able to choose specific fields in your system tables (like passwords or SSN) and encrypt them using a key that only NIM admin controls. This keeps the data safe even if someone gets access to the database.Encrypting exported data: If you export data from NIM (for reports, backups, or sharing with partners), allow the file to be encrypted using an admin-provided key. That way, the data stays protected even outside the system. Recommendations per industry standards Use secure connections: Always send data over HTTPS with the latest version of TLS (like TLS 1.2 or 1.3). This keeps the data encrypted while it’s traveling.Strong encryption: Use trusted methods like AES-256 (for encrypting data) and RSA (for sharing keys securely). These are widely accepted and hard to break.Protect your keys: Store encryption keys in secure places like a key vault or hardware security module. Rotate them regularly and limit who can access them.Verify the data: Add digital signatures or checksums so the receiving system can confirm the data wasn’t changed or tampered with.Follow the rules: Make sure you’re meeting standards like GDPR (for privacy), NIST (for government systems), or ISO 27001 (for general security). These help you stay compliant and avoid fines

There would be some potential benefit in having an Admin Dashboard when you login to the NIM Studio. Essentially providing an overall health status for the service. Here are some key items you would see System/Filters/Jobs/Scheduler StatusesLicense StatusBackup StatusConnector/Service UpdatesConfiguration RecommendationsRecent Error logs Attached is a concept of the information that could be presented

Organizations need the option brand NIM to help users know they are in the right place. Apps currently give you a level of that today but it needs to be expanded. The following elements should be considered. Change logo in the top right of AppsChange log on login pageAbility to turn on/off "I forgot my password" link on login pageOption to change "I forgot my password" link on login page.Ability to add custom text to the login page (markdown support)Option to change label and placeholder text for field on login pageOption to change background for login page

Use Case: Define a filter that returns all Active Employees. Now, for the corresponding 'Inactive Employee AD Accounts' filter, instead of defining the inverse of all the Active conditions, just target all the relevant accounts (ie: AD, EmployeeType == Employee, etc). Add a Lookup Exclude against the 'Active Employee' filter using the EmployeeID named, with the Lookup named 'Inactive Employee Accounts'. This functionality would allow us to more quickly implement filters that have both a set of Grant and Revoke criteria that are just inverse of each other.

If I make a custom column spec, it shows in the filter view. If I hit delete on the filter view because I dont need it in view it deleted the custom spec I made. All my Java efforts are then deleted unless I am missing something.

NIM currently supports only two access levels: FULL or APPS-only. It would be helpful to have an "admin light" security level for junior admins to manage existing source syncs and run existing schedules/jobs when needed, but not be able to make changes to role model, mappings, filters, or what-have-you.

A proposed enhancement to the product is the introduction of workflows, allowing requests to be reviewed and approved by designated reviewers before proceeding. This would be particularly beneficial in scenarios such as application access requests or provisioning processes, ensuring oversight and compliance. How Workflows Would Improve the Product Approval Mechanism – When a user submits a request (e.g., access to an application or a provisioning action), it enters a workflow where assigned reviewers must approve or reject it before execution. Role-Based Reviewers – Approval requests could be routed to specific individuals based on their roles (e.g., managers, security officers, or compliance teams). Multi-Step Approvals – Workflows could support multi-tiered approvals where different stakeholders must review a request at various stages. Audit and Compliance – Each approval or rejection would be logged, providing a clear audit trail for governance and regulatory requirements. Example Use Case A user requests access to an HR application. Instead of immediate access, the request follows this workflow: Step 1: The user's manager reviews and approves the request.Step 2: If approved, the HR department reviews and grants final approval.Step 3: Upon approval, the provisioning process assigns the necessary permissions automatically. By incorporating workflows, the product enhances security, ensures compliance, and streamlines access management while preventing unauthorized changes.

If Roles could be tagged with a Type, then when scheduled, rather than just selecting groupMembership -> target it could be groupMembership ->target to only run the specific tagged roles for that target. This could allow separation of Role concerns (e.g. Students roles not running Employee roles).

Currently, you have to export all columns that are turned on in a filter. This prevents you from using ordering on data that you don't want in the export. There should be an option to select which columns that are present in the filter that we want to export in the scheduler's export and multi-export options.

To protect NIM configuration natively, we should provide the ability to schedule automatically backups. This is beneficial when there are multiple NIM Administrators making configuration changes and often forget to back up their configuration.

It's no fun getting evaluation reports every hour that show zero changes to be made. An option to only send evaluation reports when there are changes to be made in the target systems would be nice.

In Privileged Identity Management, elevated rights are typically granted on a temporary basis (e.g., 8 hours). NIM should have native functionality to support this directly. While some target systems offer time-bound permissions, a centralized approach within NIM would provide greater control and consistency. This perhaps is related to https://feedback.nimsuite.com/b/5v84550g/feature-ideas/workflows

A key concept within the Role Model is implementing Segregation of Duties (SoD) or preventing Toxic Role Combinations to enhance security and compliance. This feature would ensure that conflicting roles are not assigned to the same individual, reducing the risk of fraud or misuse of privileges. Possible Implementation Approaches: Defining Conflicting Roles – Explicitly specify roles that cannot be held by the same user. Example: If your Role Model includes three roles—Employee, HR, and Payroll—you could define a rule stating that members of the HR role cannot also be assigned the Payroll role. This prevents HR employees from processing payroll, reducing the risk of internal fraud.Defining Conflicting Target Resource – Explicitly specify target resources that cannot be held by the same user. Example: In financial workflows, a system could enforce a rule that the person approving payments cannot also be responsible for issuing checks, ensuring a proper checks-and-balances system. By enforcing these restrictions, the Role Model ensures accountability and minimizes security risks associated with excessive or conflicting permissions.

Currently NIM does not use the data types and keys from the connector. To simplify the process in adding an new system this should be automatically loaded and used. Additionally it would be beneficial if relations would be defined and used in the connector too.