Least Privilege Check (LPC)
Overview
- This module can be used to make Mendix Applications more secure and aligned with business by automatically removing High Privileged Roles from Inactive Users.
- Administrator can define the Inactivity offset period and schedule period. Also, it can be configured if this Module to be set auto running or Manual.
- It is very useful in Applications containing continues involvement of Certain roles and in Applications where very less interaction involved.
Documentation
Typical usage scenario
Applications containing business flows which required continues involvement of Users with High Privilege Roles. It could be easily identified if high privileged user is inactive for Long Time. If yes, then such roles could be removed.
E.g., Application has 5 Administrators who can access all Business and Technical Information. Out of 5, two Administrators has not accessed the application from defined time. Then, this module will automatically remove Administrator role and set default role with less access I application. This way, application will be made more secure and another is, inactivity can would be identified to re-align the Administrators or process.
Features
- Application users with access rights and inactive for defined time can be identified and their roles with High Access can be removed.
- Administrator can define the offset time to check the inactivity.
- Administrator can define Schedule period/Window period before removing the roles.
- Automatic Process can be turned on/off from Module (Scheduled event must be turned on).
Dependencies
Requires Mendix Version 9.1.1 or above.
Configuration
- Add Microflow “ASU_LPC_Configuration_Create” to After Start-Up microflow in app settings.
- Use page “LeastPrivilegeCheck_Configuration_Overview” or create a new page of your choice and add Snippet “SNIP_LeastPrivilegeCheck_Overview” to it. This page is used to manage all configurations and resources related to this module.
- Configure the LPC Module by adding values in InactiveForDays, ScheduleForDays and setting IsAutoProccessOn.
- Select the Privileged Roles and default roles and save the configuration.
- When user with Privileged Roles, is Inactive for “InactiveForDays” then defined privileged roles will be removed after “ScheduleForDays”. If there are any other roles apart from Privileged roles and default roles, then only such roles will be set to User else default roles will be assigned.