Feature - Automated Account Reviews (end of April)

We have feature built but not attached to eramba that help us with the daunting task of account reviews. We address two types of reviews:

  • Regular Account Review: The goal is to ensure accounts that have been created are still required by asking someone to review them regularly.

  • Exit Reviews: The goal is to know if employees that left the organization still have accounts on systems and directories.

The draft document that explain how this works and will be designed is here: https://docs.google.com/document/d/1yqpdu631gkBuea1KDiUm4HDpYC6P8p3WiYfV1NpmTlA/edit#

This feature will be launched in late September.


Just dropping in to say I’m extremely excited about this feature :slight_smile:

wow. I would be unbelievably happy if you could integrate some sort of business role model. I looked for some simple business role management (like eramba for GRC management) and am now very near about setting up my own application. But hope dies last, maybe you are planning to implement something like that? I’m imagining the following:
Business roles by function (also reviewed by the application owners), delta to situation as is, flag deviations from business roles and let them review more often resp. by a superior etc. Would fit in very nicely for me :slight_smile:

Just to clarify, a business role would look like this for me:
Business Function / Role in Application A / Role in Application B / Role in Application C etc…
The roles of the applications either come from the application directly or (for non rolebased accesses) are built within the business role management: Role 1 in Application A consists of functions a, b, c, role 2 consists of b, c, d etc…

As a minimum I hope you will foresee some manual import for the accounts? We have lots of applications which are managed without ldap and where it would be difficult to get a connection.

PS: to me it’s clear that I cannot expect such a functionality from a grc application, but you’ll never know.

Hi Fabian!

I’m not sure i follow the roles functionality you describe ! But if i do i think you are looking more for an IDM (Identity and Access Management) which is a different “industry” and level of complication that for now exceeds eramba.

We have some php scripts in my company that we use to manage access to some (as you said, some applications can talk to anything) apps…the service desk analyst has a drop down with the list of business roles and once it selects one and “grants” the system pushes those permissions to all this apps automatically.

In the backend there is a matrix that describes for each business roles, what permissions should have on each application in the scope of the system. We can also grant “Exceptions”.

We have it running on custom scripts and is certanly not impossible to implement in eramba but it needs time and perhaps some funding.

Our account reviews system will work with both, LDAP and non-LDAP systems (by running scripts).

I hope this helps with a bit more clarity what we mean!


1 Like

Hi Estéban

Thanks for your answer. Of course this is another topic. I would never expect such a functionality out of the box from a GRC application.
Usually IDM are too big (in terms of costs and maintenance) for us. I’m thinking about something like you describe or even simpler, just some simple CRUD-functions in a db-based web application to replace our excel which grows bigger and bigger and is not really usable for our service desk anymore.

Great to see that also non-LDAP systems will be covered!

Yep - i have the same story, IDM solutions are insanely complicated and expensive, again, there seems to be missing a solution for mid-market companies…

ps. I’ll be in CH in the first week of August, let me know if you wont be away maybe i can stop for a coffee or two!

Any update on this feature? I would definitely use it if it were implemented!



work (design phase) has started , inputs more than welcome

FYI - I get a Google Drive error stating “You need permission” when trying to access the document.

I’m getting the permission error as well - looking forward to looking at the design document.

new link:

As a quick intro , we are thinking on the following types of reviews:

  • Snapshot: pull all accounts and check them all
  • Differential: pull all accounts, compare against the previous pull, show differences and ask for those differences to be reviewed. Pulls intervals can be 1 hour minimum (they rely on hourly cron) and that is not really good because in one hour you can add and delete the same account and eramba would not have a clue, still for many people is a huge step forward.
  • Exits: pull all accounts from a system and compare them against a list of current employees or employees that have left the organisation. If this is run every day you can monitor exits pretty much ok.

Thanks! I also have one other review idea/thought here. Would be good to have another option to review groups.

Especially if Eramba can pull from LDAP/Active Directory, would be nice to specify which groups to review, who the owner is, and allow them to attest that the correct people are in the group, or ask to have some removed if needed.

We used to do this manually/via script at a previous employer. We pulled any groups that provided administrative access to devices or systems, then sent them to the owner to validate.

(Note: This may already be the thought/intent behind the Snapshot and Differential reviews above. Just giving a thought/example as to how I’ve dealt with this in the past, and how Eramba might help).



With this approach you can check any system no matter the connecting method, you will need:

1/ script to pull members from that group and store them in a text file, the following is an example that stores all members for a group in a txt file.

ldapsearch -D “CN=Joe Ramone,OU=People,DC=corp,DC=eramba,DC=org” -w “password” -p 389 -h ad.eramba.org -b “DC=corp,DC=eramba,DC=org” -s sub “(&(objectCategory=user)(memberOf=CN=Network_Team,OU=Groups,DC=corp,DC=eramba,DC=org))” sAMAccountName | grep sAMAccountName | sed s/"sAMAccountName: "// > eramba_v2/app/tmp/network_group_accounts.txt

You will add that script in your crontab to run every hour, day whatever you want.

2/ eramba will pick up that file automatically and perform any of the three reviews (snapshot, differential, exits)

On purpose we want to stay “out” of the method used to get accounts, im sure we’ll have a nice repo of scripts you and everyone else can use.

This looks like it will be very useful for a number of my clients and far more economical than using Aveksa or Sailpoint (both of which may be helpful to you in looking to get any more inspiration for requirements).

Based on the the training class I was in a couple weeks ago and the direction of the account reviews module, there may need to be some thought given to how to handle assets. On the training call, it was said that it was a bad idea to load every single system asset (i.e. all servers, databases, etc.) into Eramba as the asset functionality was designed more to be used for high level things, perhaps at the system, category or process level (same level as the risk assessments). However, when we start getting into doing account reviews, being able to establish relationships ala a CMDB would be very beneficial at the server level (assuming there’s intent to use this for infrastructure user reviews) but also bring it right back to where Eramba is not intended to be - at that every single system level. Of course, even without the relationship information, this is still a great feature for my smaller clients.

Will the Rest API be made to work with this feature? Specifically, can systems push their user lists in via it?

makes a ton and a half of sense - yes…i’ll keep this in mind! thx!

Catching up on this area of development and I wondered if the capture of account information would include some reference to the level or type of access. Just as Eramba has groups with different types of access, so do most systems needing account reviews. If we capture accounts and ask people to review them via Eramba, how will this review reflect the level or type of access for that review? Maybe someone changed roles, and while they still need access, maybe the level of access has changed. Would that be obvious in the review tool?

nice one JGLA - very good point indeed.

i’m running your request with an example, lets assume eramba as the target system to review. eramba has:

  • user accounts (authentication)
  • users assigned to groups (authorization)

to review both, authorization and authentication i believe you’ll need to configure in this feature two reviews:

  • list of user accounts (authentication)
  • list of users per group (authorization)

if someone is in group A and gets group A and B , that will show on any of the two basic reviews (snapshot or incremental).

Not sure if this clarifies the approach (simplistic of course as anything in eramba) we have taken.

I think the easiest way to put it is that eramba has no clue about what is being pulled from the fees and what is reviewed, you could well be reviewing a firewall configuration (or its changes) instead of a list of accounts with this same feature.

appreciate the thoughts and feedbacks! really do.

Good in concept. There may be cases where a user may have multiple authorizations. It may be important for this system to be flexible to handle various forms of authorizations, whether direct user authorizations, or via groups. Also, to be able to group or batch these together for approvers to avoid too many steps in the approval process.

I’ll have to look at the possible inputs we would be using to see if there are other considerations to share, but it sounds like the right path.

Guys, thanks so much for doing this. great feature. looking forward to using this. (Paul Jose)

HI Esteban,
with the Account review module, I understand that the module will be pulling information from a CSV file. is there plans to interface with Windows AD like you have done with the Accounts module?