jenschristianschroder / jit-access-management Goto Github PK

Add capability for admin to get detailed insights of access requests made for a user.

Some ideas:

• calendar view of requests made with indication of state
• access profiles used
• most frequent time frame

If you are reading this and have additional ideas feel free to leave a comment!

Configure the charts to use the colors of the Access Request Status Reason choices

Hello,

Excellent application combining different components to solve a real problem :)

Not a big deal but there is a Notify statement when we click on a row of the Request detail list:

Add link to teams and users from relevant gallery on Shared With panel for admin to navigate to relevant record

Would be nice to be able to nudge approvers to react to approval request

Access Request Overview Page - On Granted requests, display a countdown timer indicating time until access revoked.

See #68

Add capability for users to request extension of access

Access request - "Your request has been Submitted" Feedback after click request access.

See #68

The comment field is not cleared after submitting a request

Can you implement a mechanism to enable profiles only to specific users/groups so users won't be able to see all profiles by default?

Consider including a max. count of requests a user can use an access profile per day.
Users could use the tool to have constant or very often access to the target environment. When limiting the access to e.g. 2xday, it can be used to prevent users building unmanaged solutions etc. in the target environment.

If access profile does not have approval, Grant Access flow runs twice resulting in duplicate activities created

Change the approval flow to user start approval action and wait for approval action to be able to create individual approval activities for each approver

Add more rigor to the Access Request Create Plugin to ensure that Access Request will reflect the configuration of the selected Access Profile and prevent creation of Access Requests that do not match the selected Access Profile.

Add tracing to identify outcome and involved approvers

Potentially users can create Access Requests at different stages than Requested.

This could have the effect that Access Request will jump the required process.

Generate a log of user committed change actions within the environment during the approved access session and attach to access request record.

See #68

Access request Management - Revoke button for active granted Access request.

See #68

Hello @jenschristianschroder,

We are testing the app in our environment and running into few issues.

1. User cannot see timeline for the access profiles which requires approval.
2. After approving the user request, I cannot see user added to a specific security role. I created 2 profile, 1 for Approval Administrator role and 2nd App Opener. I can see user in Approval Administrator role in PPAC (does not require approval), but i cannot see user in App Opener role(require approval).

When Admin request for the access, they can see the timeline but also the issue I found was that after the request is approved, in timeline it still says waiting for Approval and there is no green check next to it.

Hey Jens,

I have everything configured and validated. However after I approve a request I am getting an Oauth error in the Grant-Access flow. I checked that the secret and id are correct in the app.

"The provided OAuth authentication model needs to specify either the client secret or a client certificate and its corresponding password."

Let me know if I somehow missed something.

Thanks
Andrew

Add a Shared With panel for quick access to list of teams and users that an Access Profile has been shared with

Hi Jens,

Would be great if an Azure Keyvault secret could be used for the Access management Setup. Is that possible?

When setting approval type to All must approve the flow always set the outcome to reject.

Flow needs to include logic to verify response from all approvers

The Default Access Profile Lookup View is missing from the table definition.

Add functionality to run Access Profile Diagnostics

• Check Environment Details
• Check Application User
• Check Application User Security Role
• Check Access Profile Security Role Exist

Gather Access Profile custom commands into Access Profile command drop down

Hi Jens
Step 2 of the Configure Access Profile Approval Process had me looking for a few mins can I suggest editing to :

"2. Click the AccessProfile>Approval>Enable Profile button in the command bar."

Hi Jens,

Recently the shared with functionality has been failing. I am getting an error about the app registration. It appears that the http connector in the associated flow is not getting the secret. The profile is showing up for the user but when a request is made everything is in the request except for the user.

Thanks!
Andrew

Retrieve-Shared-Access.Run failed: { "error": { "code": 502, "source": "unitedstates-002.azure-apim.net", "clientRequestId": "xxxxxxxxxx-xxx-xxxx-xxxx-xxxxxxxxxxx", "message": "BadGateway", "innerError": { "error": { "code": "NoResponse", "message": "The server did not receive a response from an upstream server. Request tracking id '08585070392234518897265260702CU98'." } } } }

There is a type in the trace output of the Access Request Create Plugin

When an Access Request is created without justification for an Access Profile that requires justification, the trace says ". Selectec" rather than ". Selected"

The "Waiting for approval" activity is created from the "Access-Request-Created" cloud flow.

It should be created from the "Start-Access-Request-Approval" cloud flow.

The icon in the galleries of teams and users shows the icon when mouse pressed.

Need to set the pressedColor to transparent

Testing the JIT App I'm getting this error when running the Grant-Access flow:

Http request failed as there is an error getting AD OAuth token: 'AADSTS700016: Application with identifier 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' was not found in the directory 'Contoso'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.
Trace ID: 2d61dd77-aca3-44ff-86cc-f700e17a9901
Correlation ID: 586635ab-e714-4e16-a955-3d4c66009706
Timestamp: 2023-05-30 19:31:55Z'.

here is a screenshot of the action that failed:

could this be related to the tenant hardcoded?

Save the Approval comment(s) to timeline activity

There seems to be some issue with caching of data stored in Dataverse.

When an Access Request status reason is updated it takes some time before the change is visible in the JIT Access Request Canvas App.

This also affects the Access Request Activities on the timeline of Access Request Details panel.

Add a capability for users to be notified that Access will be revoked in x min

The Access Management Administrator Security Role is missing privileges to allow user (admins) to enable Access Profile Approvers

Access request - Related Support ticket reference number text field

See #68

Access Request - Option so request immediate access or requester can specify a start time/date for the required access window.

See #68

Add Justification column to Access Request Main and Quick Create forms

Currently all Access Profiles are shown in the New Access Request Panel including Access Profiles that are draft or inactive.

Only Access Profiles with Status Active should be shown

Hi Jens,
Some feature suggestions.

1. Access Request Overview Page - On Granted requests, display a countdown timer indicating time until access revoked.
2. Access Request - Option so request immediate access or requester can specify a start time/date for the required access window.
3. Access request - "Your request has been Submitted" Feedback after click request access.
4. Generate a log of user committed change actions within the environment during the approved access session and attach to access request record.
5. Access request - Related Support ticket reference number text field.
6. Access request Management - Revoke button for active granted Access request.

Best regards

Matt

Add Flow Run Url link to Access Request Activity for direct deep link to run details

Add sorting to the Detail List of the JIT Access Request App

The facepile on the new Access Request Panel shows "Error loading control"

The label width in the access profile gallery of the canvas application is too narrow to display the text.
Consider increasing width. Limiting the column max. string length is probably a bad idea as admins will want to give the very discriptive names.

Enable secure output on cloud flow actions that retrieve Access Management Setup to ensure sensitive data is scrubbed

The Access Profile Diagnostics feature does not check if Application User exist in target environment

After adding a new user to host environment and setting user as approver for Access Requests the user does not get any approvals in Power Automate approvals site