You can design incident automation workflows to detect, manage and resolve Access denied events.
Automation workflow design for Access denied incidents
The simplest way to plan your automation workflow is to select frequently encountered causes of Access denied events and configure the system to perform a series of actions based on the cause.
This example focuses on three frequently encountered Access denied events and includes a path for the system to take if the cause of the event is not one of these three.
The Parallel tasks activity here serves as a logical IF. The activity branch that the system takes depends on the operator's response to the dynamic user procedure. Each activity branch can be configured to perform a sequence of activities to resolve the incident as needed.
In this example, the Access denied: Access rule and Access denied: Expired credential activity branches have incident resolution steps in this automation workflow itself. The Anti-passback violation and Access denied: Other activity branches trigger another incident with its own set of recipients and user procedures to resolve the incident. This is an example of one incident as a trigger for another incident.
You can also use the Change incident type activity instead of the Trigger incident activity.
The Change incident type activity preserves the incident history which includes incident ID, aggregated entities and events, unlike the Trigger incident activity, which triggers a new incident with no history and new incident ID.
You can tweak this automation workflow and use it to manage multiple incidents as well. Each activity branch in the Parallel tasks activity can represent actions relating to a different incident.
The operator's screen for an Access denied incident
When the Access denied event occurs, the incident is triggered. The recipients of the incident, in this case the operators, can see the cause of the event in the Monitoring window in Security Desk.
The dynamic SOP in this example is configured to prompt the operator for cause of the event.
The system then executes the appropriate activity branch in the automation workflow based on the operator's selection.