Good morning or good afternoon, ladies and gentlemen, welcome to this webinar, "Ensuring Compliance Through Automation: How to Achieve, Maintain, and Document Sustainable IT Compliance". This webinar is supported by enforce and the speakers today are me, my name is Matthias ARD, I'm Senior Analyst at KuppingerCole, and I will be presenting the first part of this webinar. And in the second part, Shahar Troya, technical consultant of enforce, will join us.
And before we start, some housekeeping and some general information about KuppingerCole. As an analyst company, KuppingerCole is providing enterprise IT research, advisory services, decision support, and networking for IT professionals. And we do this through our research services, where we provide several types of documents, including our Leadership Compass documents comparing market segments, advisory notes looking at various topics, vendor reports, executive views, et cetera. We do this through our advisory services, where we provide advisory to end-user organizations and vendors.
And we do this through our events like webinars or seminars and our conferences. And our main event is the EIC, the European Identity and Cloud Conference. But this year's EIC has been held last week in Munich. And in case you've missed it, you really missed something. I highly recommend checking out our website, where some of the brilliant keynotes from the brilliant speakers are available as online videos. And apart from that, we are already preparing the Digital Finance World in Frankfurt.
This will be an event covering strategies for the developments and changes happening in financial services currently, ranging from FinTech to big data and to new business models between mobile, decentralization and the blockchain. Please consider having a look at our website for all events, using the given URL on this slide. The guidelines for this webinar: all participants are muted centrally. You don't have to mute or unmute yourself. Actually, we control the mute/unmute features.
We are recording this webinar, and the recording and the slide decks will go online soon on our website, expectedly tomorrow. There will be a Q&A session at the end of this webinar. And you as the participants can enter your questions during the presentations at any time using the questions panel of the GoToWebinar software. And please do so, so that we can start the Q&A session right away with a good set of your questions. We really encourage you adding your questions so that you get the best out of this webinar for your purposes. The agenda: it consists of three parts.
The first part will be my analyst view and an introduction into a consistent approach to maintain compliance in heterogeneous IT landscapes, from enterprise policies to policy enforcement. Then Shahar Troya from enforce will take over, and he will do a deep dive into leveraging automation to achieve an adequate level of compliance in cross-platform environments. And the third part, as already mentioned, will be the Q&A session. Each part will be approximately 20 minutes, so that we add up to a sum of some 60 minutes or below.
So that will be the agenda for today, and that's it for the housekeeping and for the introductory part. And then we start with my introduction. We will first have a look at some general terms. We will look at governance and risk, and IT governance especially, because this is the topic for today. And IT governance is actually an essential part of enterprise governance, so of an overall, overarching governance effort. And it focuses on both the processes and the organization within an enterprise or an organization.
And actually it ensures that IT is done according to the corporate strategies and objectives. So IT is really considered and understood as the implementation of business processes and the underlying organization. IT risk management is usually seen as part of IT governance. And we look, within IT risk management, at the threats and risks for enterprise information, on one hand data, and the systems themselves on the other hand.
And as I said before, IT as implementation of business processes, and the purpose is to identify and implement the right controls, measures, preventing risks, mitigating risks, to reduce the impact and the probability of a risk to an acceptable level. These are the two main terms that we are looking at today, and both are part of GRC: G for governance, R for risk, and C for compliance. And if we look at traditional GRC approaches, they are typically derived, and this is true also for modern approaches, from actually three main factors. The first are regulatory requirements.
So these are requirements that are imposed on you from the outside. You cannot actually change them when you are doing the business that you're doing. So it's, for example, compliance to SOX, or in Germany compliance to MaRisk when you run a bank, or to HIPAA when you are working with health data for your customers. So these are requirements that change, but you have to fulfill.
The second, also typically not changeable, are legal requirements, but these result, for example, from data protection laws, so that you have to make sure that you are dealing with personally identifiable information as you are supposed to. The third part that we have to look at are actually corporate policies. These are not from the outside. These are policies that result from requirements that are raised within the organization. So for example, the organization wants to make sure that intellectual property is protected appropriately, that financial information is protected,
and that executive communication, for example, is protected. But traditional GRC approaches, and we actually want to look at automation today and efficiency, typically these traditional GRC approaches are mainly considered to be cost and effort. And we do this. They usually were done for the reason to avoid penalties for non-compliance, to avoid fines in case of being not compliant or not being fully compliant. They usually were overly complex because they were overly manual. We will have an example with re-certification on the next slide, and you will understand what I mean.
They were typically highly inefficient, or at least a bit inefficient. And they were mainly reduced to some kind of tick-box approach. So we had to fulfill a lot of controls and had to make sure that they are in place and that we have evidence available for that. But once this was achieved, there was a tick box to be ticked, and that's it, which is not a sustainable approach towards GRC. So we were reactive instead of strategic, we were working to the auditor, and that was the main issue there, as in re-certification campaigns.
This is the traditional period of access governance that many organizations know. So typically it was meant to re-approve or revoke access which has been assigned to employees or to partners. And at one given time in the year, scheduled all 12 or 24 months, whenever it was required, large lists, electronically or even Excel sheets, were handed around to the line management or to the system owners or to IT, to make sure that somebody actually understands what is on the list and that they actually re-certify the individual access rights assigned to people.
And you see all the bad things to the right. I will not read that out, I will really not read that out, so that you can check it for yourselves, but typically it was really a highly manual approach with not a very large business focus.
So, and especially we were looking at full recertification, so it was a large chunk of work imposed on the people having to do the work. And this was on top of usual work. So recertification is always, yeah, a pain for those having to execute it. High cost, of course, is an issue at that point as well, because it is added to the list of tasks that people have to do. Instead of that, KuppingerCole is actually thinking that governance, risk and compliance, and IT GRC especially, should be part of the enterprise objective.
So it should be part of your strategy, and IT compliance and security should be understood as a business objective, just like any other. So if you look at this graphic, we have enterprise objectives as the main topic, and information security
and IT GRC is part of that, is as important as the business objective. So if we look at compliance, which we are looking at here today, this is an information security enterprise objective, just as important as business objectives. So we want to make sure, for example, also that there is incident notification: if incidents are happening, make sure that people are informed appropriately. And also the protection of intellectual properties are actually objectives within the organization, which are important to you just as are the traditional business objectives.
So maintaining agility, cost savings, which are business objectives, communication and collaboration within the extended enterprise, sustainability within the actual business processes and in production, and finally also innovation. So all these are different aspects, not a full and complete list, but different aspects of objectives. And the sum of that makes up the set of enterprise objectives. So how do we get to solid GRC processes? Now, we have to identify and validate the external requirements.
If you think of the image two slides before, all that is imposed on us from the outside, which is resulting from regulatory requirements, legal requirements, these we have to identify and validate whether these are relevant for us. And we have to complement that with adequate internal guidelines. And the next important step is that we have to transfer all requirements into actionable guidelines and controls. And this is something that Shahar will focus on later as well, because actually he will show us how this can be transformed into actionable guidelines and controls.
And once we have this in place, we can actually continuously assess your compliance, our compliance within an enterprise, and assessing means that we can react appropriately. That means we can communicate the result of an assessment. We can act upon the result, for example, if we have to immediately react to a result that is the result of this assessment. And the third step, of course, is documentation, providing evidence that solid GRC processes are in place. From a different angle, this might look as follows.
We have the enterprise objectives on the one hand; we have standards, legal and regulatory requirements on the other hand. This is combined into your policies and resulting in guidelines.
And once these guidelines and policies are well designed and well approved within an organization, this can lead to the adequate process regarding governance and derived IT governance, and risk management and, derived from that, the IT risk management. And this block of processes actually then represents the implementation of the policies and guidelines regarding governance and risk and IT governance and risk.
So once this is in place and we have defined our policies and guidelines well enough, we can get to a continuous achievement of our objectives and to continuous evidence for compliance. So this is actually the way that we look at the overall picture, from enterprise objectives, leading to policies, to the implementation and the achievement of the individual objectives, be they business objectives or compliance objectives. This all should be well embedded within a GRC framework. And this should, in our opinion, or might, look something like that.
We have a platform, a GRC platform, which actually provides the generic platform functions, which might be workflows and tests and communication to the individual stakeholders. We have audit management included there. And of course this also implements the actual organization,
so people who work with this platform. On top of that, we build specific GRC functionalities for business, for security, and IT functions, like continuous controls monitoring, like the implementation of mechanisms for fraud management or anti-fraud management, and the IT GRC, pardon, lots more of them that are all embedded within this GRC platform.
And overarching, there is the business GRC, which actually controls and consumes the information resulting from this GRC platform, which provides the policies and guidelines and leads to overall risk assessments and management-compatible dashboards. Once we have this system in place, what do we look for? Just to give you an impression of what systems like the enforce system that we look at later can provide, the types of information: it could look at changes in configuration, unexpectedly changed configuration. We can have a look at excessive access rights.
Once we look at the access rights assigned to individual people, we could identify dormant accounts or orphaned and abandoned accounts within an access management system. But also we can check for insecure configuration of system components. And very important: sometimes administrators maintain the system outside of the defined processes. And once this happens, this should be something that could be identified within an IT GRC system. SoD violations,
so violations to the rule of the segregation of duties, are a typical finding for an IT GRC system as well, especially when it comes to administrative accounts and their assigned access. And especially when we have access to real-time logging information, we could even identify unexpected behavior by analyzing real-time logs and get to almost near-real-time results regarding unexpected behavior.
And lots more of that; I think we can all think of more cases where IT GRC can actually also help in raising the level of security, apart from the requirements that we have in compliance and governance. So my final slide looks at how this framework can support you and how automation can assist you in efficiency and a better level of compliance. So actually efficiency is one of the most important points, and we have actually a cycle of interdependent processes, for we achieve efficiency through automation. Once we have automation in place, we have applicability,
so we can use this for many use cases. Of course, once we have this automated, we have auditability, because we can look at the documentation that is also coming into systems through automated processes. We have repeatability, so we can check whether the same results will result tomorrow as well as we had them yesterday. So we can compare them and get to an identification if we actually have what we want to achieve, which is continuous improvement.
So the main targets are, when you build up such a framework, that you support business objectives, as I've described before; to prevent risk from actually manifesting as actual threats; if this is the case, to help detect the risk when there is some threat already being deployed; to mitigate risk: once you have it identified, you can identify the right controls and actually then measure them and control them afterwards.
So after all, we can improve your which are main target, and you can provide evidence for the improved compliance. You, in the best case, even improve the IT performance, which can help you in achieving your goals more cost-effectively by monitoring continuously your system performance and your compliance, not just every 90 days or once a year, but continuously just check, have a deeper insight into your state of compliance. So in the end, you can also protect your infrastructure, and protecting your infrastructure,
if we understand it also as a part of your business, and it is, you also protect your business at that point. So that is my last slide, which was a bit theoretical. So to get more into the practical aspects, I would like to hand over to Shahar, who will give us a deeper dive into how this can look like in a real-life solution. Shahar, are you there?
Yes. Thank you very much for your introduction. My name is Shahar, from enforce company. Today I'm going to speak with you about the cross-platform compliance, about the CPC. In this slide, you can see some of our CPC customers.
Among them, you can find AIG from United States, Office Depot from Europe and ULA mean from South Africa. The CPC concept: I'm talking about capturing, sorry, talking about capturing security and system policies into templates, checking your servers against that policy, displaying deviations by log and report, fixing these deviations in order to bring them in line with compliance regulations. Okay? Auditors like this capability because they can compare the situation now against the last time the organization passed the audit.
CPC architecture: in the center, you may find the central data server, which includes Windows Server and SQL Server. On the right, you can see the CPC supports SQL Server, Oracle, Windows, Linux, and IBM i.
Most of them are agentless except the last one, the IBM i, which needs an agent. When I'm talking about CPC, I'm talking about deviation alerting, deviation reporting, authority manager, password administration, SOX, HIPAA, and of course PCI compliance. And the last one, enforce policies. CPC categories:
when you speak about AIX, Linux, Windows, and Oracle and SQL Server, I'm talking about many, many categories and many, many parameters that you can define for each platform, which of course gives you high granularity, lots of flexibility in defining the right templates to match your policy. Let's talk about AIX, for example: we have file permissions, group administrators, group members, group projects, and so on. On Linux, you have file audited, file permission, group accounts, and so on. CPC main benefits: solution for multier multi-database environment. Check for deviations, enforce policies.
Audits can check if current situation is different from previous audit. Security/IT personnel can prepare for audits. Security/IT personnel can provide the proof that controls required by regulations are in place. And of course the last one, I'm talking about taking the pain out of compliance with regulations by fully automating the process. You don't need to do anything; this process will run automatically. Okay. Now let's go directly to our real product. I'm going to open one of my enterprise security manager. This is the degree, okay.
From here, you can control all the processes on all the cross-platform server and all the auditing and so on. It's very easy to move from the server that's a repository to any server or database that we monitor. For example, if I'm talking about the central data repository, I can just click on SQL Server and define the policy from here. See how flexibility is. And it is the same for Oracle, System i, AIX and so on. Let's go back to the cross-platform server. Today I'm going to focus only on cross-platform compliance.
You have the modules here: compliance administration, change requests, compliance alerts, compliance reports. I have prepared several templates, but before, I'm going to show you how flexible we can be in selecting the parameters for defining a template.
Okay, by the way, if you can see here, all the templates that I prepared for you: on the left, you can see their signs. It means their status. When I'm talking about green, it means no deviation. When I'm talking about red, we found deviation. And the yellow one means this template has not been run yet. Let's double-click on the user accounts that I created. I gave it a name, user account. And in the template attribute, I just inserted several attributes, for example, account disabled, account expired, company and so on.
And you just need to put the values that you want to compare against the remote policy. You can click add and add more and add more and more options, which again gives you high granularity and many, many options to define. Now let's make a small example. I prepared this template named password settings. In the template attribute, I post these values and these attributes, okay: account local observation, enforce password history. Let's focus this time on minimum password length. The value that I want to be is six. Okay. So now what I'm going to do is check these values against the remote policy.
I'm going to click here on the check now button and yes, now the results are coming, and let's see if we have any deviation. We do have a deviation. We see now it's red. Now see how easy it is to see the deviations. I just need to right-click on the template, view results and view check results. Okay.
Now here, you can see all the records regarding this template. I will double-click on this one, and I found these deviations regarding minimum password length: on the remote server, the actual value is four. And in my template, I define it. So this is the problem. This is the deviation that the system found. Now let's continue with another example, power user group. Okay. Which is very interesting. I defined a group named HTML admin on my Active Directory server, and under the template attribute, I want only Jack, James, Jeff, and Jill to be part of that group. I don't want anyone else.
So now what I'm going to do is check this group. I'm going to click on check now. Yes. And I'm waiting for the results, which would come in a few seconds. We're going to receive the results from the Active Directory.
And again, we see that we have deviations. I can right-click, if you remember, here, results, view check results. And I want to see what is the deviation. I see that we do have Jack, James, Jeff, and Jim, but I also see Franklin. I don't know who is Franklin, and I don't know why someone added him to this group, but I will investigate it later. Okay. So you can see this deviation. Now let's make another example regarding Microsoft SQL Server. I have created this template for you regarding database permission.
Now under the selection criteria, I defined database name finance, which is very important for my organization, and under template attribute, I added Bill, Gina and Jack to be under this group of DB data writer and DB owner. So only these permission should have for these guys. Okay. So now again, I'm going to click on check now, and let's get some results from SQL Server in a few seconds again. Sorry for that. But I have also deviation for this template. Let's see what are the deviations: view results, view check results, and double-click on the record. And we see that Mrs. Gina has data writer, data reader, DB owner and DB security admin. Okay. Because someone added this permission for that person. Okay.
Now, if I'm talking about check, it can be run on the spot or by scheduler. If you can see here under the task, I can click on schedule check process and just add a schedule for my process. This check can run weekly, if I want to be run on Sunday, Monday and so on; it can be run monthly, for example, every second or every month; or by time interval, if you want this check to be run every two minutes, five minutes and so on.
Now, showing the deviations is already beneficial for the auditor inside an organization. However, in some situations, these deviations require an action. We can fix the deviation, meaning, bring its setting in line with the policies of an organization. So now what I'm going to do is fix these deviation. I'm going to click on this button. You see here, enforce now. Let's click on this button. I'm getting a warning message because this request or this process is going to affect your remote server. Yes. Now this request has come here to the change request.
See, now it is pending for someone to authorize this request, and only a person with the right permission can authorize this request. That means not everyone in your organization can just click on fix, fix, fix, and can just fix what he wants. Now let's authorize this request: click on authorize, authorize. And yes. Now the change, or, I mean, the fix has been done. I can go back to the compliance administration, and you see right now it is red. I'm going to click on check now again.
And yes, let's see if we still have any deviations. Let's wait a couple of seconds for results. See, green sign, no deviations. Everything is okay. I can right-click, the results, view check results. And you can see that no deviation at all. Bill, Gina and Jack just have the appropriate permissions that I want them to have. Okay.
No more, no less. Now, fix, the same as checks, can be run on the spot or by scheduler, provided you have the right permissions, of course. Schedule enforce process: you see here under the task, you have this button here, and you can just add the process that you want to run, for example, for Active Directory.
And again, this process of enforce can be run weekly, monthly, or by time interval, so you can be compliant all the time. Now let's talk a little bit about reports. Okay? I have prepared reports for you. I called it compliance report. You can see up there some tabs, for example, report scheduler, report process, report viewer, and so on. Let's go inside to my report, double-click. I want to show you all the definitions here. This is the name of the report that I added. And in the selection criteria, you can put any definitions or any parameters that you want to include in your report.
For example, what action type you want to include in your report: if it's enforce, if it's check, if it's both of them; if you want to include only a single system in your report or system group, or if you want all your systems to be included in your report. And of course you have many other options here. If I click on query, the query allows me to define the fields that I want to include in my report.
You see, in my example, I chose date time, action, time attribute, and so on. You can just move or move back what filters that you would like to be included in your report. The next one will be defining a filter, exactly what you want to include in your report. And in my attribute, I chose only user Gina. And if I click on this small button here, you can see Boolean conditions: equals, doesn't equal, is greater than, is greater than or equals to, and so on.
So in that case, you can just put more people or more attributes here, or choose any action type, action value, category name, date, object types, and so on that you would like to put as a feature. Now, the next one will be defining a sort order. I want to ascend or descend it by date, time, action type, action, actual value, attribute, and so on. In my example, I chose the ascending by date and by time. Now, output format: the report can be generated as text file, as a CSV file,
I mean Excel file, PDF file or report viewer. The report can be generated and sent to an email account or be copied to one of your folders on the network. Now let's see an example of such report, okay? This is an example of PDF report. Of course you can include your logo. You can see all the definitions that I put for this report. You can see report type, action type and so on, but I would like you to focus only on these three records. The first one is the check that we went.
If you remember, the actual value for user Gina were DB reader, writer, DB owner, and DB security admin, and the policy value said that the DB security admin should be removed. So now after we made the check, we did the enforce for user Gina. So now the old value will be reader, writer, DB owner and security, and the new value should be the same, but except the security admin. And of course the last one, that I just checked to make sure that everything is okay for user Gina, and the actual value and the policy value, both of them are the same, and the deviation was fixed.
Now let's talk about alerts. Okay. We have here the compliance alerts.
Again, I created an example for you. You can create your own. This, I put the name of CPC alert of deviation. Alert condition: you can click on condition result and define whatever value you want to be included in your alert. For example, in my action type, I chose check.
And again, you have all the Boolean conditions you need in order to make your alert beneficial. Okay? So I chose equals to check. So in that case, any check that will be run, I'm going to get an alert. But also, you see here that there is a green sign and there is another green sign here. So any check that the event status will be reject, that means we have a deviation, I want to receive an alert. And of course you can include many other values here. And you have many, many options like policies and templates.
And I want to get an alert regarding only a specific object or object type or system size. Okay? Now, alert action. The alert can be sent to the log, submitted alert; that means the event, the alert, will be sent to the central data repository. If you want, you can send your alert to a host and it'll show a popup message. If you want, write the alert to the Windows event log. If you want, you can send the alert by email, and you can also add your own custom message. And the last one, sending the alert to a syslog server. Okay.
I would like to share one more piece of information with you until now we spoke about finding deviations from policy. Many of our customers would like to know what cross the deviation. For example, if you remember, I showed you that Gina has more permission on SQL server than should be allowed. We can do this using our sister product for log management. It is called cost platform, audit CPA. This product can capture logs or part of logs selected by you from different platforms and databases.
I'm talking about this product here, cross platform audit, and under the central data repository, you can see all the information you need for all your platform. All the events came to one place, but for now I want to focus only on the event that someone changed the permission. Remember I told you that I'm, I'm going to investigate this. So now I'm going to click on platform. I'm going to choose only windows. I want to investigate only application of Microsoft SQL server system audit. Okay. And under system audit, I'm going to drill down and find only audit security events.
So only permission that gave to someone or only authorities. I'm going to see.
Now I can, I can drill more about, about event types, but it's enough for me. I'm going to click on filter and I'm going to take you directly to a person named Leonardo. You see here, if I double click on this event, I can see that user Leonardo used Microsoft SQL Server Management Studio on this date, at this time, this is his IP address. And he gave to Gina DB security admin. I'm wondering if you need more than that, you have all you need in one place under one product. This is more or less what I wanted to show you. We are now available for any of your questions. Thank you.
Thank you very much, Shahar, for that presentation. And as you've mentioned, we are moving over to the Q&A session, and I encourage all the participants again, to, to add some questions. We have some questions already here, so let's just start out with that, but please type in your questions as well. So the first question that arrived is the question, whether it is possible, you have, you have a list of supported applications.
If there are plans for adding other applications and especially to, to support custom applications so that people can, or customers can include other applications like my other applications to treat them just as you showed that with MS SQL and the Active Directory. Yes. If we are talking about CCPC CPC, okay. We can manage the following, the, the CPC for AI follow Windows for I series following for server and for Oracle, of course, for each platform, you have its own templates that you can create.
So just imagine how many parameters and, and, and, and options you have in order to build your report. Of course, we are soon going to add the Solaris, the end up and DB2. So this is on the roadmap, right? Sorry. This is on the roadmap for the next, for next version.
Yes, yes, yes, Absolutely. Okay, great.
So, so this is also a growing solution and yeah. Okay, understood. Another question was when you check for password complexity, then the, the notification should, in the best case, go out to the actual user saying, Hey, your user, your password is not compliant to the regulations. Can you also notify the user, which has not the right complexity within the password? Yeah. Just think about that. We are talking about policies, Right? Okay.
We are talking about policies, but, but in your case, we have such ability in the report generator, in the report generator, I can see, I can create reports regarding account local policy, audit policy, file audit settings, file permissions, file property, password policy, user right assignment, Windows security event, Windows security account. So you have all the ability in order to receive this information. And of course you can get an alert about any of these changes. Okay. Understood. Thank you.
The, the, the templates that you showed and that you prepared for this presentation, they, I think the creating them might be, might be time consuming. And, and do you provide best practices, templates that organizations can use from a start so that they don't have to start from scratch?
Yes, of course. And they are mapped to, to, to regulations, to, to existing yeah. Requirements regarding yeah. Legal requirements or regulatory. So predefined sets for PCI, for example. Yes. Ma yes.
Yes, of course we have here. For example, you are getting a set of templates from us, ready to run, for example, PCI, for AI, for Oracle, you can see in the right for MS SQL Server, for Windows. If we are talking about SOX, I'm talking about compliance and compliance for MS SQL Server and for Windows. Do you see my screen? Yes. If you can, if we can hand it over to you, please. Yeah. Then we can switch over to you again. Okay. So we are now, now, do you see the screen? Yes. Works fine. Okay.
So under PCI, you see, as I said, we are giving some templates for you to run that are part of the, the product. Okay. You can see from PCI on AI, you can run this template for Oracle, for SQL Server, for Windows. If I'm talking about SOX compliance, we have templates for a prepared template for AI, for SQL Server, for Windows, for example, this one, PCI requirement eight, which I, which I think is about something, assign a unique ID to each person with customer access, something like that.
If I remember correctly, you can see that under the template attribute, you can put your own user that you want to check their permission. For example, for alone and Julia, I gave public and assisted me. But if I'm going to check that, I'm going to see that I have a deviation and Julia has processed me instead of me. This is kind of, of, of, of thing that you need to, to see in your, in your own environment.
Okay, great. Thank you. And one other question is left. Do you have a, a, an access management built into your system so that you control the roles of the individual users of your system so that you have a, a viewing only user or a user that which is able to enforce actually policies, which are different access rights and different powerful access rights.
Yes, of course, we have this module or this submodule named administration role. You see, you can put, you can create your own role and put the users of your Active Directory users under this group, or create your own group and just give these groups permission.
You see, for example, under DBA that I created, I have PBCK admin and Mr. Jeff, and I can give them permission for the EY. Okay. For example, for the central data repository, which is this one I gave only the permission of display, but if I'm talking about the, which is the change request, where the place where you can click on fix, remember this is very high authority, then I have this compliance request. Okay. So in this case they don't have the DBA, don't have any permissions to do anything.
They cannot see this submodule if I will click on this place, they're going to see, but they don't have any other permission. I can give them permission for change, add, delete, and remember the execute. Okay.
Okay, great. Thank you. And I think that's it already for the questions that we have. So we are getting closer to the, to the end of the, of the presentation of our, of our webinar. I would like to thank the participants of today's webinar. And of course, I would like to thank you, Shahar, for presenting the, the actual implementation of policies within your solution. If there are any other questions left after this presentation, I, I, I kindly ask the participants to, to just address the, the, Shahar or me directly by mail.
The mail address will be on the, on the website for this webinar when the recording goes online. And yeah, that's it for today. I think this was a great look into the real life aspects of, of ensuring compliance. Thank you for being with us today and goodbye.