This section is designed specifically for BalkanID Administrators, providing a comprehensive guide to setting up and configuring your tenant for optimal security and access management. You will learn how to:

1. Add Users: Integrate user data into your tenant to ensure accurate user profiles and streamlined identity management.

2. Manage User Roles: Assign appropriate roles to each user, understanding the capabilities and access levels associated with each role.

3. Integrate Applications: Connect, integrate and configure your applications with BalkanID to extract critical access and entitlement data.

4. : Establish clear ownership for resources/connections within each integrated application, facilitating efficient governance and review processes.

By following these steps, you'll establish a robust foundation for managing identities and access across your organization with BalkanID.

Embarking on the BalkanID journey begins with a seamless onboarding experience. This section is designed to guide new users through the essential initial steps, ensuring a smooth and secure setup of their account. From establishing fundamental access to preparing for uninterrupted workflow, these foundational configurations are crucial for maximising the value of BalkanID.

This section will walk through the initial steps after signing in to BalkanID. You'll learn about the different authentication methods which can be used to access the platform, how to configure authentication settings, and the various roles the administrator can assign to a user which determine their access level and capabilities within BalkanID. The following subsections are included:

1. BalkanID Onboarding : This part of the documentation walks new users through the essential steps to get started with BalkanID. It covers the process of signing in for the first time and configuring one's user account to ensure a smooth and secure experience. Understanding the available authentication methods and the roles assigned by an administrator are key to navigating and utilizing BalkanID effectively.

2. : Streamlining the login process is vital for efficient operations. This section provides comprehensive instructions on how to configure Single Sign-On (SSO) for a user's account. Enabling SSO allows for convenient and secure access to BalkanID, leveraging existing organizational credentials and reducing login friction.

3. :

   This section empowers users to tailor their BalkanID environment to suit individual needs and preferences. It covers settings that enhance daily interaction and ensure seamless workflow:

   • Theme Selection: Customize the visual theme of the application to match personal comfort or organizational branding.

   • Nominate Delegate: Delegate Responsibilities: Ensuring continuity of operations is paramount, especially when key personnel are unavailable. This feature allows a user to assign their responsibilities within the application to another designated user for a specific period, ensuring that all required actions and duties within BalkanID can be managed effectively, even in one's absence.

Welcome to the BalkanID documentation page. Here, you will find detailed information about BalkanID's capabilities, as well as release notes on the latest platform features.

What is BalkanID?

BalkanID is an identity governance platform that provides the following capabilities:

1. Preemptive discovery, analysis and remediation of identity-related risks.

2. Correlation and visualization of IdP, SaaS, IaaS and on-prem application identities and related entitlements.

3. User access review (UAR) workflow and campaign management.

4. Application entitlement lifecycle management.

Platform Demo

1. Signing into BalkanID:

   There are two ways to sign into BalkanID depending on how your admin has configured the environment. They are :

   1. Use your SSO provider to login (Okta, Microsoft, Ping etc.) for a seamless experience by using an existing Identity Provider (IdP).

   2. Sign up using social providers (such as Google) or magic link on the BalkanID Application (if a social provider hasn't been set up on your tenant yet).

2. Role-based access

   Once your account has been verified, your admin will assign a role to you in BalkanID. We have 3 primary roles used on our application which have been listed below. Depending on the role assigned to you, the following tabs will be visible:

   1. Reviewers: A users with this role will be able to view the My tasks, Access Requests, Account and Help menus. Reviewers will be able to review Access requests and perform the tasks assigned to them by the other roles.

   2. Risk managers: A user with this role will be able to view the Entities, Summary, Campaigns, Access Reviews and all other menus that a Reviewer has access too. Risk Managers will be able to discover application, people, connection and identity entitlements as a reviewer. They can view the various campaigns and perform access reviews as a part of this role. In addition they can perform all the tasks a Reviewer can perform as well.

For specific assignment of roles based on your business needs, please refer to the following help link: .

Account preferences: Nominate delegate & Notification settings

At BalkanID, we understand that efficient management of responsibilities and personalized communication are key to maintaining productivity. The Account Preferences tab empowers users to tailor their experience, ensuring that tasks are managed seamlessly and information is received just how they like it.

Nominate delegate

What is the "Nominate Delegate" option?

The "Nominate Delegate" option enables you to assign a delegate who will automatically receive any new reviews created via campaigns or access requests. This ensures that even in your absence, your reviews are promptly attended to, maintaining the flow of work without interruption. This feature is especially useful during periods of high workload or when you are away from the office.

How to use the "Nominate Delegate" option in your account preferences?

At BalkanID, we understand that efficient management of responsibilities is key to maintaining productivity. To help streamline your workflow, we offer the "Nominate Delegate" feature within the Account Preferences tab. When you are unavailable, this feature allows you to delegate the management of reviews created via campaigns or access requests to a designated person of your choice. Here’s how it works and how you can set it up.

How it works?

The delegation works in two key scenarios:

• New Reviews Created: Any new review generated through access requests or campaigns will automatically be assigned to your nominated delegate instead of coming to you.

• Reassigned Reviews: If any review initially assigned to you is reassigned, it will directly go to your nominated delegate if you have activated this option.

Setting up your delegate

To use, follow these simple steps:

1. Navigate to preferences: Click on the profile icon on the top right of the page > Preferences tab from the dropdown.

1. Select nominate delegate: Here, you can choose a delegate from a list of your colleagues.

1. Choose start and end date: Select a start and end date for the delegation. You have flexibility to:

   • Choose specific dates for the delegation period.

   • Select 'Start Now' for immediate activation (often a checkbox or default).

Notification preferences

BalkanID allows individual users to personalize their notification settings, giving them control over how and when they receive important updates.

Where to Find Notification Settings

1. Account (Profile Icon) → Preferences dropdown

Key Features of Notification Preferences

• Opt-In/Opt-Out: Users have the flexibility to choose whether to receive any notifications from BalkanID.

• Select Notification Types: Users can precisely pick which types of notifications they wish to receive. This allows for a tailored experience, ensuring that only relevant alerts are delivered while minimizing unnecessary noise. The available notification categories include:

  • Campaigns: Updates related to the lifecycle and status of access review campaigns.

How to Configure User-Level Preferences

1. Navigate to Preferences:

   • Go to Account → Preferences dropdown.

2. Set Notification Preferences:

   • Within this section, you can easily

User-purpose access requests are used to request access for an employee through a specific purposes.

There are currently 2 different ways to create a user-purpose access request.

The BalkanID CLI empowers you to take control of your identity and access governance directly from your terminal, offering a robust suite of tools designed to enhance efficiency and flexibility. We understand that managing complex access environments requires precision and adaptability, and our CLI is built to deliver just that. We offer the following services as a part of our CLI suite:

1. BalkanID API CLI

Gain unparalleled control over your BalkanID application with the BalkanID API CLI. This powerful tool allows you to directly interact with BalkanID's APIs using standard cURL commands. This direct access opens up a world of possibilities for advanced users and developers:

• Automate Complex Workflows: Script intricate sequences of operations, from user provisioning and de-provisioning to policy enforcement and access reviews, all from your command line.

• Custom Integrations: Seamlessly integrate BalkanID into your existing security ecosystem, leveraging the API to connect with other tools and platforms tailored to your unique requirements.

• Enhanced Scripting Capabilities: Build custom scripts to generate reports, perform bulk updates, or manage specific identity attributes with granular control.

• Accelerate Operations: Drastically reduce manual effort and human error by automating repetitive tasks, freeing up your team to focus on higher-value initiatives.

The BalkanID API CLI provides the flexibility and power you need to truly customize your identity and access governance strategy.

2. BalkanID Extractor CLI

The BalkanID Extractor CLI is designed to provide flexible and on-demand data synchronization from your connected applications. Imagine being able to pull critical identity and access data whenever you need it, directly into your environment for further analysis or integration. While the BalkanID API CLI offers robust control, the Extractor CLI focuses on making data retrieval effortless.

This capability will be enabled for users on demand, allowing us to tailor its deployment to specific customer needs and use cases. We're committed to providing the most effective tools for your data governance, and the Extractor CLI is poised to enhance your ability to gain insights from your connected systems.

While BalkanID offers robust integrations with your HRIS and Identity Providers for automated user data synchronization, there are scenarios where you might need to add individual users directly through the BalkanID application's user interface. This method is perfect for:

• Quick Onboarding: Swiftly add a new user who needs immediate access or review.

• Testing Purposes: Create test user accounts for internal validation or campaign testing.

• Manual Adjustments: Add users who might not be present in your synced systems, or for temporary access scenarios.

This guide will walk you through the simple process of manually adding a user to your BalkanID tenant.

Step-by-Step Guide to Adding a User

Follow these steps to directly add users within the BalkanID application:

1. Navigate to the Users Page

• From the BalkanID dashboard, locate the "Configure" section in the navigation menu.

• Under "Configure," click on "Users." This page displays all existing user identities within your BalkanID tenant.

2. "Add User" button

• On the "Users" page, find and click the "Add User" button. This button is typically located in the top-right corner of the user table.

3. Enter User Details

• A form will appear, prompting you to enter the new user's information. This page is designed to capture all essential details for the user's profile within BalkanID.

  Required Fields:

  • Email: This is a crucial and unique identifier for the user within BalkanID. It's used for notifications, linking to integrated applications, and primary identification.

  • Fullname: The complete name of the user.

4. Assign BalkanID Roles

• Once you have finished entering the user's personal data, it's essential to assign appropriate roles to this user within BalkanID. User roles determine what permissions the user has within the BalkanID application itself (Administrator, Reviewer, Risk Manager).

• By default, a "Reviewer" role is assigned to all users added. One or more roles can be assigned to each user based on the tasks required to be undertaken by them. To learn more about the different user roles and their corresponding permissions, please refer to our documentation.

5. Save the User

• After carefully reviewing all the entered details and assigned roles, click the "Save" button at the bottom of the page.

Upon successful saving, the new user will be immediately added to your BalkanID tenant. This user's profile will now be available across the platform for access reviews, assignment to campaigns, and inclusion in reporting. The user will also be able to login to the application and access this tenant with the role assigned.

Administrators in BalkanID can manage user accounts on the Users page. To start, log into BalkanID and navigate to the Users page as seen below. This page lists all employees at your company (typically fed via your direct HRIS Integration). To do this, refer to - Integrating Employee Data.

User roles in BalkanID

We support three roles with the following capabilities:

• Reviewers: Users with this role can view the My Tasks, Access Requests, Profile, Preferences, and Help menus. Reviewers are primarily responsible for reviewing access reviews and requests, and performing tasks assigned to them by other roles.

• Risk Managers: This role includes all the permissions of a Reviewer, plus access to the Entities, Summary, Campaigns, and Access Reviews menus. Risk Managers can discover application, people, connection, and identity entitlements, view various campaigns, and perform comprehensive access reviews.

• Administrators: This is the highest level of access, encompassing all the menus and capabilities of a Risk Manager. Additionally, Administrators can access the Configure section, allowing them to control system-wide configurations. This includes adding employee data, integrating applications, managing rules and saved filters, and configuring system notifications.

Steps to edit user roles:

To manage user roles, navigate to the Users page under the Configure section. There are two methods for editing user roles:

Edit a Single User's Role

1. Locate the user you wish to edit in the table.

2. Navigate to the rightmost Actions column and click the Edit button (represented by a pencil icon).

1. The option to edit the user and their respective role will appear, allowing you to select one or more roles for that specific user, as shown below.

Edit Multiple Users' Roles

1. Select the users whose roles you want to edit by checking the box next to their names.

2. Click on the Actions dropdown menu and select "Bulk Edit Roles."

1. A sidebar will open, providing the option to edit the roles for all the selected users, as shown below.

Getting started

BalkanID recommends creating a separate service account for the purposes of this integration, instead of using personal or employee named accounts.

Requirements:

• Jira Personal Access Token

• Jira Site name

Steps to obtain credentials

1. Create a Jira token as described in the .

2. Instructions on creating a read-only user (the account from which you can create a Jira token for sharing) is also described in the .

Configuring Atlassian Jira in your BalkanID tenant

1. Login to the BalkanID application and switch to the tenant you would like to add your integration to.

2. Head to Integrations > Add Integration, select Atlassian Jira.
3. Set up the Primary Application owner (mandatory) and the Description, if any. Set up Secondary Application Owner(s), if any.

1. Click on next to move onto Optional Configuration.

2. Fill Optional configuration, if required.
3. Once you filled in the information, click Save. Your integration is now configured and you will see the status of the integration displayed alongside other integrations on the Integrations page. When data is available, the integration Status will read Connected and the integration Message will read Data available.

Getting Started

Mapping SaaS application users to your employees is one of the primary functions supported in BalkanID. We are working hard to programmatically connect data but the BalkanID system still requires some human interaction for some applications.

Identity mapping is important to connect an application identity to an employee. This is an essential step will facilitate entitlement discovery and working with the BalkanID environment in general. The steps to map identities within the BalkanID environment are given below.

There are two ways to map identities to employees:

1. Through .CSV upload

2. Directly on the application

Map identities to employees through .CSV(Bulk) upload:

1. Go to the Integrations page under Configurations. Ensure that data has been fetched from applications.

2. Go to the Identities page under Entities. Here you will see a button, “Map Identities” which may have a number representing the count of unmapped identities in your tenant.
3. Click the Map Identities button to open a side view with further instructions.

Map identities to employees through the application:

1. Go to the Integrations page under Configurations. Ensure that data has been fetched from applications.

2. Go to the Identities page under Entities. Here you will see a button, “Map Identities” which may have a number representing the count of unmapped identities in your tenant.
3. Select the identities you would like to map. You will see the number of selected identities to map on the Map Identities button. Click on the Map Identities button.

In case of any errors, feel free to reach out to our team for further assistance.

Overview

Balkan ID supports in-app notifications, providing users with real-time updates directly within the application. This feature ensures timely communication and allows users to stay informed without the need to check their email inbox frequently.

Features

Real-Time Notifications

• Notification Feed: Users can access a dedicated panel within the app to view and manage their notifications.
• Toast Notifications: When a notification occurs, a toast notification will pop up on the screen, providing relevant information.

Notification Feed Tabs

The notification feed is divided into three tabs for better organization and management:

1. All: Displays all received notifications.

2. New: Shows only unread notifications.

3. Archive: Contains notifications that the user has archived for future reference.

Viewing Notifications

1. Open Notification Panel:

   • Click on "Notifications" with the bell icon located in the top-right corner of the application in the navigation panel.

2. Navigate Through Tabs:

   • Use the tabs ("All", "New", "Archive") to browse and manage notifications according to their status.

Archiving Notifications

Users can archive notifications from the "All" or "New" tabs. Archiving helps in decluttering the notification list while keeping important notifications accessible in the "Archive" tab.

To archive a notification, go to the "All" or "New" tab in the notification feed, and click the close (x) icon next to the notification you wish to archive.

For more detailed information or assistance, please contact BalkanID support ().

Introduction

You can automatically create tickets in freshservice as part of the following cases:

• Access Request has been approved

• Access Review has been denied

This functionality allows you to automatically create tickets to provision/de-provision resources based on the corresponding access request/review. Let us explore the steps to configure this on your tenant:

Configure Freshservice Email Notification System:

To configure in Freshservice

1. Go to Freshservice > Admin > Channels > Email settings and mailboxes. You will be able to see the support email over there.
2. Note down your Freshservice email.

To configure within your tenant

1. Go to Configure > Integrations on your BalkanID tenant.

2. Click on either Add Integration or Edit Integration for a particular integration.
3. Go to the Optional Configuration section.

You can test your setup by denying access reviews on your tenant. After the campaign has been marked as complete, an email will be sent out and a ticket will be created in Freshservice. It will resemble the one shown in the image given below:

Getting started

BalkanID relies on specific HRIS data to effectively manage Identity Lifecycle and Governance activities. Essential data fields include names, emails, manager details, start and termination dates and department information. Uploading your employee data to BalkanID allows you to map accounts across your systems to employees for entitlement discovery, assigning access reviews and creating access requests. There are three ways to integrate your users to BalkanID -

• Direct Integration to your HR system

• Manual flat file (.CSV) upload

• Bulk API upload

This article will briefly cover the process for all three. They are given below:

1. : Merge, our trusted integration partner, seamlessly connects your HRIS systems with BalkanID to ensure real-time accuracy of user data.

2. Adding users from the UI: BalkanID provides a straightforward way to add individual user accounts directly through the user interface. This method is ideal for quickly onboarding a single user, performing tests, or when a full HRIS/IDP sync isn't immediately available for a new hire.

3. : You can manually upload user data to integrate it into the BalkanID tenant.

Getting started

BalkanID recommends creating a separate service account for the purposes of this integration, instead of using personal or employee named accounts.

Slack can be integrated to BalkanID directly from the UI via oauth. To configure Slack, you will need to be an administrator on the organization Slack account.

Configure Slack with your BalkanID tenant

1. Login to the BalkanID application and switch to the tenant you would like to add your integration to.

2. Head to Integrations > Add Integration, select Slack.
3. Set up the Primary Application owner (mandatory) and the Description, if any. Set up Secondary Application Owner(s), if any.

BalkanID supports integrations to the following ticketing systems. If there is any other ticketing system that you would like us to support, feel free to reach out to the team!

• Adobe Workfront

• Aha

• Asana

• Azure DevOps

• Basecamp

• BugTracker

• Bitbucket

• ClickUp

• Dixa

• Freshcaller

• Freshchat

• Freshdesk

• Front

• Github

• Gitlab

• Gladly

• Gorgias

• HappyFox Service Desk

• Heigh

• Help Scout

• Hive

• Hubspot

• Intercom

• Ironclad

• Kustomer

• Linear

• ManageEngine

• PivotalTracker

• Rally

• Re:amaze

• Salesforce Service Cloud

• Shortcut

• Spotdraft

• Targetprocess

• Teamwork

• Trello

• Wrike

• Zoho Desk

• Zoho Lens

Introduction

BalkanID provides a user-friendly system for setting up and configuring multi-level review settings at the integration level. This advanced feature is designed to give you granular control over review processes within each integration, allowing for customized reviewer hierarchies and response requirements based on your organization's specific needs. By following a streamlined process, you can efficiently configure these settings, ensuring optimal compliance and oversight across your campaigns.

To Configure Multi-Level Review Settings at the Integration Level

1. Go to Configure > Integrations on your BalkanID tenant.

2. Click on either Add Integration or Edit Integration for a particular integration
3. Go to the Optional Configuration section.

• Specify the order of reviewer precedence among the options by dragging them around: First Line Manager, Business Owner, Risk Manager, and Application Owner.

• Select the number of reviewers required from the dropdown menu.

To understand how reviewers interact with multi-level reviews, the progression of decisions, how to manage and interact with multi-level reviews once they're configured, please refer to the section for a detailed guide.

Note on Overriding Integration-Level Settings in Campaigns

While the multi-level review settings configured at the integration level provide a default structure, it is important to note that these settings can be overridden at the campaign level. This flexibility allows campaign managers to tailor review processes more specifically for individual campaigns, accommodating unique requirements or exceptions. To override these settings during campaign setup, simply select the "Override Defaults" option and specify the desired settings for that particular campaign.

1. Open the Slackbot and run the /purposes command. This will display a list of all purposes in the tenant.
2. To view the connections/resources the purpose provides access to, click on the three-dot menu and click on "Details". This opens up the purpose details dialog.
3. To request a purpose, click the "Request" button next to the relevant purpose.

4. Fill all the required fields on the form and click "Submit" to create a new purpose request.
5. After creation, the new user-purpose access request will be visible on the Access Requests page. The appropriate reviewer assigned to the request will receive a notification (via email, Slack, or in-app) prompting them to review the request.

6. Once the request is approved by the reviewer the request was assigned to, the purpose will be assigned to the employee.

To use assigned purposes, refer to .

1. Navigate to the ‘Purposes & Constraints’ tab in the side navigation bar and open the 'Constraints' page. This page lists all the constraints that have been set up for your tenant.

2. Click on the Filters button at the top of the constraints table to open a side panel on the right. This panel contains various fields for filtering constraints.

3. Select values for the desired filter fields. The filters are automatically applied, and the constraints matching the selected criteria will appear in the results.

To learn more about filtering please refer

1. Navigate to the ‘Purposes & Constraints’ tab in the side navigation bar and open the 'Constraints' page. This page lists all the constraints that have been set up for your tenant.

2. To edit a constraint, scroll to the right of the constraints table and click on the 'Pencil (Edit)' icon next to the relevant constraint.

3. Update the desired fields and click Save to apply the changes.

To start a purpose assigned to a user, the user must utilize the Slackbot to initiate their assigned purpose. Follow these steps:

1. Open the Slackbot and run the /my-purposes command. This will display a list of all purposes assigned to the user.
2. To start a purpose, click the Start button next to the relevant purpose.

3. Once the day ends, the user can manually stop the purpose by clicking the Stop button.

When a purpose is started or stopped, the associated connections will be automatically provisioned and de-provisioned accordingly.

If the “Should auto-provision daily?” option was enabled during the creation of the purpose request, the purpose will automatically start and stop based on the specified time window provided during the request setup.

This section explains how to manage and customise notifications within the platform. It includes setting up notification preferences to ensure relevant alerts are received, configuring in-app notifications for real-time updates, and automating ticket creation in systems such as Jira to streamline issue tracking and resolution. We will cover the following topics in this section:

1. Notification Preferences: Setting up notification preferences for your BalkanID account on the tenant-level by administrators and on the user-level by each individual user.

2. In-app Notifications: Setting up notification streams to receive within the BalkanID application.

3. : Setting up automatic ticket creation systems on your environment to provision access to users when access requests are approved and de-provision access from users when access requests are approved or access reviews are denied.

This section provides a detailed guide to Application Integrations within BalkanID, a critical step in establishing comprehensive identity and access governance for your tenant. Here, you will learn how to connect your various applications to our platform, enabling the extraction of valuable identity and entitlement data.

We will cover:

• Supported Integrations: A comprehensive list of the applications BalkanID natively supports for seamless integration and steps to integrate them.

• Identity Mapping: How to effectively map extracted identities from these applications to your employee data, providing a clear understanding of who owns what access.

• : Defining automated actions and workflows to be triggered based on the approval or denial of access requests and reviews, ensuring efficient and consistent access management.

• : How to upload data manually for your custom applications and other data sources.

By leveraging these powerful integration capabilities, you can gain a unified view of access across your entire enterprise and automate critical governance processes.

1. Navigate to the ‘Purposes & Constraints’ tab in the side navigation bar to open the Purposes page. This page lists all the purposes that have been set up for your tenant.

2. To edit a purpose, scroll to the right of the purposes table and click on the 'Pencil (Edit)' icon next to the relevant purpose.
3. Update the desired fields and click Save to apply the changes.
4. The users assigned to a purpose can be viewed by clicking on the Users tab, located next to the Connections tab on the Edit Purposes page. This tab displays a list of assigned users along with additional details, such as the status, which indicates whether the users have started their purpose or if it has been stopped.

   Users can also be removed or unassigned from the purpose by clicking on the Delete/Trash icon located to the right of the user in the table. To assign users to a purpose please refer to

1. Navigate to the ‘Purposes & Constraints’ tab in the side navigation bar to open the Purposes page. This page lists all the purposes that have been set up for your tenant.

2. To delete a purpose, scroll to the right of the purposes table and click on the 'Trash' icon next to the relevant purpose.
3. To confirm the deletion click on "Delete". Deleting a purpose will immediately de-provision the access granted to the users assigned to the purpose.

1. Navigate to the ‘Purposes & Constraints’ tab in the side navigation bar to open the Purposes page. This page lists all the purposes that have been set up for your tenant.
2. Click on the Filters button at the top of the purposes table to open a side panel on the right. This panel contains various fields for filtering purposes.
3. Select values for the desired filter fields. The filters are automatically applied, and the purposes matching the selected criteria will appear in the results.

To learn more about filtering please refer

Introduction

You can automatically create tickets (called as incidents) in ServiceNow as part of the following cases:

• Access Request has been approved

At BalkanID, flexibility and control in managing review processes are key aspects of our platform. The Multi-Level Review Settings feature allows you to customize review assignments and hierarchies during campaign creation, overriding the default settings set at the integration level. This guide provides detailed instructions on how to configure these settings for your campaigns.

Overview of Multi-Level Review Settings

Multi-Level Review Settings give you the ability to specify review hierarchies and requirements explicitly, ensuring that reviews are assigned according to organizational needs and specific risk management protocols.

Access Review Campaigns can be configured to escalate all incomplete reviews as the due date approaches. This is to help ensure that reviews happen on time.

Configuration

Escalation settings are configured when you create a campaign or edit a draft campaign, using the Escalation field.

Introduction

You can automatically create tickets in zendesk as part of the following cases:

• Access Request has been approved

• Access Review has been denied

Campaign creation includes a feature that allows you to select specific insights that are applied to the identities of reviewers whose evaluations require escalation for an additional level of review from their line manager. This feature is configured by selecting an insight in the Exclude reviewers with insights option.

For instance, if a user (employee) has an SoD insight associated with one of their identities and a campaign is created with the Exclude reviewers with insights option set to the SoD insight, then when a review is assigned to that user, both the reviewer's approval and their manager’s approval will be required. In effect, the review is automatically escalated to the reviewer's manager, necessitating two levels of review.

In scenarios where both the reviewer and their immediate manager have an SoD violation insight, the review will bypass the manager and be escalated directly to the manager’s manager. Despite this change in hierarchy, the review process still requires two levels of approval: one from the initial reviewer and one from the manager’s manager.

After successful completion of both review levels in the insight escalation process (i.e., once both approvers have provided their approval), the review will then proceed to the next reviewer in the defined precedence order based on the number of reviewers selected during campaign creation.

What is JITPBAC?

JITPBAC (Just-in-Time Purpose-Based Access Control) is a dynamic and purpose-driven access control framework designed to enhance security and operational efficiency by provisioning access to identities in Cloud, SaaS applications only when it is explicitly required and for a defined period of time. The model reduces the exposure of sensitive resources to potential threats, particularly when credentials are compromised, by adhering to the principle of least privilege.

Key Features of JITPBAC

1. Default Deny Policy (Zero Trust): Identities have no access by default. Access is provisioned only through assigned Purposes, ensuring strict access control.

2. Purpose-Centric Access: Access is organized under Purposes

Overview

In this article we will give an overview of the Resources page and how to utilize it for entitlement discovery. The Resources page provides a list of different resources available within an application. These resources are extracted from an application during the application integration stage.

To navigate to the Resources page, select the Resources page under the Entities section.

You can view all the resources across your application integrations within your tenant.

Enable SCIM for your application

1. In the Integrations section, click on the Setup icon for the application you want to set up SCIM.

Downloading Campaign Audit Reports

Risk Managers can download PDF reports for any active or completed campaigns that will reflect the state of the campaign. Generally, risk managers download such reports for completed campaigns to store audit proof of access reviews being completed. The reports will contain the campaign name, start & end dates, and review status of each identity, application & entitlement included in the access review campaign.

1. Navigate to the ‘Purposes & Constraints’ tab in the side navigation bar to open the Purposes page. This page lists all the purposes that have been set up for your tenant.

2. To create a new purpose, click on the ‘Create Purpose’ button at the top left of the page. This action will open a new page where you can enter the details for the purpose.
3. Fill in all the required fields related to the purpose, ensuring that the information provided is accurate and comprehensive. Filling out the optional fields is not mandatory; they are intended for organizing, grouping, and filtering purposes.

BalkanID supports access request management for multiple integrations. For a list of supported integrations, please check the integrations list. Our integrations broadly fall into IDP applications (Okta, Azure AD, etc to name a few), Cloud Service Providers (AWS, GCP, Azure, etc to name a few), Commercial SaaS applications (Salesforce, Github, Netsuite, etc to name a few). Typically, an unsupported integration can be supported immediately upon request within a few days. Note - For guidance on enabling provisioning and de-provisioning options, please refer to this article:

Access requests are broadly categorized into the following types

1. Navigate to the ‘Purposes & Constraints’ tab in the side navigation bar and open the 'Constraints' page. This page lists all the constraints that have been set up for your tenant.

2. To delete a constraint, scroll to the right of the constraints table and click on the 'Trash' icon next to the relevant constraint.

Overview of Purposes

In JITPBAC (Just-in-Time Purpose-Based Access Control), a Purpose is a core construct used to define and manage access permissions for identities within Cloud and SaaS applications. A Purpose acts as a structured grouping of access rights, aligning them with specific tasks, responsibilities, or roles within an organization.

1. To create a new user-purpose access request, navigate to the "Access Requests" page. Click the three-dot menu in the top right corner, and from the dropdown menu, select "New Purpose Access Request".
2. Fill all the required fields on the form and click Next button at the bottom of the page to proceed to the next step. Multiple users can be selected to request purposes in bulk. The “Purpose Identical To” field allows for easy lookup of the desired purpose based on the information provided during purpose creation.

   In the screenshot below, “Purpose Identical To” is set to “Team”, and the purposes under “Team 2” are listed for selection for the chosen users. Alternatively, the “Custom” option can be used to manually select the purposes to assign to the selected users.

Overview of Constraints

In Just-in-Time Purpose-Based Access Control (JITPBAC), a Constraint specifies explicit rules or conditions that restrict access for identities within cloud and SaaS environments. A Constraint functions as the opposite of a Purpose. While a Purpose represents a defined set of employees and entities (such as connections and resources) that indicates which users are permitted to access or request access to those entities, a Constraint similarly involves a set of employees and entities, but explicitly prohibits access to the specified entities. In essence, a Constraint establishes a security policy that enforces denial of access, ensuring robust access control and data protection.

Getting Started

BalkanID recommends creating a separate service account for the purposes of this integration, instead of using personal or employee named accounts.

Requirements:

• Client ID

• Client Secret

• Tenant Name

Getting the Configuration

1. Go to your Onelogin Tenant Administration Page.
2. Hover over Developers and click API Credentials under it.
3. Click on Create New Credential, and give Read all as the permission.

1. Paste the same in Balkan ID App Integration setting

Configure Onelogin within your BalkanID tenant

1. Login to the BalkanID application and switch to the tenant you would like to add your integration to.

2. Head to Integrations > Add Integration, select OneLogin.
3. Set up the Primary Application owner (mandatory) and the Description, if any. Set up Secondary Application Owner(s), if any.

Getting Started

BalkanID recommends creating a separate service account for the purposes of this integration, instead of using personal or employee named accounts. Make sure that the account has ownership or super admin level permissions.

Requirements:

• Personal Access Token

Step to obtain Personal Access Token

1. Login to Asana, and Click on your profile photo in the top right corner of the Asana app. Select My Settings... > Apps > Manage Developer Apps.
2. Follow the below steps to get personal access token from Asana:

   1. Click on Create New Token.

Configure Asana within your BalkanID tenant

1. Login to the BalkanID application and switch to the tenant you would like to add your integration to.

2. Head to Integrations > Add Integration, select Asana.
3. Set up the Primary Application owner (mandatory) and the Description, if any. Set up Secondary Application Owner(s), if any.

Getting Started

BalkanID recommends creating a separate service account for the purposes of this integration, instead of using personal or employee named accounts.

Requirements:

• Tenant Name - This is the same as your tenant URL https://<tenant-name>.twingate.com

• API Token

Create your tenant API Token with Read only permissions.

Getting the Configuration

1. Open your Twingate Tenant Page, and navigate to Settings.
2. Now go to API and click on Generate Token .
3. Click on

Configure integration within your BalkanID tenant

1. Login to the BalkanID application and switch to the tenant you would like to add your integration to.

2. Head to Integrations > Add Integration, select Twingate.
3. Set up the Primary Application owner (mandatory) and the Description, if any. Set up Secondary Application Owner(s), if any.

This section is your guide to managing and performing access reviews within BalkanID. It details how users with different roles can track the status of all access review campaigns and provides step-by-step instructions on how to take action on individual reviews, ensuring appropriate access for all users.

Performing Access Reviews

Let us understand the following to perform access reviews effectively:

1. Viewing your reviews

Go through the below to understand how users with different roles can perform access reviews using BalkanID.

For Reviewers

Viewing Access Review Status

Users with the Reviewer role can view access reviews from the main menu item My Tasks. From here, they can search, sort, and select campaigns that are on their task list to be completed.

Clicking on the Review button will take you to a dedicated page where you can view all the access reviews assigned to you. Clicking on the Priority Inbox button on a campaign review will take you to a page where you can view the same reviews bucketed by various criteria of your choosing for faster triage.

Priority Inbox for a Campaign

This page helps you focus on the most important review tasks by using shared filters and groupings that you can create on the reviews page. You can create “buckets” of reviews based on your chosen filters and work through them by priority. Each bucket shows your progress for the related campaign, along with key details about the applications, users, and insights included in that group.

Performing Access Reviews

1. Select Reviews: Choose the specific access reviews you'd like to work on.

2. Bulk Actions: Click the "Bulk Actions" button on the Access Reviews page.

3. Perform Operations: From the options provided, select the desired action for the chosen reviews:

For Admins and Risk Managers

Viewing Access Review Status

The Access Reviews main menu item provides a comprehensive overview of all access review campaigns in your system. Here, you'll find a consolidated list including pending, in-progress, completed, aborted and overdue access reviews. This dedicated view is available exclusively to BalkanID Administrators and Risk Managers.

Performing Access Reviews

To efficiently manage your access reviews, follow these steps:

1. Select Reviews: Choose the specific access reviews you'd like to work on from the list.

2. Bulk Actions: Click the "Bulk Actions" button on the Access Reviews page.

3. Perform Operations: From the options provided, select the desired action for the chosen reviews:

Note: To configure de-provisioning after an access review has been denied, please refer to this article for detailed instructions on enabling .

Getting Started

BalkanID recommends creating a separate service account for the purposes of this integration, instead of using personal or employee named accounts.

Requirements:

• API Key

• Organization ID

Obtain API Key

The API Key needs to be from an administrator account. To retrieve the API Key follow the JumpCloud instructions here: .

Obtain Organization ID

To retrieve the Organization ID follow the JumpCloud instructions here: .

Configure JumpCloud within your BalkanID tenant

1. Login to the BalkanID application and switch to the tenant you would like to add your integration to.

2. Head to Integrations > Add Integration, select JumpCloud.
3. Set up the Primary Application owner (mandatory) and the Description, if any. Set up Secondary Application Owner(s), if any.

With BalkanID, any team member can request access for themselves or for others to any support application integration. Requests can be either GRANT (provisioning) or REVOKE (de-provisioning). GRANT requests can be permanent or temporary (specified by end time, when the access is automatically de-provisioned).

By default, every access request goes through a review process. Upon successful approval of the access request (by the assigned reviewer - either manager or application owner or whoever is assigned as the designated reviewer), the request shall get fulfilled immediately (either provisioned or de-provisioned, depending on whether its a GRANT or REVOKE request).

If the fulfillment option for an application integration is selected to be direct integration and auto approved provisioning, then a request GRANT shall automatically result in provisioning of the request in the respective application. Similarly, a request REVOKE shall automatically result in de-provisioning of the request in the respective application. All of these are event driven, which means the provisioning/de-provisioning act happens immediately.

Access request identical to a User (get access similar to another team member)

This will request access that is identical to a different target user.

Access request identical to a Job Title

This will request access that is identical to the access that users with the target job title have in common.

Access request identical to a Role

This will request access that is identical to the access given by the target role.

Access request identical to Custom

This allows the requester to chose the exact access changes they wish to apply to the user, including both GRANTs and REVOKEs. Both GRANTs and REVOKEs can be present in the same request.

Select the identities that should be provisioned or de-provisioned

If an identity for an employee does not exist in an application, BalkanID will automatically create a new identity, corresponding to the access request. If a selected identity is suspended, it will be re-activated and subsequently provisioned or de-provisioned with the requested changes.

Preview the request

Before you submit you're request, you will be presented with a summary of the request details as well as the requested access changes. Once you submit the request, it will be created and be ready for review.

Users, Risk managers and IT administrators can view the list of access requests they have created, along with their progress on the BalkanID dashboard.

Users, Risk managers and IT administrators can view the list of completed access requests on the BalkanID dashboard.

The full audit trail of an access request, starting from creation till the provisioning or de-provisioning is recorded within BalkanID and available to be viewed or downloaded as a report anytime, for audit purposes.

Note: You may see different completion percentages in your My Tasks tab and Access Requests tab for multi level reviews. My Tasks will reflect how much of the actions needed to be taken by you, are completed for a given access request. Whereas Access Requests shows how many total actions by all the reviewers for an Access Request are completed for a given Access Request.

Setting up recurring campaigns

At BalkanID, we aim to make your campaign management process as seamless and efficient as possible. With the "Recurring Campaigns" feature, you can automate the repetition of campaigns at specified intervals, ensuring continuity and consistency in your review processes. This guide will walk you through how to set up and manage Recurring Campaigns on our platform.

Understanding Recurring Campaigns

The "Recurring Campaigns" feature allows you to schedule a campaign to repeat automatically after a defined period. This is particularly useful for regular compliance checks, routine audits, or any campaign that needs to be conducted on a regular basis without manually setting it each time.

Configuration

Here are a few simple steps to set up a Recurring Campaign:

1. Create a New Campaign: Begin by creating a campaign as you normally would. Fill in all necessary details such as campaign name, description etc.

2. Select Recurrence: In the campaign creation form, you will find an option for setting the campaign to recur. Click on Custom.

3. Provide the specifics regarding when the campaign should repeat. This allows for highly flexible scheduling to match your organization's compliance and review cycles. You can define the recurrence frequency at different granular levels:

• Weekly: Specify the number of weeks between recurrences (e.g., every 2 weeks) and select the exact day(s) of the week (e.g., Mondays, Wednesdays, and Fridays) on which the campaign should launch.

• Monthly: Define the number of months between recurrences (e.g., every 3 months). For monthly campaigns, you have two options for specificity:

  • Day of the Month: Choose a specific day (e.g., the 15th of the month).

1. Edit Recurrence Details later: You can convert an existing campaign to be recurring or edit the recurrence details of a pre-existing recurring campaign via any of the aggregated campaigns views, or the individual campaign page. Clicking on the chip indicating recurrence status should open up a modal as shown below. You can do the same from within the campaign as well.

Note: Campaigns which have already recurred will have a yellow "Re-curred" chip, and their details page will direct you to the next campaign in that recurrence chain. You will be able to edit recurrence settings for the latest campaign in the chain (i.e., the one which hasn't recurred yet).

Overview

BalkanID offers extensive notification preferences for both tenant administrators and individual users. These preferences allow for the customization of notification settings, ensuring that users receive relevant notifications through their preferred channels.

Tenant-Level Notification Preferences

Accessing Notification Preferences

Tenant admins can configure notification settings at the tenant level. These settings are what are used as the default for every user who have not set up their own preferences:

• Configure Group → System Notifications Tab

Features

• Enable/Disable Notifications: Admins can turn notifications on or off entirely or for specific categories.

• Notification Channels: Choose which channels (currently email, in-app and slack) to use for sending notifications. Future support can include additional channels like Teams.

• Allow User Override: Enable or disable users' ability to customize their notification settings for specific notifications. Disabling this will prevent users from overriding the tenant level settings.

After selecting or changing the notification preferences, the admin has to click on the save button on the bottom right of the application to save the tenant-level preferences.

User-Level Notification Preferences

Accessing Notification Preferences

Individual users can personalize their notification settings under:

• Account (Profile Icon) → Preferences dropdown

Features

• Opt-In/Opt-Out: Users have the ability to subscribe to or disable specific notifications through their Account (Profile Icon) → Preferences page. However, this control is only available if the tenant admin has enabled the "Allow user override" setting for those notifications. If this setting is turned off, users will not be able to disable or modify the notification preferences on their own.

• Notification Selection: When allowed by the tenant admin, users can selectively choose which types of notifications they want to receive. This flexibility depends on the "Allow user override" setting being enabled. If a notification, its group, or all notifications are disabled at the tenant level, users will not be able to opt in to those notifications.

FAQs

Q: How do I disable notifications entirely?

A: Tenant admins can disable all notifications for users by navigating to Settings → System Notifications.

Individual users can opt out of notifications (if tenant admin has enabled them) entirely via Account (Profile icon) → Preferences by turning off the notification toggles—but only if the tenant admin has enabled the "Allow user override" option for all notifications.

Users cannot disable notifications entirely if:

• The "Allow user override" option is turned off for any notification at the tenant level by an admin.

• A notification group, or all notifications, are disabled at the tenant level by an admin.

Q: Why can't I change certain notification settings?

A: If the tenant admin has disabled the "Allow user override" option for a particular notification, users will not be able to modify settings for that notification.

Q: Can I choose the channels through which I receive notifications?

A: Yes, tenant admins can configure the channels at the tenant level.

For further assistance, please contact BalkanID support ().

Introduction: Seamless Security and Access Management in Slack

The BalkanID Slackbot integrates powerful identity security and access management capabilities directly into your Slack workspace. It is designed to be your team's central hub for managing application access, ensuring that security workflows are not only robust but also efficient and user-friendly.

By bringing critical notifications and approval processes into the collaborative environment your team already uses, the Slackbot eliminates friction, reduces response times, and enhances your organization's overall security posture.

Core Capabilities

• : Stay on top of user access reviews with automated notifications delivered via Slack. The bot alerts reviewers when campaigns are due, ensuring that standing privileges are regularly examined and access rights remain appropriate, thereby strengthening your security compliance.

• Streamlined Access Requests: Empower your users to request, approve, or deny access to applications directly through Slack commands and interactive modals on Slack. This removes the need to switch contexts or log into different platforms, accelerating the entire process from request to fulfillment.

• : Receive immediate alerts regarding security risks and misconfigurations discovered by the BalkanID platform. By notifying you directly in Slack, the bot enables your security team to acknowledge and remediate potential threats faster than ever.

Setting up the BalkanID Slackbot

This guide will walk you through the simple process of installing and configuring the BalkanID Slackbot for your workspace.

Prerequisites

Before you begin, please ensure you have the following permissions. You must be:

1. An Admin in your BalkanID tenant.

2. A Workspace Admin in the Slack workspace you wish to connect.

Note: The BalkanID Slackbot currently supports a one-to-one mapping. This means one BalkanID tenant can be connected to only one Slack workspace.

Installation steps

1. Log in to and select the tenant which you will be linking slack workspace with and then click on the Slackbot installation url. At this time the Slackbot can handle one BalkanID tenant connection with one Slack workspace.

2. Navigate to the page and under Notification Channels, click the Install BalkanID Slackbot button.
3. From the top right corner,

After it is installed in your Slack workspace, you can also find the Slackbot by clicking on “Add apps” and then search for “BalkanID”:

How Authentication Works: Linking Users

The BalkanID Slackbot authenticates users by matching their Slack email address to a user profile in your BalkanID tenant.

Crucial Point: For the Slackbot to work, a user's primary email address in their Slack profile must exactly match the email address associated with their user profile in BalkanID.

For Example:

If a Slack user named Cameron Anderson has the email address [email protected], they must also exist as a BalkanID user with the email [email protected]. If the emails do not match, the Slackbot will not be able to process their requests or commands.

Understanding the various review statuses in BalkanID is crucial for effectively managing user access review campaigns. These statuses provide real-time visibility into the progress and outcome of each review, ensuring accountability and facilitating timely actions. You can update the status of a review at any time until the campaign is either completed or prematurely aborted.

Here's a breakdown of the supported review statuses:

• Draft: This initial status indicates that a review has been created but is not yet active. It's a placeholder, allowing reviewers to prepare or set up the review before it officially begins. Reviews in "Draft" status do not yet require action from reviewers.

• Pending: Once a review campaign is launched, all outstanding reviews will move to a "Pending" status. This signifies that the review is active and awaiting action from the assigned reviewer(s).

• Waiting for info: This status indicates that the review process is blocked because the reviewer needs additional information to make a decision. The review can be actioned upon but indicates that the reviewer is still awaiting on a response from a stakeholder.

• Overdue: If a "Pending" review is not completed by its designated due date, its status will automatically change to "Overdue." This indicates that the review requires immediate attention to keep the campaign on track.

  • Overdue, Waiting for info: This status combines two conditions: the review is past its due date, and it's currently blocked because the reviewer is awaiting additional information. It signifies an urgent need for the requested information to unblock the overdue review.

• Approved: This status indicates that the reviewer has affirmed the user's current access or entity relation. The access is deemed appropriate and will remain unchanged.

• Denied: This status signifies that the reviewer has determined the user's access or entity relations are no longer appropriate and should be revoked. This decision can lead to one of the three statuses below:

  • Denied, notification sent: This status applies when a "Denied" review has resulted in a notification being sent to the relevant parties (e.g. the user, their manager, or IT). This is the final status of a "Denied" review when a notification system is set up, but there is no de-provisioning or ticketing system configured, or if the de-provisioning or ticket creation process failed.

  • Denied, ticket created: This status is assigned when a "Denied" review has led to the creation of a ticket in an integrated ticketing system. This is the final status of a "Denied" review when a ticketing system is set up, but there is no de-provisioning system configured, or if the de-provisioning process failed.

Audit Trail and Final Statuses:

All status updates, along with the user who performed the action, are meticulously recorded in the audit logs for each review. This provides a clear and transparent history of all decisions and changes.

Access Change Status

We also track previous appearances of access review items in campaigns which have already been completed. You can view this information in the Access Change Status column, and filter by these values via the filter panels/dialogs.

1. Added Access: this access item (entity -> has access to pair) was completely new, and had not been actioned upon and completed as of the current campaigns time of creation.

2. Unchanged Access: this access item appeared unchanged in a previous completed campaign, and was actioned upon. Click on this chip to view more info (such as the past action and action trail).

3. Modified Access: this access item appeared in a previous completed campaign, but with different permissions or other metadata. Click on this chip to view more info (such as the exact different in metadata and permissions).

BalkanID Risk Managers can get daily alerts for Findings via the BalkanID Slackbot, keeping them up to date on the access issues that should be addressed without needing to visit the app (contact [email protected] to enable this alert).

Daily Alerts

For each Finding Rule that has any findings, an alert will be sent via BalkanID Slackbot to each Risk Manager at 9AM CT every day.

Each such alert message includes the name and severity of the Finding, a summary of number of employees, identities and app integrations affected and a link back to the BalkanID web app for further information.

Additionally a list of matched Users and Identities is shown. See the screenshot below for a couple example alerts.

Configuration

These alerts can be configured on the Configure > System Notifications page under Findings, where the alert can be toggled on and off for all and for individual Finding Rules. Additionally, the alerts for individual Finding Rules can be sent to Slack Channels instead of direct messages from BalkanID Slackbot.

Enable/Disable

Findings (Daily alert) notifications can be disabled entirely with the notification group level toggle, and individually for specific Findings.

Send to Slack Channels

The alerts for each Finding can be be sent to a Slack Channel instead of direct message using the Send to Channel option. Default Channel can be set as a fallback for Findings without a channel individually specified.

Severity Level

If you'd rather not receive alerts for lower priority findings, but don't want to manage individually toggling specific Finding alerts on and off, you can set the Severity Level option, which is the minimum Finding Severity for which an alert will file. The default Severity Level is High to avoid noisy alerts, but it can be lowered or raised as needed.

Rollup

To summarize and reduce notification noise further, multiple Findings can be combined with less details in a single alert, by setting the Rollup toggle for those Findings.

See for more details on configuring notification preferences such as the Allow user override toggles.

Overview

In this article, we will walkthrough the Applications page in BalkanID. The Applications page gives a list of all applications that have been integrated within the BalkanID tenant.

To navigate to the Applications page, select the Applications page from Entities group.

You can use the search box and filters to explore the applications integrated with BalkanID. The following filter fields are available for this page:

Overview

In this article we will give an overview of the Connections page and how to utilize it for entitlement discovery. The Connections page provides a list of different connections available within an application integration. These connections are extracted from an application during the application integration stage.

To navigate to the Connections page, select the Connections page from the Entities group.

You can view all the connections with respect to the application that belong to your organization from here.

Introduction

You can automatically create tickets in Jira as a part of the following cases:

• Access Request has been approved

• Access Review has been denied

BalkanID makes it easy to integrate Single Sign-On (SSO) with your existing Identity Provider (IdP), helping you streamline authentication and improve security across your organization. By connecting your Identity Provider, you can centralize authentication, reduce password-related risks, and provide a seamless login experience for your users.

We support a wide range of industry-standard IdPs out of the box. Whether you're using a popular cloud IdP like Okta or Azure Entra ID, or a custom in-house solution that supports SAML or OIDC, BalkanID offers flexible support to meet your needs.

Supported Identity Providers

BalkanID currently supports the following IdPs:

Access reviews in BalkanID can be configured for a single reviewer or for multiple reviewers in a sequential order. This section explains how multi-level reviews work, ensuring user access reviews are thorough and accountable.

Understanding Multi-Level Reviews

Multi-level reviews are designed to add layers of oversight to the access review process. When you set up a multi-level review, you define a specific reviewer order, creating a chain of approval.Each reviewer in the sequence must take action before the review progresses to the next level. Only one reviewer at each level needs to approve for the review to proceed to the subsequent stage in the hierarchy.

A key aspect of multi-level reviews is that a user can edit their review decision at any time

BalkanID supports multiple fulfillment options, allowing seamless configuration for how identities, connections, and resources are provisioned or deprovisioned across all connected applications.

This comprehensive approach offers both a streamlined setup process and the versatility to integrate with your existing infrastructure. You can configure fulfillment via your Identity Provider (IdP), directly manage provisioning, connect via a SCIM server, create tickets for management through your Ticketing and Work Management solutions, or even trigger custom actions by calling webhooks and playbooks.

Note: To enable Fulfillment Options for your account, please .

The options are:

Getting Started

BalkanID recommends creating a separate service account for the purposes of this integration, instead of using personal or employee named accounts.

Requirements:

The New Connection Access Request System offers three primary functions:

• Connection Creation

• Connection Assignment

• Connection Deletion

Each function can be easily accessed through a simple selection process using radio buttons on our interface. Detailed steps on how to perform each action are provided below.

Insights can be , or generated as part of our process while connecting new applications. These may include insights about missing MFA, unused access for a period of time, terminated users, or users who act in the capacity of a manger, among others (plus custom insights you might have defined yourself).

Some of these may not be relevant after a while, or may be adding to the noise while reviewing access in a tenant with a large number of insights. Alternatively, some discovered and created insights might have a degree of overlap. In this case, you can hide insights. This will make it so that hidden insights are not shown anywhere on the tenant, for any user.

How to Hide Insights

Overview

In this article we will explain how to use the Identities page for access discovery. Here you will see a list of all the identities in your BalkanID environment, which includes employees, service accounts, and unmapped identities. You can use the filter menu or search bar to drill down for individual identities or groupings of identities, such as identity types, departments, or managers.

Keep in mind that this a list of application identities, not employees, and multiple identities are often tied back to one employee as a user account or service account.

To navigate to the Identities page, select the Identities page from the Entities section.

You can view the various identities associated with different applications.

You can use the search box and filters to explore the applications integrated. The following filter fields are available for this page:

• Identity - This field filters data based on the specific identity within an application. For example, to view information about alicegh in the GitHub (test) integration, use "alicegh (GitHub test)" as a filter in this field.

• Identity type - You can filter your identities based on a user being an employee, service account or an unmapped identity.

• Identity Name - This field filters data based on the name of the identity irrespective of the application integration type. For example, to view information about alice identity in all AWS integrations, enter the filter in this field.

Using multiple filter fields together will help you navigate through the data swiftly and will make your time spent on discovering entities a lot more productive! Refer to to learn more about filters.

Viewing Individual Identities

When you click on an identity from the list, a detailed view appears, presenting comprehensive access information specific to that individual or service.

This detailed view provides a granular understanding of an identity's access footprint across your entire system.

The "Has Access To" Tab

The Has Access To tab reveals which connections and resources this specific identity can access. This answers the question: "What can this connection do or reach?"

This tab provides a critical insight into the permissions and scope of the identity itself. For example, if you're examining an identity like "[email protected]" in your Azure integration, the "Has Access To" tab would show you:

• Resources Spencer can access (e.g., the "Production SQL Database," the "Dev Virtual Machine").

• Connections (like Azure groups or Azure RBAC roles) that Spencer is a member of (e.g., the "Admin-HR" group), which in turn grants him further access.

Exploring Entity Details

Every data point listed on the "Has Access To" tab is clickable. Clicking on an entity will open a sidebar providing detailed metadata about that specific entity. Each entity, depending on its type and the application it comes from, has its own unique set of metadata that gives you more context about it within the application.

Understanding Permissions

The "Permissions" column within this tab is also clickable. Clicking on the data in this column will reveal metadata specifically about the relationship between two entities shown in the tab.

To understand what each of these fields (like Connection Provider, Project, and Privileges) indicates, please refer to our dedicated guide on .

Getting Started

The following fields are required from AWS Identity Center:

Requirements

• Access Key

• Secret Access Key

• AWS Region

Getting the Access Key and Secret Access Key

1. Login to your AWS Console.

2. Select "Security Credentials" on the dropdown when you hover over your user email on the top-right.

3. Scroll down, until you see a section called "Access Keys". You will see a section shown in the below image:

Authentication

Access Key is used for authentication. The authenticated IAM User needs to have access to the Identity Center for the integration to work correctly. The IAM User needs to have the following policies attached to it:

Configuring AWS Identity Center on BalkanID Tenant

1. Login to the BalkanID application and switch to the tenant you would like to add your integration to.

2. Head to Integrations > Add Integration, select AWS Identity Center.
3. Set up the Primary Application owner (mandatory) and the Description, if any. Set up Secondary Application Owner(s), if any.

Getting Started

BalkanID recommends creating a separate service account for the purposes of this integration, instead of using personal or employee named accounts.

Requirements:

• Client ID

• Client Secret

• Environment ID

• Region Name

Getting the Configuration

1. Login to Ping Identity, and navigate to Connections > Applications.
2. Use the PingOne admin console to create your first application connection. To create the application connection:

   1. Click Connections.

Configure Ping Identity within your BalkanID tenant

1. Login to the BalkanID application and switch to the tenant you would like to add your integration to.

2. Head to Integrations > Third Party Applications and click Add Integration, select Ping Identity. Set up the Primary Application owner and the Description, if any.
3. Ping Identity would have been added to the list of applications. Click on the Configure and Integrate button beside the integration name, and configure the fields with the values that were noted prior. It should look like this:

Getting Started

BalkanID recommends creating a separate service account for the purposes of this integration, instead of using personal or employee named accounts.

Requirements:

• Bitbucket Access token of Workspace (Organization)

• Bitbucket API Url (example: “”)

• Username of Workspace ID (example: “myworkspace”)

• Bitbucket Account Username (example: "janesmith")

Get Access Token of Workspace

1. On the Bitbucket Workspace Page, navigate to Settings.
2. Go To Access Tokens.
3. Click on Create Workspace Access Token.

Get Workspace ID

1. Go to the Workspace settings.
2. Copy the Workspace ID.
3. Store the Workspace ID in a secure location.

Get Bitbucket Account Username

1. This is your account username, You can go to and copy your username under Bitbucket Profile Settings

Get Bitbucket Account App Password

1. Go to or Settings > Bitbucket Personal Settings > Access Management > App Password
2. Click on Create App Password and give the respective permissions.
3. Copy the App Password somewhere securely

Get Bitbucket URL

To configure your integration, paste the URL in the following format: https://api.your_bitbucket_domain.org.

Simply replace your_bitbucket_domain.org with the actual domain URL of your Bitbucket instance as shown in the image.

Configure Bitbucket within your BalkanID tenant

1. Login to the BalkanID application and switch to the tenant you would like to add your integration to.

2. Head to Integrations > Add Integration, select Bitbucket.
3. Set up the Primary Application owner (mandatory) and the Description, if any. Set up Secondary Application Owner(s), if any.