Time-based roles give you the option to enable administrator access to BetterCloud only at specific times, ensuring that access is turned on only when necessary and aligns with a least privilege model. This could entail setting weekday work hours for your service desk users, preventing unsanctioned changes made over the weekend, or making sure your admins are following regulations for employee engagement periods.
This is controlled under the “Schedule” tab when editing or creating a role from the Role-based Privileges management page. You can set the timezone as well as start and end times for each day of the week, depending on what the role requires. Learn more about configuring time-based roles in our help center article.
We’ve created two new actions that allow you to assign and revoke BetterCloud access roles through Workflows to automate onboarding and offboarding of domain administrators.
For example, you could use the Add User to Access Role action to automatically give a user privileges in BetterCloud when they are added to your BetterCloud Admin group in Okta or Google, or when they are moved to the appropriate department in Office 365. This will help ensure that the BetterCloud administrators will be ready to login to BetterCloud and get started immediately.
Administrator access represents a top priority for securing your environment, and with the Remove User from Access Role action, you can now include removing BetterCloud access as part of your offboarding Workflows. In the example below, when an admin is moved to the “Super Admin Offboarding” organizational unit in Google, they will have their super admin status in both Google and BetterCloud revoked, in addition to sending an email notifying their manager of the change, and creating a ticket in Zendesk to verify that these processes are all completed successfully. This will ensure that your users don’t have privileges past the point when they no longer need them, without requiring an additional manual step in your offboarding process.
Two-Factor Authentication Alerts and Directory Support
We now have two-factor authentication alerts available for Google, Slack, Zendesk, and Box. With this update, you can be alerted to changes in a user’s two-factor authentication status. One application of this would be to provide an immediate notification when a user disables two-factor and is no longer honoring your organization’s security policies. Alternatively, use the user enabled two-factor authentication alert to automatically move a user into a two-factor enforced organizational unit. These Alerts are available under the type “Template” in the alert management page.
In addition to providing new Alert triggers, two-factor status is also now available in the Directory grid for those four connectors, giving you quick filtering and export options, and allowing you to take immediate action from a centralized location.
Please note: Slack two-factor changes do not generate push notifications, and will only be reflected in the grid and trigger Alerts during the daily full sync. Two-factor status for Box is synced when a user’s status changes, meaning that if a user has not had their status change they will continue to appear with a dash in the grid. Additionally, we do not sync in globally enforced settings from the Box Admin Console.
Office 365 Last Login
With the goal of increasing visibility for all your Connectors, we’ve added last login information in the Users Directory for Office 365. See which accounts are not being put to use in order to free up licenses or export your users to identify trends in login data.
Please note: In order to receive login events for Office 365, your domain must have a Microsoft 365 Enterprise subscription. It can take up to 24 hours to receive this information, and for it to be reflected in the grids.
Some of your stakeholders may be users who do not have or need access to BetterCloud as admins, but that doesn’t mean they need to be in the dark. Use the new export option on the dashboard to give you a shareable snapshot that can be saved as a PDF, and make sure everyone is in the loop when it comes to your domain’s security and activity.