|
Decision Trees
|
|
Employee Access & Permissions Management
|
|
IT Support
|
|
New Business Qualification
|
|
Activate alerts
|
|
Activate behavioral and anomaly alerts
|
|
Add new access or permissions to an existing user
|
|
Apply elevated cloud platform permissions
|
|
Apply elevated permissions within cloud platforms
|
|
Apply MFA enhancements
|
|
Apply MFA enhancements required for privileged accounts
|
|
Apply monitoring
|
|
Apply monitoring required for privileged accounts
|
|
Apply server-level or local admin rights
|
|
Are key stakeholders aligned on the problem and desired outcome?
|
|
Are multiple users affected in the same application module?
|
|
Are multiple users logging into this same device?
|
|
Are multiple users reporting the same issue or symptom?
|
|
Are strong customer references crucial to their decision?
|
|
Are their support expectations aligned with our standard offerings?
|
|
Are there unique legal or contract needs beyond standard terms?
|
|
Are they comfortable with a cloud-based solution?
|
|
Are they highly concerned about scaling over time?
|
|
Are they looking to replace an incumbent solution?
|
|
Are they open to a pilot or proof-of-concept?
|
|
Are they open to our standard contract terms and duration?
|
|
Are we speaking with a decision maker or strong internal champion?
|
|
Assign additional application or system access beyond baseline
|
|
Assign default access based on user’s department
|
|
Assign privileged roles
|
|
Assign privileged roles approved for the user
|
|
Based on current information, is win probability high?
|
|
Can other devices connect to the same Wi‑Fi network?
|
|
Can the user access email from webmail/OWA?
|
|
Can the user connect to any network resources without VPN?
|
|
Can the user print a test page from another application?
|
|
Can the user reach the remote host by ping or name?
|
|
Check for conflict-of-interest restrictions
|
|
Complete final least-privilege audit
|
|
Conduct IT security risk review
|
|
Configure periodic access review reminders
|
|
Configure SIEM ingestion
|
|
Configure SIEM ingestion for privileged activity
|
|
Confirm access alignment following job movement
|
|
Confirm all accounts and permissions were successfully created
|
|
Confirm inactive or unused permissions should be removed
|
|
Confirm inactive or unused permissions should be retained
|
|
Confirm legitimacy of a manager-initiated request
|
|
Confirm offboarding for internal transfers
|
|
Confirm offboarding from contractor/vendor management
|
|
Confirm permissions remain appropriate after a project finishes
|
|
Confirm role meets least-privilege compliance
|
|
Confirm that user’s current access matches minimum required privileges
|
|
Confirm the access change request is legitimate and properly authorized
|
|
Confirm the legitimacy and source of the offboarding trigger
|
|
Confirm the request originated from an authorized and legitimate source
|
|
Confirm user training & certification requirements
|
|
Could multiple products or modules be bundled for higher value?
|
|
Create new user accounts across identity systems
|
|
Determine if compliance team approval is required
|
|
Determine which system or application access is being requested
|
|
Disable access to key applications
|
|
Disable core identity accounts after offboarding trigger
|
|
Disable email mailbox and block email login
|
|
Disable multi-factor authentication (MFA)
|
|
Disable shared-account or generic account access tied to user
|
|
Disable SSO/IdP access for the user
|
|
Disable user accounts across integrated subsystems
|
|
Disable VPN access
|
|
Do they need many integrations live at launch?
|
|
Do they require a formal security or vendor review?
|
|
Do they require governance and role-based access controls?
|
|
Do they require localization or additional language support?
|
|
Do they require robust API access or automation?
|
|
Do they value a strong partner or integration ecosystem?
|
|
Do we have a committed internal champion?
|
|
Does the company meet our minimum size or revenue thresholds?
|
|
Does the customer require specific compliance such as HIPAA or SOC 2?
|
|
Does the drive appear after manual mapping?
|
|
Does the estimated deal size meet our minimum threshold?
|
|
Does the expected usage volume match our product’s sweet spot?
|
|
Does the issue occur in multiple browsers?
|
|
Does the prospect’s tech stack integrate well with our platform?
|
|
Does the requested change impact production systems?
|
|
Does the user have access to any shared drives or resources?
|
|
Does the user have an assigned license for the affected application?
|
|
Does the user see the shared mailbox in their mail client?
|
|
Does the user’s role legitimately require local admin rights?
|
|
Does their need fit our standard entry or mid-tier product offerings?
|
|
Enable session recording
|
|
Enable session recording for privileged actions
|
|
Enforce enhanced MFA
|
|
Enforce enhanced MFA for privileged accounts
|
|
Ensure all data transfers completed
|
|
Ensure all user files are archived or transferred
|
|
Ensure all user files are archived or transferred before deletion
|
|
Ensure request meets business, security, and compliance requirements
|
|
Final justification compliance decision
|
|
Final privileged-access verification
|
|
Final verification
|
|
Final verification of monitoring setup completion
|
|
Handle application-level data
|
|
Handle application-level data (task ownership, workflows, dashboards)
|
|
Handle calendars owned by the user
|
|
Handle mailbox content
|
|
Handle mailbox content (email ownership, project threads, approvals)
|
|
Handle shared network drive files
|
|
Handle SharePoint-owned document libraries
|
|
Has a budget been allocated or clearly defined for this project?
|
|
Has the device been restarted after applying updates?
|
|
Has the user already left the organization?
|
|
Has the user recently changed their password?
|
|
Have they trialed similar tools or vendors before?
|
|
Identify the correct permission tier for the user
|
|
Initial evaluation of the submitted access request
|
|
Is a channel or implementation partner involved in the deal?
|
|
Is data residency a strict requirement for them?
|
|
Is our pricing model compatible with how they budget and buy?
|
|
Is secure/pull printing already configured for the user?
|
|
Is the affected data covered by standard backup policies?
|
|
Is the asset tag found in the inventory system?
|
|
Is the business pain significant and time-bound?
|
|
Is the customer aligned with our ideal success profile?
|
|
Is the customer operating in regions we fully support?
|
|
Is the device currently reporting as non-compliant?
|
|
Is the device enrolled in mobile device management (MDM)?
|
|
Is the device past its documented lifecycle date?
|
|
Is the device powering on with indicator lights or sounds?
|
|
Is the device reporting as encryption-compliant?
|
|
Is the endpoint protection client up to date and running?
|
|
Is the expected data volume within standard product limits?
|
|
Is the issue only with audio or video?
|
|
Is the issue related to mandatory IT or security training access?
|
|
Is the primary use case clearly defined and agreed upon?
|
|
Is the proposed implementation relatively straightforward?
|
|
Is the prospect actively evaluating competitors?
|
|
Is the prospect’s business clearly within our target industries?
|
|
Is the prospect’s primary problem one that our products solve well?
|
|
Is the requested software available in the self-service catalog?
|
|
Is the slowness isolated to one application?
|
|
Is the solution likely to be renewed annually or expanded?
|
|
Is the sync client signed in with the correct account?
|
|
Is the system date and time accurate?
|
|
Is the ticket already assigned to the correct resolver group?
|
|
Is the user able to reach the login page?
|
|
Is the user able to ship or drop off the device?
|
|
Is the user attempting to reuse an old or weak password?
|
|
Is the user completely blocked from performing their job?
|
|
Is the user enrolled in self-service password reset?
|
|
Is the user exceeding documented storage limits?
|
|
Is the user part of the correct security or access group?
|
|
Is the user receiving MFA codes or prompts?
|
|
Is the user requesting support for non-approved tools or services?
|
|
Is the user working on a company-managed device?
|
|
Is their procurement process clearly understood?
|
|
Is there a clear implementation timeline or compelling event driving urgency?
|
|
Is there a clear path for future upsell or cross-sell?
|
|
Is there a matching knowledge article for this issue?
|
|
Is there a valid business justification documented for this access?
|
|
Is there executive sponsorship for this initiative?
|
|
Is there strong potential for multi-year or expansion revenue?
|
|
Is this a standard endpoint build scenario?
|
|
Provision AD admin roles
|
|
Provision AD-based admin roles
|
|
Provision application-level admin roles
|
|
Remove access and document completion
|
|
Remove access based on least-privilege alignment
|
|
Remove access based on role update
|
|
Remove access based on termination-related events
|
|
Remove access for account cleanup
|
|
Remove access from user
|
|
Remove access safely
|
|
Remove access safely without impacting system function
|
|
Remove all elevated or administrative rights
|
|
Remove all elevated or administrative rights assigned to user
|
|
Remove distribution group/role-based group memberships
|
|
Remove elevated access inside applications
|
|
Remove elevated access inside applications (admin consoles, reporting, dashboard
|
|
Remove elevated workstation/local machine rights
|
|
Remove elevated workstation/local rights
|
|
Remove emergency access
|
|
Remove emergency access ("break glass") accounts
|
|
Remove service accounts tied to the user
|
|
Remove shared mailbox access
|
|
Remove system or application access for an existing user
|
|
Remove temporary access
|
|
Route privileged-access request through required approval chain
|
|
Validate approvals match internal controls
|
|
Validate correctness of privileged or elevated access
|
|
Validate emergency security-driven deactivation
|
|
Validate offboarding for long-term inactivity
|
|
Validate permissions against compliance rules
|
|
Validate provisioning completion
|
|
Validate regulatory constraints
|
|
Validate regulatory constraints (SOX, HIPAA, PCI, internal audit)
|
|
Validate resignation events
|
|
Validate system owner approval when required
|
|
Validate that security policies and compliance rules are met
|
|
Verify all required accounts have been disabled
|
|
Verify group membership before provisioning
|
|
Verify requester identity & authority
|
|
Was the alert generated by an approved security tool?
|
|
Was the data stored in approved/managed locations?
|
|
Was the standard onboarding checklist completed?
|
|
Will end users need structured training to be successful?
|
|
Will multiple departments or teams use the solution?
|
|
Will they require professional services or onboarding support?
|
|
Will this product be business-critical for them?
|
|
Will this solution introduce significant process change?
|
|
Access Check
|
|
Ask system name
|
|
Ask: “Can you confirm the new hire’s start date and department?”
|
|
Ask: “Can you confirm the username or employee ID for AD deactivation?”
|
|
Ask: “Can you confirm the username or employee ID?”
|
|
Ask: “Did the user own or manage any shared calendars?”
|
|
Ask: “Did the user own or manage SharePoint sites or document libraries?”
|
|
Ask: “Did the user store files on mapped network drives or department file share
|
|
Ask: “Do any permissions conflict with security, compliance, or audit rules?”
|
|
Ask: “Do any permissions conflict with security, compliance, or audit rules?”
|
|
Ask: “Do you have manager/system-owner approval for this access?”
|
|
Ask: “Does current role still require this permission?”
|
|
Ask: “Does provisioning require admin access within a specific application?”
|
|
Ask: “Does the mailbox contain messages needing transfer (workflows, approvals,
|
|
Ask: “Does the mailbox contain messages needing transfer (workflows, approvals,
|
|
Ask: “Does the request satisfy business, security, and compliance requirements?”
|
|
Ask: “Does the requested system require owner approval?”
|
|
Ask: “Does the user have access through integrated or downstream systems?”
|
|
Ask: “Does the user have an active mailbox?”
|
|
Ask: “Does the user have VPN or remote access assigned?”
|
|
Ask: “Does the user need local admin or server-level admin rights?”
|
|
Ask: “Does this access depend on or impact other systems?”
|
|
Ask: “Does this access depend on or impact other systems?”
|
|
Ask: “Does this access require prerequisite systems or training?”
|
|
Ask: “Does this privileged role require enhanced MFA?”
|
|
Ask: “Does this privileged role require enhanced MFA?”
|
|
Ask: “Does this privileged role require enhanced MFA?”
|
|
Ask: “Does this privileged role require enhanced MFA?”
|
|
Ask: “Does this privileged role require scheduled access review audits?”
|
|
Ask: “Does this request fall under regulated systems (finance, healthcare, cardh
|
|
Ask: “Does this request fall under regulated systems?”
|
|
Ask: “Does this request include elevated cloud platform permissions (Azure, AWS,
|
|
Ask: “Does this request include elevated cloud platform permissions (Azure, AWS,
|
|
Ask: “Does this request introduce separation-of-duties risk?”
|
|
Ask: “Does this request involve a regulated system (SOX, HIPAA, PCI)?”
|
|
Ask: “Does this request involve an Active Directory privileged role?”
|
|
Ask: “Does this request involve an Active Directory privileged role?”
|
|
Ask: “Does this role require privileged session recording?”
|
|
Ask: “Does this role require privileged session recording?”
|
|
Ask: “Has all privileged role provisioning been completed successfully?”
|
|
Ask: “Has IT Security reviewed this request for risk alignment?”
|
|
Ask: “Has the Active Directory account provisioned successfully?”
|
|
Ask: “Has the mailbox successfully created and synced?”
|
|
Ask: “Has the user completed required privileged-access security training?”
|
|
Ask: “Has the user synced to the SSO provider?”
|
|
Ask: “Has the user’s direct manager approved this request?”
|
|
Ask: “Have all additional systems applied the user’s permissions?”
|
|
Ask: “Have all data sources been transferred or archived?”
|
|
Ask: “Have all permissions been reviewed for necessity, justification, and compl
|
|
Ask: “Have all privileged roles and shared-mailbox rights been removed?”
|
|
Ask: “Have all required accounts (AD, SSO, email, apps) been disabled?”
|
|
Ask: “Have all required approvals been collected?”
|
|
Ask: “Have all required monitoring controls been implemented successfully?”
|
|
Ask: “Have all required monitoring controls been implemented successfully?”
|
|
Ask: “Is privileged access the minimum required to complete the task?”
|
|
Ask: “Is the requester the user’s manager or a system owner?”
|
|
Ask: “Is the user a member of any distribution lists or role-based access groups
|
|
Ask: “Is the user a new hire, existing employee, contractor, or vendor?”
|
|
Ask: “Is the user already a member of this privileged group?”
|
|
Ask: “Is the user enrolled in MFA?”
|
|
Ask: “Is the user requesting standard, elevated, or administrative access?”
|
|
Ask: “Is the user still employed?”
|
|
Ask: “Is the user visible in the SSO directory?”
|
|
Ask: “Is this access needed immediately or on a future date?”
|
|
Ask: “Is this access permanent or temporary?”
|
|
Ask: “Is this access permanent or temporary?”
|
|
Ask: “Must privileged activity be forwarded to the SIEM?”
|
|
Ask: “Must privileged activity be forwarded to the SIEM?”
|
|
Ask: “Should privileged activity trigger behavioral or anomaly alerts?”
|
|
Ask: “Should privileged activity trigger behavioral or anomaly alerts?”
|
|
Ask: “Was the user added as a local admin on any workstation or server?”
|
|
Ask: “Was the user added as a local admin on any workstation or server?”
|
|
Ask: “Was the user assigned access to any shared or generic accounts?”
|
|
Ask: “Was the user ever issued emergency or break-glass credentials?”
|
|
Ask: “Was the user ever issued emergency or break-glass credentials?”
|
|
Ask: “Was the user the owner or operator of any service accounts?”
|
|
Ask: “Was this access temporary?”
|
|
Ask: “What business purpose requires these additional permissions?”
|
|
Ask: “What initiated this offboarding request?”
|
|
Ask: “What initiated this offboarding request?”
|
|
Ask: “What initiated this offboarding request?”
|
|
Ask: “What initiated this offboarding request?”
|
|
Ask: “What initiated this offboarding request?”
|
|
Ask: “What initiated this offboarding request?”
|
|
Ask: “What initiated this offboarding request?”
|
|
Ask: “Which application accounts need to be disabled?”
|
|
Ask: “Which applications assigned the user elevated roles (admin, supervisor, co
|
|
Ask: “Which applications assigned the user elevated roles (admin, supervisor, co
|
|
Ask: “Which business applications contain user-owned tasks, workflows, or dashbo
|
|
Ask: “Which business applications contain user-owned tasks, workflows, or dashbo
|
|
Ask: “Which department will the new hire be working in?”
|
|
Ask: “Which monitoring controls are required for this privileged role?”
|
|
Ask: “Which monitoring controls are required for this privileged role?”
|
|
Ask: “Which permissions or systems are impacted by the user’s new job role?”
|
|
Ask: “Which permissions or systems need to be revalidated for least-privilege re
|
|
Ask: “Which permissions show no recent usage?”
|
|
Ask: “Which permissions show no recent usage?”
|
|
Ask: “Which privileged access is being requested?”
|
|
Ask: “Which privileged or admin roles are assigned to this user?”
|
|
Ask: “Which privileged or admin roles are assigned to this user?”
|
|
Ask: “Which privileged or elevated permissions are under review?”
|
|
Ask: “Which privileged role has been approved for provisioning?”
|
|
Ask: “Which privileged role has been approved for provisioning?”
|
|
Ask: “Which project-based permissions or temporary roles need to be reviewed?”
|
|
Ask: “Which shared mailboxes was the user assigned to?”
|
|
Ask: “Which specific system or application needs additional access assigned?”
|
|
Ask: “Which system needs additional access?”
|
|
Ask: “Which system or application does the user need access to?”
|
|
Ask: “Which system or application needs access removed?”
|
|
Ask: “Which system or application needs additional access?”
|
|
Ask: “Which systems contain the user’s files or owned content?”
|
|
Ask: “Which systems contain the user’s files or owned content?”
|
|
Ask: “Who submitted this access request?”
|
|
Ask: “Who submitted this request for access changes?”
|
|
Ask: “Why is access being removed?”
|
|
Ask: “Why is access being removed?”
|
|
Ask: “Why is this access change needed?”
|
|
Begin identity mapping
|
|
Conduct verification audit
|
|
Confirm authentication readiness
|
|
Populate required fields
|
|
Prepare message
|
|
Start AD provisioning
|
|
Start mailbox provisioning
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
Approval Criteria Met
|
|
Ask: “Does the user’s role still justify privileged-level access?”
|
|
Ask: “Has the project or temporary assignment ended?”
|
|
Ask: “Has the user accessed this permission or system within the allowed usage t
|
|
Ask: “Has the user accessed this permission or system within the allowed usage t
|
|
Ask: “Is the user’s current job role different from the role originally assigned
|
|
Ask: “Is the user’s current job role still the same?”
|
|
Assign department based on HR record
|
|
Assign M365/Exchange license type
|
|
Attempt clarification
|
|
Attempt first login to ensure account is active
|
|
Attempt Verification
|
|
Check AD group memberships
|
|
Check approvals
|
|
Check Expiration
|
|
Check for admin role
|
|
Check job description alignment
|
|
Check permission list
|
|
Check requirement
|
|
Check role alignment
|
|
Check system category
|
|
Check workstation group membership
|
|
Check workstation/group listings
|
|
Compare request against job description
|
|
Compare task requirement vs. privilege scope
|
|
Compliant
|
|
Confirm Authorization
|
|
Confirm documentation
|
|
Confirm Manager Approval
|
|
Confirm permission level
|
|
Confirm permission type
|
|
Confirm reason
|
|
Confirm urgency
|
|
Conflict Validation
|
|
Criteria Not Met
|
|
Define duration
|
|
Determine privilege type
|
|
Determine Reason
|
|
Document Results
|
|
Documentation
|
|
Documentation Review
|
|
Duration Prompt
|
|
Ensure AD attributes sync to SSO
|
|
Ensure all required accounts (AD, Email, SSO, apps) are active
|
|
Ensure all required accounts are active
|
|
Follow naming convention
|
|
Follow naming convention (first initial + last name)
|
|
Identify admin role (Domain Admin, Local Admin, App Admin)
|
|
Identify admin type
|
|
Identify any regulatory system association
|
|
Identify calendar ownership
|
|
Identify content
|
|
Identify file ownership
|
|
Identify folder paths owned or modified by user
|
|
Identify folders requiring reassignment
|
|
Identify HR Event
|
|
Identify HR Event
|
|
Identify HR Event
|
|
Identify Missing
|
|
Identify Missing
|
|
Identify Missing
|
|
Identify reason
|
|
Identify regulation scope
|
|
If Failure
|
|
If Successful
|
|
Impact Review
|
|
Include AD, email, SSO, baseline access, additional access
|
|
Include relevant details
|
|
Justification Review
|
|
Missing Review
|
|
Monitoring Complete
|
|
Monitoring Incomplete
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
Not removal candidate
|
|
Permission Type
|
|
Prerequisite Check
|
|
Provide categories
|
|
Provide clarification
|
|
Provisioning Complete
|
|
Provisioning Incomplete
|
|
Request folder path
|
|
Retrieve Finance baseline profile
|
|
Retrieve HR baseline profile
|
|
Retrieve IT baseline profile
|
|
Retrieve Ops baseline profile
|
|
Retrieve Sales baseline profile
|
|
Review approval details
|
|
Review OneDrive, SharePoint, File Shares
|
|
Review OneDrive, SharePoint, File Shares, Local Drives
|
|
Safe Removal
|
|
Scope Review
|
|
Separate requests
|
|
Unable to assign baseline
|
|
Urgency Check
|
|
Validate
|
|
Validate
|
|
Validate
|
|
Validate
|
|
Validate
|
|
Validate
|
|
Validate access via provisioning tool or IAM system
|
|
Validate AD account in directory
|
|
Validate additional permissions
|
|
Validate additional system provisioning logs
|
|
Validate alert requirement
|
|
Validate app role assignment
|
|
Validate application access level
|
|
Validate approval
|
|
Validate approval presence
|
|
Validate approvals
|
|
Validate assignment
|
|
Validate assignment
|
|
Validate assignment logs
|
|
Validate authority
|
|
Validate calendar existence
|
|
Validate category
|
|
Validate cloud privilege level
|
|
Validate Contract End
|
|
Validate contractor engagement
|
|
Validate controls
|
|
Validate controls (session logging, alerts, MFA, SIEM)
|
|
Validate current role assignments
|
|
Validate Documentation
|
|
Validate Documentation
|
|
Validate duties (e.g., same user approving & administering)
|
|
Validate elevated-role assignment
|
|
Validate emergency assignment
|
|
Validate emergency-access assignment
|
|
Validate employee's active status
|
|
Validate enrollment in MFA provider
|
|
Validate Exchange/M365 mailbox availability
|
|
Validate group assignments
|
|
Validate HR Record
|
|
Validate HR Transfer Event
|
|
Validate HR-provided new hire record
|
|
Validate if role is AD-based
|
|
Validate Inactivity
|
|
Validate Incident
|
|
Validate job role
|
|
Validate mailbox
|
|
Validate mailbox
|
|
Validate mailbox exists in Exchange/M365
|
|
Validate Manager
|
|
Validate Manager Identity
|
|
Validate manager, owner, security, and compliance (if required)
|
|
Validate MFA enforcement policy
|
|
Validate MFA enrollment
|
|
Validate name
|
|
Validate new hire exists in HRIS
|
|
Validate OneDrive content
|
|
Validate presence
|
|
Validate presence
|
|
Validate presence in mailbox permission list
|
|
Validate presence in privileged groups (Domain Admin, Local Admin, Security Grou
|
|
Validate presence in VPN system
|
|
Validate presence of assignable items
|
|
Validate presence of files
|
|
Validate privilege need
|
|
Validate privileged-group membership
|
|
Validate purpose
|
|
Validate record
|
|
Validate requirement
|
|
Validate requirement
|
|
Validate requirement
|
|
Validate requirement
|
|
Validate requirement
|
|
Validate requirement
|
|
Validate requirement
|
|
Validate role of requester
|
|
Validate role type
|
|
Validate scope
|
|
Validate security review record
|
|
Validate service-account association
|
|
Validate service-account linkage
|
|
Validate SIEM ingestion requirement
|
|
Validate site/document library ownership
|
|
Validate SOD
|
|
Validate SSO identity
|
|
Validate system category
|
|
Validate System Trigger
|
|
Validate system-specific approval rules
|
|
Validate through IAM
|
|
Validate training
|
|
Validate training records
|
|
Validate user account in application
|
|
Validate user appears in SSO directory
|
|
Validate user in application
|
|
Validate user in SSO directory
|
|
Validate user presence in SSO provider
|
|
Validate user’s role in each identified site
|
|
Validate vendor authorization
|
|
Verify identity in AD/HRIS
|
|
Verify in AD/HRIS
|
|
Verify manager identity
|
|
Verify manager identity
|
|
Verify User
|
|
Verify user in AD
|
|
Accept Necessity
|
|
Accept Requester
|
|
Access Confirmation
|
|
Activate Enhanced MFA
|
|
AD Disable Action
|
|
Add to AD Group
|
|
Address
|
|
Apply Enhanced MFA
|
|
Approval
|
|
Approvals Confirmed
|
|
Approvals Incomplete
|
|
Archive Files
|
|
Ask about requirement
|
|
Ask caller for more details
|
|
Ask caller to provide screenshot, link, or system owner name
|
|
Ask for required permission tier
|
|
Ask for start/end dates
|
|
Ask permission level
|
|
Ask: “Can you provide the exact folder path or screenshot?”
|
|
Ask: “Is it related to Finance, HR, Collaboration, Operations, IT Tools, or Deve
|
|
Ask: “Is this access change required due to an audit finding or compliance requi
|
|
Ask: “Is this for system administration, user management, or configuration?”
|
|
Ask: “Is this read, edit, manage, or admin-level access?”
|
|
Ask: “Is this standard access, elevated access, or administrative access?”
|
|
Ask: “Is this temporary or permanent access?”
|
|
Ask: “Why does the user require elevated permissions?”
|
|
Assess Necessity
|
|
Assess Necessity
|
|
Assess Relevance
|
|
Assign App Admin Role
|
|
Assign Cloud Role
|
|
Assign Local/Server Admin
|
|
Assign manager field in AD
|
|
Assign SSO Group
|
|
Authentication Failure
|
|
Authorization
|
|
Authorization Check
|
|
Capture Approval
|
|
Capture Business Justification
|
|
Check contract details
|
|
Check system against approved enterprise application list
|
|
Clear of Conflicts
|
|
Cloud Privilege Not Needed
|
|
Compare job role to standard access package
|
|
Configure Alerts
|
|
Configure Session Recording
|
|
Confirm
|
|
Confirm Active Status
|
|
Confirm Compliance Approval Needed
|
|
Confirm contract dates and vendor assignment
|
|
Confirm employee is active in HRIS
|
|
Confirm name and reporting structure in HRIS
|
|
Confirm necessity
|
|
Confirm Scope
|
|
Confirm spelling of first/last name
|
|
Confirm start date and department
|
|
Confirm vendor company and statement of work
|
|
Conflict Response
|
|
Contract Check
|
|
Correct
|
|
Correct
|
|
Correct
|
|
Correct
|
|
Correct
|
|
Credentials Working
|
|
Decline Elevated Access
|
|
Directory Lookup
|
|
Disable App Access
|
|
Disable Integrated Accounts
|
|
Doc Check
|
|
Document removal in ticket and audit logs
|
|
Does this prospect match our ideal customer profile in terms of industry, size,
|
|
Does this prospect match our ideal customer profile in terms of industry, size,
|
|
Does this prospect match our ideal customer profile in terms of industry, size,
|
|
Does this prospect match our ideal customer profile in terms of industry, size,
|
|
Does this prospect match our ideal customer profile in terms of industry, size,
|
|
Does this prospect match our ideal customer profile in terms of industry, size,
|
|
Does this prospect match our ideal customer profile in terms of industry, size,
|
|
Does this prospect match our ideal customer profile in terms of industry, size,
|
|
Does this prospect match our ideal customer profile in terms of industry, size,
|
|
Does this prospect match our ideal customer profile in terms of industry, size,
|
|
Does this prospect match our ideal customer profile in terms of industry, size,
|
|
Does this prospect match our ideal customer profile in terms of industry, size,
|
|
Does this prospect match our ideal customer profile in terms of industry, size,
|
|
Does this prospect match our ideal customer profile in terms of industry, size,
|
|
Does this prospect match our ideal customer profile in terms of industry, size,
|
|
Does this prospect match our ideal customer profile in terms of industry, size,
|
|
Does this prospect match our ideal customer profile in terms of industry, size,
|
|
Does this prospect match our ideal customer profile in terms of industry, size,
|
|
Does this prospect match our ideal customer profile in terms of industry, size,
|
|
Does this prospect match our ideal customer profile in terms of industry, size,
|
|
Does this prospect match our ideal customer profile in terms of industry, size,
|
|
Does this prospect match our ideal customer profile in terms of industry, size,
|
|
Does this prospect match our ideal customer profile in terms of industry, size,
|
|
Does this prospect match our ideal customer profile in terms of industry, size,
|
|
Does this prospect match our ideal customer profile in terms of industry, size,
|
|
Does this prospect match our ideal customer profile in terms of industry, size,
|
|
Does this prospect match our ideal customer profile in terms of industry, size,
|
|
Does this prospect match our ideal customer profile in terms of industry, size,
|
|
Does this prospect match our ideal customer profile in terms of industry, size,
|
|
Does this prospect match our ideal customer profile in terms of industry, size,
|
|
Does this prospect match our ideal customer profile in terms of industry, size,
|
|
Does this prospect match our ideal customer profile in terms of industry, size,
|
|
Does this prospect match our ideal customer profile in terms of industry, size,
|
|
Does this prospect match our ideal customer profile in terms of industry, size,
|
|
Does this prospect match our ideal customer profile in terms of industry, size,
|
|
Does this prospect match our ideal customer profile in terms of industry, size,
|
|
Does this prospect match our ideal customer profile in terms of industry, size,
|
|
Does this prospect match our ideal customer profile in terms of industry, size,
|
|
Does this prospect match our ideal customer profile in terms of industry, size,
|
|
Does this prospect match our ideal customer profile in terms of industry, size,
|
|
Does this prospect match our ideal customer profile in terms of industry, size,
|
|
Does this prospect match our ideal customer profile in terms of industry, size,
|
|
Does this prospect match our ideal customer profile in terms of industry, size,
|
|
Does this prospect match our ideal customer profile in terms of industry, size,
|
|
Does this prospect match our ideal customer profile in terms of industry, size,
|
|
Does this prospect match our ideal customer profile in terms of industry, size,
|
|
Does this prospect match our ideal customer profile in terms of industry, size,
|
|
Does this prospect match our ideal customer profile in terms of industry, size,
|
|
Does this prospect match our ideal customer profile in terms of industry, size,
|
|
Does this prospect match our ideal customer profile in terms of industry, size,
|
|
Eligible for Provisioning
|
|
Enable Logging
|
|
Enable Review Reminders
|
|
Enable SIEM Ingestion
|
|
Ensure emergency justification is valid
|
|
Ensure permanent access aligns with job duties
|
|
Ensure username is not already in use
|
|
Ensure username is not already in use
|
|
Error
|
|
Error
|
|
Excessive permission risk
|
|
Excessive risk
|
|
Explain: “Standard = use; elevated = manage content; admin = configure system”
|
|
File Share Processing
|
|
HRIS Check
|
|
HRIS Check
|
|
HRIS Event Lookup
|
|
HRIS Review
|
|
HRIS Validation
|
|
Identify failing system
|
|
Identify failure cause (sync delay, role cache, permissions mismatch)
|
|
Identity Check
|
|
If Admin-Level Access
|
|
If Aligned
|
|
If Approved
|
|
If Audit Finding
|
|
If Completed
|
|
If Confirmed
|
|
If Confirmed
|
|
If Edit Access
|
|
If Event Not Found
|
|
If Expired
|
|
If Manage-Level Access
|
|
If No
|
|
If Not Approved
|
|
If Not Found
|
|
If Not Valid
|
|
If Not Verified
|
|
If Read Access
|
|
If Removing Affects Other Systems
|
|
If Yes
|
|
If Yes
|
|
Inactivity Review
|
|
Incident Check
|
|
Inform caller access is still required
|
|
Inform caller baseline package cannot be determined
|
|
Insufficient justification
|
|
Invalid request
|
|
Invalid User
|
|
Is this issue blocking the user from performing critical work tasks?
|
|
Is this issue blocking the user from performing critical work tasks?
|
|
Is this issue blocking the user from performing critical work tasks?
|
|
Is this issue blocking the user from performing critical work tasks?
|
|
Is this issue blocking the user from performing critical work tasks?
|
|
Is this issue blocking the user from performing critical work tasks?
|
|
Is this issue blocking the user from performing critical work tasks?
|
|
Is this issue blocking the user from performing critical work tasks?
|
|
Is this issue blocking the user from performing critical work tasks?
|
|
Is this issue blocking the user from performing critical work tasks?
|
|
Is this issue blocking the user from performing critical work tasks?
|
|
Is this issue blocking the user from performing critical work tasks?
|
|
Is this issue blocking the user from performing critical work tasks?
|
|
Is this issue blocking the user from performing critical work tasks?
|
|
Is this issue blocking the user from performing critical work tasks?
|
|
Is this issue blocking the user from performing critical work tasks?
|
|
Is this issue blocking the user from performing critical work tasks?
|
|
Is this issue blocking the user from performing critical work tasks?
|
|
Is this issue blocking the user from performing critical work tasks?
|
|
Is this issue blocking the user from performing critical work tasks?
|
|
Is this issue blocking the user from performing critical work tasks?
|
|
Is this issue blocking the user from performing critical work tasks?
|
|
Is this issue blocking the user from performing critical work tasks?
|
|
Is this issue blocking the user from performing critical work tasks?
|
|
Is this issue blocking the user from performing critical work tasks?
|
|
Is this issue blocking the user from performing critical work tasks?
|
|
Is this issue blocking the user from performing critical work tasks?
|
|
Is this issue blocking the user from performing critical work tasks?
|
|
Is this issue blocking the user from performing critical work tasks?
|
|
Is this issue blocking the user from performing critical work tasks?
|
|
Is this issue blocking the user from performing critical work tasks?
|
|
Is this issue blocking the user from performing critical work tasks?
|
|
Is this issue blocking the user from performing critical work tasks?
|
|
Is this issue blocking the user from performing critical work tasks?
|
|
Is this issue blocking the user from performing critical work tasks?
|
|
Is this issue blocking the user from performing critical work tasks?
|
|
Is this issue blocking the user from performing critical work tasks?
|
|
Is this issue blocking the user from performing critical work tasks?
|
|
Is this issue blocking the user from performing critical work tasks?
|
|
Is this issue blocking the user from performing critical work tasks?
|
|
Is this issue blocking the user from performing critical work tasks?
|
|
Is this issue blocking the user from performing critical work tasks?
|
|
Is this issue blocking the user from performing critical work tasks?
|
|
Is this issue blocking the user from performing critical work tasks?
|
|
Is this issue blocking the user from performing critical work tasks?
|
|
Is this issue blocking the user from performing critical work tasks?
|
|
Is this issue blocking the user from performing critical work tasks?
|
|
Is this issue blocking the user from performing critical work tasks?
|
|
Is this issue blocking the user from performing critical work tasks?
|
|
Is this issue blocking the user from performing critical work tasks?
|
|
Issue found
|
|
License Validity
|
|
Licensing Block
|
|
Load Finance baseline permissions
|
|
Load Finance baseline permissions (ERP read, shared drives, reporting tools)
|
|
Load HR baseline permissions
|
|
Load HR baseline permissions (HRIS access, documents share, onboarding tools)
|
|
Load IT baseline
|
|
Load IT baseline (ticketing system, admin tools, knowledge base)
|
|
Load Ops baseline
|
|
Load Ops baseline (inventory system, workflow tools)
|
|
Load Sales baseline
|
|
Load Sales baseline (CRM, shared drives, sales dashboards)
|
|
Locate Privileged Group
|
|
Mailbox Creation
|
|
Mailbox Disable
|
|
Manager Check
|
|
MFA Enrollment
|
|
Missing components
|
|
Missing Info
|
|
Missing Manager Approval
|
|
Missing record
|
|
Missing Role
|
|
Missing SSO Record
|
|
Missing training
|
|
No Account
|
|
No Action Required
|
|
No Alerts Needed
|
|
No App-Level Data
|
|
No Break Glass Access
|
|
No Calendar Transfer
|
|
No Compliance Review Needed
|
|
No Elevated App Access
|
|
No Enhanced MFA
|
|
No File Share Content
|
|
No Group Memberships
|
|
No Integrated Access
|
|
No Local Admin Access
|
|
No Mailbox
|
|
No Mailbox Action
|
|
No MFA
|
|
No MFA Enhancement
|
|
No Monitoring Required
|
|
No OneDrive Data
|
|
No Owner Approval Needed
|
|
No Privileged Access
|
|
No Recording Needed
|
|
No Regulatory Restrictions
|
|
No Review Scheduling
|
|
No Server Admin Needed
|
|
No Service Accounts
|
|
No Shared Access
|
|
No Shared Mailbox Access
|
|
No SharePoint Transfer
|
|
No SIEM Routing
|
|
No VPN Access
|
|
Not Privileged Access
|
|
Notify
|
|
Notify
|
|
Notify
|
|
Notify
|
|
Notify Manager
|
|
Notify Requester
|
|
OneDrive Handling
|
|
OneDrive Handling
|
|
Prepare Notification
|
|
Privilege Removal
|
|
Privileged Access Removal
|
|
Proceed
|
|
Proceed
|
|
Removal Candidate
|
|
Remove Elevated Role
|
|
Remove Group Access
|
|
Remove Local Admin
|
|
Remove Shared Mailbox Rights
|
|
Remove VPN Access
|
|
Required Permission
|
|
Restriction Review
|
|
Restriction Review
|
|
Revoke Emergency Access
|
|
Revoke MFA
|
|
Revoke Shared Access
|
|
Security Clearance
|
|
Security Review Needed
|
|
Send Notification
|
|
Skip AD Provisioning
|
|
Skip App Role Provisioning
|
|
SSO Disable Action
|
|
SSO Error
|
|
Standard Removal
|
|
Still needed
|
|
Stop
|
|
Training Needed
|
|
Training Verified
|
|
Transfer App Data
|
|
Transfer Calendar Ownership
|
|
Transfer Mailbox Content
|
|
Transfer or Disable Service Account
|
|
Transfer Site Ownership
|
|
Unauthorized
|
|
Unauthorized Request
|
|
Validate Audit Proof
|
|
Validate each requested system independently
|
|
Validate identity
|
|
Validate information
|
|
Validate name and reporting structure in HRIS
|
|
Verify group assignments
|
|
Verify manager in HRIS
|
|
Verify System Owner Approval
|
|
Verify System Owner Approval
|
|
Workflow Metadata Check
|
|
Account Creation Process
|
|
Apply access permanently
|
|
Approval
|
|
Approval Check
|
|
Approve identity
|
|
Approve new-hire identity
|
|
Ask employee to provide approval email or ticket
|
|
Ask sub-role
|
|
Ask: “Is the user assigned to a specific territory or region?”
|
|
Ask: “Is the user assigned to a specific territory or region?”
|
|
Ask: “Is this a support tech, developer, engineer, or analyst?”
|
|
Ask: “Is this a support tech, developer, engineer, or analyst?”
|
|
Ask: “Why does the user need edit capabilities?”
|
|
Assign
|
|
Assign Access
|
|
Audit Prompt
|
|
Authorization Issue
|
|
Business Need Confirmed
|
|
Check if application supports admin role
|
|
Check security group ownership
|
|
Complete
|
|
Complete
|
|
Complete
|
|
Complete
|
|
Confirm
|
|
Confirm
|
|
Confirm
|
|
Confirm
|
|
Confirm
|
|
Confirm
|
|
Confirm
|
|
Confirm
|
|
Confirm
|
|
Confirm
|
|
Confirm
|
|
Confirm
|
|
Confirm
|
|
Confirm
|
|
Confirm
|
|
Confirm
|
|
Confirm
|
|
Confirm
|
|
Confirm
|
|
Confirm
|
|
Confirm
|
|
Confirm
|
|
Confirm
|
|
Confirm
|
|
Confirm
|
|
Confirm
|
|
Confirm
|
|
Confirm
|
|
Confirm
|
|
Confirm
|
|
Confirm baseline and additional groups applied
|
|
Confirm combined access need
|
|
Confirm correct system variant (cloud, legacy, module-specific)
|
|
Confirm if field ops or internal ops
|
|
Confirm if field ops or internal ops
|
|
Confirm manager acknowledgment of temporary access
|
|
Confirm role matches Finance profile
|
|
Confirm role matches Finance profile
|
|
Confirm role matches HR baseline
|
|
Confirm role matches HR baseline
|
|
Confirm selected level
|
|
Conflict
|
|
Conflict found
|
|
Contractor approved
|
|
Contractor invalid
|
|
Correct
|
|
Correct
|
|
Determine reason (license, role, sync delay)
|
|
Disable access across all systems
|
|
Documentation
|
|
Ensure fields meet AD schema requirements
|
|
Ensure legal name matches HR record
|
|
Ensure privilege tier exists for this system
|
|
Ensure read-only is sufficient for job role
|
|
Excessive permission risk
|
|
Explain
|
|
Explain
|
|
Explain
|
|
Explain
|
|
Explain
|
|
Finalize
|
|
HR data mismatch
|
|
Identify failing system
|
|
Identify if creation failed due to attributes or sync
|
|
Identify Reason
|
|
Identify system
|
|
Identity mismatch
|
|
If Active
|
|
If Approved
|
|
If Approved
|
|
If Approved
|
|
If Archive Needed
|
|
If Confirmed
|
|
If Confirmed
|
|
If Confirmed
|
|
If Confirmed
|
|
If Eligible
|
|
If Ended
|
|
If Event Found
|
|
If Event Found
|
|
If Event Not Found
|
|
If Found
|
|
If Found
|
|
If Found
|
|
If Found But No Authority
|
|
If Invalid
|
|
If Matched
|
|
If MFA Ready
|
|
If Not Aligned
|
|
If Not Approved
|
|
If Not Approved
|
|
If Not Confirmed
|
|
If Not Confirmed
|
|
If Not Eligible
|
|
If Not Ended
|
|
If Not Found
|
|
If Not Found
|
|
If Not Found
|
|
If Not Justified
|
|
If Not Needed
|
|
If Not Required
|
|
If Not Required
|
|
If Not Supported
|
|
If Not Valid
|
|
If Not Valid
|
|
If Not Verified
|
|
If Required
|
|
If Required
|
|
If Sent Successfully
|
|
If Still Needed
|
|
If Transfer Needed
|
|
If Transfer Needed
|
|
If Valid
|
|
If Valid
|
|
If Valid
|
|
If Valid
|
|
If Verified
|
|
If Verified
|
|
Inform caller access cannot be removed early without approval
|
|
Inform caller AD account cannot be located
|
|
Inform caller approval is required
|
|
Inform caller HR must finalize the employee record
|
|
Inform caller justification does not match job duties
|
|
Inform caller manager email not listed
|
|
Inform caller no account exists in that application
|
|
Inform caller no mailbox exists to disable
|
|
Inform caller of system impact
|
|
Inform caller permanent access is not allowed
|
|
Inform caller prerequisite must be completed
|
|
Inform caller SSO directory does not list the user
|
|
Inform caller the request is not supported
|
|
Inform caller there are no licenses remaining
|
|
Inform caller user cannot be located
|
|
Inform employee manager approval is required
|
|
Insufficient info
|
|
Invalid audit claim
|
|
Invalid audit request
|
|
Invalid user
|
|
Keep permissions unchanged |
|
|
License Removal
|
|
Manager Confirmation
|
|
MFA Required
|
|
Name Not Recognized
|
|
No permanent justification
|
|
No valid justification
|
|
Notify Requester
|
|
Offer list of systems in that category
|
|
Policy Assignment
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed with additional access
|
|
Provision
|
|
Remediate
|
|
Remediate
|
|
Remove expired temporary permissions
|
|
Request HR/manager to confirm department classification |
|
|
Resolve the failure
|
|
Revoke conflicting permissions
|
|
Revoke system permissions
|
|
Role mismatch
|
|
Send confirmation to requester
|
|
Standard role confirmed
|
|
Stop
|
|
Stop
|
|
Stop
|
|
Stop
|
|
Stop
|
|
Stop
|
|
Stop
|
|
Stop
|
|
Stop
|
|
Stop
|
|
Stop
|
|
Stop
|
|
Stop
|
|
Stop
|
|
Stop
|
|
System cannot be validated
|
|
Time-Bound Access
|
|
Troubleshoot
|
|
Validate
|
|
Validate admin rights
|
|
Validate approval via email or ticket
|
|
Validate Documentation
|
|
Validate edit rights
|
|
Validate manage rights
|
|
Validate read-only requirement
|
|
Validate reason for request
|
|
Validate system supports admin tier
|
|
Validate user’s role supports management functions
|
|
Vendor approved
|
|
Vendor cannot be validated
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
Access Validation
|
|
Add to compliance log
|
|
Admin role confirmed
|
|
Allow request to move forward
|
|
Apply access in requested system
|
|
Apply retention, spam, and security policies
|
|
Apply vendor-limited access rules
|
|
Approval Checks
|
|
Approval Workflow
|
|
Ask caller to pick the correct one
|
|
Ask manager: “What is the purpose of this access?”
|
|
Ask: “Are these part of a project or cross-functional role?”
|
|
Ask: “Have badges and other assets been collected?”
|
|
Ask: “Is immediate deactivation required?”
|
|
Ask: “Is this a cross-department transfer or within the same department?”
|
|
Ask: “Is this for promotion, transfer, or additional responsibilities?”
|
|
Ask: “Is this for the full application or a specific module?”
|
|
Ask: “Is this termination, resignation, or internal transfer?”
|
|
Ask: “What dates should this access begin and end?”
|
|
Ask: “What is the employee’s final working day?”
|
|
Ask: “What is the official termination date?”
|
|
Ask: “Why does this access need to be removed?”
|
|
Assign
|
|
Assign baseline access package
|
|
Assign baseline read/use privileges
|
|
Assign Permissions
|
|
Assign Permissions
|
|
Assign Permissions
|
|
Assign Permissions
|
|
Assign Permissions
|
|
Assign Permissions
|
|
Assign standard baseline package
|
|
Assign time-bound permissions
|
|
Attribute Issue
|
|
Begin adding requested permissions
|
|
Close workflow |
|
|
Confirm
|
|
Confirm automation corresponds to HR or system event
|
|
Confirm contractor only needs minimal/time-bound access
|
|
Confirm manager approval
|
|
Confirm purpose for access
|
|
Confirm requested changes match HR update
|
|
Confirm system has admin tier
|
|
Confirm system has administrative role
|
|
Confirm user needs to add/update content
|
|
Confirm user needs to add/update system content
|
|
Confirm with HR or manager
|
|
Confirm with manager to validate removal
|
|
Confirmed
|
|
Continue to next system disable step |
|
|
Continue with additional systems |
|
|
Correct AD attributes
|
|
Correct then re-run provisioning
|
|
Direct caller to vendor management to update contract record |
|
|
Document
|
|
Document approval in privileged-access workflow
|
|
Document compliance approval
|
|
Document compliance-based removal |
|
|
Document inactivity-based removal
|
|
Document role-based justification
|
|
Effective Date Review
|
|
Ensure permission remains justified
|
|
Ensure read-only aligns with job duties
|
|
Ensure requested removal matches new role
|
|
Ensure role qualifies
|
|
Ensure role qualifies to manage users/content
|
|
Escalate for exception approval |
|
|
Escalate to HR to resolve status mismatch |
|
|
Escalate to procurement/vendor management |
|
|
Explain
|
|
Explain
|
|
Explain
|
|
Explain
|
|
Explain
|
|
Explain
|
|
Explain
|
|
Explain
|
|
Explain
|
|
Explain
|
|
Explain
|
|
Explain
|
|
Explain
|
|
Explain
|
|
Identify Reason
|
|
If Found
|
|
If Successful
|
|
If Successful
|
|
If Successful
|
|
If Successful
|
|
If Successful
|
|
If Valid
|
|
If Valid
|
|
If Valid Reason
|
|
Inform caller audit evidence is required
|
|
Inform caller compliance approval is required
|
|
Inform caller custom review is required
|
|
Inform caller elevated permissions cannot be granted
|
|
Inform caller only verified managers can request access changes
|
|
Inform caller owner approval is required
|
|
Inform caller permanent access is not allowed
|
|
Inform caller permanent elevated access is not allowed
|
|
Inform caller request cannot be categorized as audit-driven
|
|
Inform caller system cannot be found
|
|
Inform caller system name does not match internal catalog
|
|
Inform caller they do not meet compliance requirements
|
|
Inform caller user cannot be located
|
|
Inform caller which system(s) are not recognized
|
|
Inform caller you cannot proceed without knowing the system
|
|
Inform caller you cannot process unauthorized requests
|
|
Inform HR
|
|
Invalid
|
|
Invalid path
|
|
Keep privileged access active
|
|
Load Territory Set
|
|
Log termination removal |
|
|
Manager Approval
|
|
Mark provisioning ticket as resolved
|
|
Mismatch
|
|
Mismatch
|
|
Missing territory
|
|
Move files into manager/successor’s folder
|
|
Move OneDrive content to long-term archive repository
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
Note change in audit log |
|
|
Privilege denied
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Reassign OneDrive ownership to manager or successor
|
|
Remove access with caution & document dependency note |
|
|
Remove project-based access
|
|
Request completion before assignment |
|
|
Request confirmation of correct username |
|
|
Request correct employee info |
|
|
Request correct identifier |
|
|
Request HR or department admin to provide contact |
|
|
Request HR to correct data before continuing |
|
|
Request HR to correct hire record before continuing |
|
|
Request manager authorization |
|
|
Request manager submission |
|
|
Request manager to submit authorization |
|
|
Request purchasing to add licenses |
|
|
Request revised justification from manager |
|
|
Request updated justification or deny request |
|
|
Retry removal after correction |
|
|
Revoke elevated access
|
|
Revoke permission
|
|
Search for existing AD profile
|
|
Stop
|
|
Stop
|
|
Stop
|
|
Stop
|
|
Stop
|
|
Stop
|
|
Stop
|
|
Stop
|
|
Stop
|
|
Stop
|
|
Unsupported role
|
|
Update compliance log |
|
|
Update user’s long-term access profile |
|
|
Validate authenticity
|
|
Validate business justification
|
|
Validate continued project-related need
|
|
Validate privileged requirements
|
|
Verify request aligns with data-security policies
|
|
Access not permitted
|
|
Add AD disable step to log |
|
|
Add application disable to removal log |
|
|
Add mailbox to completion summary |
|
|
Add SSO disable to audit log |
|
|
Add to audit log |
|
|
Add VPN disable to log |
|
|
Align
|
|
Apply new access in system |
|
|
Approval Requirement
|
|
Approval Workflow
|
|
Assign
|
|
Assign
|
|
Assign
|
|
Assign additional permissions |
|
|
Assign Permissions
|
|
Await compliance decision |
|
|
Await owner approval |
|
|
Begin deactivation workflow |
|
|
Begin offboarding workflow |
|
|
Begin role-based deactivation and re-provisioning |
|
|
Check additional security requirements (MFA, logging)
|
|
Close workflow |
|
|
Complete approval routing |
|
|
Compliance Settings
|
|
Compliance Settings
|
|
Confirm documented approval exists
|
|
Confirm manager approval
|
|
Confirm manager approval
|
|
Confirm manager approval for temporary privilege
|
|
Continue validation |
|
|
Continue with permission-level validation |
|
|
Create grouped access ticket bundle |
|
|
Determine if immediate remediation is required
|
|
Document access sunset |
|
|
Document mailbox disable |
|
|
Document unused-permission removal |
|
|
Ensure access aligns with job duties
|
|
Ensure manager has provided written approval
|
|
Ensure trigger matches expected workflow
|
|
Escalate to executive or system owner |
|
|
Escalate to IT Security |
|
|
Escalate to IT Security for identity verification |
|
|
Escalate to role owner for decision |
|
|
Have initial troubleshooting steps (reboot, reconnect, basic checks) already bee
|
|
Have initial troubleshooting steps (reboot, reconnect, basic checks) already bee
|
|
Have initial troubleshooting steps (reboot, reconnect, basic checks) already bee
|
|
Have initial troubleshooting steps (reboot, reconnect, basic checks) already bee
|
|
Have initial troubleshooting steps (reboot, reconnect, basic checks) already bee
|
|
Have initial troubleshooting steps (reboot, reconnect, basic checks) already bee
|
|
Have initial troubleshooting steps (reboot, reconnect, basic checks) already bee
|
|
Have initial troubleshooting steps (reboot, reconnect, basic checks) already bee
|
|
Have initial troubleshooting steps (reboot, reconnect, basic checks) already bee
|
|
Have initial troubleshooting steps (reboot, reconnect, basic checks) already bee
|
|
Have initial troubleshooting steps (reboot, reconnect, basic checks) already bee
|
|
Have initial troubleshooting steps (reboot, reconnect, basic checks) already bee
|
|
Have initial troubleshooting steps (reboot, reconnect, basic checks) already bee
|
|
Have initial troubleshooting steps (reboot, reconnect, basic checks) already bee
|
|
Have initial troubleshooting steps (reboot, reconnect, basic checks) already bee
|
|
Have initial troubleshooting steps (reboot, reconnect, basic checks) already bee
|
|
Have initial troubleshooting steps (reboot, reconnect, basic checks) already bee
|
|
Have initial troubleshooting steps (reboot, reconnect, basic checks) already bee
|
|
Have initial troubleshooting steps (reboot, reconnect, basic checks) already bee
|
|
Have initial troubleshooting steps (reboot, reconnect, basic checks) already bee
|
|
Have initial troubleshooting steps (reboot, reconnect, basic checks) already bee
|
|
Have initial troubleshooting steps (reboot, reconnect, basic checks) already bee
|
|
Have initial troubleshooting steps (reboot, reconnect, basic checks) already bee
|
|
Have initial troubleshooting steps (reboot, reconnect, basic checks) already bee
|
|
Have initial troubleshooting steps (reboot, reconnect, basic checks) already bee
|
|
Have initial troubleshooting steps (reboot, reconnect, basic checks) already bee
|
|
Have initial troubleshooting steps (reboot, reconnect, basic checks) already bee
|
|
Have initial troubleshooting steps (reboot, reconnect, basic checks) already bee
|
|
Have initial troubleshooting steps (reboot, reconnect, basic checks) already bee
|
|
Have initial troubleshooting steps (reboot, reconnect, basic checks) already bee
|
|
Have initial troubleshooting steps (reboot, reconnect, basic checks) already bee
|
|
Have initial troubleshooting steps (reboot, reconnect, basic checks) already bee
|
|
Have initial troubleshooting steps (reboot, reconnect, basic checks) already bee
|
|
Have initial troubleshooting steps (reboot, reconnect, basic checks) already bee
|
|
Have initial troubleshooting steps (reboot, reconnect, basic checks) already bee
|
|
Have initial troubleshooting steps (reboot, reconnect, basic checks) already bee
|
|
Have initial troubleshooting steps (reboot, reconnect, basic checks) already bee
|
|
Have initial troubleshooting steps (reboot, reconnect, basic checks) already bee
|
|
Have initial troubleshooting steps (reboot, reconnect, basic checks) already bee
|
|
Have initial troubleshooting steps (reboot, reconnect, basic checks) already bee
|
|
Have initial troubleshooting steps (reboot, reconnect, basic checks) already bee
|
|
Have initial troubleshooting steps (reboot, reconnect, basic checks) already bee
|
|
Have initial troubleshooting steps (reboot, reconnect, basic checks) already bee
|
|
Have initial troubleshooting steps (reboot, reconnect, basic checks) already bee
|
|
Have initial troubleshooting steps (reboot, reconnect, basic checks) already bee
|
|
Have initial troubleshooting steps (reboot, reconnect, basic checks) already bee
|
|
Have initial troubleshooting steps (reboot, reconnect, basic checks) already bee
|
|
Have initial troubleshooting steps (reboot, reconnect, basic checks) already bee
|
|
Have initial troubleshooting steps (reboot, reconnect, basic checks) already bee
|
|
Have initial troubleshooting steps (reboot, reconnect, basic checks) already bee
|
|
Have we confirmed a clear problem, viable budget, and decision timeline (BANT)?
|
|
Have we confirmed a clear problem, viable budget, and decision timeline (BANT)?
|
|
Have we confirmed a clear problem, viable budget, and decision timeline (BANT)?
|
|
Have we confirmed a clear problem, viable budget, and decision timeline (BANT)?
|
|
Have we confirmed a clear problem, viable budget, and decision timeline (BANT)?
|
|
Have we confirmed a clear problem, viable budget, and decision timeline (BANT)?
|
|
Have we confirmed a clear problem, viable budget, and decision timeline (BANT)?
|
|
Have we confirmed a clear problem, viable budget, and decision timeline (BANT)?
|
|
Have we confirmed a clear problem, viable budget, and decision timeline (BANT)?
|
|
Have we confirmed a clear problem, viable budget, and decision timeline (BANT)?
|
|
Have we confirmed a clear problem, viable budget, and decision timeline (BANT)?
|
|
Have we confirmed a clear problem, viable budget, and decision timeline (BANT)?
|
|
Have we confirmed a clear problem, viable budget, and decision timeline (BANT)?
|
|
Have we confirmed a clear problem, viable budget, and decision timeline (BANT)?
|
|
Have we confirmed a clear problem, viable budget, and decision timeline (BANT)?
|
|
Have we confirmed a clear problem, viable budget, and decision timeline (BANT)?
|
|
Have we confirmed a clear problem, viable budget, and decision timeline (BANT)?
|
|
Have we confirmed a clear problem, viable budget, and decision timeline (BANT)?
|
|
Have we confirmed a clear problem, viable budget, and decision timeline (BANT)?
|
|
Have we confirmed a clear problem, viable budget, and decision timeline (BANT)?
|
|
Have we confirmed a clear problem, viable budget, and decision timeline (BANT)?
|
|
Have we confirmed a clear problem, viable budget, and decision timeline (BANT)?
|
|
Have we confirmed a clear problem, viable budget, and decision timeline (BANT)?
|
|
Have we confirmed a clear problem, viable budget, and decision timeline (BANT)?
|
|
Have we confirmed a clear problem, viable budget, and decision timeline (BANT)?
|
|
Have we confirmed a clear problem, viable budget, and decision timeline (BANT)?
|
|
Have we confirmed a clear problem, viable budget, and decision timeline (BANT)?
|
|
Have we confirmed a clear problem, viable budget, and decision timeline (BANT)?
|
|
Have we confirmed a clear problem, viable budget, and decision timeline (BANT)?
|
|
Have we confirmed a clear problem, viable budget, and decision timeline (BANT)?
|
|
Have we confirmed a clear problem, viable budget, and decision timeline (BANT)?
|
|
Have we confirmed a clear problem, viable budget, and decision timeline (BANT)?
|
|
Have we confirmed a clear problem, viable budget, and decision timeline (BANT)?
|
|
Have we confirmed a clear problem, viable budget, and decision timeline (BANT)?
|
|
Have we confirmed a clear problem, viable budget, and decision timeline (BANT)?
|
|
Have we confirmed a clear problem, viable budget, and decision timeline (BANT)?
|
|
Have we confirmed a clear problem, viable budget, and decision timeline (BANT)?
|
|
Have we confirmed a clear problem, viable budget, and decision timeline (BANT)?
|
|
Have we confirmed a clear problem, viable budget, and decision timeline (BANT)?
|
|
Have we confirmed a clear problem, viable budget, and decision timeline (BANT)?
|
|
Have we confirmed a clear problem, viable budget, and decision timeline (BANT)?
|
|
Have we confirmed a clear problem, viable budget, and decision timeline (BANT)?
|
|
Have we confirmed a clear problem, viable budget, and decision timeline (BANT)?
|
|
Have we confirmed a clear problem, viable budget, and decision timeline (BANT)?
|
|
Have we confirmed a clear problem, viable budget, and decision timeline (BANT)?
|
|
Have we confirmed a clear problem, viable budget, and decision timeline (BANT)?
|
|
Have we confirmed a clear problem, viable budget, and decision timeline (BANT)?
|
|
Have we confirmed a clear problem, viable budget, and decision timeline (BANT)?
|
|
Have we confirmed a clear problem, viable budget, and decision timeline (BANT)?
|
|
Have we confirmed a clear problem, viable budget, and decision timeline (BANT)?
|
|
If not aligned, inform caller
|
|
If Valid
|
|
If Valid
|
|
Inform caller admin access does not exist for this system
|
|
Inform caller Finance baseline doesn’t match job role
|
|
Inform caller HR baseline does not match role
|
|
Inform caller IT needs correct sub-role
|
|
Inform caller privileged roles do not exist for this system
|
|
Inform caller territory is required
|
|
Inform caller the folder cannot be located
|
|
Initiate contractor-access workflow |
|
|
Initiate new-hire provisioning |
|
|
Initiate vendor-access workflow |
|
|
Invalid request
|
|
Log removal in privileged-access audit |
|
|
Move to access-level determination |
|
|
Move to provisioning |
|
|
No admin role available
|
|
Notification
|
|
Notify requester |
|
|
Policy Enforcement
|
|
Policy Enforcement
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Reclassify as standard access request before proceeding |
|
|
Record justification in privilege log |
|
|
Remove access per audit directive
|
|
Remove permissions |
|
|
Request correct employee info |
|
|
Request manager to specify system name |
|
|
Request proper audit directive |
|
|
Request screenshot or documentation for clarification |
|
|
Request system owner to formally identify application |
|
|
Request updated justification or deny request |
|
|
Require corrected system list |
|
|
Require executive-level approval |
|
|
Retain access but flag for next review cycle |
|
|
Retain permission and document review |
|
|
Retain permissions and log alignment |
|
|
Retry AD creation before continuing |
|
|
Retry after correction |
|
|
Route permission to removal workflow |
|
|
Route permission to removal workflow |
|
|
Route to access-add/remove review |
|
|
Route to access-change workflow |
|
|
Route to compliance/security advisory |
|
|
Route to elevated-access workflow |
|
|
Route to IT Security |
|
|
Route to privileged-access workflow |
|
|
Security Policy
|
|
Security Policy
|
|
Set auto-expiration in system |
|
|
Stop
|
|
Stop
|
|
Stop
|
|
Stop
|
|
Stop
|
|
Stop
|
|
Stop
|
|
Stop
|
|
Stop
|
|
Stop
|
|
Stop
|
|
Stop
|
|
Stop
|
|
Stop
|
|
Stop
|
|
Stop
|
|
Validate approval email/ticket
|
|
Validate archive storage completion |
|
|
Validate new owner has access |
|
|
Validate receiving party access |
|
|
Verify no elevated permissions included
|
|
Assign edit-level access |
|
|
Assign read-only permissions |
|
|
Direct caller to system owner for alternatives |
|
|
Document in compliance log |
|
|
Ensure HRIS→IT event sync completed
|
|
Inform caller admin roles do not exist for the system
|
|
Inform caller edit permissions cannot be assigned
|
|
Inform caller this level requires higher role
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Proceed
|
|
Refer to system owner for alternative access options |
|
|
Request confirmation from folder owner |
|
|
Request manager clarification |
|
|
Request manager confirmation |
|
|
Request manager to provide territory assignment |
|
|
Request updated HR job role for verification |
|
|
Request updated justification |
|
|
Route to access provisioning |
|
|
Route to access-add/remove evaluation |
|
|
Route to access-level review |
|
|
Route to access-level review |
|
|
Route to elevated-access workflow |
|
|
Route to privileged-access workflow |
|
|
Route to removal/addition accordingly |
|
|
Route to temporary access provisioning |
|
|
Treat request as system-authorized |
|
|
Verify approval in ticket or email
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
YES
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|
|
NO
|