Default risk index functions
One Identity Manager provides a comprehensive collection of default risk index functions. These are used for calculating the risk index of all company resources assigned. These functions can be selected in the Manager in the Risk Index Functions category under Assignments filter.
Additional factors, like the type of assignment or attestation, influence how the risk index is calculated. There is separate function stored for each factor additionally affecting a calculated risk index. These functions can be selected in the Manager in the Risk index calculation rules category under the Properties filter.
The following object type risk indexes are determined to calculate the risk index of employees:
-
User accounts: Risk index (calculated) of all user accounts that are linked to an employee
-
Company resources: Risk index (calculated) of all assigned company resources (such as, software, resources, subscribed reports)
-
Rule violations: Risk index of violated rules taking into account mitigating controls
-
Application roles: Risk index of all application roles with an employee as a member
Risk index calculation for the different object types is described in more detail in the following sections.
NOTE: The default functions can be used to perform a risk assessment for most objects in One Identity Manager. This largely covers the standard requirements on this topic. The mode of calculation, weighting, and change values must be adjusted to suit you company’s requirements.
Before running a risk assessment
-
Check all default functions for relevance to your data situation.
-
Disable all unnecessary functions.
-
Adjust the calculation type, weighting, and change value in the enabled functions rules to suit your company.
-
Define additional functions if required.
Detailed information about this topic
Related topics
Risk index for user accounts
NOTE: This function is only available if the Target System Base Module and the target system module are installed.
First, the risk indexes of all system entitlements assigned to the user accounts are found in order to calculate user account risk indexes. To do this, functions are stored for the assignment tables, such as the Active Directory user accounts: assignments to groups or the User accounts: assignments to system entitlements table.
The risk factor of these assignments depends on other factors. Each of these factors reduces the risk index found.
-
Assignment through inheritance (without IT Shop requests)
-
Assignment through an approved IT Shop request
-
The assignment is attested and approved
The highest value is determined from the risk indexes of these assignments for each user account (calculation type: Maximum (weighted)). To do this, functions are stored for the user account tables, such as the Active Directory user accounts or the user accounts table.
This value is reduced or increased by other factors.
-
The user account is attested and approved
-
The user account is not connected to an employee
-
The user account is disabled
-
The user account is member of too many system entitlements
The risk index of SAP user accounts is calculated from different individual risks.
-
Highest risk index of the assigned SAP groups
-
Highest risk index of the assigned structural profiles
-
Highest risk index (reduced) of the SAP functions matching an SAP user account
The highest value is determined for each SAP user account from these separate risks. This value is decreased or increased by given factors if the conditions are fulfilled.
The risk index of SharePoint user accounts is calculated from different individual risks.
The highest value is determined for each SharePoint user account from these separate risks. This value is decreased or increased by given factors if the conditions are fulfilled.
NOTE: User accounts can obtain a calculated index even if there are no risk indexes stored with the system entitlements. In this case, the risk index is calculated from the additional factors which increase the risk index. The risk index of a user account increases if:
-
The user account is not linked to an employee
-
The user account is a member of too many system entitlements
-
The user account is disabled
Risk index for system roles
NOTE: This function is only available if the System Roles Module and the Attestation Module are installed.
First, the risk indexes of all company resources assigned to the system roles are found in order to calculate system role risk indexes. To do this, risk index functions are stored for the System roles: assignments table. The system role risk index is made up of the risk indexes of the assigned objects. There is a separate function stored for each assignable object type.
The highest value is determined from the risk indexes of these assignments for each system role (calculation type: Maximum (weighted)). A function for the System roles table is stored for this purpose. This value is reduced or increased by other factors.
NOTE: System roles can be given a calculated index even if there are no risk indexes stored with the company resources. In this case, the risk index is calculated from the additional factors which increase the risk index. The risk index of a user account increases if no manager is assigned.
Risk index for hierarchical roles and IT Shop structures
NOTE: This function is only available if the Business Roles Module (for business role risk index) and the Attestation Module are installed.
First, the risk indexes of all assigned company resources are established in order to calculate risk indexes for business roles, departments, locations, cost centers, and IT Shop structures. To do this, functions are stored for the assignment tables, such as the Roles and organizations: Roles and organizations: subscribable report assignments or the Roles and organizations: E-Business Suite entitlement assignments table.
The risk factor of these assignments depends on other factors. Each of these factors reduces the risk index found.
The highest value is determined from the risk indexes of these assignments for each company resource (calculation type: Maximum (weighted)). This value is reduced or increased by other factors.
NOTE: Roles andIT Shop structures can be given a calculated index even if there are no risk indexes stored with the company resources. In this case, the risk index is calculated from the additional factors which increase the risk index. The risk index of a role or IT Shop structure increases if no manager is assigned to the role or IT Shop structure.
