Identifying rule violations
If the QER | ComplianceCheck | EnableITSettingsForRule configuration parameter is set, properties can be added to compliance rules that are taken into account when requests are checked against the rules.
Specify which violations are logged for the rule by using the Rule violation identified IT Shop property.
Table 45: Permitted values

| Value | Description |
|---|---|
| New rule violation due to a request | Only rule violations that are added through approval of the current request are logged. |
| Unapproved exception | Rule violations that are added through approval of the current request are logged. Already known rule violations that have not yet been granted an exception are also logged. |
| Any compliance violation | All rule violations are logged, regardless of whether an exception approval has already been granted. This value is set automatically when the Explicit exception approval option is set. |
If the QER | ComplianceCheck | EnableITSettingsForRule configuration parameter is not set, only rule violations newly caused by the current request are logged.
For more information about this, see the One Identity Manager Compliance Rules Administration Guide.
Finding exception approvers
Requests that may cause a rule violation can still be approved by exception approval.
To allow exception approval for requests with rule violations
- Enable the Exception approval allowed option for the compliance rule and assign an exception approver. For more information, see the One Identity Manager Compliance Rules Administration Guide.
- Enter an approval step in the approval workflow with the OC or OH procedure. Connect this approval level with the compliance checking approval level at the connection point for denying this approval decision.
NOTE:
- Only apply this approval procedure immediately after an approval level with the CR approval procedure.
- For each approval workflow, only one approval step can be defined using the OC or OH approval procedure.
- If the QER | ComplianceCheck | EnableITSettingsForRule configuration parameter is set, you can use the rule's IT Shop properties to configure which rule violations are presented to an exception approver. Set or unset Explicit exception approval to do this. For more information, see Explicit exception approval.
Table 46: Approval procedures for exception approval

| Approval procedure | Description |
|---|---|
| OC (Exception approvers for violated rules) | The approval decision is made by the exception approvers of the violated rule. Because one request may violate several rules, the request is presented to all of the exception approvers in parallel. If any one of the exception approvers rejects the exception, the request is rejected. |
| OH (Exception approver for worst rule violation) | The approval decision is made by the exception approver of the violated rule that poses the highest threat. This accelerates exception approval for a request that violates several rules. Ensure the following apply for this approval procedure: |
Example
Four different compliance rules are violated by a request for Active Directory group membership. The target system manager of the Active Directory domain is entered as exception approver for all the compliance rules.
Using the OC approval procedure, the target system manager must grant approval exceptions for all four compliance rules.
Using the OH approval procedure, the target system manager is presented with the request only for the compliance rule with the highest severity code. The manager's decision is automatically passed on to the other violated rules.
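The difference between the two procedures is easiest to see as code. The following Python model is an added example, not One Identity Manager code: it replays the four-rule scenario above under OC (every approver of every violated rule decides, one denial rejects) and under OH (only the rule with the highest severity code is presented and its decision is passed on to the other rules). The rule representation, the integer severity code and the approver identifier are assumptions made for the example.

```python
"""Added example, not One Identity Manager code: a model of the OC and OH
exception-approval procedures from Table 46, using the four-rule scenario
from the Example above.

Assumptions not stated on the page: a rule is a name, an integer severity
code (higher = more serious) and the set of its exception approvers;
decisions are recorded per (approver, rule) as True (grant) or False (deny).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ComplianceRule:
    name: str
    severity: int                    # assumed integer severity code, higher = worse
    exception_approvers: frozenset   # identities allowed to grant an exception


def approvers_oc(violated):
    """OC: the exception approvers of every violated rule are asked, in parallel."""
    asked = set()
    for rule in violated:
        asked |= rule.exception_approvers
    return asked


def worst_rule(violated):
    """OH: only the violated rule with the highest severity code is presented."""
    return max(violated, key=lambda rule: rule.severity)


def decide_oc(violated, decisions):
    """Outcome under OC: one denial rejects the request; every (approver, rule)
    pair must have granted before the request counts as approved."""
    pending = False
    for rule in violated:
        for approver in rule.exception_approvers:
            verdict = decisions.get((approver, rule.name))
            if verdict is False:
                return "denied"
            if verdict is None:
                pending = True
    return "pending" if pending else "approved"


def decide_oh(violated, decisions):
    """Outcome under OH: only the worst rule's approvers decide, and their
    decision is passed on to every other violated rule."""
    worst = worst_rule(violated)
    outcome = decide_oc([worst], decisions)   # same grant/deny semantics, one rule
    propagated = {rule.name: outcome for rule in violated}
    return outcome, propagated


def decisions_needed_oc(violated):
    """How many individual decisions OC requires for this request."""
    return sum(len(rule.exception_approvers) for rule in violated)


# Constructed scenario: four Active Directory compliance rules, all with the
# domain's target system manager entered as exception approver.
MANAGER = "ad-domain-manager"
VIOLATED = [
    ComplianceRule("AD-Rule-1", 2, frozenset({MANAGER})),
    ComplianceRule("AD-Rule-2", 5, frozenset({MANAGER})),
    ComplianceRule("AD-Rule-3", 9, frozenset({MANAGER})),
    ComplianceRule("AD-Rule-4", 4, frozenset({MANAGER})),
]

if __name__ == "__main__":
    one_grant = {(MANAGER, "AD-Rule-3"): True}
    print("OC decisions required:", decisions_needed_oc(VIOLATED))
    print("OH presents only:", worst_rule(VIOLATED).name)
    print("OC after one grant:", decide_oc(VIOLATED, one_grant))
    print("OH after one grant:", decide_oh(VIOLATED, one_grant))
```

With the same single grant for AD-Rule-3, OC still waits for three more decisions while OH already approves all four violated rules, which is exactly the acceleration the table describes; note that OH also propagates a denial, so one rejection under either procedure denies the request.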
Figure 8: Example of an approval workflow with compliance checking and exception approval
Sequence of compliance checking with exception approval
- If a rule violation is detected during compliance checking, the request is automatically not granted approval. The request is passed on to the approver of the next approval level for approval.
- Exception approvers are found according to the given approval procedure.
- If exception approval is granted, the request is approved and assigned.
- If exception approval is not granted, the request is denied.
NOTE:
- As opposed to the manager/deputy principle normally in place, an exception approver's deputy is NOT permitted to grant exception approval alone.
- You cannot determine fallback approvers for exception approvers. The request is canceled if no exception approver can be established.
- The chief approval team cannot grant exception approvals.
Restricting exception approvers
By default, exception approvers can also make approval decisions about requests in which they are themselves requester (UID_PersonInserted) or recipient (UID_PersonOrdered). To prevent this, you can specify the desired behavior in the following configuration parameter and in the approval step:
- QER | ComplianceCheck | DisableSelfExceptionGranting configuration parameter
- QER | ITShop | PersonOrderedNoDecideCompliance configuration parameter
- QER | ITShop | PersonInsertedNoDecideCompliance configuration parameter
- Approval by affected identity option in the approval step for finding exception approvers
If the requester or approver is not allowed to grant approval exceptions, their main identity and all sub identities are removed from the circle of exception approvers.
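The following Python model is an added example, not One Identity Manager code. It shows how the circle of exception approvers shrinks once a requester or recipient is excluded, including the removal of the main identity together with all of its sub identities, and what happens when nobody is left (the request is canceled, since exception approvers have no fallback approvers). The string identities, the sub-identity table, the boolean form of the configuration parameters, the reading of DisableSelfExceptionGranting as excluding both roles, and the treatment of the approval step option as a per-workflow override are all assumptions made for the example.

```python
"""Added example, not One Identity Manager code: a model of how the circle of
exception approvers is narrowed so that requesters (UID_PersonInserted) and
recipients (UID_PersonOrdered) cannot grant exceptions for their own requests.

Assumptions not stated on the page: identities are plain strings and a
constructed table maps sub identities to their main identity; the three
configuration parameters are modelled as booleans, and
DisableSelfExceptionGranting is treated here as excluding both roles; the
'Approval by affected identity' option of the approval step re-allows the
affected identities for that workflow only.
"""
from dataclasses import dataclass

# Constructed: sub identity -> main identity (anything not listed is a main identity)
MAIN_IDENTITY = {"alice.admin": "alice", "alice.ext": "alice", "bob.admin": "bob"}


def main_identity(identity):
    return MAIN_IDENTITY.get(identity, identity)


def related_identities(identity):
    """Main identity plus all of its sub identities; they are removed together."""
    main = main_identity(identity)
    subs = {sub for sub, m in MAIN_IDENTITY.items() if m == main}
    return {main} | subs


@dataclass(frozen=True)
class Config:
    disable_self_exception_granting: bool = False  # QER | ComplianceCheck | DisableSelfExceptionGranting
    person_ordered_no_decide: bool = False         # QER | ITShop | PersonOrderedNoDecideCompliance
    person_inserted_no_decide: bool = False        # QER | ITShop | PersonInsertedNoDecideCompliance


@dataclass(frozen=True)
class Request:
    uid_person_inserted: str  # requester
    uid_person_ordered: str   # recipient


def excluded_roles(config, approval_by_affected_identity):
    """Roles that may not grant an exception for their own request."""
    if approval_by_affected_identity:
        return set()  # assumption: the step option overrides the global parameters
    roles = set()
    if config.disable_self_exception_granting:  # assumption: blocks both roles
        roles |= {"requester", "recipient"}
    if config.person_inserted_no_decide:
        roles.add("requester")
    if config.person_ordered_no_decide:
        roles.add("recipient")
    return roles


def resolve_exception_approvers(candidates, request, config,
                                approval_by_affected_identity=False):
    """Return (remaining approvers, status). With nobody left the request is
    canceled, because no fallback approvers exist for exception approvers."""
    roles = excluded_roles(config, approval_by_affected_identity)
    removed = set()
    if "requester" in roles:
        removed |= related_identities(request.uid_person_inserted)
    if "recipient" in roles:
        removed |= related_identities(request.uid_person_ordered)
    remaining = set(candidates) - removed
    return remaining, ("canceled" if not remaining else "pending")


# Constructed scenario: alice's sub identity requests something for bob.
CANDIDATES = {"alice", "alice.admin", "bob", "carol"}
REQUEST = Request(uid_person_inserted="alice.admin", uid_person_ordered="bob")

if __name__ == "__main__":
    print(resolve_exception_approvers(CANDIDATES, REQUEST, Config()))
    print(resolve_exception_approvers(CANDIDATES, REQUEST, Config(person_inserted_no_decide=True)))
    print(resolve_exception_approvers({"alice"}, REQUEST, Config(person_inserted_no_decide=True)))
```

The point to check in your own setup is the third call: once the requester's whole identity set is excluded, a rule whose only exception approver is that person leaves no approver at all, and the request is canceled rather than falling back to a deputy or the chief approval team.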
Summary of configuration options
Requesters can grant exception approval for their own requests, if:
- PersonInsertedNoDecideCompliance configuration parameter is not set.
Recipients can grant exception approval for their own requests, if:
Requesters cannot grant exception approval, if:
Recipients cannot grant exception approval, if:
Setting up exception approver restrictions
To prevent recipients of requests from becoming exception approvers
This configuration parameter takes effect:
- When exception approval is granted for requests.
- During cyclical rule checking. For more information about cyclical rule checking, see the One Identity Manager Compliance Rules Administration Guide.
- OR -
- In the Designer, enable the QER | ITShop | PersonOrderedNoDecideCompliance configuration parameter.
This configuration parameter takes effect:
To prevent requesters becoming exception approvers
- In the Designer, set the QER | ITShop | PersonInsertedNoDecideCompliance configuration parameter.
This configuration parameter takes effect:
For individual approval workflows, you can allow exceptions to the general rule in the PersonInsertedNoDecide and PersonOrderedNoDecide configuration parameters. Use these options if the requester or recipient of requests is allowed to grant themselves exception approval only for certain requests.
To allow request recipients or requesters to become exception approvers in certain cases