Deleting compliance rules
NOTE: All the information about a rule condition and rule violations is irrevocably deleted when the rule is deleted! The data cannot be retrieved at a later date.
Therefore, we advise you to write a report about the rule and its current violations before you delete it, if you want to retain the information (for example, audit security).
You can delete a rule if there are no rule violations attached to it.
To delete a rule
In the Manager, select the Identity Audit > Rules category.
Select the rule to delete in the result list.
Select the Disable rule task.
Existing rule violations are removed by the DBQueue Processor.
Click in the toolbar.
The rule, the associated rule violation object and the working copy are all deleted.
To test a rule, processing tasks are created for the DBQueue Processor. For each rule, the DBQueue Processor determines which identities have violated that rule. Follow-up tasks assign the associated rule violation object to identities that have violated a rule. The specified rule approvers can test rule violations and if necessary grant exception approval.
By default, permissions that an identity receives because they can use an administrative user account with shared identity are included in the rule check.
To exclude administrative user accounts with shared identity from rule checking
In the Designer, disable the QER | ComplianceCheck | IncludeTSBPersonUsesAccount configuration parameter.
Object relations from the TSBPersonUsesAccount table are ignored when calculating entries for the PersonHasObject table.
Checking compliance rules
You can start rule checking in different ways to find the current rule violations in the One Identity Manager database.
Only operational rules are checked during rule checking. Disabled rule are not tested. If a rule is violated, the effected identities are assigned the corresponding object for rule violations. You can check all the rules again for these identities. For more information, see Rule check analysis.
In addition to locating existing rule violations, One Identity Manager can also identify potential violations of IT Shop requests and business roles. For more information, see Determining potential rule violations.
Scheduled rule checking
The Compliance rule check schedule, is supplied with the One Identity Manager default installation to run a complete check of all rules. This schedule generates processing tasks at regular intervals for the DBQueue Processor.
Detailed information about this topic