Chat now with support
Chat mit Support

Identity Manager On Demand Hosted - Compliance Rules Administration Guide

Compliance rules and identity audit
One Identity Manager users for identity audit Basic data for setting up rules Setting up a rule base rule check Mail templates for notifying about identity auditing
Mitigating controls Configuration parameters for Identity Audit

Risk assessment for rule violations

You can use One Identity Manager to evaluate the risk of rule violations. To do this, enter a risk index for the rule. The risk index specifies the risk involved for the company if the rule is violated. The risk index is given as a number in the range 0 ... 1. By doing this, you specify whether a rule violation is not considered a risk for the company (risk index = 0) or whether every rule violation poses a problem (risk index = 1).

When a rule condition is created, system entitlement risk indexes can already be included as an object property. By using rules of this type you can prevent system entitlements that exceed a specified risk index from being requested in the IT Shop.

You can create several reports with the Report Editor to evaluate objects, assignments, and rule violations depending on the risk index. For more information about creating scripts, see the One Identity Manager Configuration Guide.

To evaluate the risk of a rule violation in the context of identity audit, you can enter values for grading rules on the Assessment criteria tab.

Table 13: Assessment criteria for a rule
Property Description
Severity code Specifies the impact on the company of violations to this rule. Use the slider to enter a value between 0 and 1.

0 ... No impact

1 ... Every rule violation is a problem.

Significance Provides a verbal description of the significance for the company of violations to this rule. In the default installation, the values low, average, high, and critical are listed.
Risk index Specifies the risk for the company of violations to this rule. The template is given a risk index depending on the value of the effect.
Table 14: Risk index dependent on effects
Significance Risk index
Low 0.0
Medium 0.33
High 0.66
Critical 1.0

This value can be changed. Use the slider to enter a value between 0 and 1.

0 ... No risk

1 ... Every rule violation is a problem.

The template adjusts the risk index when the significance is changed.

This field is only visible if the QER | CalculateRiskIndex configuration parameter is set.

Risk index (reduced) Show the risk index taking mitigating controls into account. A rule’s risk index is reduced by the significance reduction of all mitigating controls assigned to it. The risk index (reduced) is calculated for the original rule. To copy the value to a working copy, run the task Create working copy.

This field is only visible if the QER | CalculateRiskIndex configuration parameter is set. The value is calculated by One Identity Manager and cannot be edited.

Transparency index Specifies how traceable assignments are that are checked by this rule. Use the slider to enter a value between 0 and 1.

0 ... No transparency

1 ... Full transparency

Max. number of rule violations Number of rule violation permitted for this rule.
Detailed information about this topic
Related topics

Extended data for compliance rules

You can enter additional comments about the rule and revision data on the Extended tab.

Table 15: Extended main data of a rule
Property Description

Rule number

Additional name for the rule.

Implementation notes

Text field for additional explanation. You can use implementation notes to enter explanations about the content of the rule condition, for example.

Test schedule

Schedule for starting rule checks on a regular basis.

By default, the Compliance rule check schedule is assigned but you can assign your own schedule.

Fill schedule

Schedule, which starts recalculation of the auxiliary tables for rule checking.

By default, the Fill compliance rule objects schedule is assigned but you can assign your own schedule.

Status

Rule status with respect to its audit status.

Auditor

Person that audited the rule the last time.

Date of Audit

Date of last rule audit.

Audit remarks

Remarks referring to the audit, for example, results that may be important for the next audit.

Related topics

Rule comparison

You can compare the results of a working copy with the original rule. The comparison values are then displayed on the Rule comparison tab on the main data form.

Table 16: Results of a rule comparison
Rule violations Lists all employees who, as a result of the change, would (not) violate the rule as follows

Newly added

Violate the rule for the first time

Identical

Still violate the rule

No longer included

Do not violate the rule anymore

TIP: In the Manager, all working copies with a different condition to that of the original rule are displayed in the Identity audit > Rules > Working copies of rules > Modified working copies category.

Detailed information about this topic

IT Shop properties for compliance rules

You can integrate checking requests for rule compliance into approval workflows in the IT Shop. On the IT Shop properties tab, specify how violations of this rule should be handled within an approval process for IT Shop requests.

NOTE: This tab is only shown if the rule condition is created in the simplified version. For more information, see Creating rule conditions.

To enter IT Shop properties for a rule

  1. In the Designer, set the QER | ComplianceCheck | EnableITSettingsForRule configuration parameter.

  2. In the Manager, on the General tab of the rule's main data form, set the Rule for cyclical testing and risk assessment in the IT Shop option.

  3. Select the IT Shop properties tab.

  4. Edit the main data.

  5. Save the changes.
Table 17: IT Shop properties
Property Description

Rule violation identified

Specifies which rule violations are logged.

Table 18: Permitted values
Value Description

New rule violation due to a request

Only rule violations that are added through approval of the current request are logged.

Unapproved exception

Rule violations that are added through approval of the current request are logged. Already known rule violations that have not yet been granted an exception are also logged.

Any compliance violation

All rule violations are logged, independent of whether an exception approval has already been granted or not.

This value is automatically set when the Explicit exception approval option is set.

Explicit exception approval

Specifies whether exception approvals are presented again or whether existing exception approvals should be reused.

Table 19: Permitted values

Option is

Description

Enabled

A known rule violation must always be presented for exception approval, even if there is an exception approval from a previous violation of the rule.

Not set

A known rule violation is not presented again for exception approval if there is an exception approval from a previous violation of the rule. This exception approval is reused and the known rule violation is automatically granted exception.

Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen