For more information about risk assessment, see the One Identity Manager Risk Assessment Administration Guide.
You can use One Identity Manager to evaluate the risk of rule violations. To do this, enter a risk index for the rule. The risk index specifies the risk involved for the company if the rule is violated. The risk index is given as a number in the range 0 ... 1. By doing this, you specify whether a rule violation is not considered a risk for the company (risk index = 0) or whether every rule violation poses a problem (risk index = 1).
When a rule condition is created, system entitlement risk indexes can already be included as an object property. By using rules of this type you can prevent system entitlements that exceed a specified risk index from being requested in the IT Shop.
You can create several reports with the Report Editor to evaluate objects, assignments, and rule violations depending on the risk index. For more information about creating reports, see the One Identity Manager Configuration Guide.
To evaluate the risk of a rule violation in the context of identity audit, you can enter values for grading rules on the Assessment criteria tab.
Table 13: Assessment criteria for a rule
Severity code |
Specifies the impact on the company of violations to this rule. Use the slider to enter a value between 0 and 1.
0 ... No impact
1 ... Every rule violation is a problem. |
Significance |
Provides a verbal description of the significance for the company of violations to this rule. In the default installation, the values low, average, high, and critical are listed. |
Risk index |
Specifies the risk for the company of violations to this rule. The template is given a risk index depending on the value of the effect.
Table 14: Risk index dependent on effects
Low |
0.0 |
Medium |
0.33 |
High |
0.66 |
Critical |
1.0 |
This value can be changed. Use the slider to enter a value between 0 and 1.
0 ... No risk
1 ... Every rule violation is a problem.
The template adjusts the risk index when the significance is changed.
This field is only visible if the QER | CalculateRiskIndex configuration parameter is set. |
Risk index (reduced) |
Show the risk index taking mitigating controls into account. A rule’s risk index is reduced by the significance reduction of all mitigating controls assigned to it. The risk index (reduced) is calculated for the original rule. To copy the value to a working copy, run the task Create working copy.
This field is only visible if the QER | CalculateRiskIndex configuration parameter is set. The value is calculated by One Identity Manager and cannot be edited. |
Transparency index |
Specifies how traceable assignments are that are checked by this rule. Use the slider to enter a value between 0 and 1.
0 ... No transparency
1 ... Full transparency |
Max. number of rule violations |
Number of rule violation permitted for this rule. |
Detailed information about this topic
Related topics
You can enter additional comments about the rule and revision data on the Extended tab.
Table 15: Extended main data of a rule
Rule number |
Additional name for the rule. |
Implementation notes |
Text field for additional explanation. You can use implementation notes to enter explanations about the content of the rule condition, for example. |
Test schedule |
Schedule for starting rule checks on a regular basis.
By default, the Compliance rule check schedule is assigned but you can assign your own schedule. |
Fill schedule |
Schedule, which starts recalculation of the auxiliary tables for rule checking.
By default, the Fill compliance rule objects schedule is assigned but you can assign your own schedule. |
Status |
Rule status with respect to its audit status. |
Auditor |
Person that audited the rule the last time. |
Date of Audit |
Date of last rule audit. |
Audit remarks |
Remarks referring to the audit, for example, results that may be important for the next audit. |
Related topics
You can compare the results of a working copy with the original rule. The comparison values are then displayed on the Rule comparison tab on the main data form.
Table 16: Results of a rule comparison
Newly added |
Violate the rule for the first time |
Identical |
Still violate the rule |
No longer included |
Do not violate the rule anymore |
TIP: In the Manager, all working copies with a different condition to that of the original rule are displayed in the Identity audit > Rules > Working copies of rules > Modified working copies category.
Detailed information about this topic
You can integrate checking requests for rule compliance into approval workflows in the IT Shop. On the IT Shop properties tab, specify how violations of this rule should be handled within an approval process for IT Shop requests.
To enter IT Shop properties for a rule
-
In the Designer, set the QER | ComplianceCheck | EnableITSettingsForRule configuration parameter.
-
In the Manager, on the General tab of the rule's main data form, set the Rule for cyclical testing and risk assessment in the IT Shop option.
-
Select the IT Shop properties tab.
-
Edit the main data.
- Save the changes.
Table 17: IT Shop properties
Rule violation identified |
Specifies which rule violations are logged.
Table 18: Permitted values
New rule violation due to a request |
Only rule violations that are added through approval of the current request are logged. |
Unapproved exception |
Rule violations that are added through approval of the current request are logged. Already known rule violations that have not yet been granted an exception are also logged. |
Any compliance violation |
All rule violations are logged, independent of whether an exception approval has already been granted or not.
This value is automatically set when the Explicit exception approval option is set. | |
Explicit exception approval |
Specifies whether exception approvals are presented again or whether existing exception approvals should be reused.
Table 19: Permitted values
Enabled |
A known rule violation must always be presented for exception approval, even if there is an exception approval from a previous violation of the rule. |
Not set |
A known rule violation is not presented again for exception approval if there is an exception approval from a previous violation of the rule. This exception approval is reused and the known rule violation is automatically granted exception. | |