Ad-hoc policy checking
Various tasks for immediate policy checking are available for an enabled company policy.
To review a selected company policy immediately
- In the Manager, select the Company Policies > Policies category.
- Select the company policy in the result list.
- Select the Change main data task.
- Select the Recalculate policy task.
To review all company policies immediately
- In the Manager, select the Company Policies > Policies category.
- Select the company policy in the result list.
- Select the Change main data task.
- Select the Recalculate all task.
Reports about policy violations
One Identity Manager makes various reports available containing information about the selected base object and its relations to other One Identity Manager database objects. You can generate the following reports for all enabled company policies and compliance frameworks.
Table 13: Reports about policy violations
| Report | Description |
| --- | --- |
| Policy violation overview (of a company policy) | This report groups together all policy violations for the selected policy. All the objects that violate the company policy are listed. The result list is grouped by: policy violations that still need to be decided; policy violations without exception approval; policy violations with exception approval. |
| Policy violation overview (of a policy group) | This report groups together all policy violations for the selected policy group. All the objects that violate the company policy are listed. The number of granted, denied, and not yet processed policy violations are given in addition. |
| Policy violation overview (of a compliance framework) | This report groups together all policy violations for the selected compliance framework. All the objects that violate the company policy are listed. The number of granted, denied, and not yet processed policy violations are given in addition. |
Granting exception approvals
There can be individual cases where it is not possible to adhere to a company policy. Such policy violations can be accepted only occasionally, and only if you take the required measures to ensure that they are checked regularly. For this purpose, you can grant exception approval for certain policy violations.
Use the Web Portal to grant exception approvals. For more information, see the One Identity Manager Web Designer Web Portal User Guide.
You store exception approvals with policy violations. You can see an overview of all unprocessed (new) company policies and policies that have been granted or denied on the overview form for a company policy.
Prerequisites
- The Exception approval allowed option is set for the company policy.
- The company policy is assigned an application role for exception approvers.
- Employees are assigned to this application role.
NOTE: If the Exception approval allowed option is not set, unedited policy violations for this company policy are automatically denied. Existing exception approvals are withdrawn.
Notifications about policy violations
After policy checking, email notifications about new policy violations can be sent to exception approvers and policy supervisors. The notification procedure uses mail templates to create notifications. The mail text in a mail template is defined in several languages. This ensures that the language of the recipient is taken into account when the email is generated. Mail templates with which you can configure the notification procedure are supplied in the default installation.
Messages are not sent to the chief approval team by default. Fallback approvers are only notified if not enough approvers could be found for an approval step.
To use notification in the request process
- Ensure that the email notification system is configured in One Identity Manager. For more information, see the One Identity Manager Installation Guide.
- In the Designer, set the QER | Policy | EmailNotification configuration parameter.
- In the Designer, set the QER | Policy | EmailNotification | DefaultSenderAddress configuration parameter and enter the sender address used to send the email notifications.
- Ensure that all employees have a default email address. Notifications are sent to this address. For more information, see the One Identity Manager Identity Management Base Module Administration Guide.
- Ensure that a language can be determined for all employees. Only then can they receive email notifications in their own language. For more information, see the One Identity Manager Identity Management Base Module Administration Guide.
- Configure the notification procedure.