Use this task to maintain rule supervisors for the selected rule. To do this, assign employees who are allowed to edit this rule to the application roles entered as exception approvers on the main data form.
NOTE: Changes apply to all the rules assigned to this application role.
To authorize employees as rule supervisors
- In the Manager, select the Identity Audit > Rules category.
- Select the rule in the result list.
- Select the Maintain rule supervisors task.
- In the Add assignments pane, add employees.
  TIP: In the Remove assignments pane, you can remove assigned employees.
  To remove an assignment
- Save the changes.
In the rule condition, combine all the entitlements that lead to a rule violation. The affected employee group and the affected entitlements are restricted separately in the rule condition. The employee group determines which employees and identities the rule condition is applied to. The affected entitlements define the properties that result in a rule violation for those employees. The entitlements are determined through the object relations of the affected employees (PersonHasObject table).
The Rule Editor helps you formulate rule conditions. You can use predefined condition types and operators for this; the complete database query is composed internally. If the QER | ComplianceCheck | SimpleMode | ShowDescriptions configuration parameter is set, additional input fields are displayed in the simplified definition, providing a more detailed description of each rule block.
Figure 2: Rule Editor for simple definition of rules
The Rule Editor control elements supply the operators and properties you need to formulate partial conditions. You can select only one entry from a drop-down menu. From extended drop-down menus, where the properties are displayed hierarchically, you can select several entries; these are added to the condition using an "or" operator. You can enter text directly into input fields. Pop-up menus and input fields are shown and hidden dynamically.
A rule condition is made up of several rule blocks. A rule violation is detected when an employee, with properties and assignments, can be matched to all the rule blocks.
There are two types of rule blocks:
- Affected groups of employees
  Each rule must contain exactly one rule block that specifies the employee group the rule is applied to. By default, all employees with all identities are taken into account. You can, however, restrict the employee group further.
- Entitlements affected
  You need to define at least one rule block that finds affected entitlements. The properties that result in a rule violation for the affected employee group are defined here. You can check the following entitlements in the rule block: roles, target system groups, system entitlements, system roles, software, resources.
You can add any number of partial conditions within one rule block and link them with each other using the Rule Editor. Use the options All and At least one to specify whether one or all partial conditions in the block have to be fulfilled.
Table 21: Meaning of icons in the Rule Editor

| Icon | Meaning |
|---|---|
| (icon) | Add another partial condition or another rule block. A new line is displayed for entering the condition. |
| (icon) | Delete the partial condition or rule block. The line is removed. |
| (icon) | Opens the preview window. Affected objects are shown. |
| (icon) | The list of affected objects is shown in the preview window. |
To display a preview of affected objects
- In the Rule Editor, click the preview icon next to the condition or partial condition.
- In the preview window, click the list icon to display the list of affected objects.
Each rule has to contain exactly one rule block which specifies the employee group.
Figure 3: Rule block for the employee group affected
Use the following options to limit the affected employee group.
- From all employees
  All employees are taken into account.
- Only from employees that fulfill all/at least one of the following conditions
  You can limit the employee group with a condition, for example, "All employees in group A" or "All external employees". To determine the affected employee group, formulate the appropriate partial conditions.
  You can specify a condition type in the first pop-up menu of the partial condition, which restricts the affected employee group.

Table 22: Permitted condition types in the Rule Editor

| Condition type | Meaning |
|---|---|
| Property | Properties of the employee. The drop-down menu with permitted properties is already restricted to the most important employee properties. |
| For the user account with the target system type | Properties of the employee's user accounts with the selected target system type. |
| SQL Query | Input of an SQL query (WHERE clause). For more information about the WHERE clause, see the One Identity Manager User Guide for One Identity Manager Tools User Interface. |
- A single identity
  Table 23: Result of the rule check

  | Result | Meaning |
  |---|---|
  | violated | The sub-identity or main identity of an employee fulfills the rule condition. |
  | not violated | The main identity fulfills the rule condition only due to its sub-identities. |
- The combination of all identities
  The rule is violated:
For more information about identities, see the One Identity Manager Identity Management Base Module Administration Guide.
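The following is an added illustration, not One Identity Manager code: a small Python model of the rule semantics described above (one employee-group block, at least one entitlement block, All versus At least one inside a block, and the single-identity versus combined-identities check from Table 23). The employee, role and UID values are constructed sample data standing in for Person and PersonHasObject rows.

```python
# Added example, not One Identity Manager code: a toy evaluator for the rule
# semantics described above (one employee-group block, >= 1 entitlement blocks,
# All / At least one inside a block, single vs. combined identity check).
from dataclasses import dataclass, field

@dataclass
class Employee:
    main: str                                 # UID of the main identity
    subs: list = field(default_factory=list)  # UIDs of its sub-identities
    is_external: bool = False

@dataclass
class Block:
    conditions: list          # callables (employee, entitlements) -> bool
    mode: str = "all"         # "all" (AND) or "at_least_one" (OR)

    def matches(self, emp, ents):
        hits = [c(emp, ents) for c in self.conditions]
        return all(hits) if self.mode == "all" else any(hits)

@dataclass
class Rule:
    employee_group: Block     # exactly one block restricting the employee group
    entitlements: list        # at least one block naming affected entitlements

    def violated_by(self, emp, ents):
        # A violation needs the employee to match EVERY rule block.
        return self.employee_group.matches(emp, ents) and all(
            b.matches(emp, ents) for b in self.entitlements)

def check_single_identity(rule, emp, person_has_object):
    """Each identity is checked on its own entitlements (Table 23): a main
    identity that only matches via its sub-identities is NOT violated."""
    return {uid: rule.violated_by(emp, person_has_object.get(uid, set()))
            for uid in [emp.main, *emp.subs]}

def check_all_identities(rule, emp, person_has_object):
    """The combination of all identities: entitlements are pooled first."""
    pooled = set().union(*(person_has_object.get(u, set())
                           for u in [emp.main, *emp.subs]))
    return rule.violated_by(emp, pooled)

# Constructed sample data standing in for Person / PersonHasObject rows.
PHO = {"P1": {"Role:Payables"}, "P1-sub": {"Role:Receivables"}, "P2": {"Role:Payables"}}
ALICE = Employee("P1", ["P1-sub"])
BOB = Employee("P2", is_external=True)

# Segregation-of-duties rule: holding BOTH roles violates it ("From all employees").
SOD = Rule(Block([lambda e, s: True]),
           [Block([lambda e, s: "Role:Payables" in s]),
            Block([lambda e, s: "Role:Receivables" in s])])
# External employees may hold neither role ("At least one" within one block).
EXT = Rule(Block([lambda e, s: e.is_external]),
           [Block([lambda e, s: "Role:Payables" in s,
                   lambda e, s: "Role:Receivables" in s], mode="at_least_one")])
```

Alice's main identity and sub-identity each hold only one of the two roles, so the rule is violated only when all identities are combined, which is exactly the distinction Table 23 draws.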