Specifying affected entitlements
In order to take entitlements into account in the rule, you must define at least one rule block that determines the affected entitlements for employee groups. Each rule block can contain more than one partial condition. The partial conditions are linked through the options all or at least one.
Figure 4: Rule block for affected entitlements
Use the following options to limit the affected entitlements:
- At least one entitlement
  Define one entitlement per rule block.
  Select the type of entitlement, such as a target system type or the Resource type, and define the partial condition (see Table 24).
  Rules can be created for all the system entitlements displayed in the Unified Namespace. The rule conditions access the Unified Namespace database layers to do this.
- At least one role or organization assignment
  For each rule block, define the membership in a hierarchical role (application role, department, location, cost center, business role).
  Select the type of role, such as Departments, and define the partial condition (see Table 24).
- At least one function
  Enter at least one SAP function to replace the rule.
  This option can only be selected if the SAP R/3 Compliance Add-on Module is installed. For more information, see the One Identity Manager Administration Guide for the SAP R/3 Compliance Add-on.
- Number of entitlements
  You specify how many entitlements the employee must have to violate the rule.
  By default, a rule violation is identified if one of the employees in the affected employee group is assigned an object that fulfills the condition of the rule block. You can increase this number. The value 0 is not valid.
Table 24: Defining the partial condition

| Condition type | Description |
| --- | --- |
| Properties | Properties of the objects, such as Defined name or Resource type. |
| Assignment in other objects | Assignments of the objects to other objects, such as the assignment of a department as the primary department for various employees. |
| Memberships | Memberships of entitlements in hierarchical roles and IT Shop structures. Assignments to employees or workdesks if the System roles permissions type has been selected. Assignments of company resources to the roles, such as DepartmentHasADSGroup. |
| Permissions controls | Permissions elements defined for the selected target system. NOTE: Permissions controls are only created for custom target systems. |
| Has extended property | Extended properties assigned to the objects. |
| Has extended property in group | Extended properties from the selected extended property group that are assigned to the objects. |
| Has extended property in range | Extended properties assigned to the objects and for which a range of values is defined. The rule verifies the correct value. |
| SQL Query | Input of a SQL query (WHERE clause). For more information about the WHERE clause, see the One Identity Manager User Guide for One Identity Manager Tools User Interface. |
A simple rule example
The following examples show how rules can be created with the help of the Rule Editor and the effects of each option.
Example 1
Employees from department A may not belong to department B at the same time.
Define:
- The option by all employees and the combination of all the employee's identities in the rule block for the affected employee group.
- Two rule blocks for the affected entitlements with the option at least one role or organization assignment.
Figure 5: Rule condition for example 1
Example 2
Employees from the sales or purchasing department are not permitted to access the Active Directory group "Development". This rule is only checked for enabled employees.
Define:
- The options by all employees, all, and one of the employee's identities in the rule block for the affected employee group.
- Two rule blocks for the affected entitlements with the options:
  - at least one role or organization assignment and
  - at least one entitlement.
Figure 6: Rule condition for example 2
Example 3
All permitted entitlements are assigned to employees over system roles. One employee can have a maximum of two system roles. If an employee has more than one identity, the rule is also violated if the entitlements of all subidentities together result in a rule violation.
There are three system roles: Pool for finance, Pool for purchasing, and Pool for sales.
Chris User2 has two subidentities. The main identity and both subidentities are respectively assigned to a system role.
Chris User2 (HI): Pool for finance
Chris User2 (SI1): Pool for purchasing
Chris User2 (SI2): Pool for sales
Define:
- The options by all employees and the combination of all the employee's identities in the rule block for the affected employee group.
- One rule block for the affected entitlements with the option at least one entitlement of type System roles that fulfill all the following partial conditions:
  - A partial condition: Display name contains "Pool for"
  - The number of entitlements assigned to the employee is larger than or equal to 3.
Because Chris User2's main identity includes all three system roles due to their subidentities, the main identity violates this (and only this) rule.
Rule checking finds the same result if the rule is formulated as follows:
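The following is an added, runnable model of how the rule blocks in the three examples are evaluated; it is example code, not One Identity Manager's rule engine. The Identity, Entitlement and RuleBlock types, the employees Alex and Sam, and the reading that every rule block for affected entitlements must be fulfilled for a violation (as Examples 1 and 2 imply) are assumptions made for illustration; the Chris User2 data is taken from Example 3.

```python
"""Model of rule evaluation with the options 'by all employees' and
'combination of all the employee's identities'.

Added example, not One Identity Manager code. Rule blocks, the all / at least
one link of their partial conditions and the 'Number of entitlements'
threshold are modelled directly; identity and entitlement data are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class Entitlement:
    kind: str            # entitlement type, e.g. "System role" or "Department"
    display_name: str


@dataclass
class Identity:
    name: str
    main_identity: Optional[str] = None   # None marks a main identity
    entitlements: List[Entitlement] = field(default_factory=list)


@dataclass
class RuleBlock:
    """One rule block for affected entitlements (assumed structure)."""
    kind: str
    conditions: List[Callable[[Entitlement], bool]]   # partial conditions
    link: str = "all"                                  # "all" or "at least one"
    min_count: int = 1                                 # Number of entitlements

    def __post_init__(self):
        if self.min_count < 1:        # the page states that the value 0 is not valid
            raise ValueError("Number of entitlements must be at least 1")

    def matches(self, ent: Entitlement) -> bool:
        if ent.kind != self.kind:
            return False
        results = [cond(ent) for cond in self.conditions]
        return all(results) if self.link == "all" else any(results)

    def violated_by(self, entitlements: List[Entitlement]) -> bool:
        return sum(1 for e in entitlements if self.matches(e)) >= self.min_count


def entitlements_of(main: Identity, identities: List[Identity], combine: bool) -> List[Entitlement]:
    """With the combination option, the main identity is checked against its own
    entitlements plus those of every subidentity; otherwise only its own."""
    ents = list(main.entitlements)
    if combine:
        for ident in identities:
            if ident.main_identity == main.name:
                ents.extend(ident.entitlements)
    return ents


def violators(blocks: List[RuleBlock], identities: List[Identity], combine: bool = True) -> List[str]:
    """Main identities for which every rule block is fulfilled (assumption:
    rule blocks for affected entitlements are AND-linked, as Example 1 implies)."""
    return [i.name for i in identities
            if i.main_identity is None
            and all(b.violated_by(entitlements_of(i, identities, combine)) for b in blocks)]


def example_1() -> List[str]:
    """Employees from department A may not belong to department B at the same time."""
    blocks = [RuleBlock("Department", [lambda e: e.display_name == "Department A"]),
              RuleBlock("Department", [lambda e: e.display_name == "Department B"])]
    people = [Identity("Alex", entitlements=[Entitlement("Department", "Department A"),
                                             Entitlement("Department", "Department B")]),
              Identity("Sam", entitlements=[Entitlement("Department", "Department A")])]
    return violators(blocks, people)   # constructed employees; only Alex violates


def example_3(combine: bool = True) -> List[str]:
    """One block: system roles whose display name contains 'Pool for', at least 3."""
    block = RuleBlock("System role", [lambda e: "Pool for" in e.display_name], min_count=3)
    chris = [Identity("Chris User2 (HI)", entitlements=[Entitlement("System role", "Pool for finance")]),
             Identity("Chris User2 (SI1)", "Chris User2 (HI)", [Entitlement("System role", "Pool for purchasing")]),
             Identity("Chris User2 (SI2)", "Chris User2 (HI)", [Entitlement("System role", "Pool for sales")])]
    return violators([block], chris, combine)


if __name__ == "__main__":
    print(example_1(), example_3(), example_3(combine=False))
```

Running `example_3()` with the combination option flags the main identity, because the three subidentities' system roles are counted together; without the option the main identity holds only one matching role and the threshold of 3 is not reached.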
Rule conditions in advanced mode
There are two ways of defining rule conditions, the simple definition and advanced mode. The simple definition is used as default to create rule conditions with the Rule Editor. For more information, see Basics for using the Rule Editor.
In advanced mode, the employee properties that lead to a rule violation are defined in the rule condition. The assignments are determined directly from the respective base tables that contain the selected objects (for example, PersonHasSAPGroup or Person).
To use advanced mode
- In the Designer, set the QER | ComplianceCheck | SimpleMode | NonSimpleAllowed configuration parameter.
  On the main data form for a rule, the options Rule for cyclical testing and risk assessment in IT Shop and Rule only for cyclical testing are displayed.
- Set Rule only for cyclical testing.
- Confirm the security prompt with Yes.
  The filter designer is displayed.
NOTE:
- You cannot return to the simple definition once a rule condition has been entered in advanced mode!
- Rules in advanced mode are not taken into account by rule checks in the IT Shop request approval processes. No IT Shop properties can be defined for these rules. The IT Shop properties tab does not appear on the main data form for this rule.
Figure 7: Advanced mode condition
Rule conditions in advanced mode are based on the Employees base object (Person table). The completed database query is put together internally:
Select Firstname, Lastname from Person where <Rule condition> order by 1,2
NOTE: If you select the For the account with the target system type or For the entitlement with target system type condition type in the filter designer, only columns that are mapped in Unified Namespace and for which the Display in the filter designer column property is enabled can be selected.
For more information about using the filter designer, see the One Identity Manager User Guide for One Identity Manager Tools User Interface.
Table 25: Permitted condition types

| Condition type | Description |
| --- | --- |
| Property | Employee object properties. The drop-down menu with permitted properties is already restricted to the most important employee properties. |
| For the account with the target system type | Employee's user account. Valid user account properties depend on which target system is selected. |
| For entitlements with the target system type | Employee target system group. Valid group properties depend on which target system is selected. |
| SQL Query | Free choice of SQL query (WHERE clause). To use the WHERE clause wizard, click the corresponding button. |
Rule condition as SQL query
You can formulate rule conditions directly in advanced mode as a SQL query.
To formulate a rule condition directly as a SQL query
- In the Designer, set the QER | ComplianceCheck | PlainSQL configuration parameter.
- Select Rule only for cyclical testing.
- Select the Enable SQL definition task for the working copy.
NOTE: Rule conditions can only be formulated through a SQL query if the QER | ComplianceCheck | SimpleMode configuration parameter is not set and the QER | ComplianceCheck | PlainSQL configuration parameter is set.
Figure 8: Direct SQL query input
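As an added example of a rule condition written directly as a WHERE clause (not code from One Identity Manager), the following Python script splices Example 2 into the statement template quoted above and runs it against a constructed SQLite copy of the tables involved. The table and column names (Person.IsInActive, PersonInDepartment, Department.DepartmentName, ADSAccount, ADSAccountInADSGroup, ADSGroup.DisplayName) are assumptions modelled on the product's schema, and every row is constructed for illustration.

```python
"""Advanced-mode rule condition as a SQL WHERE clause fragment.

Added example, not One Identity Manager code. The statement template is the
one the documentation quotes: Select Firstname, Lastname from Person where
<Rule condition> order by 1,2. Table and column names are assumptions modelled
on the product schema; all rows are constructed.
"""
import sqlite3

QUERY_TEMPLATE = "SELECT Firstname, Lastname FROM Person WHERE {condition} ORDER BY 1, 2"

# Example 2: employees from Sales or Purchasing must not be in the Active
# Directory group "Development"; only enabled employees (IsInActive = 0) count.
EXAMPLE_2_CONDITION = """
    Person.IsInActive = 0
    AND EXISTS (
        SELECT 1 FROM PersonInDepartment pid
        JOIN Department d ON d.UID_Department = pid.UID_Department
        WHERE pid.UID_Person = Person.UID_Person
          AND d.DepartmentName IN ('Sales', 'Purchasing'))
    AND EXISTS (
        SELECT 1 FROM ADSAccount a
        JOIN ADSAccountInADSGroup aig ON aig.UID_ADSAccount = a.UID_ADSAccount
        JOIN ADSGroup g ON g.UID_ADSGroup = aig.UID_ADSGroup
        WHERE a.UID_Person = Person.UID_Person
          AND g.DisplayName = 'Development')
"""


def build_query(condition: str) -> str:
    """Insert the WHERE clause fragment into the fixed statement, as the rule
    check does internally. The fragment must be a predicate, not a statement."""
    fragment = condition.strip().rstrip(";")
    if fragment.upper().startswith("SELECT"):
        raise ValueError("rule condition must be a WHERE clause fragment, not a full statement")
    return QUERY_TEMPLATE.format(condition=fragment)


def constructed_database() -> sqlite3.Connection:
    """In-memory tables with constructed rows (names are assumptions)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Person (UID_Person TEXT PRIMARY KEY, Firstname TEXT, Lastname TEXT, IsInActive INTEGER);
        CREATE TABLE Department (UID_Department TEXT PRIMARY KEY, DepartmentName TEXT);
        CREATE TABLE PersonInDepartment (UID_Person TEXT, UID_Department TEXT);
        CREATE TABLE ADSGroup (UID_ADSGroup TEXT PRIMARY KEY, DisplayName TEXT);
        CREATE TABLE ADSAccount (UID_ADSAccount TEXT PRIMARY KEY, UID_Person TEXT);
        CREATE TABLE ADSAccountInADSGroup (UID_ADSAccount TEXT, UID_ADSGroup TEXT);
    """)
    conn.executemany("INSERT INTO Person VALUES (?,?,?,?)", [
        ("p1", "Alex", "Seller", 0),   # Sales + Development, enabled: violation
        ("p2", "Sam", "Buyer", 0),     # Purchasing, no Development group: no violation
        ("p3", "Dana", "Former", 1),   # Sales + Development, but disabled: not checked
        ("p4", "Kim", "Coder", 0),     # Development group, but not in Sales/Purchasing
    ])
    conn.executemany("INSERT INTO Department VALUES (?,?)",
                     [("d1", "Sales"), ("d2", "Purchasing"), ("d3", "Development")])
    conn.executemany("INSERT INTO PersonInDepartment VALUES (?,?)",
                     [("p1", "d1"), ("p2", "d2"), ("p3", "d1"), ("p4", "d3")])
    conn.executemany("INSERT INTO ADSGroup VALUES (?,?)", [("g1", "Development"), ("g2", "Finance")])
    conn.executemany("INSERT INTO ADSAccount VALUES (?,?)",
                     [("a1", "p1"), ("a2", "p2"), ("a3", "p3"), ("a4", "p4")])
    conn.executemany("INSERT INTO ADSAccountInADSGroup VALUES (?,?)",
                     [("a1", "g1"), ("a2", "g2"), ("a3", "g1"), ("a4", "g1")])
    return conn


def run_rule_condition(conn: sqlite3.Connection, condition: str) -> list:
    """Rows (Firstname, Lastname) of employees that violate the rule."""
    return conn.execute(build_query(condition)).fetchall()


def example_2_violators() -> list:
    return run_rule_condition(constructed_database(), EXAMPLE_2_CONDITION)


if __name__ == "__main__":
    print(example_2_violators())
```

Because the condition is inserted as free text into a fixed SELECT, it has to be a predicate that is valid in the context of the Person row; a correlated EXISTS per rule block keeps each block's logic separate, and the IsInActive test carries the "only enabled employees" restriction of Example 2.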