Reports about policy violations
One Identity Manager makes various reports available containing information about the selected base object and its relations to other One Identity Manager database objects. You can generate the following reports for all enabled company policies and compliance frameworks.
Table 18: Reports about policy violations
| Policy violation overview
(of a company policy) |
This report groups together all policy violations for the selected policy. All the objects that violate the company policy are listed. The result list is grouped by:
- Policy violations that still need to be decided
- Policy violations without exception approval
- Policy violation with exception approval
|
| Policy violation overview
(of a policy group) |
This report groups together all policy violations for the selected policy group. All the objects that violate the company policy are listed. The number of granted, denied, and not yet processed policy violations are given in addition. |
| Policy violation overview
(for a compliance framework) |
This report groups together all policy violations for the selected compliance framework. All the objects that violate the company policy are listed. The number of granted, denied, and not yet processed policy violations are given in addition. |
Granting exception approval
There can be individual cases where it is not possible to adhere to company policy. Policy violations can only be accepted occasionally, but only if you take the required measures to ensure that these violations are regularly checked. For this purpose, you may grant exception approval for certain policy violations.
You store exception approvals with policy violations. You can see an overview of all unprocessed (new) company policies and policies that have been granted or denied on the overview form for a company policy.
Prerequisites
- The Exception approval allowed option is set for the company policy.
- The company policy is assigned an application role for exception approvers.
- Employees are assigned to this application role.
Use the Web Portal to grant exception approvals.
NOTE: If the Exception approval allowed option is not set, unedited policy violations for this company policy are automatically denied. Existing exception approvals are withdrawn.
Detailed information about this topic
Notifications about policy violations
After policy checking, email notifications can be sent through new policy violations to exception approvers and policy supervisors. The notification procedure uses mail templates to create notifications. The mail text in a mail template is defined in several languages. This ensures that the language of the recipient is taken into account when the email is generated. Mail templates are supplied in the default installation with which you can configure the notification procedure.
Messages are not sent to the chief approval team by default. Fallback approvers are only notified if not enough approvers could be found for an approval step.
To use notification in the request process
-
Ensure that the email notification system is configured in One Identity Manager. For more detailed information, see the One Identity Manager Installation Guide.
-
In the Designer, set the QER | Policy | EmailNotification configuration parameter.
-
In the Designer, set the QER | Policy | EmailNotification | DefaultSenderAddress configuration parameter and enter the sender address used to send the email notifications.
-
Ensure that all employees have a default email address. Notifications are sent to this address. For more detailed information, see the One Identity Manager Identity Management Base Module Administration Guide.
-
Ensure that a language can be determined for all employees. Only then can they receive email notifications in their own language. For more detailed information, see the One Identity Manager Identity Management Base Module Administration Guide.
-
Configure the notification procedure.
Related topics
Request for exception approval
Table 19: Configuration parameters for notifications about policy violations
| QER | Policy | EmailNotification | NewExceptionApproval |
This configuration parameter contains the name of the mail template, which is sent if an approval exception for a new policy violation is required. |
If new policy violations are discovered during a policy check, exception approvers are notified and prompted to make an approval decision.
Prerequisites
To send demands for exception approval
-
Set configuration parameter "QER | Policy | EmailNotification | NewExceptionApproval" in Designer.
Notification, using the "Policies - new exception approval required" mail template, is sent to all exception approvers by default.
TIP: To use something other than the default mail template for these notifications, change the value of the configuration parameter.
