Which rules are violated by a specific employee?
To view which rules the employee violates
- Select the Employees | Employees category.
- Select an employee in the result list.
- Select the Rule evaluation report.
This not only shows the rule that the employee has violated with or without exception, but also those with no violations.
Table 32: Meaning of icons in employee rule analysis
 |
The rule is not violated. |
 |
The rule is violated. No exception approval has been granted for this rule exception. |
 |
The rule is violated. No exception approval has been granted for this rule exception. |
Reports about rule violations
One Identity Manager makes various reports available containing information about the selected base object and its relations to other One Identity Manager database objects. You can generate the following reports for all active rules, rule groups, and compliance frameworks.
NOTE: Other sections may be available depending on the which modules are installed.
Table 33: Reports about rule violations
| Overview of all assignments
(for a rule) |
This report shows all employees that violate the selected rule. The report shows which roles of a role class the employee belongs to. Employees that are not members of any role are not taken into account. |
| Rule violation overview
(for a rule) |
This report groups together all rule violations for the selected rule. All employees are listed that have objects that violation the rule. The result list is grouped by:
- Employees pending a rule violation decision.
- Employees without exception approval.
- Employees with exception approval.
|
| Show historical rule violations
(for a rule) |
This report groups together all historical rule violations for the selected rule. All employees are listed that violate the rule as well as the time period covering the rule violation. |
| Rule violation overview
(for a rule group) |
This report groups together all rule violations for the selected rule group. All rule violations are listed. The number of granted, denied, and not yet processed rule violations are given in addition. |
| Rule violation overview
(for a compliance framework) |
This report groups together all rule violations for the selected compliance framework. All rule violations are listed. The number of granted, denied, and not yet processed rule violations are given in addition. |
| Detailed list of rule violations
(for a compliance framework) |
This report groups together all rule violations for the selected compliance framework. All rule violations are listed. For each rule, the employee that violated the rule, the date and the reason for the approval decision are given. |
Related topics
Overview of all assignments
The Overview of all assignments report is displayed for some objects, such as authorizations, compliance rules, or roles. The report finds all the roles, for example, departments, cost centers, locations, business roles, and IT Shop structures in which there are employees who own the selected base object. In this case, direct as well as indirect base object assignments are included.
Examples
- If the report is created for a resource, all roles are determined in which there are employees with this resource.
- If the report is created for a group or another system entitlement, all roles are determined in which there are employees with this group or system entitlement.
- If the report is created for a compliance rule, all roles are determined in which there are employees who violate this compliance rule.
- If the report is created for a department, all roles are determined in which employees of the selected department are also members.
- If the report is created for a business role, all roles are determined in which employees of the selected business role are also members.
To display detailed information about assignments
Figure 9: Toolbar of the Overview of all assignments report.
Table 34: Meaning of icons in the report toolbar
|
|
Show the legend with the meaning of the report control elements |
|
|
Saves the current report view as a graphic. |
|
|
Selects the role class used to generate the report. |
|
|
Displays all roles or only the affected roles. |
Granting exception approval
Assignments that violate rules can be approved in hindsight. To do this, specially authorized employees can grant exception approval.
Prerequisites
- The Exception approval allowed option is set for the rule.
- The rule is assigned an application role for exception approvers.
- Employees are assigned to this application role.
NOTE: If the Exception approval allowed option is not set, unedited rule violations for this rule are automatically denied. Existing exception approvals are withdrawn.
You must also decide whether exception approvers are allowed to approve their own rule violations. By default, an employee who violates a rule is determined to be the exception approver for this rule if they are a member of the Exception approvers application role for the rule. This means they can approve their own rule violations.
To prevent an employee from granting themselves exception approval
-
In the Designer, disable the QER | ComplianceCheck | DisableSelfExceptionGranting configuration parameter.
Employees that violate a rule, are not determined to be exception approvers for this rule violation. Neither the rule violator's main identity nor its subidentities can grant exception approval.
Detailed information about this topic
button in a role's control, you display all employees in the role with the base object.