Everyone with IT system authorization in a company represents a security risk for that company. For example, an employee with permission to edit financial data in SAP carries a higher risk than an employee with permission to edit their own personal data. To quantify the risk, you can enter a risk value for every company resource in One Identity Manager. A risk index is calculated from this value for every employee who is assigned this company resource, directly, or indirectly. Company resources include target system entitlements (for example, Active Directory groups or SAP profiles), system roles, subscribable reports, software, and resources. In this way, all employees representing a particular risk to the company can be found.
Rules in the context of Identity Audit can also be given a risk index. Each rule violation can increase the security risk. Therefore, these risk indexes are also included in the employee’s risk calculation. You can define appropriate countermeasures through mitigating controls, and store them with the compliance rules.
Other factors can influence the calculation of employee risk indexes. These include: the type of resource assignment (approved request in the IT Shop or direct assignment), attestations, exception approvals for rule violations, employee responsibilities, and defined weightings. Furthermore, the risk index can be calculated for all business roles, organizations, and system roles that have company resources assigned to them. The user account risk index is calculated based on the system entitlements assigned.
One Identity Manager provides default functions for the risk index calculations described in the following. These are available if the respective module is installed. You can also can set up custom functions.
To use risk assessment functionality
- In the Designer, set "QER | CalculateRiskIndex" and compile the database.
The following users are used for specifying risk indexes and editing risk index functions.
Table 1: Users
|
Employee responsible for individual company resources |
The users are defined using different application roles for administrators and managers.
Users with these application roles:
- Specify company resource risk indexes for which you are responsible.
|
|
Compliance rules administrators |
Administrators must be assigned to the Identity & Access Governance | Identity Audit | Administrators application role.
Users with this application role:
- Specify the risk indexes for compliance rules.
- Specify mitigating controls.
- Create and edit functions.
|
|
Administrators for attestation cases |
Administrators are assigned to the Identity & Access Governance | Attestation | Administrators application role.
Users with this application role:
- Specify risk indexes for attestation policies.
- Specify mitigating controls.
- Create and edit functions.
|
|
Company policy administrators |
Administrators must be assigned to the Identity & Access Governance | Company policies | Administrators application role.
Users with this application role:
- Specify risk indexes for company policies.
- Specify mitigating controls.
- Create and edit functions.
|
| Employee administrators |
Administrators must be assigned to the Identity Management | Employees | Administrators application role.
Users with this application role:
- Create and edit functions.
|
| One Identity Manager administrators |
-
Create customized permissions groups for application roles for role-based login to administration tools in the Designer as required.
-
Create system users and permissions groups for non role-based login to administration tools in the Designer as required.
-
Enable or disable additional configuration parameters in the Designer as required.
-
Create custom processes in the Designer as required.
-
Create and configure schedules as required.
-
Create and configure password policies as required. |
A risk index can be entered in One Identity Manager for the following objects types.
NOTE: Object types are defined in the One Identity Manager modules and are not available until the modules are installed.
Table 2: Risk index for objects in the One Identity Manager
|
Active Directory groups |
Risk for the company if target system entitlements are granted. |
Active Directory Module |
|
SAP groups, SAP roles, SAP profiles, |
SAP R/3 User Management Module |
|
Structural profiles |
SAP R/3 Structural Profiles Add-on Module |
|
BI analysis authorizations |
SAP R/3 Analysis Authorizations Add-on Module |
|
LDAP groups |
LDAP Module |
|
IBM Notes groups |
IBM Notes Module |
|
SharePoint groups,
SharePoint roles |
SharePoint Module |
|
E-Business Suite permissions |
Oracle E-Business Suite Module |
| Azure Active Directory groups |
Azure Active Directory Module |
|
G Suite groups |
G Suite Module |
|
G Suite products and SKUs |
G Suite Module |
| UNIX groups |
Unix Based Target Systems Module |
| Cloud groups |
Cloud Systems Management Module |
|
PAM user groups |
Privileged Account Governance Module |
|
System entitlements in the Unified Namespace |
Target System Base Module |
|
Software |
Risk for the company if the account definition, software, or resource is assigned to an employee. |
Software Management Module |
|
Resources |
always |
| Account definitions |
Target System Base Module |
| Multi-request resources |
Risk for the company if the resource is assigned to an IT Shop structure. |
always |
| Multi-requestable/unsubscribable resources |
always |
| Assignment resources |
always |
|
Application roles |
Risk for the company if an employee is a member of this application role. |
always |
|
Compliance rules |
Risk for the company if a rule is violated. |
Compliance Rules Module |
|
SAP functions |
Risk for the company if SAP user accounts match the SAP function. |
SAP R/3 Compliance Add-on Module |
|
Company policies |
Risk for the company if a company policy is violated. |
Company Policies Module |
|
Attestation policies |
Risk for the company if an attestation procedure denies approval for an attestation policy. |
Attestation Module |
|
Subscribable reports |
Risk for the company if an employee has subscribed to a report. |
Report Subscription Module |
To enter a risk index
- Open the master data form for the object for which you want to enter the risk index.
- Enter the desired value in the Risk index field.
The risk index is specified as a floating point number in the range 0.0 ... 1.0. This means:
- 0.0: no risk
- 1.0: problem; risk involved
One Identity Manager calculates the resulting risk indexes for employees, user accounts, and hierarchical roles based on the risk indexes already stored. All direct and indirectly assigned objects are taken into account.
The risk index is calculated for the following object types.
Table 3: Object types with a calculated risk index
|
Employees |
Calculated from the risk indexes of all associated user accounts, directly, and indirectly assigned software applications, resources, account definitions, and subscribable reports, membership in application roles, and rule violations. |
always |
|
Active Directory user accounts |
Calculated from the risk indexes of all assigned target system entitlements. |
Active Directory Module |
|
SAP user accounts |
SAP R/3 User Management Module |
|
BI user accounts |
SAP R/3 Analysis Authorizations Add-on Module |
|
LDAP user accounts |
LDAP Module |
|
IBM Notes user accounts |
IBM Notes Module |
|
SharePoint user accounts |
SharePoint Module |
|
E-Business Suite user accounts |
Oracle E-Business Suite Module |
|
Azure Active Directory user accounts |
Azure Active Directory Module |
|
G Suite user accounts |
G Suite Module |
|
UNIX user accounts |
Unix Based Target Systems Module |
|
Cloud user accounts |
Cloud Systems Management Module |
|
PAM user accounts |
Privileged Account Governance Module |
|
User accounts |
Target System Base Module |
|
Departments, locations, cost centers |
Calculated from the risk indexes of all assigned company resources. |
always |
|
Business roles |
Business Roles Module |
|
System roles |
System Roles Module |
|
IT Shop structures |
always |
|
Rule violations |
Determined by the risk index of the violated rule and the assigned mitigating control. |
Compliance Rules Module |
NOTE: If you work with the Data Governance Edition, you can also specify and calculate risk indexes for data under governance. These are included in the employee’s risk index calculation. For more information, see the Data Governance User Guide.
One Identity Manager supplies default functions for the risk indexes with risk functions defined for the objects types listed here. Certain properties of default functions can be edited in One Identity Manager. Furthermore, you can make custom functions.
Related topics
