Tchater maintenant avec le support
Tchattez avec un ingénieur du support

Identity Manager 9.2.1 - Company Policies Administration Guide

Company policies in One Identity Manager Defining company policies
Creating and editing company policies Using default company policies Deleting company policies Policy groups Compliance frameworks Schedules for checking policies Company policy attestors Policy supervisors for company policies Exception approvers for policy violations Standard reasons for policy violations Mail templates for company policy notifications
Checking company policies Automatic attestation of policy violations Mitigating controls for company policies General configuration parameter for company policies

General main data for company policies

Enter the following data for a company policy.

Table 2: General main data of company policies

Property

Description

Policy

Name of the company policy.

Description

Text field for additional explanation.

Main version number

Current state of the company policy as a version number. The version number is incremented in One Identity Manager's default installation each time you make a change to the condition.

Working copy

Specifies whether this is a working copy of the company policy.

Deactivated

Specifies whether the company policy is disabled or not.

Only company policies that are enabled are included in policy checking. Use the Enable policy or Disable policy tasks to enable or disable a company policy. The working copy company policy is always disabled.

Policy group

Policy group to which the company policy belongs, based on its content. Select a policy group from the menu. To create a new policy group, click . Enter a name and description for the policy group.

Policy supervisors

Application role whose members are responsible for the company policy, in terms of content.

To create a new application role, click . Enter the application role name and assign a parent application role.

Exception approval allowed

Specifies whether exception approval is permitted when the policy is violated. Assignments that cause the policy to be violated can be approved and issued anyway with this.

Attestation policy

Attestation policy to use for attesting objects that violate this company policy.

NOTE: Ensure that the same objects are determined by this attestation policy as by the company policy. Check the assigned tables and conditions.

This field is displayed only when the Attestation Module is installed.

This functionality is used by default in the context of Behavior Driven Governance. For more information about this, see the One Identity Manager Administration Guide for Behavior Driven Governance.

Start attestation of new rule violations immediately

Specifies whether an attestation case is created immediately for each new policy violation. If this option is enabled, assign an attestation policy.

This field is displayed only when the Attestation Module is installed.

This functionality is used by default in the context of Behavior Driven Governance. For more information about this, see the One Identity Manager Administration Guide for Behavior Driven Governance.

Exception approvers

Application role, whose members are entitled to grant exception approval for violations to this company policy.

To create a new application role, click . Enter the application role name and assign a parent application role.

Mail template new violation

Mail template used to generate an email to inform rule supervisors or exception approvers about new policy violations.

Exception approvers info

Information, which the exception approver may require for making a decision. This advice should describe the risks and side effects of an exception.

Attestors

Applications role whose members are authorized to approve attestation cases for company policies and policy violations.

To create a new application role, click . Enter the application role name and assign a parent application role.

Without condition

Specifies whether the company policy a direct relationship to the One Identity Manager data model or not. If this option is set, the Edit condition... button is disabled.

If the option is not set, a condition must be entered that finds all the objects that violate the policy.

Base table

Base table referenced by the company policy.

Based on this table, the system determines which objects violate the company policy.

Edit connection...

Starts the WHERE clause wizard. Use the WHERE clause wizard to set up a condition that finds all the objects in the base table that violate the company policy. Use the Expert view button to enter the condition in SQL syntax straight away.

Condition

Data query that finds all the objects that violate the company policy. This option is only available if the Show condition task has been run beforehand.

Detailed information about this topic
Related topics

Risk assessment for policy violations

For more information about risk assessment, see the One Identity Manager Risk Assessment Administration Guide.

You can use One Identity Manager to evaluate the risk of policy violations. To do this, enter a risk index for the company policy. The risk index specifies the risk involved for the company if the company policy is violated. The risk index is given as a number in the range 0 ... 1. By doing this you specify whether a policy violation is not considered a risk for the company (risk index = 0) or whether every policy violation poses a problem (risk index = 1).

You can use the Report Editor to assess policy violations depending on the risk index by creating various reports. For more information about creating reports, see the One Identity Manager Configuration Guide.

To assess the risk of a policy violation enter values for grading company policies on the Assessment criteria tab.

Table 3: Assessment criteria for a rule
Property Description

Severity code

Specifies the impact on the company of violations to this company policy. Use the slider to enter a value between 0 and 1.

0 ... No impact

1 ... Every policy violation is a problem.

Significance

Provides a verbal description of the impact on the company of violations to this company policy. In the default installation, the values low, average, high, and critical are listed.

Risk index

Specifies the risk for the company of violations to this company policy. Use the slider to enter a value between 0 and 1.

0 ... No risk

1... Every rule violation is a problem.

This field is only visible if the QER | CalculateRiskIndex configuration parameter is set.

Risk index (reduced)

Show the risk index taking mitigating controls into account. The risk index for a company policy is reduced by the significance reduction value for all assigned mitigating controls. The risk index (reduced) is calculated for the original company policy. To copy the value to a working copy, run the task Create working copy.

This field is only visible if the QER | CalculateRiskIndex configuration parameter is set. The value is calculated by One Identity Manager and cannot be edited.

Transparency index

Specifies how traceable assignments are that are checked by this company policy. Use the slider to enter a value between 0 and 1.

0 ... No transparency

1 ... Full transparency

Max. number of rule violations

Number of policy violations allowed for this company policy.

Detailed information about this topic
Related topics

Additional data for company policies

You can enter additional comments about the company policy and revision data on the Extended tab.

Table 4: General main data of company policies
Property Description

Policy number

Additional identifier for the company policy.

Implementation notes

Text field for additional explanation. You can use implementation notes to enter explanations about the content of the policy condition, for example.

Status

Status of the company policy with respect to its audit status.

Schedule

Schedule for starting policy checks on a regular basis.

By default, the Policy Check schedule is assigned but you can assign your own schedule.

Related topics

Comparing working copies and original company policies

You can compare the results of a working copy with the original company policy. Company policies can only be compared when an original of the working copy exists.

TIP: All working copies with a different condition to that of the original company policy are displayed in the Company policies > Policies > Working copies of policies > Modified working copies category.

To compare a company policy with the working copy

  1. In the Manager, select the Company policies > Policies > Working copies of policies category.

  2. Select the working copy in the result list.

  3. Select the Change main data task.

  4. Select the Compare policy task.

    The comparison values are then displayed on the Policy comparison tab.

    Table 5: Results of a policy comparison
    Policy violations Lists all identities who, as a result of the change, would (not) violate the company policy as follows

    Newly added

    would violate the policy for the first time

    Identical

    would still violate the policy

    No longer included

    would no longer violate the policy

To display the policy comparison as report

  • Select the Show rule comparison report.
Related topics
Documents connexes

The document was helpful.

Sélectionner une évaluation

I easily found the information I needed.

Sélectionner une évaluation