Default risk index functions
One Identity Manager supplies a comprehensive collection of default functions. These are used for calculating the risk index of all company resources assigned. These functions can be selected in Risk Index Functions category under the Assignments filter.
Additional factors, like the type of assignment or attestation, influence how the risk index is calculated. There is separate function stored for each factor additionally affecting a calculated risk index. These functions can be selected in Risk Index Functions category under the Properties filter.
The following object type risk indexes are determined to calculate the risk index of employees:
- User accounts
Risk index (calculated) of all user accounts connected to an employee
- Company resources
Risk index (calculated) of all company resources assigned (for example, software, resources, subscribable reports)
- Rule violations
Risk index of violated rule taking mitigating controls into accounts
- Application roles
Risk index of all application roles in which the employee is member
Risk index calculation for the different object types is described in more detail in the following sections.
NOTE: The default functions can be used to perform a risk assessment for most objects in One Identity Manager. This largely covers the standard requirements on this topic. The mode of calculation, weighting, and change values must be adjusted to suit you company’s requirements.
Before running a risk assessment
- Check all default functions for relevance to your data situation.
- Disable all unnecessary functions.
- Adjust the calculation type, weighting, and change value in the enabled functions rules to suit your company.
- Define additional functions if required.
Detailed information about this topic
Related topics
Risk index for user accounts
|
Installed modules: |
Target System Base Module
Active Directory Module
Azure Active Directory Module
Oracle E-Business Suite Module
LDAP Module
Domino Module
SAP R/3 User Management module Module
SAP R/3 Analysis Authorizations Add-on Module
SharePoint Module
Google Workspace Module
Cloud Systems Management Module
Unix Based Target Systems Module
Privileged Account Governance Module
Attestation Module |
First, the risk indexes of all system entitlements assigned to the user accounts are found in order to calculate user account risk indexes. There are functions stored for the assignments tables to do this (for example "Active Directory user accounts: assignments to groups", "User accounts: assignments to system entitlements"). The risk factor of these assignments depends on other factors. Each of these factors reduces the risk index found.
- Assignment through inheritance (without IT Shop requests)
- Assignment through an approved IT Shop request
- The assignment is attested and approved
One Identity Manager determines the highest value from the assignment risk indexes (calculation type: "Maximum (weighted)") for each user account. There are functions stored for the user account tables to do this (for example: "Active Directory user account", "User accounts"). This value is reduced or increased by other factors.
- The user account is attested and approved
- The user account is not connected to an employee
- The user account is disabled
- The user account is member of too many system entitlements
The risk index of SAP user accounts is calculated from different individual risks.
- Highest risk index of the assigned SAP groups
- Highest risk index of the assigned structural profiles
- Highest risk index (reduced) of the SAP functions matching an SAP user account
One Identity Manager finds the highest value of these individual risks for each SAP user account. This value is decreased or increased by given factors if the conditions are fulfilled.
The risk index of SharePoint user accounts is calculated from different individual risks.
- Highest risk index of the assigned SharePoint groups
- Highest risk index of the assigned SharePoint roles
One Identity Manager finds the highest value of these individual risks for each SharePoint user account. This value is decreased or increased by given factors if the conditions are fulfilled.
NOTE: User accounts can obtain a calculated index even if there are no risk indexes stored with the system entitlements. In this case, the risk index is calculated from the additional factors which increase the risk index. The risk index of a user account increases if:
- The user account is not linked to an employee
- The user account is a member of too many system entitlements
- The user account is disabled
Risk index for system roles
|
Installed modules: |
System Roles Module
Attestation Module |
First, the risk indexes of all company resources assigned to the system roles are found in order to calculate system role risk indexes. There are functions stored for the assignments tables to do this ("System roles"). The system role risk index is made up of the risk indexes of the assigned objects. There is a separate function stored for each assignable object type.
One Identity Manager determines the highest value from the assignment risk indexes (calculation type: "Maximum") for each system role. There are functions stored for the "system role" table to do this. This value is reduced or increased by other factors.
- The system role is attested and approved
- The system role is not assigned to a manager
NOTE: Employees can obtain a calculated index even if there are no risk indexes stored with the company resources. In this case, the risk index is calculated from the additional factors which increase the risk index. The risk index of a user account increases if no manager is assigned.
Risk index for hierarchical roles and IT Shop structures
|
Installed modules: |
Business Roles Module (for business role risk indexes)
Attestation Module |
First, the risk indexes of all assigned company resources are established in order to calculate risk indexes for business roles, departments, locations, cost centers, and IT Shop structures. There are functions stored for the assignments tables to do this (for example "Roles and organizations: Subscribable report assignments", "Roles and organizations: E-Business Suite responsibility assignments"). The risk factor of these assignments depends on other factors. Each of these factors reduces the risk index found.
- Assignment through an approved IT Shop request
- The assignment is attested and approved
One Identity Manager determines the highest value from the assignment risk indexes (calculation type: "Maximum (weighted)") for each company resource. This value is reduced or increased by other factors.
- The rule or IT Shop structure is attested and approved.
- The role or IT Shop structure is not a assigned a manager (UID_PersonHead).
NOTE: Roles and IT Shop structures can obtain a calculated index even if there are no risk indexes stored with the company resources. In this case, the risk index is calculated from the additional factors which increase the risk index. The risk index of a role or IT Shop structure increases if no manager is assigned to the role or IT Shop structure.
