Identity Manager 8.2.1 - Risk Assessment Administration Guide

Default risk index functions

One Identity Manager supplies a comprehensive collection of default functions. These are used for calculating the risk index of all company resources assigned. These functions can be selected in the Risk Index Functions category under the Assignments filter.

Additional factors, like the type of assignment or attestation, influence how the risk index is calculated. A separate function is stored for each factor that additionally affects a calculated risk index. These functions can be selected in the Risk Index Functions category under the Properties filter.

The following object type risk indexes are determined to calculate the risk index of employees:

  • User accounts

    Risk index (calculated) of all user accounts connected to an employee

  • Company resources

    Risk index (calculated) of all company resources assigned (for example, software, resources, subscribable reports)

  • Rule violations

    Risk index of the violated rule, taking mitigating controls into account

  • Application roles

    Risk index of all application roles in which the employee is a member

Risk index calculation for the different object types is described in more detail in the following sections.

NOTE: The default functions can be used to perform a risk assessment for most objects in One Identity Manager. This largely covers the standard requirements on this topic. The mode of calculation, weighting, and change values must be adjusted to suit your company’s requirements.

Before running a risk assessment

  • Check all default functions for relevance to your data situation.
  • Disable all unnecessary functions.
  • Adjust the calculation type, weighting, and change value in the enabled functions to suit your company.
  • Define additional functions if required.

Risk index for user accounts

Installed modules:

Target System Base Module

Active Directory Module

Azure Active Directory Module

Oracle E-Business Suite Module

LDAP Module

Domino Module

SAP R/3 User Management module Module

SAP R/3 Analysis Authorizations Add-on Module

SharePoint Module

Google Workspace Module

Cloud Systems Management Module

Unix Based Target Systems Module

Privileged Account Governance Module

Attestation Module

First, the risk indexes of all system entitlements assigned to the user accounts are found in order to calculate user account risk indexes. There are functions stored for the assignments tables to do this (for example "Active Directory user accounts: assignments to groups", "User accounts: assignments to system entitlements"). The risk factor of these assignments depends on other factors. Each of these factors reduces the risk index found.

  • Assignment through inheritance (without IT Shop requests)
  • Assignment through an approved IT Shop request
  • The assignment is attested and approved

One Identity Manager determines the highest value from the assignment risk indexes (calculation type: "Maximum (weighted)") for each user account. There are functions stored for the user account tables to do this (for example: "Active Directory user account", "User accounts"). This value is reduced or increased by other factors.

  • The user account is attested and approved
  • The user account is not connected to an employee
  • The user account is disabled
  • The user account is a member of too many system entitlements

The risk index of SAP user accounts is calculated from different individual risks.

  • Highest risk index of the assigned SAP groups
  • Highest risk index of the assigned structural profiles
  • Highest risk index (reduced) of the SAP functions matching an SAP user account

One Identity Manager finds the highest value of these individual risks for each SAP user account. This value is decreased or increased by given factors if the conditions are fulfilled.

The risk index of SharePoint user accounts is calculated from different individual risks.

  • Highest risk index of the assigned SharePoint groups
  • Highest risk index of the assigned SharePoint roles

One Identity Manager finds the highest value of these individual risks for each SharePoint user account. This value is decreased or increased by given factors if the conditions are fulfilled.

NOTE: User accounts can obtain a calculated index even if there are no risk indexes stored with the system entitlements. In this case, the risk index is calculated from the additional factors which increase the risk index. The risk index of a user account increases if:

  • The user account is not linked to an employee
  • The user account is a member of too many system entitlements
  • The user account is disabled
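
The two-stage user account calculation described in this section, modeled as an added example that is not One Identity Manager code. The change values, the weighting, the entitlement threshold, and the additive arithmetic on a 0 to 1 scale are all assumptions chosen for illustration; the real values are configured per function.

```python
from dataclasses import dataclass, field

# Assumed change values (constructed for this example, not product defaults).
ASSIGNMENT_REDUCTIONS = {"inherited": 0.10, "it_shop_approved": 0.20, "attested": 0.15}
ACCOUNT_CHANGES = {"attested": -0.10, "orphaned": +0.20, "disabled": +0.05,
                   "too_many_entitlements": +0.15}
ENTITLEMENT_LIMIT = 3   # assumed threshold for "too many system entitlements"
WEIGHT = 1.0            # assumed weighting for the "Maximum (weighted)" step


def clamp(value):
    """Keep a risk index inside the assumed 0..1 range."""
    return round(min(1.0, max(0.0, value)), 4)


@dataclass
class Assignment:
    entitlement_risk: float                  # risk index stored on the entitlement
    factors: set = field(default_factory=set)

    def risk(self):
        # Each applicable factor reduces the risk index of the assignment.
        reduction = sum(ASSIGNMENT_REDUCTIONS[f] for f in self.factors)
        return clamp(self.entitlement_risk - reduction)


@dataclass
class UserAccount:
    assignments: list
    attested: bool = False
    linked_to_employee: bool = True
    disabled: bool = False

    def risk(self):
        # Stage 1: highest assignment risk index, weighted (0 if none is stored).
        base = WEIGHT * max((a.risk() for a in self.assignments), default=0.0)
        # Stage 2: account-level factors decrease or increase that value.
        flags = {"attested": self.attested, "orphaned": not self.linked_to_employee,
                 "disabled": self.disabled,
                 "too_many_entitlements": len(self.assignments) > ENTITLEMENT_LIMIT}
        return clamp(base + sum(ACCOUNT_CHANGES[k] for k, on in flags.items() if on))


# Constructed sample: approvals pull the 0.8 entitlement below the unapproved 0.6 one.
reviewed = UserAccount([Assignment(0.8, {"it_shop_approved", "attested"}),
                        Assignment(0.6)], attested=True)
# Constructed sample: no entitlement risk is stored, yet the account still scores.
orphan = UserAccount([Assignment(0.0)] * 4, linked_to_employee=False, disabled=True)
```

With these assumed values, the unapproved 0.6 assignment drives the reviewed account rather than the approved 0.8 one, and the orphaned account receives a risk index purely from the increasing factors named in the NOTE.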

Risk index for system roles

Installed modules:

System Roles Module

Attestation Module

First, the risk indexes of all company resources assigned to the system roles are found in order to calculate system role risk indexes. There are functions stored for the assignments tables to do this ("System roles"). The system role risk index is made up of the risk indexes of the assigned objects. There is a separate function stored for each assignable object type.

One Identity Manager determines the highest value from the assignment risk indexes (calculation type: "Maximum") for each system role. There are functions stored for the "system role" table to do this. This value is reduced or increased by other factors.

  • The system role is attested and approved
  • The system role is not assigned to a manager

NOTE: Employees can obtain a calculated index even if there are no risk indexes stored with the company resources. In this case, the risk index is calculated from the additional factors which increase the risk index. The risk index of a user account increases if no manager is assigned.

Risk index for hierarchical roles and IT Shop structures

Installed modules:

Business Roles Module (for business role risk indexes)

Attestation Module

First, the risk indexes of all assigned company resources are established in order to calculate risk indexes for business roles, departments, locations, cost centers, and IT Shop structures. There are functions stored for the assignments tables to do this (for example "Roles and organizations: Subscribable report assignments", "Roles and organizations: E-Business Suite responsibility assignments"). The risk factor of these assignments depends on other factors. Each of these factors reduces the risk index found.

  • Assignment through an approved IT Shop request
  • The assignment is attested and approved

One Identity Manager determines the highest value from the assignment risk indexes (calculation type: "Maximum (weighted)") for each company resource. This value is reduced or increased by other factors.

  • The rule or IT Shop structure is attested and approved.
  • The role or IT Shop structure is not assigned a manager (UID_PersonHead).

NOTE: Roles and IT Shop structures can obtain a calculated index even if there are no risk indexes stored with the company resources. In this case, the risk index is calculated from the additional factors which increase the risk index. The risk index of a role or IT Shop structure increases if no manager is assigned to the role or IT Shop structure.