Rule supervisors
You can assign compliance rules to employees who are responsible for rule content. This may be an auditor or an auditing department, for example. To do this, assign compliance rules to an application role for rule supervisors. Assign employees to this application role who are authorized to edit working copies of compliance rules.
A default application role for target system managers is available in One Identity Manager. You may create other application roles as required. For detailed information about application roles, see the One Identity Manager Authorization and Authentication Guide.
Table 10: Default application role for rule supervisors
Rule supervisors
Rule supervisors must be assigned to the Identity & Access Governance | Identity Audit | Rule supervisors application role or a child application role.
Users with this application role:
- Are responsible for compliance rule content, for example, an auditor or an auditing department.
- Edit the compliance rule working copies, which are assigned to the application role.
- Enable and disable compliance rules.
- Can start rule checking and view rule violations as required.
- Assign mitigating controls.
To edit a rule supervisor
- Select the Identity Audit | Basic configuration data | Rule supervisors category.
- Select the Change master data task.
  OR
  Select an application role in the result list. Select the Change master data task.
  OR
  Click in the result list.
- Edit the application role's master data.
  Parent application role: Assign the Identity & Access Governance | Identity Audit | Rule supervisor application role or a child application role.
- Save the changes.
- Select the Assign employees task to add members to the application role.
- In the Add assignments pane, assign employees.
  OR
  In the Remove assignments pane, remove employees.
- Save the changes.
Exception approvers
Employees who can issue exception approvals for rule violations can be assigned to compliance rules. To do this, assign an application role for exception approvers to the compliance rule. Assign those employees who are entitled to approve rule violation exceptions to this application role.
A default application role for exception approvers is available in One Identity Manager. You may create other application roles as required. For detailed information about application roles, see the One Identity Manager Authorization and Authentication Guide.
Table 11: Default application role for exception approvers
Exception approvers
Administrators must be assigned to the Identity & Access Governance | Identity Audit | Exception approvers application role or a child application role.
Users with this application role:
- Edit rule violations in the Web Portal.
- Can grant exception approval or revoke it in the Web Portal.
To edit exception approvers
- Select the Identity Audit | Basic configuration data | Exception approvers category.
- Select the Change master data task.
  OR
  Select an application role in the result list. Select the Change master data task.
  OR
  Click in the result list.
- Edit the application role's master data.
  Parent application role: Assign the Identity & Access Governance | Identity Audit | Exception approvers application role or a child application role.
- Save the changes.
- Select the Assign employees task to add members to the application role.
- In the Add assignments pane, assign employees.
  OR
  In the Remove assignments pane, remove employees.
- Save the changes.
Standard reasons
For exception approvals, you can specify reasons in the Web Portal that explain the individual approval decisions. You can freely formulate this text. You also have the option to predefine reasons. The exception approvers can select a suitable text from these standard reasons in the Web Portal and store it with the rule violation.
To edit standard reasons
- Select the Identity Audit | Basic configuration data | Standard reasons category.
- Select a standard reason in the result list and run the Change master data task.
  OR
  Click in the result list.
- Edit the master data for a standard reason.
- Save the changes.
Enter the following properties for the standard reason.
Table 12: General master data for a standard reason
Property | Description
Standard reason | Reason text as displayed in the Web Portal.
Description | Text field for additional explanation.
Automatic Approval | Specifies whether the reason text is only used for automatic approvals by One Identity Manager for rule violations. This standard reason cannot be selected by exception approvals in the Web Portal. Do not set the option if you want to select the standard reason in the Web Portal.
Additional text required | Specifies whether an additional reason should be entered in free text for the exception approval.
Usage type | Usage type of standard reason. Assign one or more usage types to allow filtering of the standard reasons in the Web Portal.
Predefined standard reasons
One Identity Manager supplies predefined standard reasons. These standard reasons are added to the rule violations by One Identity Manager, if approval is automatic.
To display predefined standard reasons
- Select the Identity Audit | Basic configuration data | Standard reasons | Predefined category.