Everyone with IT system authorization in a company represents a security risk for that company. For example, an identity with permission to edit financial data in SAP carries a higher risk than an identity with permission to edit their own main data. To quantify the risk, you can enter a risk value for every company resource in One Identity Manager. A risk index is calculated from this value for every identity that has this company resource assigned to it directly or indirectly. Company resources include target system entitlements (for example, Active Directory groups or SAP profiles), system roles, subscribable reports, software, and resources. In this way, all the people that represent a particular risk to the company can be found.
Rules in the context of Identity Audit can also be given a risk index. Each rule violation can increase the security risk. Therefore, these risk indexes are also included in the identity’s risk calculation. You can define appropriate countermeasures through mitigating controls, and store them with the compliance rules.
Other factors can influence the calculation of identities' risk indexes. These include: the type of resource assignment (approved request in the IT Shop or direct assignment), attestations, exception approvals for rule violations, identity responsibilities, and defined weightings. Furthermore, the risk index can be calculated for all business roles, organizations, and system roles that have company resources assigned to them. The user account risk index is calculated based on the system entitlements assigned.
One Identity Manager provides default functions for the risk index calculations described in the following. These are available if the respective modules are installed. You can also set up custom functions.
To use risk assessment functionality
- In the Designer, set the QER | CalculateRiskIndex configuration parameter and compile the database.
If you disable the configuration parameter at a later date, model components and scripts that are no longer required are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor-relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.
The following users are used for specifying risk indexes and editing risk index functions.

Table 1: Users

| Users | Tasks |
|---|---|
| Responsible for individual company resources | The users are defined using different application roles for administrators and managers. Users with these application roles: |
| Compliance rules administrators | Administrators must be assigned to the Identity & Access Governance \| Identity Audit \| Administrators application role. Users with this application role: specify the risk indexes for compliance rules; specify mitigating controls; create and edit functions. |
| Administrators for attestation cases | Administrators are assigned to the Identity & Access Governance \| Attestation \| Administrators application role. Users with this application role: specify risk indexes for attestation policies; specify mitigating controls; create and edit functions. |
| Company policy administrators | Administrators must be assigned to the Identity & Access Governance \| Company policies \| Administrators application role. Users with this application role: specify risk indexes for company policies; specify mitigating controls; create and edit functions. |
| Identity administrators | Administrators must be assigned to the Identity Management \| Identities \| Administrators application role. Users with this application role: |
| One Identity Manager administrators | One Identity Manager administrator and administrative system users. Administrative system users are not added to application roles. One Identity Manager administrators: create customized permissions groups for application roles for role-based login to administration tools in the Designer as required; create system users and permissions groups for non role-based login to administration tools in the Designer as required; enable or disable additional configuration parameters in the Designer as required; create custom processes in the Designer as required; create and configure schedules as required. |
NOTE: Object types are defined in the One Identity Manager modules and are not available until the modules are installed.
The risk index can be entered for the following object types.
Table 2: Risk index for objects in the One Identity Manager

| Object type | Description | Available in |
|---|---|---|
| Target system entitlements, such as Active Directory groups or Google Workspace products and SKUs | Risk to the organization if the target system entitlement is assigned to a user account. | In the respective target system module |
| Software | Risk for the company if the account definition, software, or resource is assigned to an identity. | Software Management Module |
| Resources | Risk for the company if the account definition, software, or resource is assigned to an identity. | always |
| Account definitions | Risk for the company if the account definition, software, or resource is assigned to an identity. | Target System Base Module |
| Multi-request resources | Risk for the company if the resource is assigned to an IT Shop structure. | always |
| Multi requestable/unsubscribable resources | Risk for the company if the resource is assigned to an IT Shop structure. | always |
| Assignment resources | Risk for the company if the resource is assigned to an IT Shop structure. | always |
| Application roles | Risk for the company if an identity is a member of this application role. | always |
| Compliance rules | Risk for the company if a rule is violated. | Compliance Rules Module |
| SAP functions | Risk for the company if SAP user accounts match the SAP function. | SAP R/3 Compliance Add-on Module |
| Company policies | Risk for the company if a company policy is violated. | Company Policies Module |
| Attestation policies | Risk for the company if an attestation procedure denies approval for an attestation policy. | Attestation Module |
| Subscribable reports | Risk for the company if an identity has subscribed to a report. | Report Subscription Module |
To enter a risk index

- In the Manager, open the main data form of the object for which you want to enter a risk index.
- Enter the desired value in the Risk index field.

The risk index must be given as a floating point number in the range 0.0 to 1.0. This means:

Based on the risk index history, resulting risk indexes are calculated for identities, user accounts, and hierarchical roles. All directly and indirectly assigned objects are taken into account.
The risk index is calculated for the following object types.
Table 3: Object types with a calculated risk index

| Object type | Calculation | Available in |
|---|---|---|
| Identities | Calculated from the risk indexes of all associated user accounts, directly and indirectly assigned software applications, resources, account definitions, and subscribable reports, membership in application roles, and rule violations. | always |
| User accounts, such as Active Directory user accounts or Google Workspace user accounts | Calculated from the risk indexes of all assigned target system entitlements. | In the respective target system module |
| Departments, locations, cost centers | Calculated from the risk indexes of all assigned company resources. | always |
| Business roles | Calculated from the risk indexes of all assigned company resources. | Business Roles Module |
| System roles | Calculated from the risk indexes of all assigned company resources. | System Roles Module |
| IT Shop structures | Calculated from the risk indexes of all assigned company resources. | always |
| Rule violations | Determined by the risk index of the violated rule and the assigned mitigating control. | Compliance Rules Module |
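The propagation described in Table 3, as an added illustration that is not part of this guide or of the product's own code: a user account's index is derived from its target system entitlements, a rule violation's from the violated rule and its mitigating control, and an identity's from everything assigned to it, with every entered value checked against the 0.0 to 1.0 range. The aggregation rule (the maximum of the contributing indexes) and the way a mitigating control reduces a rule's index are assumptions of this example, and the sample identity is constructed data.

```python
from dataclasses import dataclass, field

def check_index(value: float) -> float:
    """Risk indexes are floating point numbers in the range 0.0 to 1.0."""
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"risk index {value} outside 0.0..1.0")
    return value

@dataclass
class UserAccount:
    name: str
    entitlements: dict[str, float]  # target system entitlement -> its risk index

    def risk_index(self) -> float:
        # Table 3: a user account's index comes from its assigned entitlements (assumed: maximum).
        return max((check_index(v) for v in self.entitlements.values()), default=0.0)

@dataclass
class RuleViolation:
    rule: str
    rule_index: float
    mitigation: float = 0.0  # assumed: reduction granted by the assigned mitigating control

    def risk_index(self) -> float:
        # Table 3: determined by the violated rule and its mitigating control.
        return max(check_index(self.rule_index) - check_index(self.mitigation), 0.0)

@dataclass
class Identity:
    name: str
    accounts: list[UserAccount] = field(default_factory=list)
    # software, resources, account definitions, application roles, subscribable reports
    resources: dict[str, float] = field(default_factory=dict)
    violations: list[RuleViolation] = field(default_factory=list)

    def risk_index(self) -> float:
        parts = [a.risk_index() for a in self.accounts]
        parts += [check_index(v) for v in self.resources.values()]
        parts += [v.risk_index() for v in self.violations]
        return max(parts, default=0.0)  # assumed aggregation: maximum

def sample_identity() -> Identity:
    """Constructed sample data, not taken from any product or real tenant."""
    ad = UserAccount("jdoe (Active Directory)", {"Domain Users": 0.1, "Finance-Admins": 0.6})
    sap = UserAccount("JDOE (SAP)", {"FI_POSTING": 0.8})
    return Identity("Jane Doe", accounts=[ad, sap],
                    resources={"Notebook": 0.1, "Salary report subscription": 0.5},
                    violations=[RuleViolation("SoD: post and approve", 0.9, mitigation=0.3)])
```

With this data the SAP account's entitlement dominates, so the identity's calculated index is 0.8 even though the rule violation alone would contribute 0.6 after mitigation.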
One Identity Manager supplies default functions for the risk indexes, with risk functions defined for the object types listed here. Certain properties of default functions can be edited in One Identity Manager. Furthermore, you can create custom functions.