Identity Manager 8.1.4 - Compliance Rules Administration Guide

Notifications about rule violations without exception approval

If a rule check discovers new rule violations for which exception approval cannot be granted, the rule supervisors are notified.

Prerequisites

  • The Exception approval allowed option is not set for the rule.
  • A Rule supervisor application role is assigned to the rule.
  • Employees are assigned to this application role.

To inform a rule supervisor about rule violations

  • In the Designer, set the QER | ComplianceCheck | EmailNotification | NotPermittedViolation configuration parameter.

    Notification is sent by default using the Compliance - prohibited violation occurred mail template.

TIP: To use something other than the default mail template for these notifications, change the value of the configuration parameter.

Determining potential rule violations

In addition to locating existing rule violations, One Identity Manager can also identify potential violations of IT Shop requests. To do this, you add an approval step with the approval procedure "CR - Compliance check simplified" in the approval process in the IT Shop.

To identify rule violations through IT Shop requests, auxiliary tables are evaluated for object assignments and the affected employees. These auxiliary tables are regularly updated by the DBQueue Processor. Changes to a rule are calculated immediately in the auxiliary tables.

The Compliance rule fill schedule is included in the One Identity Manager default installation so that changes, such as changes to entitlements or to an extended property, are added to the rule check. This schedule generates processing tasks on a cyclical basis for updating the auxiliary table. Create your own schedule to customize the auxiliary table calculation cycle to meet your own requirements.

To customize the auxiliary table calculation cycle to meet your requirements

  1. Select the Identity Audit | Basic configuration data | Schedules category.
  2. Click in the result list.
  3. Edit the schedule's master data.
  4. Save the changes.
  5. Select the Assign rules (for filling) task and assign all the rules to the schedule to which it applies.
  6. Save the changes.

NOTE:

Rule checking does not check requests completely. Under the following conditions, rule checking may fail to identify a rule violation:

  • Customer permissions change after the auxiliary table has been calculated.

  • A rule is violated not by the requested product itself but by an object inherited through the requested product. Inheritance is calculated after request approval and can therefore not be identified until the auxiliary table is calculated again.

  • The customer does not belong to the employee group affected by the rule until the request is made.

  • The rule condition was created in expert mode or as a SQL query.

TIP: A complete check of assignments is achieved by cyclically checking compliance rules using schedules. This finds all the rule violations that result from requests.

Under the following conditions, rule checking may identify a rule violation where none exists:

  • Two products violate one rule when they are assigned at the same time. The product requests are, however, for a limited period, and the validity periods do not overlap. A potential rule violation is still identified.

TIP: After checking, these requests can be approved by an exception approver, provided the definition of the violated rule permits exception approval.

For more detailed information about compliance checking IT Shop requests, see the One Identity Manager IT Shop Administration Guide.

Creating custom mail templates for notifications

A mail template consists of general master data, such as target format, importance, or mail notification confidentiality, and one or more mail definitions. Mail text is defined in several languages in the mail template. This ensures that the recipient's language is taken into account when the email is generated.

In One Identity Manager, there is a Mail Template Editor to simplify writing notifications. You can use the Mail Template Editor to create and edit mail texts in WYSIWYG mode.

To edit mail templates

  1. In the Manager, select the Identity Audit | Basic configuration data | Mail templates category.

    This shows all the mail templates that can be used for Identity Audit in the result list.

  2. Select a mail template in the result list and run the Change master data task.

    - OR -

    Click in the result list.

    This opens the mail template editor.

  3. Edit the mail template.

  4. Save the changes.

To copy a mail template

  1. In the Manager, select the Identity Audit | Basic configuration data | Mail templates category.

    This shows all the mail templates that can be used for Identity Audit in the result list.

  2. Select the mail template that you want to copy in the result list and run the Change master data task.

  3. Select the Copy mail template task.

  4. Enter the name of the new mail template in the Name of copy field.

  5. Click OK.

To display a mail template preview

  1. In the Manager, select the Identity Audit | Basic configuration data | Mail templates category.

    This shows all the mail templates that can be used for Identity Audit in the result list.

  2. Select a mail template in the result list and run the Change master data task.

  3. Select the Preview task.

  4. Select the base object.

  5. Click OK.

To delete a mail template

  1. In the Manager, select the Identity Audit | Basic configuration data | Mail templates category.

    This shows all the mail templates that can be used for Identity Audit in the result list.

  2. Select the template in the result list.
  3. Click in the result list.
  4. Confirm the security prompt with Yes.

General properties of a mail template

The following general properties are displayed for a mail template:

Table 35: Mail template properties

Property

Meaning

Mail template

Name of the mail template. This name is used to display the mail template in the administration tools and in the Web Portal. Translate the given text using the button.

Base object

Mail template base object. A base object only needs to be entered if the mail definition properties of the base object are referenced.

Use the ComplianceRule or PersonInNonCompliance base object for notifications about rule violations.

Report (parameter set)

Report that is made available through the mail template.

Description

Mail template description. Translate the given text using the button.

Target format

Format in which to generate the email notification. Permitted values are:

  • HTML: The email notification is formatted in HTML. Text formats, for example, different fonts, colored fonts, or other text formatting, can be included in HTML format.

  • TXT: The email notification is formatted as text. Text format does not support bold, italics, or colored font, or other text formatting. Images displayed directly in the message are not supported.

Design type

Design in which to generate the email notification. Permitted values are:

  • Mail template: The generated email notification contains the mail body in accordance with the mail definition.
  • Report: The generated email notification contains the report specified under Report (parameter set) as its mail body.
  • Mail template, report in attachment: The generated email notification contains the mail body in accordance with the mail definition. The report specified under Report (parameter set) is attached to the notification as a PDF file.

Importance

Importance for the email notification. Permitted values are Low, Normal, and High.

Confidentiality

Confidentiality for the email notification. Permitted values are Normal, Personal, Private, and Confidential.

Can unsubscribe

Specifies whether the recipient can unsubscribe from the email notification. If this option is set, the emails can be unsubscribed from through the Web Portal.

Deactivated

Specifies whether this mail template is disabled.

Mail definition

Unique name for the mail definition.

Language

Language that applies to the mail template. The recipient's language preferences are taken into account when an email notification is generated.

Subject

Subject of the email message.

Mail body

Content of the email message.
