Chat now with support
Chat with Support

Identity Manager 8.1.5 - Compliance Rules Administration Guide

Compliance rules and identity audit
One Identity Manager users for identity audit Basic data for setting up rules Setting up a rule base rule check Creating custom mail templates for notifications
Mitigating controls Configuration parameters for Identity Audit

Which rules are violated by a specific employee?

To view which rules the employee violates

  1. Select the Employees | Employees category.
  2. Select an employee in the result list.
  3. Select the Rule evaluation report.

    This not only shows the rule that the employee has violated with or without exception, but also those with no violations.

Table 32: Meaning of icons in employee rule analysis
Icon Meaning
The rule is not violated.
The rule is violated. No exception approval has been granted for this rule exception.
The rule is violated. No exception approval has been granted for this rule exception.

Reports about rule violations

One Identity Manager makes various reports available containing information about the selected base object and its relations to other One Identity Manager database objects. You can generate the following reports for all active rules, rule groups, and compliance frameworks.

NOTE: Other sections may be available depending on the which modules are installed.
Table 33: Reports about rule violations
Report Description
Overview of all assignments

(for a rule)

This report shows all employees that violate the selected rule. The report shows which roles of a role class the employee belongs to. Employees that are not members of any role are not taken into account.
Rule violation overview

(for a rule)

This report groups together all rule violations for the selected rule. All employees are listed that have objects that violation the rule. The result list is grouped by:

  • Employees pending a rule violation decision.
  • Employees without exception approval.
  • Employees with exception approval.
Show historical rule violations

(for a rule)

This report groups together all historical rule violations for the selected rule. All employees are listed that violate the rule as well as the time period covering the rule violation.
Rule violation overview

(for a rule group)

This report groups together all rule violations for the selected rule group. All rule violations are listed. The number of granted, denied, and not yet processed rule violations are given in addition.
Rule violation overview

(for a compliance framework)

This report groups together all rule violations for the selected compliance framework. All rule violations are listed. The number of granted, denied, and not yet processed rule violations are given in addition.
Detailed list of rule violations

(for a compliance framework)

This report groups together all rule violations for the selected compliance framework. All rule violations are listed. For each rule, the employee that violated the rule, the date and the reason for the approval decision are given.
Related topics

Overview of all assignments

The Overview of all assignments report is displayed for some objects, such as authorizations, compliance rules, or roles. The report finds all the roles, for example, departments, cost centers, locations, business roles, and IT Shop structures in which there are employees who own the selected base object. In this case, direct as well as indirect base object assignments are included.

Examples
  • If the report is created for a resource, all roles are determined in which there are employees with this resource.
  • If the report is created for a group or another system entitlement, all roles are determined in which there are employees with this group or system entitlement.
  • If the report is created for a compliance rule, all roles are determined in which there are employees who violate this compliance rule.
  • If the report is created for a department, all roles are determined in which employees of the selected department are also members.
  • If the report is created for a business role, all roles are determined in which employees of the selected business role are also members.

To display detailed information about assignments

  • To display the report, select the base object from the navigation or the result list and select the Overview of all assignments report.
  • Click the Used by button in the report toolbar to select the role class for which you want to determine whether roles exist that contain employees with the selected base object.

    All the roles of the selected role class are shown. The color coding of elements identifies the role in which there are employees with the selected base object. The meaning of the report control elements is explained in a separate legend. To access the legend, click the icon in the report's toolbar.

  • Double-click a control to show all child roles belonging to the selected role.
  • By clicking the button in a role's control, you display all employees in the role with the base object.
  • Use the small arrow next to to start a wizard that allows you to bookmark this list of employees for tracking. This creates a new business role to which the employees are assigned.

Figure 9: Toolbar of the Overview of all assignments report.

Table 34: Meaning of icons in the report toolbar

Icon

Meaning

Show the legend with the meaning of the report control elements

Saves the current report view as a graphic.

Selects the role class used to generate the report.

Displays all roles or only the affected roles.

Granting exception approval

Assignments that violate rules can be approved in hindsight. To do this, specially authorized employees can grant exception approval.

Prerequisites

  • The Exception approval allowed option is set for the rule.
  • The rule is assigned an application role for exception approvers.
  • Employees are assigned to this application role.
NOTE: If the Exception approval allowed option is not set, unedited rule violations for this rule are automatically denied. Existing exception approvals are withdrawn.

You must also decide whether exception approvers are allowed to approve their own rule violations. By default, an employee who violates a rule is determined to be the exception approver for this rule if they are a member of the Exception approvers application role for the rule. This means they can approve their own rule violations.

To prevent an employee from granting themselves exception approval

  • In the Designer, disable the QER | ComplianceCheck | DisableSelfExceptionGranting configuration parameter.

    Employees that violate a rule, are not determined to be exception approvers for this rule violation. Neither the rule violator's main identity nor its subidentities can grant exception approval.

Detailed information about this topic
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating