If new rule violations are discovered during a rule check, exception approvers are notified and prompted to make an approval decision.
Prerequisites
-
Exception approvals for rule violations are permitted.
-
An Exception approver application role is assigned to the rule.
-
Employees are assigned to this application role.
To send demands for exception approval
Related topics
If new rule violations are discovered during a rule check, which cannot be issued with exception approval, rule supervisors are notified.
Prerequisites
-
Exception approvals for rule violations are not permitted.
-
A Rule supervisor application role is assigned to the rule.
-
Employees are assigned to this application role.
To inform a rule supervisor about rule violations
Related topics
In addition to locating existing rule violations, One Identity Manager can also identify potential violations of IT Shop requests. To do this, you add an approval step with the CR - Compliance check simplified approval procedure in the approval process in the IT Shop.
To identify rule violations through IT Shop requests, auxiliary tables are evaluated for object assignments and the affected employees. These auxiliary tables are regularly updated by the DBQueue Processor. Changes to a rule are calculated immediately in the auxiliary tables.
The default schedule compliance rule fill schedule is included in the One Identity Manager default installation to add changes, such as, changes to entitlements or an extended property in the rule check. This schedule generates processing tasks, on a cyclical basis, for updating the auxiliary table. Create your own schedule to customize the auxiliary table calculation cycle meet your own requirements.
To customize the auxiliary table calculation cycle to meet your requirements
-
In the Manager, select the Identity Audit > Basic configuration data > Schedules category.
-
Click in the result list.
-
Edit the schedule’s main data.
- Save the changes.
-
Select the Assign rules (for filling) task and assign all the rules to the schedule to which it applies.
- Save the changes.
NOTE:
Rule checking does not completely check the requests. It is possible that under the following conditions, rule checking does not identify a rule violation:
-
Customer permissions change after the auxiliary table have been calculated.
-
If memberships are requested in business role or organization, a rule is violated by an object that is inherited through the business role or organization. Inheritance is calculated after request approval and can therefore not be identified until after the auxiliary table is calculated again.
-
The customer does not belong to the rule's employee group affected until the request is made.
-
The rule condition was created in expert node or as a SQL query.
TIP: A complete check of assignments is achieved with cyclical testing of compliance rule using schedules. This finds all the rule violations that result from the request.
It is possible that under the following conditions, rule checking identifies a rule violation where one does not exist:
-
Two products violate one rule when they are assigned at the same time. The product requests are, however, for a limited period. The validity periods does not overlap. Still a potential rule violation is identified.
TIP: These requests can be approved after checking by exception approver as permitted by the definition of the violation rule.
For more information about compliance checking of IT Shop requests, see the One Identity Manager IT Shop Administration Guide.
Related topics
One Identity Manager supplies mail templates by default. These mail templates are available in English and German. If you require the mail body in other languages, you can add mail definitions for these languages to the default mail template.
To edit a default mail template
Related topics