Identity Manager 9.1.2 - Compliance Rules Administration Guide

Compliance rules and identity audit
Specifying affected entitlements

In order to take entitlements into account in the rule, you must define at least one rule block that determines the affected entitlements for employee groups. Each rule block can contain more than one partial condition. The partial conditions are linked through the options all or at least one.

Figure 4: Rule block for affected entitlements

Use the following options to limit the affected entitlements:

  • At least one entitlement

    Define one entitlement per rule block.

    Select the type of entitlement, such as a target system type or the Resource type, and define the partial condition (see Table 24).

    Rules can be created for all the system entitlements displayed in the Unified Namespace. The rule conditions access the Unified Namespace database layers to do this.

  • At least one role or organization assignment

    For each rule block, define the membership in a hierarchical role (application role, department, location, cost center, business role).

    Select the type of role, such as Departments, and define the partial condition (see Table 24).

  • At least one function

    Enter at least one SAP function to replace the rule.

    This option can only be selected if the SAP R/3 Compliance Add-on Module is installed. For more information, see the One Identity Manager Administration Guide for the SAP R/3 Compliance Add-on.

  • Number of entitlements

    You specify how many entitlements the employee must have to violate the rule.

    By default, a rule violation is identified if one of the employees in the affected employee group is assigned an object that fulfills the condition of the rule block. You can increase this number. The value 0 is not valid.

Table 24: Defining the partial condition

| Partial condition | Description |
|---|---|
| Properties | Properties of the objects, such as Defined name or Resource type. |
| Assignment in other objects | Assignments of the objects to other objects, such as the assignment of a department as the primary department for various employees. |
| Memberships | Memberships of entitlements in hierarchical roles and IT Shop structures. Assignments to employees or workdesks if the System roles permissions type has been selected. Assignments of company resources to the roles, such as DepartmentHasADSGroup. |
| Permissions controls | Permissions elements defined for the selected target system. NOTE: Permissions controls are only created for custom target systems. |
| Has extended property | Extended properties assigned to the objects. |
| Has extended property in group | Extended properties from the selected extended property group that are assigned to the objects. |
| Has extended property in range | Extended properties assigned to the objects and for which a range of values is defined. The rule verifies the correct value. |
| SQL Query | Input of an SQL query (WHERE clause). For more information about the WHERE clause, see the One Identity Manager User Guide for One Identity Manager Tools User Interface. |

A simple rule example

The following examples show how rules can be created with the help of the Rule Editor and the effects of each option.

Example 1

Employees from department A may not belong to department B at the same time.

Define:

  1. The options by all employees and the combination of all the employee's identities in the rule block for the affected employee group.

  2. Two rule blocks for the affected entitlements with the option at least one role or organization assignment.

Figure 5: Rule condition for example 1

Example 2

Employees from the sales or purchasing department are not permitted to access the Active Directory group "Development". This rule is only checked for enabled employees.

Define:

  1. The options by all employees, all, and one of the employee's identities in the rule block for the affected employee group.

  2. Two rule blocks for the affected entitlements with the options:

    1. at least one role or organization assignment and

    2. at least one entitlement.

Figure 6: Rule condition for example 2

Example 3

All permitted entitlements are assigned to employees through system roles. One employee can have a maximum of two system roles. If an employee has more than one identity, the rule is also violated if the entitlements of all subidentities taken together result in a rule violation.

There are three system roles: Pool for finance, Pool for purchasing, and Pool for sales.

Chris User2 has two subidentities. The main identity and both subidentities are each assigned one system role:

Chris User2 (HI): Pool for finance

Chris User2 (SI1): Pool for purchasing

Chris User2 (SI2): Pool for sales

Define:

  1. The options by all employees and the combination of all the employee's identities in the rule block for the affected employee group.

  2. One rule block for the affected entitlements with the option at least one entitlement of type System roles that fulfill all the following partial conditions.

  3. A partial condition: Display name contains "Pool for"

  4. The number of entitlements assigned to the employee is larger or equal to 3.

Because Chris User2's main identity includes all three system roles through its subidentities, the main identity violates this (and only this) rule.

Rule checking finds the same result if the rule is formulated as follows:

Rule conditions in advanced mode

There are two ways of defining rule conditions, the simple definition and advanced mode. The simple definition is used as default to create rule conditions with the Rule Editor. For more information, see Basics for using the Rule Editor.

In advanced mode, the rule condition defines the employee properties that lead to a rule violation. The assignments are determined directly from the respective base tables that contain the selected objects (for example, PersonHasSAPGroup or Person).

To use advanced mode

  1. In the Designer, set the QER | ComplianceCheck | SimpleMode | NonSimpleAllowed configuration parameter.

    On the main data form for a rule, the options Rule for cyclical testing and risk assessment in IT Shop and Rule only for cyclical testing are displayed.

  2. Set Rule only for cyclical testing.

  3. Confirm the security prompt with Yes.

    The filter designer is displayed.

NOTE:

  • You cannot return to the simple definition once a rule condition has been entered in advanced mode!

  • Rules in advanced mode are not taken into account by rule checks in the IT Shop request approval processes. No IT Shop properties can be defined for these rules. The IT Shop properties tab does not appear on the main data form for this rule.

Figure 7: Advanced mode condition

Rule conditions in advanced mode are based on the Employees base object (Person table). Internally, the complete database query is assembled as follows:

    Select Firstname, Lastname from Person where <Rule condition> order by 1,2

NOTE: If you select the For the account with the target system type or For the entitlement with target system type condition type in the filter designer, only columns that are mapped in Unified Namespace and for which the Display in the filter designer column property is enabled can be selected.

For more information about using the filter designer, see the One Identity Manager User Guide for One Identity Manager Tools User Interface.

Table 25: Permitted condition types

| Condition type | Meaning |
|---|---|
| Property | Employee object properties. The drop-down menu with permitted properties is already restricted to the most important employee properties. |
| For the account with the target system type | Employee's user account. Valid user account properties depend on which target system is selected. |
| For entitlements with the target system type | Employee's target system group. Valid group properties depend on which target system is selected. |
| SQL Query | Free choice of SQL query (WHERE clause). To use the WHERE clause wizard, click the corresponding button. |

Rule condition as SQL query

You can formulate rule conditions directly in advanced mode as an SQL query.

To formulate a rule condition directly as an SQL query

  1. In the Designer, set the QER | ComplianceCheck | PlainSQL configuration parameter.

  2. Select Rule only for cyclical testing.

  3. Select the Enable SQL definition task for the working copy.

NOTE: Rule conditions can only be formulated through an SQL query if the QER | ComplianceCheck | SimpleMode configuration parameter is not set and the QER | ComplianceCheck | PlainSQL configuration parameter is set.

Figure 8: Direct SQL query input
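As an added illustration (not from the One Identity Manager documentation), the condition of Example 2 written as the WHERE clause a rule in SQL definition mode would carry; since the check runs it against the Person table, every employee the clause matches is reported as a violation. The table and column names used here (Department.DepartmentName, Person.IsInActive, ADSAccount, ADSAccountInADSGroup, ADSGroup.cn) are assumptions and must be checked against your own schema in the Designer.

```sql
-- Added example, not part of the product documentation.
-- Example 2: employees from the sales or purchasing department may not be
-- members of the Active Directory group "Development"; only enabled
-- (non-deactivated) employees are checked.
-- Schema names below are ASSUMED for illustration; verify them in the Designer.

-- Only enabled employees are checked (assumed column Person.IsInActive).
Person.IsInActive = 0

-- ... who belong to the sales or purchasing department
-- (assumed columns Person.UID_Department, Department.DepartmentName).
AND EXISTS (
    SELECT 1
    FROM Department d
    WHERE d.UID_Department = Person.UID_Department
      AND d.DepartmentName IN ('Sales', 'Purchasing')
)

-- ... and hold the group "Development" through one of their AD user accounts
-- (assumed tables ADSAccount, ADSAccountInADSGroup, ADSGroup).
AND EXISTS (
    SELECT 1
    FROM ADSAccount a
    JOIN ADSAccountInADSGroup ag ON ag.UID_ADSAccount = a.UID_ADSAccount
    JOIN ADSGroup g             ON g.UID_ADSGroup   = ag.UID_ADSGroup
    WHERE a.UID_Person = Person.UID_Person
      AND g.cn = 'Development'
)

-- The rule check wraps the clause as described on this page:
--   Select Firstname, Lastname from Person where <clause above> order by 1,2
-- The rows returned are exactly the employees that violate the rule.
```

Run the wrapped SELECT against a working copy first and compare its result set with the employees you expect; an over-broad clause reports false violations, while a clause that silently matches nothing (for example because of a mistyped group name) hides real ones.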
