Identity Manager On Demand - Starling Edition Hosted - Compliance Rules Administration Guide

Compliance rules attestors

NOTE: This function is only available if the Attestation Module is installed.

Identities that can be used to attest attestation procedures can be assigned to compliance rules. Assign an application role for attestors to the compliance rules. Assign identities to this application role that are authorized to attest compliance rules. For more information about attestation, see the One Identity Manager Attestation Administration Guide.

A default application role for attestors is available in One Identity Manager. You may create other application roles as required. For more information about application roles, see the One Identity Manager Authorization and Authentication Guide.

Table 8: Default application roles for attestors
User: Attestors for Identity Audit

Tasks:

Attestors must be assigned to the Identity & Access Governance | Identity Audit | Attestors application role.

Users with this application role:

  • Attest compliance rules and exception approvals in the Web Portal for which they are responsible.

  • Can view main data for these compliance rules but not edit them.

NOTE: This application role is available if the Attestation Module is installed.

To add identities to default application roles for attestors

  1. In the Manager, select the Identity Audit > Basic configuration data > Attestors category.

  2. Select the Assign identities task.

  3. In the Add assignments pane, add identities.

    TIP: In the Remove assignments pane, you can remove assigned identities.

    To remove an assignment

    • Select the identity and double-click .

  4. Save the changes.

Rule supervisors

You can assign compliance rules to identities that are responsible for rule content. This may be an auditor or an auditing department, for example. To do this, assign compliance rules to an application role for rule supervisors. Assign identities to this application role who are authorized to edit working copies of compliance rules.

A default application role for target system managers is available in One Identity Manager. You may create other application roles as required. For more information about application roles, see the One Identity Manager Authorization and Authentication Guide.

Table 9: Default application role for rule supervisors
User: Rule supervisors

Tasks:

Rule supervisors must be assigned to the Identity & Access Governance | Identity Audit | Rule supervisors application role or a child application role.

Users with this application role:

  • Are responsible for compliance rule content, for example, an auditor or an auditing department.

  • Edit the compliance rule working copies, which are assigned to the application role.

  • Enable and disable compliance rules.

  • Can start rule checking and view rule violations as required.

  • Assign mitigating controls.

To add identities to the default application role for rule supervisors

  1. In the Manager, select the Identity Audit > Basic configuration data > Rule supervisors category.

  2. Select the Assign identities task.

  3. In the Add assignments pane, add identities.

    TIP: In the Remove assignments pane, you can remove assigned identities.

    To remove an assignment

    • Select the identity and double-click .

  4. Save the changes.

Exception approvers

Identities that can issue exception approvals for rule violations can be assigned to compliance rules. To do this, assign an application role for exception approvers to the compliance rule. Assign those identities that are entitled to approve rule violation exceptions to this application role.

A default application role for exception approvers is available in One Identity Manager. You may create other application roles as required. For more information about application roles, see the One Identity Manager Authorization and Authentication Guide.

Table 10: Default application role for exception approvers
User: Exception approver

Tasks:

Administrators must be assigned to the Identity & Access Governance | Identity Audit | Exception approvers application role or a child application role.

Users with this application role:

  • Edit rule violations in the Web Portal.

  • Can grant exception approval or revoke it in the Web Portal.

To add identities to default application roles for exception approvers

  1. In the Manager, select the Identity Audit > Basic configuration data > Exception approvers category.

  2. Select the Assign identities task.

  3. In the Add assignments pane, add identities.

    TIP: In the Remove assignments pane, you can remove assigned identities.

    To remove an assignment

    • Select the identity and double-click .

  4. Save the changes.

Standard reasons for rule violations

For exception approvals, you can specify reasons in the Web Portal that explain the individual approval decisions. You can freely formulate this text. You also have the option to predefine reasons. The exception approvers can select a suitable text from these standard reasons in the Web Portal and store it with the rule violation.

To create or edit standard reasons

  1. In the Manager, select the Identity Audit > Basic configuration data > Standard reasons category.

  2. Select a standard reason in the result list and run the Change main data task.

    - OR -

    Click in the result list.

  3. Edit the main data of a standard reason.

  4. Save the changes.

Enter the following properties for the standard reason.

Table 11: General main data of a standard reason

Property | Description
Standard reason | Reason text as displayed in the Web Portal.
Description | Text field for additional explanation.
Automatic Approval | Specifies whether the reason text is only used for automatic approvals by One Identity Manager for rule violations. This standard reason cannot be selected by exception approvals in the Web Portal. Do not set the option if you want to select the standard reason in the Web Portal.
Additional text required | Specifies whether an additional reason should be entered in free text for the exception approval.
Usage type | Usage type of standard reason. Assign one or more usage types to allow filtering of the standard reasons in the Web Portal.
