Chat now with support
Chat with Support

Identity Manager On Demand Hosted - Compliance Rules Administration Guide

Compliance rules and identity audit
One Identity Manager users for identity audit Basic data for setting up rules Setting up a rule base rule check Mail templates for notifying about identity auditing
Mitigating controls Configuration parameters for Identity Audit

Deleting compliance rules

NOTE: All the information about a rule condition and rule violations is irrevocably deleted when the rule is deleted! The data cannot be retrieved at a later date.

Therefore, we advise you to write a report about the rule and its current violations before you delete it, if you want to retain the information (for example, audit security).

You can delete a rule if there are no rule violations attached to it.

To delete a rule

  1. In the Manager, select the Identity Audit > Rules category.

  2. Select the rule to delete in the result list.

  3. Select the Disable rule task.

    Existing rule violations are removed by the DBQueue Processor.

  4. Click in the toolbar.

    The rule, the associated rule violation object and the working copy are all deleted.

rule check

To test a rule, processing tasks are created for the DBQueue Processor. For each rule, the DBQueue Processor determines which employees have violated that rule. Follow-up tasks assign the associated rule violation object to employees that have violated a rule. The specified rule approvers can test rule violations and if necessary grant exception approval.

By default, permissions that an employee receives because they can use an administrative user account with shared identity are included in the rule check.

To exclude administrative user accounts with shared identity from rule checking

  • In the Designer, disable the QER | ComplianceCheck | IncludeTSBPersonUsesAccount configuration parameter.

    Object relations from the TSBPersonUsesAccount table are ignored when calculating entries for the PersonHasObject table.

Checking compliance rules

You can start rule checking in different ways to find the current rule violations in the One Identity Manager database.

  • Scheduled rule checking

  • Automatic rule checking after modifications

  • Ad-hoc rule checking

Only operational rules are checked during rule checking. Disabled rule are not tested. If a rule is violated, the effected employees are assigned the corresponding object for rule violations. You can check all the rules again for these employees. For more information, see Rule check analysis.

In addition to locating existing rule violations, One Identity Manager can also identify potential violations of IT Shop requests and business roles. For more information, see Determining potential rule violations.

Scheduled rule checking

The Compliance rule check schedule, is supplied with the One Identity Manager default installation to run a complete check of all rules. This schedule generates processing tasks at regular intervals for the DBQueue Processor.

Prerequisites
  • The rule is enabled.

  • The schedule stored with the rule is enabled.

Detailed information about this topic
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating