Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

Identity Manager 8.0.5 - Compliance Rules Administration Guide

Table of Contents

Compliance Rules and Identity Audit

One Identity Manager Users for the Identity Audit Base Data for Setting up Rules

Additional Tasks for Rule Groups

Overview of Rule Groups Assign Rules

Compliance Frameworks

Additional Tasks for Compliance Frameworks

The Compliance Framework Overview Assign Rules

Schedules for Checking Rules

Default Schedules Additional Tasks for Schedules

The Schedule Overview Assign Rules Starting Schedules Immediately

Extended Properties and Property Groups

Create Property Groups Edit Extended Properties

Extended Property Master Data Specifying Scoped Boundaries

Additional Tasks for Extended Properties

Extended Property Overview Assign Objects Assign Property Groups

Functional Areas Attestors Rule supervisor Exception approver Standard Reasons

Predefined Standard Reasons

Setting up a Rule Base

Setting Up a Rule Risk Assessment Extended Rule Input Rule Comparison IT Shop Properties for a Rule Additional Tasks for Working Copies

Overview of Working Copies Assigning Compliance Frameworks Mitigating Controls

Assigning Mitigating Controls Creating Mitigating Controls

Enabling Working Copies Recalculate Copy Rule Comparing a Rule Working Copy with the Original Maintain Exception Approver Maintain Rule Supervisors Enable SQL Definition

Additional Tasks for Rules

Overview of the Rule Creating a Working Copy Enabling and Disabling Rules Recalculate Copy Rule Maintain Exception Approver Maintain Rule Supervisors

Creating Rule Conditions

Basics for Using the Rule Editor Specifying the Affected Employee Group Specifying Affected Entitlements A Simple Rule Example Rule Conditions in Advanced Mode Rule Condition as SQL Query

Checking a Rule

Scheduled rule checking Checking Rule after Modifications Ad hoc rule checking Speeding up Rule Checking

Rule Check Analysis

Which employees violate a specific rule? Which rules are violated by a specific employee?

Reports about Rule Violations

Overview of all Assignments

Granting Exception Approval

Exception Approval over a Limited Period Granting Exception Approval in the Manager

Notifications about Rule Violations

Demands for Exception Approval Notifications about Rule Violations without Exception Approval

Determining Potential Rule Violations

Creating Custom Mail Templates for Notifications

General Properties of a Mail Template Creating and Editing an Email Definition

Using Base Object Properties Use of Hyperlinks in the Web Portal

Default Functions for Creating Hyperlinks

Customizing Email Signatures

Mitigating Controls

General Master Data for a Mitigating Control Additional Tasks for Mitigating Controls

The Mitigating Controls Overview Assigning Rules

Calculating Mitigation

Configuration Parameters for Identity Audit

Compliance Rules and Identity Audit

Table 1: Configuration Parameters for Identity Audit
Configuration parameter	Meaning
QER\ComplianceCheck	Preprocessor relevant configuration parameter to control component parts for Identity Audit. Changes to the parameter require recompiling the database. If the parameter is set the components can be used.

The One Identity Manager can be used to define rules that maintain and monitor regulatory requirements and automatically deal with rule violations. Define compliance rules, to test entitlements or combinations of entitlements in the context of identity audit for employees in the company. On the one hand, existing rule violations can be found by checking rules. On the other hand, possible rule violations can be preemptively identified and this prevented.

Figure 1: Identity Audit in One Identity Manager

Simple rule examples are:

An employee may not obtain two entitlements A and B at the same time.
Only employees with a particular department can have a particular entitlement.
Every user account has to have a manager assigned to it.

You can use the identity audit function of the One Identity Manager to:

Define rules for any employee assignments
Evaluate the risk of possible rule violations
Specify mitigating controls
Initiate regular or spontaneous rule checks
Detailed testing of edit permissions for employees within an SAP client (using SAP functions)
Evaluate rule violations with differing criteria
Create reports about rules and rule violations

Based on this information, you can make corrections to data in the One Identity Manager and transfer them to the connected target systems. The integrated report function in the One Identity Manager can be used to provide information for the appropriate tests.

To use the identity audit function

Set the configuration parameter "QER\ComplianceCheck" in the Designer.

One Identity Manager Users for the Identity Audit

The following users are included in managing the rule base and editing rule violations.

Table 2: User

User

Task

Administrators for Identity Audit

Administrators must be assigned to the application role Identity & Access Governance | Identity Audit | Administrators.

Users with this application role:

Enter base data for for setting up company policies.
Create compliance rules and assign rule supervisors to them.
Can start rule checking and view rule violations as required.
Create reports about rule violations.
Enter mitigating controls.
Create and edit risk index functions.
Monitor Identity Audit functions.
Administer application roles for rule supervisors, exception approvers and attestors.
Set up other application roles as required.

Rule supervisors

Rule supervisors must be assigned to the application role Identity & Access Governance | Identity Audit | Rule supervisors or to a child role.

Users with this application role:

Are responsible for compliance rule content, for example, an auditor or a auditing department.
Edit the compliance rule working copies, which are assigned to the application role.
Enable and disable compliance rules.
Can start rule checking and view rule violations as required.
Assign mitigating controls.

One Identity Manager administrators

Create customized permissions groups for application roles for role-based login to administration tools in the Designer, as required.
Create system users and permissions groups for non-role based login to administration tools, as required.
Enable or disable additional configuration parameters in the Designer, as required.
Create custom processes in the Designer, as required.
Create and configures schedules, as required.
Create and configure password policies, as required.

Exception approvers

Administrators must be assigned to the application role Identity & Access Governance | Identity Audit | Exception approvers or to a child role.

Users with this application role:

Edit rule violations in the Web Portal.
Can grant exception approval or revoke it in the Web Portal.

Compliance rules attestors

Attestors must be assigned to the application role Identity & Access Governance | Identity Audit | Attestors.

Users with this application role:

Attest compliance rules and exception approvals in the Web Portal for which they are responsible.
Can view master data for these compliance rules but not edit them.

NOTE: This application role is available if the module Attestation Module is installed.

Compliance & Security officers

Compliance and security officers must be assigned to the application role Identity & Access Governance | Compliance & Security Officer.

Users with this application role:

View all compliance relevant information and other analysis in the Web Portal. This includes attestation policies, company policies and policy violations, compliance rules and rule violations and risk index functions.
Edit attestation polices

Auditors

Auditors are assigned to the application role Identity & Access Governance | Auditors.

Users with this application role:

See the Web Portal all the relevant data for an audit.

Base Data for Setting up Rules

Various basic data is required to create rules, run rule checks and handle rule violation.

Rule groups:	Rule groups
Compliance frameworks:	Compliance Frameworks
Extended properties:	Extended Properties and Property Groups
Schedules:	Schedules for Checking Rules
Functional areas:	Functional Areas
Attestors:	Attestors
Rule supervisors:	Rule supervisor
Exception approvers:	Exception approver
Standard reasons:	Standard Reasons
Mail templates:	Creating Custom Mail Templates for Notifications

Rule groups

Use rule groups to group rules by functionality, for example, to group account policies or separate functions ("Segregation of duties").

To edit a rule group

Select the category Identity Audit | Basic configuration data | Rule groups.
Select a rule group in the result list. Select Change master data in the task view.
- OR -

Click in the result list toolbar.
Edit the master data for the rule group.
Save the changes.

Enter the following data for a rule group

Table 3: Rule Group Properties
Property	Description
Group name	Name of the rule group.
Description	Spare text box for additional explanation.
Parent group	Rule group above this one in a hierarchy. To organize rule groups hierarchically, select the parent rule group in the menu.

Self Service Tools: Knowledge Base; Notifications & Alerts; Product Support; Software Downloads; Technical Documentation; User Forums; Video Tutorials; RSS Feed

Contact Us: Licensing Assistance; Technical Support; View All

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating

© 2023 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy