Risk Assessment
Everyone with IT system authorization in a company represents a security risk for that company. For example, a employee editing financial data in an SAP system carries a higher risk than a employee who can edit their own personal data. To quantify the risk, you can enter a risk value for every company resource in the One Identity Manager. A risk index is calculated from this value for every employee who is assigned this company resource, directly or indirectly. Company resources include target system entitlements (for example, Active Directory groups or SAP profiles), subscribable reports, applications and resources. In this way, all employees representing a particular risk to the company can be found.
Rules in the context of Identity Audit can also be given a risk index. Each rule violation can increase the security risk of those that violate the rule. Therefore, these risk indexes are also included in the employee’s risk calculation. You can define appropriate counter measures through mitigating controls and store them with the compliance rules.
Other factors can influence the calculation of employee risk indexes. These are, the type of resource assignment (approved request in the IT Shop or direct assignment), attestations, rule violation exception approvals, employee responsibilities and defined weightings. Furthermore, the risk index can be calculated for all business roles, organizations and system roles that have company resources assigned to them. The user account risk index is calculated based on the system entitlements assigned.
The One Identity Manager provides default functions for the risk index calculations described in the following. These are available if the respective module is installed. Furthermore, you can set up custom functions.
To use risk assessment functionality
- Set the configuration parameter "QER\CalculateRiskIndex" in the Designer and compile the database.
One Identity Manager Users for Configuring Risk Assessment
The following users are connected with specifying risk indexes and editing risk index functions.
| User | Task |
|---|---|
|
Employee responsible for individual company resources |
The users are defined using different application roles for administrators and managers. Users with these application roles:
|
|
Compliance rules administrators |
Administrators must be assigned to the application role Identity & Access Governance | Identity Audit | Administrators. Users with this application role:
|
|
Administrators for attestation cases |
Administrators are assigned to the application roles Identity & Access Governance | Attestation | Administrators. Users with this application role:
|
|
Company policy administrators |
Administrators must be assigned to the application role Identity & Access Governance | Company policies | Administrators. Users with this application role:
|
| Employee administrators |
Administrators must be assigned to the application role Identity Management | Employees | Administrators. Users with this application role:
|
| One Identity Manager administrators |
|
Defining Risk Indexes
A risk index can be entered in One Identity Manager for the following objects types.
|
|
Note: Object types are defined in the One Identity Manager modules and are not available until the modules are installed. |
| Object Type | Use Case | Available in Module |
|---|---|---|
|
Active Directory groups |
Risk for the company if target system entitlements are granted. |
Active Directory Module |
|
SAP groups, SAP roles, SAP profiles, |
SAP R/3 User Management module Module | |
|
Structural profiles |
SAP R/3 Structural Profiles Add-on Module | |
|
BI analysis authorizations |
SAP R/3 Analysis Authorizations Add-on Module | |
|
LDAP groups |
LDAP Module | |
|
IBM Notes groups |
IBM Notes Module | |
|
SharePoint groups, SharePoint roles |
SharePoint Module | |
|
E-Business Suite entitlements |
Oracle E-Business Suite Module | |
| Azure Active Directory groups | Azure Active Directory Module | |
|
G Suite groups |
G Suite Module | |
|
G Suite products and SKUs |
G Suite Module | |
| UNIX groups | Unix Based Target Systems Module | |
| Cloud Groups | Cloud Systems Management Module | |
|
System Entitlements in the Unified Namespace |
Target System Base Module | |
|
Applications |
Risk for the company if the account definition, application or resource is assigned to an employee. |
Application Management Module |
|
Resources |
always | |
| Account definitions | Target System Base Module | |
| Multi-request resources | Risk for the company if the resource is assigned to an IT Shop structure. | always |
| Multi-requestable/unsubscribable resources | always | |
| Assign resources | always | |
|
application roles |
Risk for the company if an employee is a member of this application role. |
always |
|
Compliance rules |
Risk for the company if a rule is violated. |
Compliance Rules Module |
|
SAP functions |
Risk for the company if SAP user accounts match the SAP function. |
SAP R/3 Compliance Add-on Module |
|
company policies |
Risk for the company if a company policy is violated. |
Company Policies Module |
|
Attestation Policies |
Risk for the company if an attestation procedure denies approval for an attestation policy. |
Attestation Module |
|
Subscribable reports |
Risk for the company if an employee has subscribed to a report. |
Report Subscription Module |
To enter a risk index
- Open the master data form for the object for which you want to enter the risk index.
- Enter the desired value in Risk index.
The risk index is given as a floating-point number in the range 0.0 ... 1.0 This means:
- 0,0: no risk
- 1,0: problem; risk involved
Calculating Risk Indexes
The One Identity Manager calculates the resulting risk indexes for employees, user accounts and hierarchical roles based on the risk indexes already stored. All direct and indirectly assigned objects are taken into account.
The risk index is calculated for the following object types.
|
Object Type |
Calculation |
Available in Module |
|---|---|---|
|
Employees |
Calculated from the risk indexes of all associated user accounts, directly and indirectly assigned applications, resources, account definitions and subscribable reports, membership in application roles and rule violations. |
always |
|
Active Directory user accounts |
Calculated from the risk indexes of all assigned target system entitlements. |
Active Directory Module |
|
SAP user accounts |
SAP R/3 User Management module Module | |
|
BI user accounts |
SAP R/3 Analysis Authorizations Add-on Module | |
|
LDAP user accounts |
LDAP Module | |
|
IBM Notes user accounts |
IBM Notes Module | |
|
SharePoint user accounts |
SharePoint Module | |
|
E-Business Suite user accounts |
Oracle E-Business Suite Module | |
|
Azure Active Directory user accounts |
Azure Active Directory Module | |
|
G Suite user accounts |
G Suite Module | |
|
UNIX User Accounts |
Unix Based Target Systems Module | |
|
Cloud User Accounts |
Cloud Systems Management Module | |
|
User accounts |
Target System Base Module | |
|
Departments, locations, cost centers |
Calculated from the risk indexes of all assigned company resources. |
always |
|
Business roles |
Business Roles Module | |
|
System roles |
System Roles Module | |
|
IT Shop structures |
always | |
|
Rule violations |
Determined by the risk index of the violated rule and the assigned mitigating control. |
Compliance Rules Module |
|
|
NOTE: If you work with the Data Governance Edition, you can also specify and calculate risk indexes for data under governance. These are included in the employee’s risk index calculation. For more information, see the Data Governance User Guide. |
The One Identity Manager supplies default functions for the risk indexes with risk functions defined for the objects types listed here. Certain properties of default functions can be edited in the One Identity Manager. Furthermore, you can make custom functions.