
Identity Manager 8.0 - Compliance Rules Administration Guide


Rule check

To test a rule, processing tasks are created for the DBQueue Processor. For each rule, the DBQueue Processor determines which employees have violated it. Follow-up tasks assign the associated rule violation object to the employees that have violated a rule. The specified rule approvers can test rule violations and, if necessary, grant exception approval.

Checking a Rule

You can start rule checking in different ways to find the current rule violations in the One Identity Manager database.

  • Scheduled rule checking
  • Automatic rule checking after modifications
  • Ad hoc rule checking

Only operational rules are checked during rule checking. Disabled rules are not tested. If a rule is violated, the affected employees are assigned the corresponding object for rule violations. You can check all the rules again for these employees. For more information, see Rule Check Analysis.

In addition to locating existing rule violations, One Identity Manager can also identify potential violations of IT Shop requests and business roles. For more information, see Determining Potential Rule Violations.

Scheduled Rule Checking

In the default installation, One Identity Manager is supplied with the schedule "default schedule compliance rule check" to run a complete check of all rules. This schedule generates processing tasks at regular intervals for the DBQueue Processor.

Prerequisites

  • The rule is enabled.
  • The schedule stored with the rule is enabled.

Checking Rule after Modifications

Table 34: Configuration Parameters for Rule Checking

Configuration parameter | Meaning if Set
QER\ComplianceCheck\CalculateImmediately | Processing tasks for recalculating rule violations are immediately started when relevant changes occur.

A processing task for rule checking is generated the moment an active rule is modified or deleted. All employees are checked to see if they fulfill the affected rule.

When specific changes are made to entitlements, you can immediately queue or schedule the calculation tasks to check the rules. Specify the desired behavior in the configuration parameter "QER\ComplianceCheck\CalculateImmediately". If the parameter is set, the processing task for recalculating rule violations for an employee is immediately queued. If the parameter is not set, the calculation task is started the next time the schedule is planned to run.

To trigger rule checks immediately after relevant changes have been made

  • Set the configuration parameter "QER\ComplianceCheck\CalculateImmediately" in the Designer.

    The processing task for recalculating rule violations for an employee is immediately started when relevant changes occur.

NOTE: This configuration parameter only applies if data changes are relevant. These include:

  • Changes to employee master data
  • Changes to employee assignments (for example, table PersonHasQERResource)
  • Changes to employees' role memberships
  • Changes to membership in system entitlements (for example, table ADSAccountInADSGroup)
  • Changes to SAP function matches (table SAPUserInSAPFunction)