Chat now with support
Chat with Support

Identity Manager 8.0 - Compliance Rules Administration Guide

Compliance Rules and Identity Audit
One Identity Manager Users for the Identity Audit Base Data for Setting up Rules Setting up a Rule Base Rule check Creating Custom Mail Templates for Notifications
Mitigating Controls Configuration Parameters for Identity Audit

Which rules are violated by a specific employee?

Which rules are violated by a specific employee?

To view which rules the employee violates

  1. Select the Employees | Employees.
  2. Select an employee in the result list.
  3. Select the report Rule evaluation.

    This not only shows the rule that the employee has violated with or without exception, but also those with no violations.

Table 37: Meaning of Icons in Employee Rule Analysis
Icon Meaning
The rule is not violated.
The rule is violated. No exception approval has been granted for this rule exception.
The rule is violated. No exception approval has been granted for this rule exception.

Reports about Rule Violations

One Identity Manager makes various reports available containing information about the selected base object and its relations to other One Identity Manager database objects. You can generate the following reports for all active rules, rule groups and compliance frameworks.

NOTE: Other sections may be available depending on the which modules are installed.
Table 38: Reports about Rule Violations
Report Description
Overview of all Assignments

(for a rule)

This report shows all employees that violate the selected rule. The report shows which roles of a role class the employee belongs to. Employees that are not members of any role are not taken into account.
Rule violation overview

(for a rule)

This report groups together all rule violations for the selected rule. All employees are listed that have objects that violation the rule. The result list is grouped by:

  • Employees pending a rule violation decision.
  • Employees without exception approval.
  • Employees with exception approval.
Show historical rule violations

(for a rule)

This report groups together all historical rule violations for the selected rule. All employees are listed that violate the rule as well as the time period covering the rule violation.
Rule violation overview

(for a rule group)

This report groups together all rule violations for the selected rule group. All rule violations are listed. The number of granted, denied and not yet processed rule violations are given in addition.
Rule violation overview

(for a compliance framework)

This report groups together all rule violations for the selected compliance framework. All rule violations are listed. The number of granted, denied and not yet processed rule violations are given in addition.
Detailed list of rule violations

(for a compliance framework)

This report groups together all rule violations for the selected compliance framework. All rule violations are listed. For each rule, the employee that violated the rule, the date and the reason for the approval decision are given.
Related Topics

Overview of all Assignments

The report "Overview of all Assignments" is displayed for certain objects, for example, permissions, compliance rules or roles. The report finds all the roles, for example, departments, cost centers, locations, business roles and IT Shop structures in which there are employee who own the selected base object. In this case, direct as well as indirect base object assignments are included.

Example
  • If the report is created for a resource, all roles are determined in which there are employees with this resource.
  • If the report is created for a group, all roles are determined in which there are employees with this group.
  • If the report is created for a compliance rule, all roles are determined in which there are employees with this compliance rule.
  • If the report is created for a department, all roles are determined in which employees of the selected department are also members.
  • If the report is created for a business role, all roles are determined in which employees of the selected business role are also members.

To display detailed information about assignments

  • To display the report, select the base object from the navigation or the result list and select the report Overview of all assignments.
  • Use the Used by button in the report's toolbar to select the role class (department, location, business role or IT Shop structure) for which you determine if roles exist in which there are employees with the selected base object.

    All the roles of the selected role class are shown. The color coding of elements identifies the role in which there are employees with the selected base object. The meaning of the report control elements is explained in a separate legend. In the report's toolbar, click to open the legend.

  • Double-click a control to show all child roles belonging to the selected role.
  • By clicking the button in a role's control, you display all employees in the role with the base object.
  • Use the small arrow next to to start a wizard that allows you to bookmark this list of employee for tracking. This creates a new business role to which the employees are assigned.

Figure 9: Toolbar for Report "Overview of all assignments"

Table 39: Meaning of Icons in the Report Toolbar
Icon Meaning
Show the legend with the meaning of the report control elements
Saves the current report view as a graphic.
Selects the role class used to generate the report.

Displays all roles or only the affected roles.

Granting Exception Approval

Granting Exception Approval

Table 40: Configuration Parameters for Exception Approvals
Configuration parameter Meaning if Set
QER\ComplianceCheck\DisableSelfExceptionGranting Excludes rule violators from becoming exception approvers. If this parameter is set, no one can approve their own rule violations.

Assignments, which violate rules, can be approved with hindsight. To do this, specially authorized employees can grant exception approval.

Prerequisites

  • The option Exception approval allowed is set for the rule.
  • The rule is assigned an application role for exception approvers.
  • Employees are assigned to this application role.

NOTE: If the option Exception approval allowed is not set, unedited rule violations for this rule are automatically denied. Existing exception approvals are withdrawn.

You must also decide whether exception approvers are allowed to approve their own rule violations. By default, an employee who violates a rule is determined to be the exception approver for this rule if they are a member of the application role Exception approvers for the rule. This means they can approve their own rule violations.

To prevent an employee from granting themselves exception approval

  • Set the configuration parameter "QER\ComplianceCheck\DisableSelfExceptionGranting".

    Employees that violate a rule, are not determined to be exception approvers for this rule violation. Neither the rule violator's main identity nor its subidentities can grant exception approval.

Detailed information about this topic
Related Documents