
Identity Manager 8.0 - Compliance Rules Administration Guide


Exception Approval over a Limited Period

Exception approvals can be set for a limited period of time. To do this, you can specify a validity period for exception approvals on each rule. When the validity period expires, the applicable exception approvals are canceled. A scheduled process plan checks whether an exception approval is still valid.

Once an exception approval has been granted, the expiry date is calculated from the current date and the validity period stored with the rule. You can only change the expiry date for future exception approvals. The expiry date for existing exception approvals does not change.

To set a time limit on exception approvals

  1. Enter a validity period for a rule.
    1. Select the category Identity Audit | Rules | Working copies of rules.
    2. Select a working copy from the result list.
    3. Select Change master data in the task view.
    4. On the General tab, in Max. # days, enter the number of days for which an exception approval applies to this rule.

      If the value is "0", the exception approvals have no time limit.

    5. Save the changes.
    6. To transfer the changes to the current rule, select the task Enable rule.
  2. Configure and set the schedule "Reset exception approval of compliance violations" in the Designer.
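
The expiry logic described above can be checked against an export of exception approvals. The following is an added example, not part of the product or of this guide: the CSV layout, its column names and the sample rows are constructed for illustration and are not One Identity Manager's schema. It flags approvals that are past their expiry date but still marked approved (a sign that the reset schedule is not running) and approvals granted with "0" days.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample export; the column names are hypothetical and are not
# One Identity Manager's schema.
SAMPLE_EXPORT = """\
employee,rule,approved_on,max_days_at_grant,exception_approved
A. Meyer,SoD-Payments,2024-01-10,30,true
B. Khan,SoD-Payments,2024-03-01,30,true
C. Lopez,Admin-And-Audit,2023-06-15,0,true
D. Ito,SoD-Payments,2024-01-05,30,false
"""


def expiry_date(approved_on, max_days):
    """Expiry = approval date + validity period; 0 days means no time limit."""
    return None if max_days == 0 else approved_on + timedelta(days=max_days)


def audit_approvals(export_text, today):
    """Classify the approvals that are still marked as approved."""
    findings = {"overdue": [], "unlimited": [], "valid": []}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["exception_approved"].strip().lower() != "true":
            continue  # denied or already reset; nothing to review
        approved_on = date.fromisoformat(row["approved_on"])
        # Use the validity period in force when the approval was granted:
        # later changes to the rule do not move an existing expiry date.
        expires = expiry_date(approved_on, int(row["max_days_at_grant"]))
        key = (row["employee"], row["rule"])
        if expires is None:
            findings["unlimited"].append(key)
        elif expires < today:  # assumption: the expiry day itself still counts as valid
            # The scheduled reset should have canceled this one; check the schedule.
            findings["overdue"].append((*key, expires.isoformat()))
        else:
            findings["valid"].append((*key, expires.isoformat()))
    return findings


if __name__ == "__main__":
    for category, items in audit_approvals(SAMPLE_EXPORT, date(2024, 3, 15)).items():
        print(category, items)
```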

Related Topics
  • One Identity Manager Configuration Guide

Granting Exception Approval in the Manager

By default, you use the Web Portal to edit rule violations and grant exception approval. You can, however, also grant exception approval in the Manager. To do this, log in to the Manager with a non role-based login. This function is not available in the Manager for role-based login.

To grant exception approval for all employees violating a particular rule

  1. Select the category Identity Audit | Rule violations.
  2. Select the rule violation in the result list.
  3. Select Show rule violations in the task view.
  4. Select the employee for whom you want to grant exception approval by double-clicking.

    This opens the form Edit rule violations.

  5. To obtain detailed information about the employee, click on the employee.
  6. To obtain an overview of the rule violation, click on the rule violation.
  7. Enter a reason.
  8. To approve the rule violation for this employee, click Approve exception.

    The data Approver and Approval date as well as the options Exception is approved and Checked are filled out on the form.

  9. To deny exception approval for this employee, click Deny exception.

    The data Approver and Approval date as well as the option Checked are filled out on this form.

  10. Save the changes.

To grant exception approval for all rules violated by a specific employee:

  1. Select the category Employees | Employees.
  2. Select the employee in the result list.
  3. Select the report Rule evaluation.
  4. Double-click the rule violation for which you want to grant the employee exception approval.

    This opens the form Edit rule violations.

  5. To obtain detailed information about the employee, click on the employee.
  6. To obtain an overview of the rule violation, click on the rule violation.
  7. Enter a reason.
  8. To approve the rule violation for this employee, click Approve exception.

    The data Approver and Approval date as well as the options Exception is approved and Checked are filled out on the form.

  9. To deny exception approval for this employee, click Deny exception.

    The data Approver and Approval date as well as the option Checked are filled out on this form.

  10. Save the changes.

Notifications about Rule Violations

Table 41: Configuration Parameter for Notifications

| Configuration parameter | Meaning |
| --- | --- |
| QER\ComplianceCheck\EmailNotification | This parameter is used for mail notifications. Information about notifying during compliance checking is defined under this parameter. |
| QER\ComplianceCheck\EmailNotification\DefaultSenderAddress | This configuration parameter contains the sender email address for automatically generated messages during rule checking. |

After rule checking, email notifications about new rule violations can be sent to exception approvers and rule supervisors. The notification procedure uses mail templates to create notifications. The mail text in a mail template is defined in several languages, so the recipient's language is taken into account when the email is generated. The default installation supplies mail templates that you can use to configure the notification procedure.

Messages are not sent to the chief approval team by default. Fallback approvers are only notified if not enough approvers could be found for an approval step.

To use notification in the request process

  1. Ensure that the email notification system is configured in One Identity Manager. For more detailed information, see the One Identity Manager Configuration Guide.
  2. Set the configuration parameter "QER\ComplianceCheck\EmailNotification" in the Designer.
  3. Set the configuration parameter "QER\ComplianceCheck\EmailNotification\DefaultSenderAddress" in the Designer and enter the sender address with which the email notifications are sent.
  4. Ensure that all employees have a default email address. Notifications are sent to this address. For more detailed information, see the One Identity Manager Identity Management Base Module Administration Guide.
  5. Ensure that a language culture can be determined for all employees. Only then can they receive email notifications in their own language. For more detailed information, see the One Identity Manager Identity Management Base Module Administration Guide.
  6. Configure the notification procedure.

Demands for Exception Approval

Table 42: Configuration Parameters for Notifications about Rule Violations

| Configuration parameter | Meaning if Set |
| --- | --- |
| QER\ComplianceCheck\EmailNotification\NewExceptionApproval | This configuration parameter contains the name of the mail template that is sent if an exception approval for a new rule violation is required. |

If new rule violations are discovered during a rule check, exception approvers are notified and prompted to make an approval decision.

Prerequisites

  • The option Exception approval allowed is set for the rule.
  • An Exception approver application role is assigned to the rule.
  • Employees are assigned to this application role.

To send demands for exception approval

  • Set the configuration parameter "QER\ComplianceCheck\EmailNotification\NewExceptionApproval" in the Designer.

    Notification with the mail template "Compliance - new exception approval required" is sent to all exception approvers, by default.

TIP: To use something other than the default mail template for these notifications, change the value of the configuration parameter.