
Identity Manager 8.0 - Compliance Rules Administration Guide

Compliance Rules and Identity Audit

Notifications about Rule Violations without Exception Approval


Table 43: Configuration Parameters for Notifications about Rule Violations

  Configuration parameter: QER\ComplianceCheck\EmailNotification\NotPermittedViolation

  Meaning if set: This configuration parameter contains the name of the mail template that is sent when a new rogue rule violation occurs.

If a rule check discovers new rule violations for which exception approval is not permitted, the rule supervisors are notified.

Prerequisites

  • The option Exception approval allowed is not set for the rule.
  • A Rule supervisor application role is assigned to the rule.
  • Employees are assigned to this application role.

To inform a rule supervisor about rule violations

  • Set the configuration parameter "QER\ComplianceCheck\EmailNotification\NotPermittedViolation" in the Designer.

    Notification with the mail template "Compliance - prohibited violation occurred" is sent by default.

TIP: To use something other than the default mail template for these notifications, change the value of the configuration parameter.

Determining Potential Rule Violations


In addition to locating existing rule violations, One Identity Manager can also identify potential rule violations caused by IT Shop requests. To do this, add an approval step with the approval procedure "CR - Compliance check simplified" to the approval process in the IT Shop.

To identify rule violations caused by IT Shop requests, auxiliary tables containing object assignments and the affected employees are evaluated. These auxiliary tables are updated regularly by the DBQueue Processor. Changes to a rule are calculated immediately in the auxiliary tables.

The schedule "default schedule compliance rule fill" is included in the default One Identity Manager installation to add changes, such as changes to entitlements or to an extended property, to the rule check. This schedule cyclically generates processing tasks for updating the auxiliary tables. Create your own schedule to customize the auxiliary table calculation cycle to meet your own requirements.

To customize the auxiliary table calculation cycle to meet your requirements

  1. Select the category Identity Audit | Basic configuration data | Schedules.
  2. Click in the result list toolbar.
  3. Edit the schedule's master data.
  4. Save the changes.
  5. Select Assign rules (for filling) in the task view and assign to the schedule all the rules it applies to.
  6. Save the changes.

NOTE:

Rule checking does not check requests completely. Under the following conditions it is possible that rule checking does not identify a rule violation.

  • The customer's permissions change after the auxiliary tables have been calculated.
  • The rule is not violated by the requested product itself but by an object inherited through the requested product. Inheritance is calculated after request approval and can therefore not be identified until the auxiliary tables are calculated again.
  • The customer does not belong to the employee group affected by the rule until the request is made.
  • The rule condition was created in expert mode or as an SQL query.

TIP: A complete check of assignments is achieved by cyclically testing compliance rules using schedules. This finds all the rule violations that result from the request.

Under the following condition it is possible that rule checking identifies a rule violation where there is none.

  • Two products violate a rule when they are assigned at the same time, but both product requests are for a limited period and the validity periods do not overlap. A potential rule violation is identified nevertheless.

TIP: After checking, an exception approver can approve these requests insofar as the definition of the violated rule permits it.
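The two failure modes described above (a violation that is missed because the auxiliary table is stale, and a violation that is reported for time-limited requests whose validity periods do not overlap) are easier to reason about with a small model. The following Python is an added illustration and not One Identity Manager code: the rule, the entitlement names, the simplified request-time check and the full check are all constructed assumptions that mirror the conditions listed in the note, so that a practitioner triaging reported potential violations can see why the two verdicts diverge.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Constructed model (not One Identity Manager code): a segregation-of-duties
# rule forbids holding two named entitlements at the same time.


@dataclass(frozen=True)
class Assignment:
    entitlement: str
    valid_from: Optional[date] = None    # None means no lower bound
    valid_until: Optional[date] = None   # None means no upper bound


@dataclass(frozen=True)
class Rule:
    name: str
    forbidden_pair: Tuple[str, str]


def overlaps(a: Assignment, b: Assignment) -> bool:
    """True if the validity periods of two assignments share at least one day."""
    start = max(a.valid_from or date.min, b.valid_from or date.min)
    end = min(a.valid_until or date.max, b.valid_until or date.max)
    return start <= end


def potential_violation(rule: Rule, snapshot: List[Assignment], requested: Assignment) -> bool:
    """Request-time check as modelled here: it sees only the auxiliary-table
    snapshot plus the requested product and ignores validity periods."""
    held = {a.entitlement for a in snapshot} | {requested.entitlement}
    x, y = rule.forbidden_pair
    return x in held and y in held


def actual_violation(rule: Rule, current: List[Assignment]) -> bool:
    """Full check over the assignments the employee really holds after approval,
    honouring validity periods (what a scheduled cyclical check would find)."""
    x, y = rule.forbidden_pair
    xs = [a for a in current if a.entitlement == x]
    ys = [a for a in current if a.entitlement == y]
    return any(overlaps(a, b) for a in xs for b in ys)


def classify(rule: Rule, snapshot: List[Assignment], requested: Assignment,
             current_after_approval: List[Assignment]) -> str:
    """Compare the request-time verdict with the full verdict."""
    flagged = potential_violation(rule, snapshot, requested)
    real = actual_violation(rule, current_after_approval)
    if flagged and real:
        return "true_positive"
    if flagged and not real:
        return "false_positive"
    if not flagged and real:
        return "missed"
    return "clean"


# Constructed rule and entitlement names; they are not taken from any real system.
RULE = Rule("SoD: payments vs vendor master", ("SAP_Payments", "SAP_Vendor_Master"))


def scenario_permission_changed_after_snapshot() -> str:
    """First condition from the note: the customer gained SAP_Payments after the
    auxiliary table was calculated, so the snapshot does not show it."""
    snapshot: List[Assignment] = []                    # stale: no entitlements
    granted_meanwhile = Assignment("SAP_Payments")     # direct assignment, unlimited
    requested = Assignment("SAP_Vendor_Master")
    current = [granted_meanwhile, requested]
    return classify(RULE, snapshot, requested, current)


def scenario_non_overlapping_validity() -> str:
    """The false-positive case: both products are time-limited and the validity
    periods do not overlap, but the request-time check still flags them."""
    existing = Assignment("SAP_Payments", date(2024, 1, 1), date(2024, 1, 31))
    requested = Assignment("SAP_Vendor_Master", date(2024, 2, 1), date(2024, 2, 28))
    snapshot = [existing]
    current = [existing, requested]
    return classify(RULE, snapshot, requested, current)


if __name__ == "__main__":
    print("permission changed after snapshot:", scenario_permission_changed_after_snapshot())
    print("non-overlapping validity:", scenario_non_overlapping_validity())
```

The first scenario returns "missed" and the second "false_positive", which is exactly why the guide recommends the scheduled cyclical check for completeness and leaves the non-overlapping case to an exception approver.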

For more detailed information about compliance checking IT Shop requests, see the One Identity Manager IT Shop Administration Guide.

Related Topics

Creating Custom Mail Templates for Notifications

Creating Custom Mail Templates for Notifications

A mail template consists of general master data, such as the target format and the importance or confidentiality of the mail notification, and one or more mail definitions. Mail text is defined in several languages in the mail template. This ensures that the language of the recipient is taken into account when the email is generated.

One Identity Manager provides the Mail Template Editor to simplify writing notifications. You can use the Mail Template Editor to create and edit mail text in WYSIWYG mode.

To edit mail templates

  1. Select the category Identity Audit | Basic configuration data | Mail templates.

    This shows all the mail templates that can be used for Identity Audit in the result list.

  2. Select the mail template in the result list. Select Change master data in the task view.

    - OR -

    Click in the result list toolbar.

    This opens the mail template editor.

  3. Edit the mail template.
  4. Save the changes.

To copy a mail template

  1. Select the category Identity Audit | Basic configuration data | Mail templates.
  2. Select the mail template you want to copy from the result list. Select Change master data in the task view.
  3. Select Copy mail template... in the task view.
  4. Enter the name of the new mail template in Name of copy.
  5. Click OK.

To display a mail template preview

  1. Select the category Identity Audit | Basic configuration data | Mail templates.
  2. Select the template in the result list. Select Change master data in the task view.
  3. Select Preview... in the task view.
  4. Select the base object.
  5. Click OK.

To delete a mail template

  1. Select the category Identity Audit | Basic configuration data | Mail templates.
  2. Select the template in the result list.
  3. Click in the result list toolbar.
  4. Confirm the security prompt with Yes.

General Properties of a Mail Template


The following general properties are displayed for a mail template:

Table 44: Mail Template Properties

  Mail template
    Name of the mail template. This name is used to display the mail templates in the administration tools and in the Web Portal. Translate the given text using the button.

  Base object
    Base object of the mail template. A base object only needs to be entered if properties of the base object are referenced in the mail definition.
    Use the base object ComplianceRule or PersonInNonCompliance for notifications about rule violations.

  Report (parameter set)
    Report made available through the mail template.

  Description
    Description of the mail template. Translate the given text using the button.

  Target format
    Format in which to generate the email notification. Permitted values are:
      HTML: The email notification is formatted in HTML format. HTML format can contain formatting.
      TXT: The email notification is formatted in text format. Text format cannot contain any formatting.

  Design type
    Design in which to generate the email notification. Permitted values are:
      Mail template: The generated email notification contains mail text corresponding to the mail definition.
      Report: The email notification is generated with the report entered under Report (parameter set) as the mail body.
      Mail template, report as attachment: The generated email notification contains mail text corresponding to the mail definition. The report entered in the Report (parameter set) field is attached to the mail as a PDF file.

  Importance
    Importance of the email notification. Permitted values are "low", "normal" and "high".

  Confidentiality
    Confidentiality of the email notification. Permitted values are "normal", "personal", "private" and "confidential".

  Can unsubscribe
    Specifies whether the recipient can unsubscribe from the email notification. If this option is set, the emails can be unsubscribed through the Web Portal.

  Disabled
    Specifies whether this mail template is disabled.

  Mail definitions
    Unique name for the mail definition.

  Language culture
    Language which applies to the mail definition.

  Subject
    Subject of the email message.

  Mail body
    Content of the email message.