Setting up a Rule Base
Setting up a Rule Base
You can define rules for maintaining and monitoring regulatory requirements in a rule base. A rule in the One Identity Manager not only contains a technical description but also properties such as rule violation level, owner, manager or audit information. The rules can be also classified into categories ("compliance framework") and rule groups.
Once you have added a rule, an associated object for rule violations is added in the database. Everyone who violates the rule is added to this object.
Creating Rules
Creating Rules
A working copy is added to the database for every rule. Edit the working copies to create rule and change them. Changes to the rule do not take effect until the working copy is enabled.
|
|
NOTE: One Identity Manager users with the application role Identity & Access Governance | Identity Audit | Rule supervisors can edit existing rules if they are entered as a rule supervisor in the general data. |
To create a new rule
- Select the category Identity Audit | Rules.
-
Click
in the result list toolbar.
- Enter the master data for the rule.
- Save the changes.
This adds a working copy.
- Select Enable working copy from the task view. Confirm the security prompt with OK.
This adds an enabled rule in the database. The working copy remains and can be used for making changes to the rule later.
To edit an existing rule
- Select the category Identity Audit | Rules.
- Select the rule in the result list.
- Select Create copy in the task view.
The data from the existing working copy are overwritten by the data from the original rule after a security prompt. The working copy is opened and can be edited.
- OR -
Select the category Identity Audit | Rules | Working copies of rules.
- Select the working copy in the result list.
- Select Change master data in the task view.
- Edit the working copy's master data.
- Save the changes.
- Select Enable working copy from the task view. Confirm the security prompt with OK.
The changes to the working copy are transferred to the rule. This reenables a disabled rule on demand.
Setting Up a Rule
Setting Up a Rule
Enter the following master data for a rule.
|
Property |
Description | ||
|---|---|---|---|
|
Rule |
Name for the rule. A new objects for rule violations is added automatically with this name when a new rule is created.
| ||
|
Description |
Spare text box for additional explanation. | ||
|
Main version number |
Current revision of the rule as a version number. The version number is incremented in the One Identity Manager default installation each time you make a change to the rule condition. | ||
|
Working copy |
Specifies whether this is a working copy. | ||
|
Disabled |
Specifies whether the rule is disabled. Only enabled rules are taken into account by rule checking. Use the tasks Enable rule or Disable rule to enable or disable a rule. The working copy rule is always disabled. | ||
|
Rule group |
Rule group to which the rule belongs in terms of content. Select a role group from the menu. To create a new rule group, click | ||
|
Rule supervisor |
Application role whose members are responsible for the rule in terms of content. To create a new application role, click | ||
|
Exception approval allowed |
Specifies whether exception approval is permitted when the rule is violated. Assignments or requests that cause the rule to be violated can be approved and issued anyway with this. | ||
|
Exception approver |
Application role, whose members are entitled to grant exception approval for violations to this rule. To create a new application role, click | ||
|
Exception approvers info |
Information, which the exception approver may require for making a decision. This advice should describe the risks and side effects of an exception. | ||
|
Validity period |
Time period for limiting exception approvals. Enter the number for which days the exception approval applies. When the validity period expires, the exception approvals are automatically lifted. | ||
|
Attestors |
Applications role whose members are authorized to approve attestation cases for compliance rules and rule violations. To create a new application role, click
| ||
|
Functional area |
Functional area relevant to the rule. | ||
|
Department |
Department relevant to the rule. | ||
|
Rule for cyclic testing and risk assessment in the IT Shop. |
Specifies whether the rule is taken into account by risk assessment of IT Shop requests. This option is only visible if the configuration parameter "QER\ComplianceCheck\SimpleMode\NonSimpleAllowed" is set. | ||
|
Rule only for cyclical testing |
Specifies whether the rule is only taken into account by cyclical testing. This option is only visible if the configuration parameter "QER\ComplianceCheck\SimpleMode\NonSimpleAllowed" is set. | ||
|
Condition |
Conditions, which result in a rule violation. Use the Rule Editor to enter the conditions. |
Detailed information about this topic
- Creating Rule Conditions
- Enabling and Disabling Rules
- Rule groups
- Rule Supervisors
- Exception Approvers
- Exception Approval over a Limited Period
- Attestors
- Functional Areas
- Creating Rule Conditions
- Rule Conditions in Advanced Mode
Related Topics
Risk Assessment
Risk Assessment
| Configuration parameter | Active Meaning |
|---|---|
| QER\CalculateRiskIndex | Preprocessor relevant configuration parameter controlling system components for calculating an employee's risk index. Changes to the parameter require recompiling the database.
If the parameter is set, values can be entered and calculated for the risk index. |
You can use the One Identity Manager to evaluate the risk of rule violations. To do this, enter a risk index for the rule. The risk index specifies the risk involved for the company if the rule is violated. The risk index is given as a number in the range 0-1. By doing this you specify whether a rule violation is not considered a risk for the company (risk index = 0) or whether every rule violation poses a problem (risk index = 1).
When a rule condition is created, system entitlement risk indexes can already be included as an object property. By using rules of this type you can prevent system entitlements that exceed a specified risk index from being requested in the IT Shop.
You can create several reports with the Report Editor to evaluate objects, assignments and rule violations depending on the risk index.
To evaluate the risk of a rule violation in the context of identity audit, you can enter values for grading rules on the Assessment criteria tab.
| Property | Description | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Severity | Specifies the impact on the company of violations to this rule. Use the slider to enter a value between 0 and 1.
0 ... no impact 1 ... every rule violation is a problem. | ||||||||||
| Significance | Provides a verbal description of the significance for the company of violations to this rule. In the default installation value list is displayed with the entries {NONE, ‘low’, ‘average’, ‘high’, ‘critical’}. | ||||||||||
| Risk index | Specifies the risk for the company of violations to this rule. The template is given a risk index depending on the value of the effect.
Risk index in connection with significanc Use the slider to enter a value between 0 and 1. 0 ... no risk 1 ... every rule violation is a problem. The template adjusts the risk index when the significance is changed. This property is only visible when the configuration parameter QER\CalculateRiskIndex is set. | ||||||||||
| Risk index (reduced) | Show the risk index taking mitigating controls into account. A rule’s risk index is reduced by the significance reduction of all mitigating controls assigned to it. The risk index (reduced) is calculated for the original rule. To copy the value to a working copy, run the task Create working copy.
This property is only visible when the configuration parameter QER\CalculateRiskIndex is set. The value is calculated by One Identity Manager and cannot be edited. | ||||||||||
| Transparency index | Specifies how traceable assignments are that are checked by this rule. Use the slider to enter a value between 0 and 1.
0 ... no transparency 1 ... full transparency | ||||||||||
| Max. number of rule violations | Number of rule violation permitted for this rule. |
Detailed information about this topic
- One Identity Manager Risk Assessment Administration Guide
- Report Editor in the One Identity Manager Configuration Guide
- Mitigating Controls