
Identity Manager 8.0 - Risk Assessment Administration Guide

Default Risk Index Functions


One Identity Manager supplies a comprehensive collection of default functions. These are needed to calculate the risk index of all assigned company resources. These functions can be selected in the category Risk index functions under the Assignment filter.

Additional factors, like the type of assignment or attestation, influence how the risk index is calculated. A separate function is stored for each factor that additionally affects a calculated risk index. These functions can be selected in the category Risk index functions under the Properties filter.

The following object type risk indexes are determined to calculate the risk index of employees:

  • User accounts

    Risk index (calculated) of all user accounts connected to an employee

  • Company resources

    Risk index (calculated) of all company resources assigned (for example, applications, resources, subscribable reports)

  • Rule violations

    Risk index of violated rules, taking mitigating controls into account

  • Application Roles

    Risk index of all application roles of which the employee is a member

Risk index calculation for the different object types is described in more detail in the following sections.

NOTE: The default functions allow a complete risk assessment for all objects in the One Identity Manager. The mode of calculation, weighting and change values must be adjusted to suit your company’s requirements.

Before running a risk assessment

  • Check all default functions for relevance to your data situation.
  • Disable all unnecessary functions.
  • Modify the calculation type, weighting and change value to meet your requirements.
  • Define custom functions if required.

User Account Risk Indexes


Installed Module:

Target System Base Module

Active Directory Module

Azure Active Directory Module

Oracle E-Business Suite Module

LDAP Module

IBM Notes Module

SAP R/3 User Management module Module

SAP R/3 Analysis Authorizations Add-on Module

SharePoint Module

G Suite Module

Cloud Systems Management Module

Unix Based Target Systems Module

Attestation Module

First, the risk indexes of all system entitlements assigned to the user accounts are found in order to calculate user account risk indexes. There are functions stored for the assignments tables to do this (for example "Active Directory user accounts: assignments to groups", "User accounts: assignments to system entitlements"). The risk factor of these assignments depends on other factors. Each of these factors reduces the risk index found.

  • Assignment through inheritance (without IT Shop requests)
  • Assignment through an approved IT Shop request
  • The assignment is attested and approved

The One Identity Manager determines the highest value from the assignment risk indexes (calculation type: "Maximum (weighted)") for each user account. There are functions stored for the user account tables to do this (for example: "Active Directory user account", "User accounts"). This value is reduced or increased by other factors.

  • The user account is attested and approved
  • The user account is not connected to an employee
  • The user account is disabled
  • The user account is a member of too many system entitlements

The risk index of SAP user accounts is calculated from different individual risks.

  • Highest risk index of the assigned SAP groups
  • Highest risk index of the assigned structural profiles
  • Highest risk index (reduced) of the SAP functions matching an SAP user account

The One Identity Manager finds the highest value of these individual risks for each SAP user account. This value is decreased or increased by given factors if the conditions are fulfilled.

The risk index of SharePoint user accounts is calculated from different individual risks.

  • Highest risk index of the assigned SharePoint groups
  • Highest risk index of the assigned SharePoint roles

The One Identity Manager finds the highest value of these individual risks for each SharePoint user account. This value is decreased or increased by given factors if the conditions are fulfilled.

NOTE: User accounts can obtain a calculated index even if there are no risk indexes stored with the system entitlements. In this case, the risk index is calculated from the additional factors which increase the risk index. The risk index of a user account increases if:

  • The user account is not linked to an employee
  • The user account is a member of too many system entitlements
  • The user account is disabled
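
A minimal model of the user account calculation described above, including the NOTE case in which no system entitlement carries a risk index. This is an added example, not One Identity Manager code: the 0 to 1 scale, the weighting, the change values, the "too many" threshold and all names are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# All weights and change values are constructed for illustration;
# they are not One Identity Manager defaults.
ASSIGNMENT_REDUCTION = {"inherited": 0.05, "itshop_approved": 0.10, "attested": 0.10}
ACCOUNT_WEIGHT = 1.0   # weighting applied by "Maximum (weighted)"
ACCOUNT_CHANGE = {"attested": -0.10, "no_employee": 0.20,
                  "disabled": 0.05, "too_many_entitlements": 0.10}
MAX_ENTITLEMENTS = 3   # hypothetical threshold for "too many"

@dataclass
class Assignment:
    entitlement_risk: float            # risk index stored with the entitlement
    factors: frozenset = frozenset()   # keys of ASSIGNMENT_REDUCTION that apply

@dataclass
class Account:
    assignments: list
    attested: bool = False
    employee_linked: bool = True
    disabled: bool = False

def clamp(x):
    """Keep a risk index on the assumed 0..1 scale."""
    return round(min(1.0, max(0.0, x)), 4)

def assignment_risk(a):
    """Entitlement risk index, reduced once for every factor that applies."""
    cut = sum(v for k, v in ASSIGNMENT_REDUCTION.items() if k in a.factors)
    return clamp(a.entitlement_risk - cut)

def account_risk(acc):
    """Weighted maximum over assignments, then changed by account-level factors."""
    base = ACCOUNT_WEIGHT * max((assignment_risk(a) for a in acc.assignments), default=0.0)
    active = {
        "attested": acc.attested,
        "no_employee": not acc.employee_linked,
        "disabled": acc.disabled,
        "too_many_entitlements": len(acc.assignments) > MAX_ENTITLEMENTS,
    }
    return clamp(base + sum(ACCOUNT_CHANGE[k] for k, on in active.items() if on))

# Constructed sample accounts
REVIEWED = Account([Assignment(0.8, {"itshop_approved", "attested"}), Assignment(0.5)],
                   attested=True)
# NOTE case: no entitlement risk stored, yet the account still scores above zero
ORPHAN = Account([Assignment(0.0)] * 4, employee_linked=False, disabled=True)
```

With these assumed values the orphaned account scores higher than zero purely from the increasing factors, which is why such accounts appear in a risk report even before any entitlement has been rated.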

System Role Risk Indexes


Installed Module:

System Roles Module

Attestation Module

First, the risk indexes of all company resources assigned to the system roles are found in order to calculate system role risk indexes. There are functions stored for the assignments tables to do this ("System roles"). The system role risk index is made up of the risk indexes of the assigned objects. There is a separate function stored for each assignable object type.

The One Identity Manager determines the highest value from the assignment risk indexes (calculation type: "Maximum") for each system role. There are functions stored for the "system role" table to do this. This value is reduced or increased by other factors.

  • The system role is attested and approved
  • The system role is not assigned to a manager

NOTE: Employees can obtain a calculated index even if there are no risk indexes stored with the company resources. In this case, the risk index is calculated from the additional factors which increase the risk index. The risk index of a user account increases if no manager is assigned.

Hierarchical Role and IT Shop Structure Risk Indexes


Installed Modules:

Business Roles Module (for business role risk indexes)

Attestation Module

First, the risk indexes of all assigned company resources are established in order to calculate risk indexes for business roles, departments, locations, cost centers and IT Shop structures. There are functions stored for the assignments tables to do this (for example "Roles and organizations: Subscribable report assignments", "Roles and organizations: E-Business Suite responsibility assignments"). The risk factor of these assignments depends on other factors. Each of these factors reduces the risk index found.

  • Assignment through an approved IT Shop request
  • The assignment is attested and approved

The One Identity Manager determines the highest value from the assignment risk indexes (calculation type: "Maximum (weighted)") for each company resource. This value is reduced or increased by other factors.

  • The role or IT Shop structure is attested and approved.
  • The role or IT Shop structure is not assigned a manager (UID_PersonHead).

NOTE: Roles and IT Shop structures can obtain a calculated index even if there are no risk indexes stored with the company resources. In this case, the risk index is calculated from the additional factors which increase the risk index. The risk index of a role or IT Shop structure increases if no manager is assigned to the role or IT Shop structure.