
Identity Manager 8.1.2 - Compliance Rules Administration Guide

Compliance rules and Identity Audit


Table 1: Configuration parameters for identity audit
Configuration parameter Meaning
QER\ComplianceCheck Preprocessor relevant configuration parameter to control component parts for Identity Audit. Changes to the parameter require recompiling the database.

If this parameter is enabled, the components can be used.

One Identity Manager can be used to define rules that maintain and monitor regulatory requirements and automatically deal with rule violations. Define compliance rules to test the entitlements, or combinations of entitlements, assigned to employees in the company in the context of identity audit. On the one hand, existing rule violations can be found by running a rule check. On the other hand, possible rule violations can be identified ahead of an assignment and thus prevented.

Figure 1: Identity Audit in One Identity Manager

Simple rule examples are:

  • An employee may not obtain two entitlements A and B at the same time.
  • Only employees from a particular department can have a particular entitlement.
  • Every user account has to have a manager assigned to it.
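The three rule shapes above, together with the two ways of applying them (checking the existing state for violations, and checking a requested assignment before it is made), as an added example. This is illustrative code, not One Identity Manager's rule engine: the Employee record, the entitlement and department names, and the rule identifiers are assumptions made up for the example.

```python
"""Toy compliance-rule checker (added example; not One Identity Manager code).

Each rule is a function that takes an employee record and returns either a
violation message or None. The same rules serve a full rule check over the
current state and a preemptive check of a single requested assignment.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class Employee:
    """Assumed minimal employee record: id, department, manager, entitlements."""
    uid: str
    department: str
    manager: Optional[str]
    entitlements: FrozenSet[str]


Rule = Callable[[Employee], Optional[str]]


def sod_rule(a: str, b: str) -> Rule:
    """An employee may not hold entitlements a and b at the same time."""
    def check(e: Employee) -> Optional[str]:
        if a in e.entitlements and b in e.entitlements:
            return f"{e.uid} holds both {a} and {b}"
        return None
    return check


def department_rule(entitlement: str, department: str) -> Rule:
    """Only employees from the given department may hold the entitlement."""
    def check(e: Employee) -> Optional[str]:
        if entitlement in e.entitlements and e.department != department:
            return f"{e.uid} ({e.department}) holds {entitlement}, which is restricted to {department}"
        return None
    return check


def manager_required() -> Rule:
    """Every account must have a manager assigned."""
    def check(e: Employee) -> Optional[str]:
        if e.manager is None:
            return f"{e.uid} has no manager assigned"
        return None
    return check


# Assumed rule base; names and entitlement codes are invented for the example.
RULES: Dict[str, Rule] = {
    "SoD-01": sod_rule("AP_PAY", "AP_APPROVE"),       # pay and approve invoices
    "DEP-01": department_rule("HR_ADMIN", "HR"),      # HR admin only for HR staff
    "MGR-01": manager_required(),
}

# Constructed sample data: one violation of each rule plus one clean record.
EMPLOYEES: List[Employee] = [
    Employee("alice", "Finance", "carol", frozenset({"AP_PAY", "AP_APPROVE"})),
    Employee("bob", "Sales", "carol", frozenset({"HR_ADMIN"})),
    Employee("carol", "Finance", None, frozenset({"AP_APPROVE"})),
    Employee("dave", "Finance", "carol", frozenset({"AP_PAY"})),
]


def check_rules(employees: Iterable[Employee],
                rules: Dict[str, Rule] = RULES) -> Dict[str, List[str]]:
    """Regular or spontaneous rule check: every rule against every employee.

    Returns {rule name: [violation messages]} for rules that fired at least once.
    """
    violations: Dict[str, List[str]] = {}
    for name, rule in rules.items():
        for e in employees:
            msg = rule(e)
            if msg is not None:
                violations.setdefault(name, []).append(msg)
    return violations


def would_violate(employee: Employee, new_entitlement: str,
                  rules: Dict[str, Rule] = RULES) -> Dict[str, str]:
    """Preemptive check: which rules would the requested assignment newly break?

    Evaluates the rules against the hypothetical state with the entitlement
    added, and reports only rules that are not already violated today, so a
    pre-existing problem (e.g. a missing manager) does not mask the new one.
    """
    candidate = Employee(employee.uid, employee.department, employee.manager,
                         employee.entitlements | {new_entitlement})
    already = {name for name, rule in rules.items() if rule(employee) is not None}
    return {name: msg for name, rule in rules.items()
            if name not in already and (msg := rule(candidate)) is not None}


if __name__ == "__main__":
    for name, msgs in check_rules(EMPLOYEES).items():
        print(name, msgs)
    print("dave + AP_APPROVE:", would_violate(EMPLOYEES[3], "AP_APPROVE"))
    print("dave + CRM_READ:", would_violate(EMPLOYEES[3], "CRM_READ"))
```

The point of `would_violate` is the second half of the paragraph above: the same rule base that finds existing violations is evaluated against the state the request would produce, which is what lets a violation be refused or routed for exception approval before the entitlement ever reaches the target system.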

You can use the identity audit function of the One Identity Manager to:

  • Define rules for any employee assignments
  • Evaluate the risk of possible rule violations
  • Specify mitigating controls
  • Initiate regular or spontaneous rule checks
  • Test edit permissions of employees within an SAP client in detail (using SAP functions)
  • Evaluate rule violations with differing criteria
  • Create reports about rules and rule violations

Based on this information, you can make corrections to data in One Identity Manager and transfer them to the connected target systems. The integrated report function in One Identity Manager can be used to provide information for the appropriate tests.

To use the identity audit function

  • Set the configuration parameter "QER\ComplianceCheck" in the Designer.

One Identity Manager users for the Identity Audit

The following users are involved in managing the rule base and editing rule violations.

Table 2: Users
Users Task

Administrators for Identity Audit

Administrators must be assigned to the Identity & Access Governance | Identity Audit | Administrators application role.

Users with this application role:

  • Enter base data for setting up company policies.
  • Create compliance rules and assign rule supervisors to them.
  • Can start rule checking and view rule violations as required.
  • Create reports about rule violations.
  • Enter mitigating controls.
  • Create and edit risk index functions.
  • Monitor Identity Audit functions.
  • Administer application roles for rule supervisors, exception approvers and attestors.
  • Set up other application roles as required.

Rule supervisors

Rule supervisors must be assigned to the Identity & Access Governance | Identity Audit | Rule supervisors application role or a child application role.

Users with this application role:

  • Are responsible for compliance rule content, for example, an auditor or an auditing department.
  • Edit the compliance rule working copies, which are assigned to the application role.
  • Enable and disable compliance rules.
  • Can start rule checking and view rule violations as required.
  • Assign mitigating controls.

One Identity Manager administrators

  • Create customized permissions groups for application roles for role-based login to administration tools in the Designer as required.

  • Create system users and permissions groups for non role-based login to administration tools in the Designer as required.

  • Enable or disable additional configuration parameters in the Designer as required.

  • Create custom processes in the Designer as required.

  • Create and configure schedules as required.

  • Create and configure password policies as required.

Exception approvers

Exception approvers must be assigned to the Identity & Access Governance | Identity Audit | Exception approvers application role or a child application role.

Users with this application role:

  • Edit rule violations in the Web Portal.
  • Can grant exception approval or revoke it in the Web Portal.

Compliance rules attestors

Attestors must be assigned to the Identity & Access Governance | Identity Audit | Attestors application role.

Users with this application role:

  • Attest compliance rules and exception approvals in the Web Portal for which they are responsible.
  • Can view master data for these compliance rules but not edit them.
NOTE: This application role is available only if the Attestation Module is installed.

Compliance and Security Officer

Compliance and security officers must be assigned to the Identity & Access Governance | Compliance & Security Officer application role.

Users with this application role:

  • View all compliance relevant information and other analysis in the Web Portal. This includes attestation policies, company policies and policy violations, compliance rules, and rule violations and risk index functions.
  • Edit attestation policies.

Auditors

Auditors are assigned to the Identity & Access Governance | Auditors application role.

Users with this application role:

  • See all the data relevant to an audit in the Web Portal.

Basic data for setting up rules

Various basic data is required to create rules, run rule checks, and handle rule violations.

  • Rule groups: see "Rule groups"
  • Compliance frameworks: see "Compliance frameworks"
  • Extended properties: see "Extended properties and property groups"
  • Schedules: see "Schedules for checking rules"
  • Functional areas: see "Functional areas"
  • Attestors: see "Attestors"
  • Rule supervisors: see "Rule supervisors"
  • Exception approvers: see "Exception approvers"
  • Standard reasons: see "Standard reasons"
  • Mail templates: see "Creating custom mail templates for notifications"

Rule groups

Use rule groups to group rules by function, for example, to group account policies together or to keep segregation-of-duties rules separate.

To edit a rule group

  1. Select Identity Audit | Basic configuration data | Rule groups.
  2. Select a rule group in the result list. Select the Change master data task.

    - OR -

    Click in the result list.

  3. Edit the master data for the rule group.
  4. Save the changes.

Enter the following data for a rule group:

Table 3: Rule group properties
Property Description
Group name Name of the rule group.
Description Spare field for additional explanation.
Parent group Rule group above this one in a hierarchy.

To organize rule groups hierarchically, select the parent rule group in the menu.
