Chat now with support
Chat with Support

Identity Manager 8.1.5 - Compliance Rules Administration Guide

Compliance rules and identity audit
One Identity Manager users for identity audit Basic data for setting up rules Setting up a rule base rule check Creating custom mail templates for notifications
Mitigating controls Configuration parameters for Identity Audit

Exception approval over a limited period

Exception approvals can be set for a limited period of time. To do this, you can specify a validity period for exception approvals on each rule. When the validity period expires, the applicable exception approvals are canceled. A scheduled process plan checks whether an exception approval is still valid.

Once an exception approval has been granted, the expiry date is calculated from the current date and the validity period stored with the rule. You can only change the expiry date for future exception approvals. The expiry date for existing exception approvals does not change.

To set a time limit on exception approvals

  1. Enter a validity period for a rule.
    1. Select the Identity Audit | Rules | Working copies of rules category.
    2. Select a working copy from the result list.
    3. Select the Change master data task.

    4. On the General tab, in the Validity period (max. # days) field, enter the number of days for which exception approvals may apply for this rule.

      If the value is 0, the exception approvals have no time limit.

    5. Save the changes.
    6. To transfer the change to the active rule, select Enable working copy task.
  2. In the Designer, configure and enable the Reset exception approval of compliance rule violations schedule.

For detailed information about setting up schedules, see the One Identity Manager Operational Guide.

Granting exception approvals in the manager

You use the Web Portal to edit rule violations and grant exception approval, by default. You can, however, grant exception approval in the Manager. To do this, log in as non role-based to the Manager. This function is not available in the Manager for role-based login.

To grant exception approval to employees violating a particular rule

  1. Select the Identity Audit | Rule violations category.
  2. Select the rule violation in the result list.
  3. Select the Show rule violations task.
  4. Double-click to select the employee you want to grant exception approval to.

    This opens the Edit rule violations form.

  5. To obtain detailed information about the employee, select the employee.
  6. To obtain an overview of the rule violation, select the rule violation.
  7. Enter a reason
  8. To approve the rule violation for this employee, select Approve exception.

    The Approver and Approval date fields and set the Exception is approved and Checked options are preselected.

  9. To deny exception approval for this employee, select Deny exception.

    On this form, the Approver and Approval date fields and the Checked option are completed.

  10. Save the changes.

To grant exception approval for rules violated by a specific employee:

  1. Select the Employees | Employees category.
  2. Select the employee in the result list.
  3. Select the Rule evaluation report.
  4. Double-click to select the rule violation for the employee to grant exception approval to.

    The form Edit rule violations is opened.

  5. To obtain detailed information about the employee, select the employee.
  6. To obtain an overview of the rule violation, select the rule violation.
  7. Enter a reason
  8. To approve the exception approval for this employee, select Approve exception.

    The Approver and Approval date fields and set the Exception is approved and Checked options are preselected.

  9. To deny exception approval for this employee, select Deny exception.

    The Approver and Approval date fields and the Checked option are preselected.

  10. Save the changes.
Related topics

Notifications about rule violations

After rule checking, email notifications can be sent to exception approvers and rule supervisors through new rule violation. The notification procedure uses mail templates to create notifications. The mail text in a mail template is defined in several languages. This ensures that the language of the recipient is taken into account when the email is generated. Mail templates are supplied in the default installation with which you can configure the notification procedure.

Messages are not sent to the chief approval team by default. Fallback approvers are only notified if not enough approvers could be found for an approval step.

To use notification in the request process

  1. Ensure that the email notification system is configured in One Identity Manager. For more detailed information, see the One Identity Manager Installation Guide.

  2. In the Designer, set the QER | ComplianceCheck | EmailNotification configuration parameter.

  3. In the Designer, set the QER | ComplianceCheck | EmailNotification | DefaultSenderAddress configuration parameter and enter the sender address used to send the email notifications.

  4. Ensure that all employees have a default email address. Notifications are sent to this address. For more detailed information, see the One Identity Manager Identity Management Base Module Administration Guide.

  5. Ensure that a language can be determined for all employees. Only then can they receive email notifications in their own language. For more detailed information, see the One Identity Manager Identity Management Base Module Administration Guide.

  6. Configure the notification procedure.

Related topics

Request for exception approval

If new rule violations are discovered during a rule check, exception approvers are notified and prompted to make an approval decision.

Prerequisites

  • The Exception approval allowed option is set for the rule.
  • An Exception approver application role is assigned to the rule.
  • Employees are assigned to this application role.

To send demands for exception approval

  • In the Designer, set the QER | ComplianceCheck | EmailNotification | NewExceptionApproval configuration parameter.

    Notification with the Compliance - new exception approval required mail template is sent to all exception approvers, by default.

TIP: To use something other than the default mail template for these notifications, change the value of the configuration parameter.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating