Chat now with support
Chat with Support

Identity Manager 9.1.2 - Compliance Rules Administration Guide

Compliance rules and identity audit
One Identity Manager users for identity audit Basic data for setting up rules Setting up a rule base rule check Mail templates for notifying about identity auditing
Mitigating controls for compliance rules Configuration parameters for Identity Audit

Granting exception approval

Assignments that violate rules can be approved in hindsight. To do this, specially authorized employees can grant exception approval.

Prerequisites
  • The Exception approval allowed option is set for the rule.

  • The rule is assigned an application role for exception approvers.

  • Employees are assigned to this application role.

NOTE: If the Exception approval allowed option is not set, unedited rule violations for this rule are automatically denied. Existing exception approvals are withdrawn.

You must also decide whether exception approvers are allowed to approve their own rule violations. By default, an employee who violates a rule is determined to be the exception approver for this rule if they are a member of the Exception approvers application role for the rule. This means they can approve their own rule violations.

To prevent an employee from granting themselves exception approval

  • In the Designer, disable the QER | ComplianceCheck | DisableSelfExceptionGranting configuration parameter.

    Employees that violate a rule, are not determined to be exception approvers for this rule violation. Neither the rule violator's main identity nor its subidentities can grant exception approval.

Detailed information about this topic

Exception approval over a limited period

Exception approvals can be set for a limited period of time. To do this, you can specify a validity period for exception approvals on each rule. When the validity period expires, the applicable exception approvals are canceled. A scheduled process plan checks whether an exception approval is still valid.

Once an exception approval has been granted, the expiry date is calculated from the current date and the validity period stored with the rule. You can only change the expiry date for future exception approvals. The expiry date for existing exception approvals does not change.

To set a time limit on exception approvals

  1. Enter a validity period for a rule.

    1. In the Manager, select the Identity Audit > Rules > Working copies of rules category.

    2. Select a working copy from the result list.

    3. Select the Change main data task.

    4. On the General tab, in the Validity period (max. # days) field, enter the number of days for which exception approvals may apply for this rule.

      If the value is 0, the exception approvals have no time limit.

    5. Save the changes.
    6. To transfer the change to the active rule, select the Enable working copy task.

  2. In the Designer, configure and enable the Reset exception approval of compliance rule violations schedule.

For more information about setting up schedules, see the One Identity Manager Operational Guide.

Granting exception approvals in the Manager

You use the Web Portal to edit rule violations and grant exception approval, by default. You can, however, grant exception approval in the Manager. To do this, log in as non role-based to the Manager. This function is not available in the Manager for role-based login.

To grant exception approval to employees violating a particular rule

  1. In the Manager, select the Identity Audit > Rule violations category.

  2. Select the rule violation in the result list.

  3. Select the Show rule violations task.

  4. Double-click to select the employee you want to grant exception approval to.

    This opens the Edit rule violations form.

  5. To obtain detailed information about the employee, select the employee.

  6. To obtain an overview of the rule violation, select the rule violation.

  7. Enter a reason

  8. To approve the rule violation for this employee, select Approve exception.

    The Approver and Approval date fields and set the Exception is approved and Checked options are preselected.

  9. To deny exception approval for this employee, select Deny exception.

    The Approver and Approval date fields and the Checked option are preselected.

  10. Save the changes.

To grant exception approval for rules violated by a specific employee

  1. In the Manager, select the Employees > Employees category.

  2. Select the employee in the result list.

  3. Select the Rule evaluation report.

  4. Double-click to select the rule violation for the employee to grant exception approval to.

    This opens the Edit rule violations form.

  5. To obtain detailed information about the employee, select the employee.

  6. To obtain an overview of the rule violation, select the rule violation.

  7. Enter a reason

  8. To approve the rule violation for this employee, select Approve exception.

    The Approver and Approval date fields and set the Exception is approved and Checked options are preselected.

  9. To deny exception approval for this employee, select Deny exception.

    The Approver and Approval date fields and the Checked option are preselected.

  10. Save the changes.
Related topics

Notifications about rule violations

After rule checking, email notifications can be sent to exception approvers and rule supervisors through new rule violation. The notification procedure uses mail templates to create notifications. The mail text in a mail template is defined in several languages. This ensures that the language of the recipient is taken into account when the email is generated. Mail templates are supplied in the default installation with which you can configure the notification procedure.

Messages are not sent to the chief approval team by default. Fallback approvers are only notified if not enough approvers could be found for an approval step.

To use notification in the request process

  1. Ensure that the email notification system is configured in One Identity Manager. For more information, see the One Identity Manager Installation Guide.

  2. In the Designer, set the QER | ComplianceCheck | EmailNotification configuration parameter.

  3. In the Designer, set the QER | ComplianceCheck | EmailNotification | DefaultSenderAddress configuration parameter and enter the sender address used to send the email notifications.

  4. Ensure that all employees have a default email address. Notifications are sent to this address. For more information, see the One Identity Manager Identity Management Base Module Administration Guide.

  5. Ensure that a language can be determined for all employees. Only then can they receive email notifications in their own language. For more information, see the One Identity Manager Identity Management Base Module Administration Guide.

  6. Configure the notification procedure.

Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating