Chat now with support
Chat with Support

Identity Manager 9.1.2 - Risk Assessment Administration Guide

Risk assessment

Everyone with IT system authorization in a company represents a security risk for that company. For example, a person with permission to edit financial data in SAP carries a higher risk than an employee with permission to edit their own personal data. To quantify the risk, you can enter a risk value for every company resource in One Identity Manager. A risk index is calculated from this value for every person who is assigned this company resource, directly, or indirectly. Company resources include target system entitlements (for example, Active Directory groups or SAP profiles), system roles, subscribable reports, software, and resources. In this way, all the people that represent a particular risk to the company can be found.

Rules in the context of Identity Audit can also be given a risk index. Each rule violation can increase the security risk. Therefore, these risk indexes are also included in the employee’s risk calculation. You can define appropriate countermeasures through mitigating controls, and store them with the compliance rules.

Other factors can influence the calculation of employee risk indexes. These include: the type of resource assignment (approved request in the IT Shop or direct assignment), attestations, exception approvals for rule violations, employee responsibilities, and defined weightings. Furthermore, the risk index can be calculated for all business roles, organizations, and system roles that have company resources assigned to them. The user account risk index is calculated based on the system entitlements assigned.

One Identity Manager provides default functions for the risk index calculations described in the following. These are available if the respective modules are installed. You can also can set up custom functions.

To use risk assessment functionality

  • In the Designer, set the QER | CalculateRiskIndex configuration parameter and compile the database.

If you disable the configuration parameter at a later date, model components and scripts that are not longer required, are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.

One Identity Manager users for configuring risk assessment

The following users are used for specifying risk indexes and editing risk index functions.

Table 1: Users
Users Tasks

Employee responsible for individual company resources

The users are defined using different application roles for administrators and managers.

Users with these application roles:

  • Specify company resource risk indexes for which you are responsible.

Compliance rules administrators

Administrators must be assigned to the Identity & Access Governance | Identity Audit | Administrators application role.

Users with this application role:

  • Specify the risk indexes for compliance rules.

  • Specify mitigating controls.

  • Create and edit functions.

Administrators for attestation cases

Administrators are assigned to the Identity & Access Governance | Attestation | Administrators application role.

Users with this application role:

  • Specify risk indexes for attestation policies.

  • Specify mitigating controls.

  • Create and edit functions.

Company policy administrators

Administrators must be assigned to the Identity & Access Governance | Company policies | Administrators application role.

Users with this application role:

  • Specify risk indexes for company policies.

  • Specify mitigating controls.

  • Create and edit functions.

Employee administrators

Administrators must be assigned to the Identity Management | Employees | Administrators application role.

Users with this application role:

  • Create and edit functions.

One Identity Manager administrators

One Identity Manager administrator and administrative system users Administrative system users are not added to application roles.

One Identity Manager administrators:

  • Create customized permissions groups for application roles for role-based login to administration tools in the Designer as required.

  • Create system users and permissions groups for non role-based login to administration tools in the Designer as required.

  • Enable or disable additional configuration parameters in the Designer as required.

  • Create custom processes in the Designer as required.

  • Create and configure schedules as required.

 

Defining risk index functions

NOTE: Object types are defined in the One Identity Manager modules and are not available until the modules are installed.

The risk index can be entered for the following object types.

Table 2: Risk index for objects in the One Identity Manager
Object type Application Available in module

Target system entitlements, such as Active Directory groups or Google Workspace products and SKUs

Risk to the organization if the target system entitlement is assigned to a user account.

In the respective target system module

Software

Risk for the company if the account definition, software, or resource is assigned to an employee.

Software Management Module

Resources

always

Account definitions

Target System Base Module

Multi-request resources

Risk for the company if the resource is assigned to an IT Shop structure.

always

Multi requestable/unsubscribable resources

always

Assignment resources

always

Application roles

Risk for the company if an employee is a member of this application role.

always

Compliance rules

Risk for the company if a rule is violated.

Compliance Rules Module

SAP functions

Risk for the company if SAP user accounts match the SAP function.

SAP R/3 Compliance Add-on Module

Company policies

Risk for the company if a company policy is violated.

Company Policies Module

Attestation policies

Risk for the company if an attestation procedure denies approval for an attestation policy.

Attestation Module

Subscribable reports

Risk for the company if an employee has subscribed to a report.

Report Subscription Module

To enter a risk index

  1. In the Manager, open the object's main data form to enter a risk index.

  2. Enter the desired value in the Risk index field.

    The risk index must be given as a floating point number in the range 0.0... 1.0. This means:

    • 0,0: There is no risk

    • 1,0: There is an issue. A risk has been identified.

Calculating risk index functions

Based on the risk index history, resulting risk indexes are calculated for employees, user accounts, and hierarchical roles. All direct and indirectly assigned objects are taken into account.

The risk index is calculated for the following object types.

Table 3: Object types with a calculated risk index

Object type

Calculation

Available in Module

Employees

Calculated from the risk indexes of all associated user accounts, directly, and indirectly assigned software applications, resources, account definitions, and subscribable reports, membership in application roles, and rule violations.

always

User accounts, such as Active Directory user accounts or Google Workspace user accounts

Calculated from the risk indexes of all assigned target system entitlements.

In the respective target system module

Departments, locations, cost centers

Calculated from the risk indexes of all assigned company resources.

always

Business roles

Business Roles Module

System roles

System Roles Module

IT Shop structures

always

Rule violations

Determined by the risk index of the violated rule and the assigned mitigating control.

Compliance Rules Module

One Identity Manager supplies default functions for the risk indexes with risk functions defined for the objects types listed here. Certain properties of default functions can be edited in One Identity Manager. Furthermore, you can make custom functions.

Related topics
Self Service Tools
Knowledge Base
Notifications & Alerts
Product Support
Software Downloads
Technical Documentation
User Forums
Video Tutorials
RSS Feed
Contact Us
Licensing Assistance
Technical Support
View All
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating