Overview of Behavior Driven Governance
Behavior Driven Governance allows IT administrators and those responsible for compliance to administer entitlements on the basis of usage behavior. This allows entitlements that are no longer needed to be identified and removed. Regular checks and recertification of these entitlements ensure that only entitlements that are really required are always assigned. One Identity Manager provides various default policies and processes for Behavior Driven Governance.
OneLogin integration
If OneLogin Cloud Directory data is synchronized with One Identity Manager, access to OneLogin applications can be recertified and managed depending on usage behavior. Data from the OneLogin change history is used to do this. There are default policies available for the following tasks:
- Find OneLogin application access that has not been used for a specified period of time
- Find OneLogin applications that have not been used by anyone for a specified period of time
- Find OneLogin applications that are assigned to more than one OneLogin role
- Find OneLogin roles that grant access to more than one OneLogin application
Unused applications can be removed automatically if configured accordingly.
Integration with other Unified Namespace target systems
If there are target systems mapped in the Unified Namespace, administrators can use a default company policy to determine all the user accounts that have not been used for a specified amount of time. They can use this information to verify and correct target system access permissions. This reduces the security risk associated with user accounts that are unused but still enabled. The prerequisite is that these target systems provide information about how long the user accounts have been in use and that this data is synchronized.
Required modules
Behavior Driven Governance can be used if the following modules are installed:
Behavior Driven Governance for OneLogin
NOTE: This functionality is only available if the OneLogin Module is installed.
One Identity Manager provides various company policies and attestation policies to test and recertify or remove access to OneLogin applications depending on usage patterns. This means the following scenarios can be handled:
- Access to OneLogin applications that are not used
  OneLogin users should use the applications assigned to them at least once within the given time period. If, according to its application history, an application has not been used, the application assignment to the OneLogin user account should be recertified or deleted.
  A company policy finds all unused access to OneLogin applications. Exception approvers are informed about the applications and user accounts involved. At the same time, a recertification process is launched. During the recertification process, users and their managers or target system managers clarify whether the applications are still required. If not, access to unused applications can be subsequently removed, automatically or manually.
- OneLogin applications that are not used by anyone
  Applications should be used at least once by at least one OneLogin user within the given time period. If, according to its application history, an application has not been used, the application assignments to the OneLogin user accounts should be recertified or deleted.
  A company policy finds all unused OneLogin applications. Exception approvers are informed about the affected applications. Recertification can be used to clarify whether the applications are still needed. Access to unused applications can be subsequently removed, automatically or manually.
- Non-unique assignment of OneLogin applications to OneLogin roles
  Access of OneLogin users to applications is controlled by roles. If access is to be removed, the assignment of OneLogin roles to user accounts must be removed. To avoid removing other permissions that may still be required, exactly one application must be assigned to each role. If the assignment of applications to roles is unique, unused access to applications can be removed automatically.
  Company policies are used to identify all OneLogin roles that have more than one application assigned to them, as well as all applications that are assigned to more than one role. Exception approvers are informed about the affected roles and applications and can take appropriate action.
The time period after which applications are considered unused is defined in the TargetSystem | OneLogin | UnusedApplicationThresholdInDays configuration parameter. The default value is 90 days.
For more information about mapping OneLogin applications, OneLogin user accounts, and OneLogin roles, see the One Identity Manager Administration Guide for Integration with OneLogin Cloud Directory.
Prerequisites for automatic withdrawal of unused OneLogin applications
In order to automatically remove OneLogin user account access to OneLogin applications, One Identity Manager determines which OneLogin roles were used to assign the applications. If a role found in this way is assigned to just one unused application, the user account membership in this role can be removed. This causes the user account to lose its access to the application. If more than one application is assigned to one OneLogin role, the membership is not automatically deleted to ensure that all the other applications in the role still have their access.
NOTE: Applications assigned directly to user accounts cannot be removed in One Identity Manager. Direct assignments must be removed manually after attestation is denied in the target system.
Prerequisites
To find and recertify unused applications, the following requirements must be met:
- The OneLogin change history is synchronized. At least the events with types 5, 6, 7, 8, 11, 22, 29 are synchronized (event_type_id=5,6,7,8,11,22,29).
- The TargetSystem | OneLogin | UnusedApplicationThresholdInDays configuration parameter is set. This value specifies after how many days without access a OneLogin application is considered to be unused.
- The identities linked to the user accounts must have a manager assigned to them.
- A target system manager must be specified for OneLogin.
To remove access from an unused application automatically, the following requirements must be met:
- OneLogin applications are only assigned to user accounts via OneLogin roles. Only these assignments can be removed automatically or manually in One Identity Manager.
- Only one OneLogin application is assigned to each OneLogin role.
TIP: Use the OneLogin role(s) control only one OneLogin application company policy to identify roles with more than one application.
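The two prerequisites above, together with the withdrawal rule described earlier (a role membership may only be removed when that role grants exactly one application, and direct assignments are never removed by One Identity Manager), can be expressed as a small decision routine. The following is an added example written for this page, not One Identity Manager code; the role, application and user names are constructed, and the data model (plain role/application and user/role pairs) is an assumption that simplifies the product's real tables.

```python
"""Decide which OneLogin role memberships can be withdrawn automatically.

Added example (not One Identity Manager code). It models the rules stated in
the text: a role membership may be removed only when that role grants exactly
one application, and a direct application assignment is never removed here.
All data below is constructed.
"""
from collections import defaultdict

# Constructed sample data: (role, application) pairs and (user, role) memberships.
ROLE_APPS = [
    ("Role-Sales", "CRM"),
    ("Role-Finance", "ERP"),
    ("Role-Finance", "Expenses"),  # this role controls two applications
    ("Role-Support", "CRM"),       # CRM is reachable through two roles
]
USER_ROLES = [
    ("alice", "Role-Sales"),
    ("bob", "Role-Finance"),
    ("carol", "Role-Support"),
]
DIRECT_APPS = [("dave", "CRM")]  # assigned directly in OneLogin, not via a role


def apps_per_role(role_apps):
    """Map each role to the set of applications it grants."""
    apps = defaultdict(set)
    for role, app in role_apps:
        apps[role].add(app)
    return apps


def roles_controlling_multiple_apps(role_apps):
    """Roles that grant more than one application (the 'role controls only one application' check)."""
    return sorted(r for r, a in apps_per_role(role_apps).items() if len(a) > 1)


def apps_in_multiple_roles(role_apps):
    """Applications reachable through more than one role (non-unique assignment)."""
    roles = defaultdict(set)
    for role, app in role_apps:
        roles[app].add(role)
    return sorted(a for a, r in roles.items() if len(r) > 1)


def withdrawal_plan(user, unused_app, role_apps=ROLE_APPS, user_roles=USER_ROLES,
                    direct_apps=DIRECT_APPS):
    """Return {"withdraw": [roles], "manual": [reasons]} for one unused assignment."""
    plan = {"withdraw": [], "manual": []}
    granted = apps_per_role(role_apps)
    # Roles through which this user receives the unused application.
    via_roles = [r for u, r in user_roles if u == user and unused_app in granted[r]]
    for role in via_roles:
        if granted[role] == {unused_app}:
            plan["withdraw"].append(role)  # role grants only this app: safe to remove
        else:
            others = sorted(granted[role] - {unused_app})
            plan["manual"].append(f"{role} also grants {', '.join(others)}")
    is_direct = (user, unused_app) in direct_apps
    if is_direct:
        plan["manual"].append("direct assignment must be removed in OneLogin")
    if not via_roles and not is_direct:
        plan["manual"].append("no assignment path found")
    return plan


if __name__ == "__main__":
    print("roles with more than one app:", roles_controlling_multiple_apps(ROLE_APPS))
    print("apps in more than one role:", apps_in_multiple_roles(ROLE_APPS))
    for user, app in [("alice", "CRM"), ("bob", "ERP"), ("dave", "CRM")]:
        print(user, app, withdrawal_plan(user, app))
```

Running the module shows the three outcomes the text distinguishes: alice loses Role-Sales automatically, bob's Role-Finance is left for the target system manager because it also grants Expenses, and dave's direct CRM assignment is reported for manual removal.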
Identifying unused access to OneLogin applications
OneLogin users are expected to use the applications assigned to them at least once within the given time span. You can use a default company policy to identify all OneLogin application assignments to user accounts that, according to the change history, have not been used during this period. Exception approvers are informed about the applications and user accounts involved. At the same time, a recertification process is launched. During the recertification process, users and their managers or target system managers clarify whether the applications are still required. If not, access to unused applications can be subsequently removed, automatically or manually.
Assignments are identified as unused when the following conditions apply:
- The assignment is in effect (OLGUserHasApplication.XIsInEffect=1).
- The OneLogin user has logged in to OneLogin at least once (OLGUser.LastLogin).
- The number of days between the date of the last application login (OLGEvent.CreatedAt) and the current date is greater than or equal to the value of the TargetSystem | OneLogin | UnusedApplicationThresholdInDays configuration parameter.
  - OR -
  There is no application login date for the user account in the change history. Therefore, the user has never used the application.
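The conditions above amount to one query over the three tables named in the text. The following is an added example, not One Identity Manager code: it builds a constructed, simplified SQLite copy of OLGUser, OLGUserHasApplication and OLGEvent, using only the columns the text names (XIsInEffect, LastLogin, CreatedAt) plus assumed user/application columns on OLGEvent, and then runs the check with the 90-day default threshold. The rows include the edge cases the conditions describe: an assignment that is not in effect, a user who has never logged in, an application that was never used, and a last use exactly 90 days old.

```python
"""Find OneLogin application assignments that count as unused.

Added example (not One Identity Manager code). It runs the conditions listed
above as a query over a constructed, simplified SQLite copy of the tables named
in the text. The OLGEvent columns linking an event to a user and an application
are assumptions; the real product schema differs.
"""
import sqlite3

THRESHOLD_DAYS = 90  # default of TargetSystem | OneLogin | UnusedApplicationThresholdInDays

SCHEMA = """
CREATE TABLE OLGUser (UID_OLGUser TEXT PRIMARY KEY, LastLogin TEXT);
CREATE TABLE OLGUserHasApplication (
    UID_OLGUser TEXT, UID_OLGApplication TEXT, XIsInEffect INTEGER);
CREATE TABLE OLGEvent (
    UID_OLGUser TEXT, UID_OLGApplication TEXT, CreatedAt TEXT);
"""

# Constructed sample rows (ISO dates). The reference date for the check is 2024-06-01.
USERS = [("alice", "2024-05-30"), ("bob", "2024-05-30"), ("carol", "2024-05-30"),
         ("dave", "2024-05-30"), ("erin", None), ("frank", "2024-05-30")]
ASSIGNMENTS = [("alice", "CRM", 1), ("bob", "ERP", 1), ("carol", "HR", 1),
               ("dave", "CRM", 0),   # not in effect: ignored
               ("erin", "ERP", 1),   # user never logged in to OneLogin: ignored
               ("frank", "CRM", 1)]
EVENTS = [("alice", "CRM", "2024-02-01"), ("alice", "CRM", "2024-05-01"),  # recent use
          ("bob", "ERP", "2024-01-01"),                                    # stale use
          ("frank", "CRM", "2024-03-03")]                                  # exactly 90 days
# carol/HR has no event at all: the application was never used.

UNUSED_QUERY = """
SELECT uha.UID_OLGUser, uha.UID_OLGApplication, MAX(e.CreatedAt) AS LastAppLogin
FROM OLGUserHasApplication AS uha
JOIN OLGUser AS u ON u.UID_OLGUser = uha.UID_OLGUser
LEFT JOIN OLGEvent AS e
       ON e.UID_OLGUser = uha.UID_OLGUser
      AND e.UID_OLGApplication = uha.UID_OLGApplication
WHERE uha.XIsInEffect = 1            -- assignment is in effect
  AND u.LastLogin IS NOT NULL        -- user has logged in to OneLogin at least once
GROUP BY uha.UID_OLGUser, uha.UID_OLGApplication
HAVING MAX(e.CreatedAt) IS NULL      -- never used the application
    OR julianday(:today) - julianday(MAX(e.CreatedAt)) >= :threshold
"""


def build_sample_db():
    """Create the in-memory sample database from the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO OLGUser VALUES (?, ?)", USERS)
    conn.executemany("INSERT INTO OLGUserHasApplication VALUES (?, ?, ?)", ASSIGNMENTS)
    conn.executemany("INSERT INTO OLGEvent VALUES (?, ?, ?)", EVENTS)
    return conn


def find_unused_assignments(conn, today, threshold_days=THRESHOLD_DAYS):
    """Return sorted (user, application, last_app_login) tuples that violate the policy."""
    rows = conn.execute(UNUSED_QUERY, {"today": today, "threshold": threshold_days})
    return sorted(tuple(r) for r in rows)


if __name__ == "__main__":
    for row in find_unused_assignments(build_sample_db(), "2024-06-01"):
        print(row)
```

With the default threshold the query reports bob (last use 152 days ago), carol (never used) and frank (exactly 90 days, which satisfies the "greater than or equal to" condition); alice is excluded because her latest event is recent, dave because the assignment is not in effect, and erin because the user has never logged in.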
To find and recertify unused assignments
- (Optional) Configure automatic withdrawal of entitlements.
  Depending on the method used to assign OneLogin user accounts to OneLogin roles (directly, via IT Shop request, through hierarchical roles or system roles), different configuration parameters must be set. For more information about this, see the One Identity Manager Attestation Administration Guide.
- (Optional) Check whether policy violation notifications and attestation notifications are set up in the attestation case.
  For more information, see the One Identity Manager Company Policies Administration Guide and the One Identity Manager Attestation Administration Guide.
- (Optional) Assign identities to the Identity & Access Governance | Company policies | Exception approvers application role if they are to be informed about unused OneLogin applications. These identities are allowed to approve exceptions if necessary.
  - In the Manager, select the Company Policies > Basic configuration data > Exception approvers category.
  - Select the Assign identities task.
  - In the Add assignments pane, add identities.
    TIP: In the Remove assignments pane, you can remove assigned identities.
  - Save the changes.
- (Optional) To change the recertification period after an application has been identified as unused, in the Web Portal, edit the Unused OneLogin application access attestation attestation policy.
  For more information about this, see the One Identity Manager Web Portal User Guide.
- Enable the working copy of the Access to OneLogin applications is used regularly company policy.
  - In the Manager, select the Company policies > Policies > Working copies of policies > Predefined category.
  - Select the working copy in the result list.
  - Select Enable working copy.
  - Confirm the security prompt with Yes.
  - Enable the original policy. Confirm the prompt with Yes.
  This starts the policy check.
  TIP: If an enabled company policy already exists, you can start the policy check with the Recalculate policy task.
  A predefined schedule starts the policy check once a month.
  NOTE: If you want to prevent new policy violations from being attested immediately, disable Start attestation for new policy violations immediately.
- (Optional) To periodically recertify approved unused assignments, assign an enabled schedule to the Unused OneLogin application access attestation attestation policy.
  - In the Manager, select the Attestation > Attestation policies > Predefined category.
  - Select the attestation policy in the result list.
  - Select the Change main data task.
  - Select an enabled schedule from the Calculation schedule menu.
    - OR -
    Click to create a new schedule.
  - Save the changes.
Procedure
- In the Manager, verification of the Access to OneLogin applications is used regularly company policy is either scheduled or started by the Recalculate policy task.
- It finds all assignments of OneLogin applications to user accounts where the user account has either never logged in or has not logged in within the specified time period.
- Exception approvers are notified of policy violations via email.
- If any assignment violates the policy, it is automatically attested with the Unused OneLogin application access attestation attestation policy.
  Approval sequence:
  - Is the user account linked to an identity?
  - The linked identity confirms whether the assigned application is required.
  - The manager of the linked identity decides whether the assignment stays.
- If attestation was denied in an approval level, automatic removal of the assignment is reviewed. This finds all OneLogin roles used to assign applications to the user account.
  - If no other applications are assigned to a role, automatic withdrawal of this role is initiated. This removes the assignment of the role to the user account and provisions the change in the target system, thus removing the entitlement for using the application from the OneLogin user.
    With the subsequent synchronization, assignment of the application to the user account is marked as pending or deleted in the One Identity Manager database, depending on the configuration of the synchronization. Run a full target system synchronization to irrevocably delete pending assignments.
  - If the application is assigned directly to the user account or access to multiple applications is granted through a OneLogin role, the attestation case is submitted to the target system managers for final processing.
If the manager or target system managers have approved the attestation, the assignment stays. If the assignment is again found to be unused during the subsequent scheduled or manual check, it is resubmitted to the attestors for review.