Creating and changing company policies
A working copy is added for every company policy. Edit the working copies to create company policies and change them. Changes to the company policy do not take effect until the working copy is enabled.
NOTE: One Identity Manager users with the Identity & Access Governance | Identity Audit | Policy supervisors application role can edit existing working copies that they are entered as being responsible for in the main data.
To create a new company policy
- Select the Company Policies > Policies category.
-
Click 
in the result list.
- Enter the company policy's main data.
- Save the changes.
This adds a working copy.
- Select the Enable working copy task. Confirm the security prompt with OK.
This adds an enabled company policy. The working copy is retained and can be used to make changes later.
To edit an existing company policy
- Select the Company Policies > Policies category.
- Select the company policy in the result list.
- Select the Create working copy task.
The data from the existing working copy are overwritten by the data from the original company policy after a security prompt. The working copy is opened and can be edited.
- OR -
Select the Company policies > Policies > Working copies of policies category.
- Select a working copy in the result list.
-
Select the Change main data task.
- Edit the working copy's main data.
- Save the changes.
- Select Enable working copy. Confirm the security prompt with OK.
Changes to the working copy are transferred to the company policy. This can reenable a disabled company policy if required.
General main data for company policies
Enter the following data for a company policy.
Table 11: General main data of company policies
|
Policy |
Name of the company policy. |
|
Description |
Text field for additional explanation. |
|
Main version number |
Current state of the company policy as a version number. The version number is incremented in One Identity Manager's default installation each time you make a change to the condition. |
|
Working copy |
Specifies whether this is a working copy of the company policy. |
|
Deactivated |
Specifies whether the company policy is disabled or not.
Only company policies that are enabled are included in policy checking. Use the Enable policy or Disable policy tasks to enable or disable a company policy. The working copy company policy is always disabled. |
|
Policy group |
Policy group to which the company policy belongs, based on its content. Select a policy group from the menu. To create a new policy group, click . Enter a name and description for the policy group. |
|
Policy supervisors |
Application role whose members are responsible for the company policy, in terms of content.
To create a new application role, click . Enter the application role name and assign a parent application role. |
|
Exception approval allowed |
Specifies whether exception approval is permitted when the policy is violated. Assignments that cause the policy to be violated can be approved and issued anyway with this. |
|
Exception approvers |
Application role, whose members are entitled to grant exception approval for violations to this company policy.
To create a new application role, click . Enter the application role name and assign a parent application role. |
|
Mail template new violation |
Mail template used to generate an email to inform rule supervisors or exception approvers about new policy violations. |
|
Exception approvers info |
Information, which the exception approver may require for making a decision. This advice should describe the risks and side effects of an exception. |
|
Attestors |
Applications role whose members are authorized to approve attestation cases for company policies and policy violations.
To create a new application role, click . Enter the application role name and assign a parent application role. |
|
Without condition |
Specifies whether the company policy a direct relationship to the One Identity Manager data model or not. If this option is set, the Edit condition... button is disabled.
If the option is not set, a condition must be entered that finds all the objects that violate the policy. |
|
Base table |
Base table referenced by the company policy.
Based on this table, the system determines which objects violate the company policy. |
|
Edit connection... |
Starts the WHERE clause wizard. Use the WHERE clause wizard to set up a condition that finds all the objects in the base table that violate the company policy. Use the Expert view button to enter the condition in SQL syntax straight away. |
|
Condition |
Data query that finds all the objects that violate the company policy. This option is only available if the Show condition task has been run beforehand. |
Detailed information about this topic
Related topics
Risk assessment
Table 12: Configuration parameter for risk assessment
| QER\CalculateRiskIndex |
Preprocessor relevant configuration parameter controlling system components for calculating an employee's risk index. Changes to the parameter require recompiling the database.
If the parameter is enabled, values for the risk index can be entered and calculated. |
You can use One Identity Manager to evaluate the risk of policy violations. To do this, enter a risk index for the company policy. The risk index specifies the risk involved for the company if the company policy is violated. The risk index is given as a number in the range 0 to 1. By doing this you specify whether a policy violation is not considered a risk for the company (risk index = 0) or whether every policy violation poses a problem (risk index = 1).
You can use the Report Editor to assess policy violations depending on the risk index by creating various reports.
To assess the risk of a policy violation enter values for grading company policies on the Assessment criteria tab.
Table 13: Assessment criteria for a rule
| Severity code |
Specifies the impact on the company of violations to this company policy. Use the slider to enter a value between 0 and 1.
0 means no impact
1 means that every policy violation is a problem. |
| Significance |
Provides a verbal description of the impact on the company of violations to this company policy. In the default installation value list is displayed with the entries {NONE, ‘low’, ‘average’, ‘high’, ‘critical’}. |
| Risk index |
Specifies the risk for the company of violations to this company policy. Use the slider to enter a value between 0 and 1.
0 means no risk
1 means every rule violation is a problem.
The field is only visible if the "QER | CalculateRiskIndex" configuration parameter is set. |
| Risk index (reduced) |
Show the risk index taking mitigating controls into account. The risk index for a company policy is reduced by the significance reduction value for all assigned mitigating controls. The risk index (reduced) is calculated for the original company policy. To copy the value to a working copy, run the task Create working copy.
The field is only visible if the "QER | CalculateRiskIndex" configuration parameter is set. The value is calculated by One Identity Manager and cannot be edited. |
| Transparency index |
Specifies how traceable assignments are that are checked by this company policy. Use the slider to enter a value between 0 and 1.
0 means no transparency
1 means full transparency |
| Max. number of rule violations |
Number of policy violations allowed for this company policy. |
Detailed information about this topic
- Mitigating controls
- One Identity Manager Risk Assessment Administration Guide
- Report Editor in the One Identity Manager Configuration Guide
Related topics
Additional data on company policies
You can enter additional comments about the company policy and revision data on the Extended tab.
Table 14: General main data of company policies
| Policy number |
Additional identifier for the company policy. |
| Implementation notes |
Text field for additional explanation. You can use implementation notes to enter explanations about the content of the policy condition, for example. |
| Status |
Status of the company policy with respect to its audit status. |
| Schedule |
Schedule for starting policy checks on a regular basis.
The "Default schedule policies" schedule is assigned by default. You can assign your own schedule. |
Related topics
