One Identity Manager provides predefined standard reasons. These are added to the policy violation by One Identity Manager during automatic approval. You can use the usage type to specify which standard reasons can be selected in the Web Portal.
To change the usage type
-
In the Manager, select the Identity Audit > Basic configuration data > Standard reasons > Predefined category.
-
Select the standard reason whose usage type you want to change.
-
Select the Change main data task.
-
In the Usage type menu, set all the actions where you want to display the standard reason in the Web Portal.
Unset all the actions where you do not want to display the default reason.
- Save the changes.
Related topics
You can define rules for maintaining and monitoring regulatory requirements in a rule base. A rule in One Identity Manager not only contains a technical description but also properties such as rule violation level, owner, manager, or audit information. The rules can be also classified into categories (Compliance frameworks) and rule groups.
Once you have added a rule, an associated object for rule violations is added in the database. Everyone who violates the rule is added to this object.
A working copy is added to the database for every rule. Edit the working copies to create rule and change them. Changes to the rule do not take effect until the working copy is enabled.
NOTE: One Identity Manager users with the Identity & Access Governance | Identity Audit | Rule supervisors application role can edit existing rules if they are entered as a rule supervisor in the general data.
To create a new rule
-
In the Manager, select the Identity Audit > Rules category.
-
Click in the result list.
-
Enter the main data of the rule.
-
Save the changes.
This adds a working copy.
-
Select the Enable working copy task. Confirm the security prompt with OK.
This adds an enabled rule in the database. The working copy is retained and can be used to make changes later.
To edit an existing rule
- In the Manager, select the Identity Audit > Rules category.
-
Select the rule in the result list.
-
Select the Create working copy task.
The data from the existing working copy are overwritten by the data from the original rule after a prompt. This opens the working copy and you can edit it.
- OR -
In the Manager, select the Identity Audit > Rules > Working copies of rules category.
-
Select a working copy in the result list.
-
Select the Change main data task.
-
Edit the working copy's main data.
-
Save the changes.
-
Select the Enable working copy task. Confirm the security prompt with OK.
Changes to the working copy are transferred to the rule. This reenables a disabled rule on demand.
Enter the following main data of a rule.
Table 12: Setting up a rule
Rule |
Name for the rule.
A new objects for rule violations is added automatically with this name when a new rule is created.
NOTE: If you rename compliance rules, the name of the associated rule violation is not changed. |
Description |
Text field for additional explanation. |
Main version number |
Current revision of the rule as a version number. The version number is incremented in the One Identity Manager default installation each time you make a change to the rule condition. |
Working copy |
Specifies whether this is a working copy. |
Disabled |
Specifies whether the rule is disabled.
Only enabled rules are taken into account by rule checking. Use the tasks Enable rule or Disable rule to enable or disable a rule. The working copy rule is always disabled. |
Rule group |
Rule group to which the rule belongs in terms of content. Select a role group from the menu. To create a new rule group, click . Enter a name and description for the rule group. |
Rule supervisors |
Application role whose members are responsible for the rule in terms of content.
To create a new application role, click . Enter the application role name and assign a parent application role. |
Exception approval allowed |
Specifies whether exception approval is permitted when the rule is violated. Assignments or requests that cause the rule to be violated can be approved and issued anyway with this. |
Exception approver |
Application role, whose members are entitled to grant exception approval for violations to this rule.
To create a new application role, click . Enter the application role name and assign a parent application role. |
Mail template new violation |
Mail template used to generate an email to inform rule supervisors or exception approvers about new rule violations. |
Exception approval info |
Information, which the exception approver may require for making a decision. This advice should describe the risks and side effects of an exception. |
Max. days valid |
Time period for limiting exception approvals. Enter the number for which days the exception approval applies. When the validity period expires, the exception approvals are automatically lifted. |
Attestors |
Applications role whose members are authorized to approve attestation cases for compliance rules and rule violations.
To create a new application role, click . Enter the application role name and assign a parent application role.
NOTE: This property is available if the Attestation Module is installed. |
Functional area |
Functional area relevant to the rule. |
Department |
Department relevant to the rule. |
Rule for cyclic testing and risk assessment in the IT Shop. |
Specifies whether the rule is taken into account by risk assessment of IT Shop requests.
This option is only visible if the QER | ComplianceCheck | SimpleMode | NonSimpleAllowed configuration parameter is set. |
Rule only for cyclical testing |
Specifies whether the rule is only taken into account by cyclical testing.
This option is only visible if the QER | ComplianceCheck | SimpleMode | NonSimpleAllowed configuration parameter is set. |
Condition |
Conditions, which result in a rule violation. Use the Rule Editor to enter the conditions. |
Detailed information about this topic
Related topics