Identity Manager 8.1.5 - Compliance Rules Administration Guide

Rule check

To test a rule, processing tasks are created for the DBQueue Processor. For each rule, the DBQueue Processor determines which employees have violated that rule. Follow-up tasks assign the associated rule violation object to employees that have violated a rule. The specified rule approvers can test rule violations and if necessary grant exception approval.

Checking a rule

You can start rule checking in different ways to find the current rule violations in the One Identity Manager database.

  • Scheduled rule checking
  • Automatic rule checking after modifications
  • Ad-hoc rule checking

Only operational rules are checked during rule checking. Disabled rules are not tested. If a rule is violated, the affected employees are assigned the corresponding object for rule violations. You can check all the rules again for these employees. For more information, see Rule check analysis.

In addition to locating existing rule violations, One Identity Manager can also identify potential violations of IT Shop requests and business roles. For more information, see Determining potential rule violations.

Scheduled rule checking

The Compliance rule check schedule is supplied with the One Identity Manager default installation to run a complete check of all rules. This schedule generates processing tasks at regular intervals for the DBQueue Processor.

Prerequisites

  • The rule is enabled.
  • The schedule stored with the rule is enabled.
Detailed information about this topic

Rule checking rule modifications

Table 29: Configuration parameters for rule checking

Configuration parameter                         Meaning if set
QER | ComplianceCheck | CalculateImmediately    Processing tasks for recalculating rule violations are immediately started when relevant changes occur.

A processing task for rule checking is generated the moment an active rule is modified or deleted. All employees are checked to see if they fulfill the affected rule.

When specific changes are made to entitlements, you can immediately queue or schedule the calculation tasks to check the rules. Specify the desired behavior in the "QER | ComplianceCheck | CalculateImmediately" configuration parameter. If the parameter is set, the processing tasks for recalculating rule violations for an employee are immediately queued. If the parameter is not set, the calculation task is started the next time the schedule is planned to run.

To trigger rule checks immediately after relevant changes have been made

  • In the Designer, set the "QER | ComplianceCheck | CalculateImmediately" configuration parameter.

    The processing task for recalculating rule violations for an employee is immediately started when relevant changes occur.

NOTE: This configuration parameter only applies if data changes are relevant. These include:

  • Changes to employee master data
  • Changes to employee assignments (for example, the PersonHasQERResource table)
  • Changes to employees' role memberships
  • Changes to membership in system entitlements (for example, the ADSAccountInADSGroup table)
  • Changes to SAP function matches (the SAPUserInSAPFunction table)