
Identity Manager 8.1.5 - Risk Assessment Administration Guide

Risk assessment

Everyone with IT system authorization in a company represents a security risk for that company. For example, an employee with permission to edit financial data in SAP carries a higher risk than an employee with permission to edit only their own personal data. To quantify the risk, you can enter a risk value for every company resource in One Identity Manager. A risk index is calculated from this value for every employee who is assigned this company resource, directly or indirectly. Company resources include target system entitlements (for example, Active Directory groups or SAP profiles), system roles, subscribable reports, software, and resources. In this way, all employees representing a particular risk to the company can be found.

Rules in the context of Identity Audit can also be given a risk index. Each rule violation can increase the security risk. Therefore, these risk indexes are also included in the employee’s risk calculation. You can define appropriate countermeasures through mitigating controls, and store them with the compliance rules.

Other factors can influence the calculation of employee risk indexes. These include: the type of resource assignment (approved request in the IT Shop or direct assignment), attestations, exception approvals for rule violations, employee responsibilities, and defined weightings. Furthermore, the risk index can be calculated for all business roles, organizations, and system roles that have company resources assigned to them. The user account risk index is calculated based on the system entitlements assigned.

One Identity Manager provides default functions for the risk index calculations described in the following. These are available if the respective module is installed. You can also set up custom functions.

To use risk assessment functionality

  • In the Designer, set the "QER | CalculateRiskIndex" configuration parameter and compile the database.

One Identity Manager users for configuring risk assessment

The following users are used for specifying risk indexes and editing risk index functions.

Table 1: Users

Employee responsible for individual company resources

The users are defined using different application roles for administrators and managers.

Users with these application roles:

  • Specify company resource risk indexes for which you are responsible.

Compliance rules administrators

Administrators must be assigned to the Identity & Access Governance | Identity Audit | Administrators application role.

Users with this application role:

  • Specify the risk indexes for compliance rules.
  • Specify mitigating controls.
  • Create and edit functions.

Administrators for attestation cases

Administrators must be assigned to the Identity & Access Governance | Attestation | Administrators application role.

Users with this application role:

  • Specify risk indexes for attestation policies.
  • Specify mitigating controls.
  • Create and edit functions.

Company policy administrators

Administrators must be assigned to the Identity & Access Governance | Company policies | Administrators application role.

Users with this application role:

  • Specify risk indexes for company policies.
  • Specify mitigating controls.
  • Create and edit functions.

Employee administrators

Administrators must be assigned to the Identity Management | Employees | Administrators application role.

Users with this application role:

  • Create and edit functions.

One Identity Manager administrators

  • Create customized permissions groups for application roles for role-based login to administration tools in the Designer as required.
  • Create system users and permissions groups for non role-based login to administration tools in the Designer as required.
  • Enable or disable additional configuration parameters in the Designer as required.
  • Create custom processes in the Designer as required.
  • Create and configure schedules as required.
  • Create and configure password policies as required.

Defining risk index functions

A risk index can be entered in One Identity Manager for the following object types.

NOTE: Object types are defined in the One Identity Manager modules and are not available until the modules are installed.
Table 2: Risk index for objects in the One Identity Manager

The rows are grouped by application (the risk that the index describes); each row gives Object type | Available in Module.

Risk for the company if target system entitlements are granted:

  • Active Directory groups | Active Directory Module
  • SAP groups, SAP roles, SAP profiles | SAP R/3 User Management Module
  • Structural profiles | SAP R/3 Structural Profiles Add-on Module
  • BI analysis authorizations | SAP R/3 Analysis Authorizations Add-on Module
  • LDAP groups | LDAP Module
  • IBM Notes groups | IBM Notes Module
  • SharePoint groups, SharePoint roles | SharePoint Module
  • E-Business Suite permissions | Oracle E-Business Suite Module
  • Azure Active Directory groups | Azure Active Directory Module
  • G Suite groups | G Suite Module
  • G Suite products and SKUs | G Suite Module
  • UNIX groups | Unix Based Target Systems Module
  • Cloud groups | Cloud Systems Management Module
  • PAM user groups | Privileged Account Governance Module
  • System entitlements in the Unified Namespace | Target System Base Module

Risk for the company if the account definition, software, or resource is assigned to an employee:

  • Software | Software Management Module
  • Account definitions | Target System Base Module

Risk for the company if the resource is assigned to an IT Shop structure:

  • Multi-request resources | always
  • Multi-requestable/unsubscribable resources | always
  • Assignment resources | always

Risk for the company if an employee is a member of this application role:

  • Application roles

Risk for the company if a rule is violated:

  • Compliance rules | Compliance Rules Module

Risk for the company if SAP user accounts match the SAP function:

  • SAP functions | SAP R/3 Compliance Add-on Module

Risk for the company if a company policy is violated:

  • Company policies | Company Policies Module

Risk for the company if an attestation procedure denies approval for an attestation policy:

  • Attestation policies | Attestation Module

Risk for the company if an employee has subscribed to a report:

  • Subscribable reports | Report Subscription Module

To enter a risk index

  1. Open the master data form for the object for which you want to enter the risk index.
  2. Enter the desired value in the Risk index field.

    The risk index is specified as a floating point number in the range 0.0 ... 1.0. This means:

    • 0.0: no risk
    • 1.0: problem; risk involved

Calculating risk index functions

One Identity Manager calculates the resulting risk indexes for employees, user accounts, and hierarchical roles based on the risk indexes already stored. All directly and indirectly assigned objects are taken into account.

The risk index is calculated for the following object types.

Table 3: Object types with a calculated risk index

The rows are grouped by how the index is calculated; each row gives Object type | Available in Module.

Calculated from the risk indexes of all associated user accounts, directly and indirectly assigned software applications, resources, account definitions, and subscribable reports, membership in application roles, and rule violations:

  • Employees

Calculated from the risk indexes of all assigned target system entitlements:

  • Active Directory user accounts | Active Directory Module
  • SAP user accounts | SAP R/3 User Management Module
  • BI user accounts | SAP R/3 Analysis Authorizations Add-on Module
  • LDAP user accounts | LDAP Module
  • IBM Notes user accounts | IBM Notes Module
  • SharePoint user accounts | SharePoint Module
  • E-Business Suite user accounts | Oracle E-Business Suite Module
  • Azure Active Directory user accounts | Azure Active Directory Module
  • G Suite user accounts | G Suite Module
  • UNIX user accounts | Unix Based Target Systems Module
  • Cloud user accounts | Cloud Systems Management Module
  • PAM user accounts | Privileged Account Governance Module
  • User accounts | Target System Base Module

Calculated from the risk indexes of all assigned company resources:

  • Departments, locations, cost centers
  • Business roles | Business Roles Module
  • System roles | System Roles Module
  • IT Shop structures

Determined by the risk index of the violated rule and the assigned mitigating control:

  • Rule violations | Compliance Rules Module

NOTE: If you work with the Data Governance Edition, you can also specify and calculate risk indexes for data under governance. These are included in the employee’s risk index calculation. For more information, see the Data Governance User Guide.

One Identity Manager supplies default functions for the risk indexes, with risk functions defined for the object types listed here. Certain properties of the default functions can be edited in One Identity Manager. Furthermore, you can create custom functions.
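The calculation described in this section, as an added worked example in Python. This is not One Identity Manager code and does not reproduce its default functions: the aggregation rule (the resulting index is the maximum over all contributions), the top-down inheritance of a parent role's resources by its child roles, and the way a mitigating control lowers a violated rule's index by a fixed amount are assumptions chosen for illustration, and the sample resources, roles, employees, and rule are constructed. What it shows is how a stored index in the range 0.0 ... 1.0 on a company resource or rule propagates through direct and indirect assignments to a role or employee, and which assignment or violation ends up driving an employee's resulting index.

```python
# Added example (not One Identity Manager code): a small model of how a
# resulting risk index is derived from the risk indexes stored on objects.
# The product's default functions are configurable, so the aggregation used
# here is an ASSUMPTION for illustration: the resulting index is the maximum
# over all contributions, child roles inherit their parent roles' resources,
# and a mitigating control subtracts a fixed amount from a violated rule's index.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def validate_risk_index(value: float) -> float:
    """Stored risk indexes are floating point numbers in 0.0 ... 1.0."""
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"risk index {value!r} outside 0.0 ... 1.0")
    return float(value)


@dataclass
class Resource:
    """A company resource: target system entitlement, software, report, ..."""
    name: str
    risk_index: float

    def __post_init__(self) -> None:
        self.risk_index = validate_risk_index(self.risk_index)


@dataclass
class Role:
    """Hierarchical role (department, business role, ...). Assumption: a child
    role inherits the resources assigned to its parent roles (top-down)."""
    name: str
    resources: List[Resource] = field(default_factory=list)
    parent: Optional["Role"] = None

    def all_resources(self) -> List[Resource]:
        inherited = self.parent.all_resources() if self.parent else []
        return self.resources + inherited


@dataclass
class RuleViolation:
    rule_name: str
    rule_risk_index: float
    mitigating_control: float = 0.0  # assumed: amount subtracted from the rule's index

    def risk_index(self) -> float:
        return max(0.0, validate_risk_index(self.rule_risk_index) - self.mitigating_control)


@dataclass
class Employee:
    name: str
    roles: List[Role] = field(default_factory=list)
    direct_resources: List[Resource] = field(default_factory=list)
    violations: List[RuleViolation] = field(default_factory=list)


def role_risk_index(role: Role) -> float:
    """Risk index of a hierarchical role: maximum over directly and indirectly
    (inherited) assigned company resources; 0.0 when nothing is assigned."""
    return max((r.risk_index for r in role.all_resources()), default=0.0)


def employee_contributions(emp: Employee) -> List[Tuple[str, float]]:
    """(source, risk index) pairs that feed the employee's resulting index."""
    contributions = [(f"resource:{r.name}", r.risk_index) for r in emp.direct_resources]
    contributions += [(f"role:{role.name}", role_risk_index(role)) for role in emp.roles]
    contributions += [(f"violation:{v.rule_name}", v.risk_index()) for v in emp.violations]
    return contributions


def employee_risk_index(emp: Employee) -> float:
    return max((value for _, value in employee_contributions(emp)), default=0.0)


def top_contributor(emp: Employee) -> str:
    """Which assignment or violation drives the employee's resulting index."""
    return max(employee_contributions(emp), key=lambda c: c[1], default=("none", 0.0))[0]


# Constructed sample data (not from any real installation).
SAP_FI_EDIT = Resource("SAP profile: edit financial data", 0.9)
AD_STAFF = Resource("AD group: All-Staff", 0.2)
PAYROLL_REPORT = Resource("Subscribable report: payroll", 0.6)
SELF_SERVICE = Resource("Resource: self-service portal", 0.1)

COMPANY = Role("Company", resources=[AD_STAFF])
FINANCE = Role("Finance", resources=[SAP_FI_EDIT], parent=COMPANY)
SALES = Role("Sales", parent=COMPANY)

SOD_RULE = "SoD: posting and approving invoices"
ALICE = Employee("alice", roles=[FINANCE], direct_resources=[PAYROLL_REPORT],
                 violations=[RuleViolation(SOD_RULE, 0.8, mitigating_control=0.4)])
BOB = Employee("bob", roles=[SALES], direct_resources=[SELF_SERVICE])
CAROL = Employee("carol", roles=[SALES], violations=[RuleViolation(SOD_RULE, 0.8)])

if __name__ == "__main__":
    for emp in (ALICE, BOB, CAROL):
        print(f"{emp.name}: {employee_risk_index(emp):.1f} (driven by {top_contributor(emp)})")
```

Running the block prints one line per employee. Alice inherits the high-risk SAP profile through the Finance role, so that role, not her directly assigned payroll report or her mitigated rule violation, drives her index; Carol holds only low-risk entitlements, and it is the unmitigated rule violation that raises hers. The `top_contributor` view is the part a practitioner usually wants next to the number, because it tells you whether to look at an entitlement, a role, or a compliance rule when reducing the risk.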
