Sun Identity Manager 8.1 Business Administrator's Guide

Chapter 15 Auditing: Monitoring Compliance

This chapter describes how to conduct audit reviews and implement practices that help you manage compliance with federally mandated regulations.

In this chapter, you will learn about the following concepts and tasks:

Audit Policy Scans and Reports

This section provides information about audit policy scans, and provides procedures for running and managing audit scans.

Scanning Users and Organizations

A scan runs selected audit policies on individual users or organizations. You might want to scan a user or organization for a specific violation or execute policies not assigned to the user or organization. Launch scans from the Accounts area of the interface.

Note –

You can also launch or schedule an audit policy scan from the Server Tasks tab.

ProcedureTo Scan a User Account or Organization

  1. In the Administrator interface, select Accounts from the main menu.

  2. In the Accounts list, perform one of these actions:

    1. Select one or more users, and then select Scan from the User Actions options list.

    2. Select one or more organizations and then select Scan from the Organization Actions options list.

      The Launch Task dialog displays. Figure 15–1 is an example of the Launch Task page for an audit policy user scan.

      Figure 15–1 Launch Task Dialog

      Figure showing the Launch Task dialog

  3. Enter a title for the scan in the Report Title field. (required)

  4. Specify the remaining options.

    These options include:

    • Report Summary: Enter a description for the scan.

    • Add Policies: Select one or more audit policies to run. You must specify at least one policy.

    • Policy Mode: Select a policy mode, which determines how the selected policies interact with users who already have policy assignments. Assignments can come directly from the user or from the organization to which the user is assigned.

    • Do not create violations: Enable this box if you want audit policies evaluated and violations reported, but do not want compliance violations to be created or updated, and do not want remediation workflows to be executed. Task results from the scan do show which violations would have been created, making this option useful when testing audit policies.

    • Execute Remediation Workflow?: Enable this box to run the remediation workflow assigned in the audit policy. If the audit policy does not define a remediation workflow, no remediation workflow will run.

    • Violation Limit: Edit this box to set the maximum number of compliance violations that can be emitted by the scan before it aborts. This value is a safeguard to limit risk when running an audit policy that may be overly aggressive in its checks. An empty value means no limit is set.

    • Email Report: Enable this box to specify recipients for the report. You might also have Identity Manager attach a file containing a report in CSV (comma-separated values) format.

    • Override default PDF options: Enable this box to override the default PDF options.

  5. Click Launch to begin the scan.

    To view the reports resulting from an audit scan, view the Auditor Reports.

Working with Auditor Reports

Identity Manager provides a number of Auditor Reports. The following table describes these reports.

Table 15–1 Auditor Reports Descriptions

Auditor Report Type 


Access Review Coverage 

Shows the overlap or differences among the users that are implied by the selected access reviews. Because most access reviews have a user scope that is specified by a query or some membership operation, the exact set of users is expected to change over time. This report can show the overlap, differences, or both, between users specified by two different access reviews (to see if the reviews are going to be efficient in operation); between entitlements generated by two different access reviews (so you can see if the coverage changes over time); or between users and entitlements (so you can see if the entitlements were generated for all users scoped by the review. 

Access Review Detail 

Shows the current status of all user entitlement records. This report can be filtered by a user’s organization, Access Review and Access Review Instance, state of an entitlement record, and attestor. 

Access Review Summary 

Provides summary information about all access reviews. It summarizes the status of users scanned, policies scanned, and attestation activities for each access review scan listed. 

Access Scan User Scope Coverage 

Compares selected scans to determine which users are included in the scan scope. It shows the overlap (users included in all scans) or difference (users not included in all scans, but included in more than one). This report is useful when trying to organize multiple access scans to cover the same or different users, depending on the needs of the scan. 

Audit Policy Summary 

Summarizes the key elements of all audit policies, including the rules, remediators, and workflow for each policy. 

Audited Attribute 

Shows all audit records indicating a change of a specified resource account attribute. 

This report mines the audit data for any auditable attributes that have been stored. It will mine the data based on any extended attributes, which can be specified from WorkflowServices or resource attributes marked as auditable. For information on configuring this report, see Configuring the Audited Attribute Report.

Audit Policy Violation History 

Graphical view of all compliance violations per policy that were created during a specified period of time. This report can be filtered by policy, and grouped by day, week, month, or quarter. 

User Access 

Shows the audit record and user attributes for a specified user. 

Organization Violation History 

Graphical view of all compliance violations per resource, that were created during a specific period of time. Can be filtered by organization, and grouped by day, week, month, or Quarter. 

Resource Violation History 

Graphical view of all compliance violations per resource that were created during the specified time range. 

Separation of Duties 

Shows separation of duties violations arranged in a conflicts table. Using a Web-based interface, you can access additional information by clicking the links. 

This report can be filtered by organization, and grouped by day, week, month, or quarter. 

Violation Summary 

Shows all current compliance violations. This report can be filtered by remediator, resource, rule, user, or policy 

The reports are available from the Reports tab in the Identity Manager interface.

Note –

The RULE_EVAL_COUNT value equals the number of rules that were evaluated during a policy scan. This value is sometimes included in reports.

Identity Manager calculates the RULE_EVAL_COUNT value as follows:

# of users scanned x (# of rules in policy + 1)

The +1 is included in the calculation because Identity Manager also counts the policy rule, which is the rule that actually decides if a policy is violated. The policy rule inspects the audit rule results, and performs the boolean logic to come up with a policy result.

For example, if you have Policy A with three rules and Policy B with two rules, and you scanned ten users, the RULE_EVAL_COUNT value equals 70 because

10 users x (3 + 1 + 2 + 1 rules)

Creating an Auditor Report

To run a report, you must first create the report template. You can specify various criteria for the report, including specifying email recipients to receive the report results. After a report template has been created and saved, it is available from the Run Reports page.

The following figure shows an example of the Run Reports page with a list of defined Auditor Reports.

Figure 15–2 Run Reports Page Selections

Figure showing an example Run Reports page with a list
of defined Auditor Reports

ProcedureTo Create an Auditor Report

  1. In the Administrator interface, click Reports in the main menu.

    The Run Reports page opens.

  2. Select Auditor Reports for the report type.

  3. In the New list of reports, select a report.

    The Define a Report page appears. The fields and layout of the report dialog varies for each type of report. Refer to Identity Manager Help for information about specifying the report criteria.

    After entering and selecting report criteria, you can:

    • Run the report without saving.

      Click Run to start running the report. Identity Manager does not save the report (if you defined a new report) or the changed report criteria (if you edited an existing report).

    • Save the report.

      Click Save to save the report. After it is saved, you can run the report from the Run Reports page (the list of reports). After running a report from the Run Reports page, you can view the output immediately or at a later time from the View Reports tab.

    For information about scheduling a report, see Scheduling Reports.

Configuring the Audited Attribute Report

The Audited Attribute Report (see Table 15–1) can report attribute-level changes to Identity Manager users and accounts. Standard audit logging, however, does not generate enough audit log data to support a full query expression.

Standard audit logging does write the changed attributes to the acctAttrChanges field in the audit log, but the changed attributes are written in a way that the report query can only match records based on the changed attribute’s name. The report query cannot accurately match the attribute’s value.

You can configure this report to match records containing changes to the attribute lastname, by specifying the following parameters:

Attribute Name = ’acctAttrChanges’
Condition = ’contains’
Value = ’lastname’

Note –

Using Condition=’contains’ is necessary because of the way data is stored in the acctAttrChanges field. This field is not multi-valued. Essentially, it is a data structure that contains the before/after values of all changed attributes in the form attrname=value. Consequently, the preceding settings allow the report query to match any instances of lastname=xxx.

It is also possible to capture only those audit records that have a specific attribute with a specific value. To do this, follow the procedure in the Configuring the Audit Tab section. Select the Audit entire workflow checkbox, click the Add Attribute button to select the attributes you want to record for reporting purposes, and click Save.

Next, enable the task template configuration (if it is not already enabled). To do this, follow the procedure in the Enabling the Task Templates section. Do not change the default value in the Selected Process Types list, just click Save.

The workflow can now provide audit records that are suitable for matching both the attribute name and the value. Although turning on this level of auditing provides much more information, be aware that there is a significant performance cost and your workflows will run slower.

Compliance Violation Remediation and Mitigation

This section describes how to use Identity Manager Remediation to protect your critical assets.

The following topics discuss elements of the Identity Manager Remediation process:

About Remediation

When Identity Manager detects an unresolved (not mitigated) audit policy compliance violation, it creates a remediation request, which must be addressed by a remediator A remediator is a designated user who is allowed to evaluate and respond to audit policy violations.

Remediator Escalation

Identity Manager allows you to define three levels of remediator escalation. Remediation requests are initially sent to Level 1 remediators. If a Level 1 remediator does not act on a remediation request before the timeout period expires, Identity Manager escalates the violation to the Level 2 remediators and begins a new timeout period. If a Level 2 remediator does not respond before the timeout period expires, then the request is escalated once again to the Level 3 remediator.

To perform remediation, you must designate at least one remediator for your enterprise. Specifying more than one remediator for each level is optional, but recommended. Multiple remediators help ensure workflow is not delayed or halted.

Remediation Security Access

These authorization options are for work items of authType RemediationWorkItem.

By default, the behavior for authorization checks is one of the following:

The second and third checks are independently configurable by modifying these options:

These options can be added or modified in the following:

UserForm: Remediation List

Remediation Workflow Process

Identity Manager provides the Standard Remediation Workflow to provide remediation processing for Audit Policy scans.

The Standard Remediation Workflow generates a remediation request (a review-type work item) containing information about the compliance violation and sends an email notification to each Level 1 remediator named in the audit policy. When a remediator mitigates the violation, the workflow changes the state of, and assigns an expiration to, the existing compliance violation object.

A compliance violation is uniquely identified by the combination of the user, policy name, and rulename. When an audit policy evaluates to true, a new compliance violation is created for each user/policy/rule combination, if an existing violation for this combination does not already exist. If a violation does exist for the combination, and the violation is in a mitigated state, then the workflow process takes no action. If the existing violation is not mitigated, then its recurrent count is incremented.

For more information about remediation workflows, see About Audit Policies.

Remediation Responses

By default, three response options are given to each remediator:

Remediation Example

Your enterprise establishes a rule in which a user cannot be responsible for both Accounts Payable and Accounts Receivable, and you receive notice that a user is violating this rule.

Remediation Email Template

Identity Manager provides a Policy Violation Notice email template (available by selecting the Configuration tab, then the Email Templates subtab. You can configure this template to notify remediators of pending violations. For more information, see Customizing Email Templates in Chapter 4, Configuring Business Administration Objects.

Working with the Remediations Page

Select Work Items -> Remediations to access the Remediations page.

You can use this page to:

Viewing Policy Violations

You can use the Remediations page to view details about violations before taking action on them.

Depending on your capabilities or place in the Identity Manager capabilities hierarchy, you may be able to view and take action on violations for other remediators.

The following topics are related to viewing violations:

Viewing Pending Requests

Pending requests assigned to you are, by default, displayed in the Remediation table.

You can use the List Remediations for option to view pending remediation requests for a different remediator:

The resulting table provides the following information about each request:

Note –

Each user can choose a custom form that displays remediation data relevant to that particular remediator. To assign a custom form, select the Compliance tab on the user form.

Viewing Completed Requests

To view your completed remediation requests, click the My Work Items tab, and then click the History tab. A list of previously remediated work items displays.

The resulting table (which is generated by an AuditLog report) provides the following information about each remediation request:

Clicking a timestamp in the table opens an Audit Events Details page.

The Audit Events Details page provides information about the completed request, including information about the remediation or mitigation, event parameters (if applicable), and auditable attributes.

Updating the Table

To update the information provided in the Remediations table, click Refresh. The Remediation page updates the table with any new remediation requests.

Prioritizing Policy Violations

You can prioritize policy violations by assigning them a priority, severity, or both. Prioritize violations from the Remediations page.

ProcedureTo Edit the Priority or Severity for Violations

  1. Select one or more violations in the list.

  2. Click Prioritize.

    The Prioritize Policy Violations page appears.

  3. Optionally set a severity for the violation. Selections are None, Low, Medium, High, or Critical.

  4. Optionally set a priority for the violation. Selections are None, Low, Medium, High, or Urgent.

  5. Click OK when you have finished making selections. Identity Manager returns to the list of remediations.

    Note –

    Severity and priority values can be set only on remediations of type CV (Compliance Violation).

Mitigating Policy Violations

You can mitigate policy violations from the Remediations and Review Policy Violations pages.

From the Remediations Page

ProcedureTo Mitigate Pending Policy Violations From the Remediations Page

  1. Select rows in the table to specify which requests to mitigate.

    • Enable one or more individual options to specify requests to be mitigated.

    • Enable the option in the table header to mitigate all requests listed in the table.

    Identity Manager allows you to enter only one set of comments to describe a mitigation action. You may not want to perform a bulk mitigation unless the violations are related and a single comment will suffice.

    You can mitigate only those requests that include compliance violations. Other remediation requests cannot be mitigated.

  2. Click Mitigate.

    The Mitigate Policy Violation page (or Mitigate Multiple Policy Violations page) appears.

    Figure 15–3 Mitigate Policy Violation Page

    Figure showing the Mitigate Multiples Policy Violations

  3. Enter comments about the mitigation into the Explanation field. (required)

    Your comments provide an audit trail for this action, so be sure to enter complete and meaningful information. For example, explain why you are mitigating the policy violation, the date, and why you chose the exemption period.

  4. Provide an expiration date for the exemption by typing the date (in the format YYYY-MM-DD) directly into the Expiration Date field, or by clicking the date button and selecting a date from the calendar.

    Note –

    If you do not provide a date, the exemption is valid indefinitely.

  5. Click OK to save your changes and return to the Remediations page.

Remediating Policy Violations

ProcedureTo Remediate One or More Policy Violations

  1. Use the check boxes in the table to specify which requests to remediate.

    • Enable one or more individual check boxes in the table to specify requests to remediate.

    • Enable the check box in the table header to remediate all requests listed in the table.

      If selecting more than one request, keep in mind that Identity Manager allows you to enter only one set of comments to describe a remediation action. You may not want to perform a bulk remediation unless the violations are related and a single comment will suffice.

  2. Click Remediate.

  3. The Remediate Policy Violation page (or Remediate Multiple Policy Violations page) displays.

  4. Enter your comments about the remediation into the Comments field.

  5. Click OK to save your changes and return to the Remediations page.

    Note –

    Audit policies that are directly assigned to a user (who is assigned through a user account or an organization assignment) are always re-evaluated when a violation for that user is remediated.

Forwarding Remediation Requests

You can forward one or more remediation requests to another remediator.

ProcedureTo Forward Remediation Requests

  1. Use the check boxes in the table to specify which requests to forward.

    • Enable the check box in the table header to forward all requests listed in the table.

    • Enable individual check boxes in the table to forward one or more requests.

  2. Click Forward.

    The Select and Confirm Forwarding page appears.

    Figure 15–4 Select and Confirm Forwarding Page

    Figure showing the Select and Confirm Forwarding page

  3. Enter a remediator name in the Forward to field, and then click OK. Alternatively, you can click ... (More) to search for a remediator name. Select a name from the search list, and then click Set to enter that name in the Forward to field. Click Dismiss to close the search area.

    When the Remediations page reappears, the new remediator’s name displays in the Remediator column of the table.

Editing a User from a Remediation Work Item

From a remediation work item, you can (with appropriate user editing capabilities) edit a user to remediate problems (as described in the associated entitlement history).

To edit a user, click Edit User from the Review Remediation Request page. The displayed Edit User page shows:

After making changes to the user, click Save.

Note –

Saving user edits causes the Update User workflow to run. Because this workflow may have approvals, it is possible that the changes to the user accounts are not in effect for a period of time after the save. If the audit policy allows re-scans, and the Update User workflow has not completed, then the subsequent policy scan may detect the same violation.

Periodic Access Reviews and Attestation

Identity Manager provides a process for conducting access reviews that enable managers or other responsible parties to review and verify user access privileges. This process helps to identify and manage user privilege accumulation over time, and helps to maintain compliance with Sarbanes-Oxley, GLBA, and other federally regulated mandates.

Access reviews can be performed as needed or scheduled to occur periodically. such as every calendar quarter, enabling you to conduct periodic access reviews to maintain the correct level of user privileges. An access review can optionally include audit policy scans.

About Periodic Access Reviews

Periodic access review is the periodic process of attesting that a set of employees has the appropriate privileges on the appropriate resources at a specific point in time.

A periodic access review involves the following activities:

A user entitlement is a detailed record of a user’s accounts on a specific set of resources.

Access Review Scans

To initiate a periodic access review, you must first define at least one access scan.

The access scan defines who will be scanned, which resources will be included in the scan, any optional audit policies to be evaluated during the scan, and rules to determine which entitlement records will be manually attested, and by whom.

Access Review Workflow Process

In general, the Identity Manager access review workflow:

See Access Review Remediation for a description of the remediation capabilities.

Required Administrator Capabilities

To conduct a periodic access review and manage the review processes, a user must have the Auditor Periodic Access Review Administrator capability. A user with Auditor Access Scan Administrator capability can create and manage access scans.

To assign these capabilities, edit the user account and modify the security attributes. For more information about these and other capabilities, see Understanding and Managing Capabilities in Chapter 6, Administration.

Attestation Process

Attestation is the certification process performed by one or more designated attestors to confirm a user entitlement as it exists on a specific date. During an access review, the attestor (or attestors) receives notice of the access review attestation requests through email notification. An attestor must be an Identity Manager user, but is not required to be an Identity Manager administrator.

Attestation Workflow

Identity Manager uses an attestation workflow that is launched when an access scan identifies entitlement records requiring review. The access scan makes this determination based on the rules defined in the access scan.

A rule evaluated by the access scan determines if the user entitlement record needs to be manually attested, or if it can be automatically approved or rejected. If the user entitlement record needs to be manually attested, then the access scan uses a second rule to determine who the appropriate attestors are.

Each user entitlement record to be manually attested is assigned to a workflow, with one work item per attestor. Notification to the attestor of these work items can be sent using a ScanNotification workflow that bundles the items into one notification, per attestor, per scan. Unless the ScanNotification workflow is selected, notification will be per user entitlement. This means an attestor could receive multiple notifications per scan, and possibly a large number depending on the number of users scanned.

Attestation Security Access

These authorization options are for work items of authType AttestationWorkItem:

By default, the behavior for authorization checks is one of the following:

The second and third checks are independently configurable by modifying these form properties:

The integer value for lastLevel defaults to -1, meaning direct and indirect subordinates.

You can add or modify these options in the following:

UserForm: AccessApprovalList.

Note –

If you set security on attestations to organization-controlled, then the Auditor Attestor capability is also required to modify another user’s attestations.

Delegated Attestation

By default, the access scan workflow respects delegations, for work items of type Access Review Attestation and Access Review Remediation, created by users for attestation work items and notifications. The access scan administrator may deselect the Follow Delegation option to ignore delegation settings. If an attestor has delegated all work items to another user but the Follow Delegation option is not set for an access review scan, then the attestor, not the user to which delegations have been assigned, will receive attestation request notifications and work items.

Planning for a Periodic Access Review

An access review can be a labor- and time-intensive process for any business enterprise. The Identity Manager periodic access review process helps minimize the cost and time involved by automating many parts of the process. However, some of the processes still are time-consuming. For example, the process of fetching user account data from a number of locations for thousands of users can take a considerable amount of time. The act of manually attesting records can be time-consuming as well. Proper planning improves the efficiency of the process and greatly reduces the effort involved.

Planning for a periodic access review involves the following considerations:

Tuning Scan Tasks

During the scan process, multiple threads access the user’s view, potentially accessing resources on which the user has accounts. After the view is accessed, multiple audit policies and rules are evaluated, which may result in the creation of compliance violations.

To prevent two threads from updating the same user view at the same time, the process establishes an in-memory lock on the user name. If this lock cannot be established in (by default) 5 seconds, then an error is written to the scan task and the user is skipped, thus providing protection for concurrent scans that are processing the same set of users.

You can edit the values of several “tunable parameters” that are provided as task arguments to the scan task:

To change the values of these parameters, edit the corresponding Task Definition form. For more information, see Chapter 3, Identity Manager Forms, in Sun Identity Manager Deployment Reference.

Creating an Access Scan

ProcedureTo Define the Access Review Scan

  1. Select Compliance -> Manage Access Scans.

  2. Click New to display the Create New Access Scan page.

  3. Assign a name to the access scan.

    Note –

    Access scan names must not contain these characters:

    ’ (apostrophe), . (period), | (pipe), [ (left bracket), ] (right bracket), , (comma), : (colon), $ (dollar sign), “ (double quote), \ (backslash), or = (equals sign)

    Also, avoid using these characters: _ (underscore), % (percent-sign), ^ (caret), and * (asterisk)

  4. Add a description that is meaningful in identifying the scan (optional).

  5. Enable the Dynamic entitlements option to give attestors additional options.

    These options include:

    • A pending attestation can be immediately re-scanned to refresh the entitlement data and reevaluate the need for attestation.

    • A pending attestation can be routed to another user for remediation. Following remediation, the entitlement data is refreshed and reevaluated to determine the need for attestation.

  6. Specify the User Scope Type (required).

    Choose from the following options:

    • According to attribute condition rule. Scan users according to a selected User Scope Rule.

      Identity Manager provides these default rules:

      • All Administrators

        Note –

        You can add user scoping rules by using the Identity Manager IDE. For information about the Identity Manager IDE, go to

      • All My Reports

      • All Non-Administrators

      • My Direct Reports

      • Users without a Manager

    • Assigned to resources. Scan all users that have an account on one or more selected resources. When you choose this option, the page displays the User Scope Resources, which lets you specify resources.

    • According to a specific role. Scan all members who have at least one role, or who have all the roles, that you specify.

    • Members of Organizations. Choose this option to scan all members of one or more selected organizations.

    • Reports to managers. Scan all users reporting to selected managers. Manager hierarchy is determined by the Identity Manager attribute of the user’s Lighthouse account.

      If the user scope is organization or manager, then the Recursive Scope option is available. This option allows for user selection to occur recursively through the chain of controlled members.

  7. If you choose also to scan audit policies to detect violations during the access review scan, select the audit policies to apply to this scan by moving your selections from Available Audit Policies to the Current Audit Policies list.

    Adding audit policies to an access scan results in the same behavior as performing an audit scan over the same set of users. However, in addition, any violations detected by the audit policies are stored in the user entitlement record. This information can make automatic approval or rejection easier, because the rule can use the presence or absence of violations in the user entitlement record as part of its logic.

  8. If you scanned audit policies in the preceding step, you can use the Policy mode option to specify how the access scan determines which audit policies to execute for a given user. A user can have policies assigned both at the user level and/or at the organization level. The default access scan behavior is to apply the policies specified for the access scan only if the user does not already have any assigned policies.

    1. Apply select policies and ignore other assignments

    2. Apply selected policies only if user does not already have assignments

    3. Apply selected policies in addition to user assignments

  9. (Optional) Specify the Review Process Owner. Use this option to specify an owner of the access review task being defined. If a Review Process Owner is specified, then an attestor who encounters a potential conflict in responding to an attestation request can abstain in lieu of approving or rejecting a user entitlement and the attestation request is forwarded to the Review Process Owner. Click the selection (ellipsis) box to search the user accounts and make your selection.

  10. Follow delegation. Select this option to enable delegation for the access scan. The access scan will only honor delegation settings if this option is checked. Follow Delegation is enabled by default.

  11. Restrict target resources. Select this option to restrict scanning to targeted resources.

    This setting has a direct bearing on the efficiency of the access scan. If target resources are not restricted, each user entitlement record will include account information for every resource the user is linked to. This means that during the scan every assigned resource is queried for each user. By using this option to specify a subset of the resources, you can greatly reduce the processing time required for Identity Manager to create user entitlement records.

  12. Execute Violation Remediation. Select this option to enable the audit policy’s remediation workflow when a violation is detected.

    If this option is selected, then a violation detected for any of the assigned audit policies will result in the respective audit policy’s remediation workflow being executed.

    Typically, this option should not be selected except for advanced cases.

  13. Access Approval Workflow. Select the default Standard Attestation workflow or select a customized workflow if available.

    This workflow is used to present the user entitlement record for review to the appropriate attestors (as determined by the attestor rule). The default Standard Attestation Workflow creates one work item for each attestor. If the access scan specifies escalation, this workflow is responsible for escalating work items that have been dormant too long. If no workflow is specified, the user attestation will remain in the pending state indefinitely.


    Note –

    For more information about the Identity Auditor rules mentioned in this step and the following steps, see Chapter 5, Working with Rules, in Sun Identity Manager Deployment Reference.

  14. Attestor Rule. Select the Default Attestor rule, or select a customized attestor rule if available.

    The attestor rule is given the user entitlement record as input, and returns a list of attestor names. If Follow Delegation is selected, the access scan transforms the list of names to the appropriate users following the delegation information configured by each user in the original list of names. If an Identity Manager user’s delegation results in a routing cycle, then the delegation information is discarded, and the work item is delivered to the initial attestor. The Default Attestor rule indicates that the attestor should be the manager (idmManager) of the user that the entitlement record represents, or the Configurator account if that user’s idmManager is null. If attestation needs to involve resource owners as well as managers, you must use a custom rule. .

  15. Attestor Escalation Rule. Use this option to specify the Default Escalation Attestor rule, or select a customized rule if available. You can also specify the Escalation Timeout value for the rule. The default escalation timeout value is 0 days.

    This rule specifies the escalation chain for a work item that has passed the Escalation Timeout period. The Default Escalation Attestor rule escalates to the assigned attestor’s manager (idmManager), or to Configurator if the attestor’s idmManager value is null.

    You can specify the Escalation Timeout value in minutes, hours, or days.

    The book contains additional information about the Attestor Escalation Rule.

  16. Review Determination Rule. (required)

    Select one of the following rules to specify how the scan process will determine the disposition of an entitlement record:

    • Reject Changed Users. Automatically rejects a user entitlement record if it is different than the last user entitlement from the same access scan definition and the last user entitlement was approved. Otherwise, forces manual attestation and approves all user entitlements that are unchanged from the previously approved user entitlement. By default, only the “accounts” portion of the user view is compared for this rule.

    • Review Changed Users. Forces manual attestation for any user entitlement record if it is different than the last user entitlement from the same access scan definition and the last user entitlement was approved. Approves all user entitlements that are unchanged from the previously approved user entitlement. By default, only the “accounts” portion of the user view is compared for this rule.

    • Review Everyone. Forces manual attestation for all user entitlement records.

    The Reject Changed Users and Review Changed Users rules compare the user entitlement to the last instance of the same access scan in which the entitlement record was approved.

    You can change this behavior by copying and modifying the rules to restrict comparison to any selected part of the user view.

    This rule can return the following values:

    • -1. No attestation required

    • 0. Automatically rejects the attestation

    • 1. Manual attestation required

    • 2. Automatically approves the attestation

    • 3. Automatically remediates the attestation (auto-remediation)

      The book contains additional information about the Review Determination Rule.

  17. Remediator Rule. Select the rule to be used to determine who should remediate a specific user’s entitlement in the event of Auto-Remediation. The rule can examine the user’s current user entitlement and violations, and must return a list of users that should remediate. If no rule is specified, then no remediation will take place. A common use for this rule would be if the entitlement has compliance violations.

  18. Remediation User Form Rule. Select a rule to be used to select an appropriate form for attestation remediators when editing users. Remediators can set their own form, which overrides this one. This form rule would be set if the scan collects very specific data that matches a custom form.

  19. Notification Workflow.

    Select one of the following options to specify the notification behavior for each work item:

    • None. This is the default selection. This selection results in an attestor getting an email notification for each individual user entitlement that he must attest.

    • ScanNotification. This selection bundles attestation requests into a single notification. The notification indicates how many attestation requests were assigned to the recipient.

      If there is a Review Process Owner specified in the access scan, the ScanNotification Workflow will also send a notification to the review process owner when the scan begins, and when it ends. See Creating an Access Scan.

      The ScanNotification workflow uses the following email templates:

      • Access Scan Begin Notice

      • Access Scan End Notice

      • Bulk Attestation Notice

        You can customize the ScanNotification Workflow.

  20. Violation limit. Use this option to specify the maximum number of compliance violations that can be emitted by this scan before the scan aborts. The default limit is 1000. An empty value field is equal to no limit.

    Although typically during an audit scan or access scan the number of policy violations is small compared to the number of users, setting this value could provide protection from the impact of a defective policy that increases the number of violations significantly. For example, consider the following scenario:

    If an access scan involves 50,000 users and generates two to three violations per user, the cost of remediation for each compliance violation can have a detrimental effect on the Identity Manager system.

  21. Organizations. Select the organizations to which this access scan object is available. This is a required field.

    Click Save to save the scan definition.

Deleting an Access Scan

You can delete one or more access scans. To delete an access scan, from the Compliance tab select Manage Access Scans, select the name of the scan, and then click Delete.

Managing Access Reviews

After defining an access scan, you can use or schedule it as part of an access review. After initiating an access review, several options are available to manage the review process.

Read the following sections for more information about:

Launching an Access Review

To launch an access review from the Administrator interface, use one of these methods:

On the displayed Launch Task page, specify a name for the access review. Select the scans from the Available Access Scans list and move them to the Selected list.

If you select more than one scan, you can choose one of the following launch options:

Note –

You can initiate more than one scan during an access review session. However, consider that each scan may involve a large number of users, and therefore the scan process can take many hours to complete. Best practice dictates that you manage your scans accordingly. For example, you might launch one scan to run immediately and schedule other scans at staggered intervals.

Click Launch to start the access review process.

Note –

The name you assign to an access review is important. Access reviews that run on a periodic basis with the same name can be compared by some reports.

When you launch an access review, the workflow process diagram is displayed, showing the steps in the process.

Scheduling Access Review Tasks

An access review task can be scheduled from the Server Tasks area. For example to set up access reviews on a periodic basis, select Manage Schedule and then define the schedule. You might schedule the task to occur every month or every quarter.

To define the schedule, select the Access Review task on the Schedule Tasks page and then complete the information on the Create task schedule page.

Click Save to save the scheduled task.

Note –

Identity Manager keeps the results from access review tasks for one week, by default. If you choose to schedule a review more often than once a week, set the Results Options to delete. If Results Options are not set to delete, the new review will not run because the previous task results still exist.

Managing Access Review Progress

Use the Access Reviews tab to monitor the progress of an access review. Access this feature through the Compliance tab.

From the Access Reviews tab you can review a summary of all active and previously processed access reviews. The following information is provided for each access review listed:

To view more detailed information about the review, select it to open a summary report.

Figure 15–5 shows a sample Access Review Summary report.

Figure 15–5 Access Review Summary Report Page

Figure showing an example Access Review Summary report

Click the Organization or Attestors form tab to view scan information categorized by those objects.

You can also review and download this information in a report by running the Access Review Summary Report.

Modifying Scan Attributes

After setting up an access scan, you can edit the scan to specify new options, such as specifying target resources to scan or specifying audit policies to scan for violations while the access scan is running.

To edit a scan definition, select it from the list of Access Scans, and then modify the attributes on the Edit Access Review Scan page.

You must click Save to save any changes to the scan definition.

Note –

Changing the scope of an access scan might change the information in newly-acquired user entitlement records, as it can affect the Review Determination Rule if that rule compares user entitlements to older user entitlement records.

Canceling an Access Review

From the Access Reviews page, click Terminate to stop a selected review in progress.

Terminating a review causes these actions to occur:

Deleting an Access Review

From the Access Reviews page, click Delete to delete a selected review.

You can delete an access review if the status of the task is terminated or completed. An access review task in progress cannot be deleted unless it is first terminated.

Deleting an access review deletes all user entitlement records that were generated by the review. The delete action is recorded in the audit log.

To delete an access review, click Delete from the Access Reviews page.

Note –

Canceling and deleting an access review may result in updates to a large number of Identity Manager objects and tasks, and can take several minutes to complete. You can check the progress of the operation by viewing the task results in Sever Tasks -> All Tasks.

Managing Attestation Duties

You can manage attestation requests from the Identity Manager Administrator or User interface. This section provides information about responding to attestation requests and the duties involved in attestation.

Access Review Notification

During a scan, Identity Manager sends notification to Attestors when attestation requests require their approval. If attestor responsibilities have been delegated, the requests are sent to the delegate. If multiple attestors are defined, each attestor receives an email notification.

Requests appear as Attestation work items in the Identity Manager interface. Pending attestation work items are displayed when the assigned attestor logs in to Identity Manager.

Viewing Pending Attestation Requests

View attestation work items from the Work Items area of the interface. Selecting the Attestation tab in the Work Items area lists all the entitlement records requiring approval. From the Attestations page, you can also list entitlement records for all of your direct reports and for specified users for which you have direct or indirect control.

Acting on Entitlement Records

Attestation work items contain the user entitlement records requiring review. Entitlement records provide information about user access privileges, assigned resources, and policy violations.

The following are possible responses to an attestation request:

If an attestor does not respond to a request by taking one of these actions before the specified escalation timeout period, notice is sent to the next attestor in the escalation chain. The notification process continues until a response is logged.

Attestation status can be monitored from the Compliance -> Access Reviews tab.

Closed-Loop Remediation

You can avoid rejecting user entitlements by:

Requesting Remediation

If defined by the access scan, you can route a pending attestation to another user for remediation.

Note –

The Dynamic Entitlements option on the Create or Edit Access Scan pages enables this feature.

ProcedureTo Request Remediation From Another User

  1. Select one or more entitlements from the list of attestations, and then click Request Remediation.

    The Select and Confirm to Request Remediation page appears.

  2. Enter a user name, and then click Add to add the user to the Forward to field. Alternatively, click ... (More) to search for a user. Select the user in the search list, and then click Add to add the user to the Forward to list. Click Dismiss to close the Search area.

  3. Enter comments in the Comments field, and then click Proceed.

    Identity Manager returns to the list of attestations.

    Note –

    Details of the remediation request appear in the History area of the individual user entitlement.

Rescanning Attestations

If defined by the access scan, you can rescan and reevaluate a pending attestation.

Note –

The Dynamic Entitlements option on the Create or Edit Access Scan pages enables this feature.

ProcedureTo Rescan A Pending Attestation

  1. Select one or more entitlements from the list of attestations, and then click Rescan.

    The Rescan User Entitlements page appears.

  2. Enter comments about the rescan action in the Comments area, and then click Proceed.

Forwarding Attestation Work Items

You can forward one or more attestation work items to another user.

ProcedureTo Forward Attestations

  1. Select one or more work items in the attestation list, and then click Forward.

    The Select and Confirm Forwarding page appears.

  2. Enter a user name in the Forward to field. Alternatively, click ... (More) to search for a user name.

  3. Enter comments about the forwarding action in the Comments field.

  4. Click Proceed.

    Identity Manager returns to the list of attestations.

    Note –

    Details of the forwarding action appear in the History area of the individual user entitlement.

Digitally Signing Access Review Actions

You can set up digital signing to handle access review actions. For information about configuring digital signatures, see Signing Approvals. The topics discussed there explain the server-side and client-side configuration required to add the certificate and CRL to Identity Manager for signed approvals.

Access Review Reports

Identity Manager provides the following reports that you can use to evaluate the results of an access review:

Access Review Remediation

Compliance violation remediation and mitigation, and access review remediation, are managed from the Remediations area of the Work Items tab. However, there are differences between the two remediation types. This section describes the unique behavior of access review remediation, and how it differs from the remediation tasks and information described in Compliance Violation Remediation and Mitigation.

About Access Review Remediation

When an attestor requests that a user entitlement be remediated, the Standard Attestation workflow creates a remediation request, which must be addressed by a remediator (a designated user who is allowed to evaluate and respond to remediation requests).

The problem can only be remediated; it cannot be mitigated. Attestation cannot continue until the problem is resolved.

When remediations result from an access review, then the Access Review dashboard tracks all attestors and remediators involved with the review.

Access Review Remediation Request Escalation

Access Review remediation requests are not escalated beyond the initial remediator.

The Remediation Workflow Process

The logic of access review remediation is defined in the Standard Attestation workflow.

When an attestor requests remediation of a user entitlement, the Standard Attestation workflow:

The new remediator can then choose to edit the user, either by using Identity Manager or independently, and then mark the work item as remediated when satisfied. At that point, the user entitlement is rescanned and evaluated again.

Access Review Remediation Responses

By default, three response options are given to the access review remediator:

The Remediations Page

The Type column is shown as UE (user entitlement) for all remediation work items that are access review remediation work items.

Unsupported Access Review Remediation Actions

The prioritization and mitigation features are not supported for access review remediations.