Periodic access review is the recurring process of attesting that a set of employees has the appropriate privileges on the appropriate resources at a specific point in time.
A periodic access review involves the following activities:
Access review scans. Scans that perform rule-based evaluations of user entitlements to determine if attestation is needed.
Attestation. Process of responding to attestation requests by approving or rejecting user entitlements.
A user entitlement is a detailed record of a user’s accounts on a specific set of resources.
To initiate a periodic access review, you must first define at least one access scan.
The access scan defines who will be scanned, which resources will be included in the scan, any optional audit policies to be evaluated during the scan, and rules to determine which entitlement records will be manually attested, and by whom.
In general, the Identity Manager access review workflow:
Constructs a list of users, gets account information for each user, and evaluates optional audit policies
Creates user entitlement records
Determines if attestation is required for each user entitlement record
Assigns work items to each attestor
Waits for all attestors to approve, or for the first rejection
Escalates to the next attestor, if no response to a request is received within a specified timeout period
Updates user entitlement records with resolutions
See Access Review Remediation for a description of the remediation capabilities.
To conduct a periodic access review and manage the review processes, a user must have the Auditor Periodic Access Review Administrator capability. A user with Auditor Access Scan Administrator capability can create and manage access scans.
To assign these capabilities, edit the user account and modify the security attributes. For more information about these and other capabilities, see Understanding and Managing Capabilities in Chapter 6, Administration.
Attestation is the certification process performed by one or more designated attestors to confirm a user entitlement as it exists on a specific date. During an access review, the attestor (or attestors) receives notice of the access review attestation requests through email notification. An attestor must be an Identity Manager user, but is not required to be an Identity Manager administrator.
Identity Manager uses an attestation workflow that is launched when an access scan identifies entitlement records requiring review. The access scan makes this determination based on the rules defined in the access scan.
A rule evaluated by the access scan determines if the user entitlement record needs to be manually attested, or if it can be automatically approved or rejected. If the user entitlement record needs to be manually attested, then the access scan uses a second rule to determine who the appropriate attestors are.
Each user entitlement record to be manually attested is assigned to a workflow, with one work item per attestor. Notification to the attestor of these work items can be sent using a ScanNotification workflow that bundles the items into one notification, per attestor, per scan. Unless the ScanNotification workflow is selected, notification will be per user entitlement. This means an attestor could receive multiple notifications per scan, and possibly a large number depending on the number of users scanned.
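The following is an added, constructed example that models the workflow steps listed above (build entitlement records, evaluate the attestation rule, assign work items, wait for all approvals or the first rejection, escalate on timeout) together with the second rule that chooses attestors, the Follow Delegation routing, and the difference between ScanNotification bundling and per-entitlement notification. It is not Identity Manager code: the record shapes, the two rule functions, the resource-owner and response tables, and the escalation policy (a silent attestor's item moves to that attestor's own manager) are all assumptions made for illustration.

```python
"""Toy model of the Identity Manager periodic access review workflow. Added,
constructed example, not Identity Manager code: rules, tables and escalation policy are assumptions."""
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    manager: "str | None"
    accounts: dict                   # resource name -> entitlements held there

@dataclass
class UserEntitlement:
    user: str
    resource: str
    entitlements: list
    status: str = "pending"          # pending / approved / rejected
    history: list = field(default_factory=list)   # (who decided, decision)

# Constructed sample directory: a three-level manager chain and some accounts.
USERS = {
    "alice": User("alice", "bob",   {"AD": ["Domain Users"], "ERP": ["AP_CLERK", "AP_APPROVER"]}),
    "bob":   User("bob",   "carol", {"AD": ["Domain Users", "Domain Admins"]}),
    "carol": User("carol", None,    {"AD": ["Domain Users"]}),
    "dave":  User("dave",  "bob",   {"AD": ["Domain Admins"], "ERP": []}),
}
RESOURCE_OWNERS = {"AD": "carol", "ERP": "carol"}   # assumed owner per resource
PRIVILEGED = {"Domain Admins", "AP_APPROVER"}        # assumed high-risk entitlements

def scan_users(users):
    """Workflow steps 1-2: one user entitlement record per user per resource."""
    return [UserEntitlement(u.name, res, list(ents))
            for u in users.values() for res, ents in u.accounts.items()]

def attestation_rule(rec):
    """First access scan rule: auto-'approve', auto-'reject' or 'manual'."""
    if not rec.entitlements:
        return "reject"              # assumed policy: an empty account is revoked
    if PRIVILEGED & set(rec.entitlements):
        return "manual"              # privileged access is attested by a person
    return "approve"

def attestor_rule(rec, users):
    """Second rule: the user's manager and the resource owner both attest."""
    cands = [users[rec.user].manager, RESOURCE_OWNERS.get(rec.resource)]
    return [a for i, a in enumerate(cands) if a and a not in cands[:i]]

def route(attestor, delegations, follow_delegation):
    """A work item goes to the delegate only if Follow Delegation is selected."""
    return delegations.get(attestor, attestor) if follow_delegation else attestor

def resolve_work_item(rec, holder, responses, users):
    """Steps 5-6: no answer before the timeout escalates to the holder's manager."""
    while holder:
        answer = responses.get((holder, rec.user, rec.resource))
        if answer:
            return holder, answer
        holder = users[holder].manager
    return None, None                # chain exhausted, the item stays open

def run_review(users, responses, delegations=None, follow_delegation=True):
    """Steps 3-7. responses: (attestor, user, resource) -> 'approve'/'reject'."""
    delegations = delegations or {}
    records, notifications = scan_users(users), {}   # attestor -> work items
    for rec in records:
        verdict = attestation_rule(rec)
        if verdict != "manual":
            rec.status = "approved" if verdict == "approve" else "rejected"
            rec.history.append(("rule", verdict))
            continue
        outcomes = []
        for attestor in attestor_rule(rec, users):
            holder = route(attestor, delegations, follow_delegation)
            notifications.setdefault(holder, []).append((rec.user, rec.resource))
            who, answer = resolve_work_item(rec, holder, responses, users)
            rec.history.append((who, answer))
            outcomes.append(answer)
            if answer == "reject":
                break                # first rejection settles the record
        if "reject" in outcomes:
            rec.status = "rejected"
        elif outcomes and all(a == "approve" for a in outcomes):
            rec.status = "approved"  # only when every attestor approved
    return records, notifications

def notification_count(notifications, scan_notification):
    """One notice per attestor per scan with ScanNotification, else one per item."""
    return len(notifications) if scan_notification else sum(map(len, notifications.values()))

# Constructed responses: bob never answers about dave, so that work item
# escalates to carol, who rejects it; everything else is approved.
RESPONSES = {("bob", "alice", "ERP"): "approve", ("carol", "alice", "ERP"): "approve",
             ("carol", "bob", "AD"): "approve", ("carol", "dave", "AD"): "reject"}

if __name__ == "__main__":
    recs, notes = run_review(USERS, RESPONSES, follow_delegation=False)
    print([(r.user, r.resource, r.status) for r in recs], notification_count(notes, True), notification_count(notes, False))
```

Running it with Follow Delegation off shows the two notification modes side by side: the same scan produces two bundled notices (one for bob, one for carol) but four per-entitlement notices. Rerunning with a delegation from bob to carol and Follow Delegation on moves all of bob's items to carol without changing any outcome, which is the behaviour the Follow Delegation option governs.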
These authorization options are for work items of authType AttestationWorkItem:
The Work Item owner
A direct or indirect manager of the Work Item owner
An administrator who controls an organization in which the Work Item owner belongs
Users who have been validated through authentication checks
By default, the behavior for authorization checks is one of the following:
Owner is User attempting the action
Owner is in Organization controlled by user attempting the action
Owner is a subordinate of user attempting the action
The second and third checks are independently configurable by modifying these form properties:
controlOrg — Valid values are true or false
subordinate — Valid values are true or false
lastLevel — Last subordinate level to include in the result; -1 means all levels
The integer value for lastLevel defaults to -1, meaning direct and indirect subordinates.
You can add or modify these options in the following:
UserForm: AccessApprovalList.
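The three default authorization checks and the controlOrg, subordinate and lastLevel properties described above, as an added, constructed example rather than Identity Manager's own implementation. The directory, the table of which organizations an administrator controls (assumed to cover nested organizations), and the way the form properties are passed in are assumptions; the requirement that organization-controlled security also needs the Auditor Attestor capability to act on another user's attestation is applied to the organization-control branch, which is how this example reads that rule.

```python
"""Model of the authorization check for work items of authType AttestationWorkItem.
Added, constructed example, not Identity Manager code: directory, org-control table
and property handling are assumptions."""

# Constructed directory: user -> (manager, organization path).
DIRECTORY = {
    "alice": ("bob", "Sales/EMEA"),
    "bob":   ("carol", "Sales"),
    "carol": ("dana", "Corp"),
    "dana":  (None, "Corp"),
    "erin":  (None, "Audit"),
}
# Constructed: administrator -> organizations that administrator controls.
# Control is assumed to include every organization nested under the listed one.
CONTROLLED_ORGS = {"erin": ["Sales"]}

# Defaults of the AccessApprovalList form properties named in the text.
DEFAULT_FORM_PROPS = {"controlOrg": True, "subordinate": True, "lastLevel": -1}

def is_subordinate(owner, actor, last_level, directory=DIRECTORY):
    """True if owner reports to actor within last_level levels of the manager
    chain (-1 = any depth, 1 = direct reports only)."""
    level, manager = 1, directory[owner][0]
    while manager is not None and (last_level == -1 or level <= last_level):
        if manager == actor:
            return True
        manager, level = directory[manager][0], level + 1
    return False

def controls_org(actor, owner, directory=DIRECTORY, controlled=CONTROLLED_ORGS):
    """True if the owner's organization is one the actor controls, or nested in it."""
    owner_org = directory[owner][1]
    return any(owner_org == org or owner_org.startswith(org + "/")
               for org in controlled.get(actor, []))

def may_act_on_work_item(actor, owner, props=None, capabilities=()):
    """Apply the three default checks in order. props overrides the form
    properties; capabilities is the acting user's set of capability names."""
    props = {**DEFAULT_FORM_PROPS, **(props or {})}
    if actor == owner:                       # 1: the owner acts on their own item
        return True
    if (props["controlOrg"] and controls_org(actor, owner)
            and "Auditor Attestor" in capabilities):
        return True                          # 2: organization control plus capability
    if props["subordinate"] and is_subordinate(owner, actor, props["lastLevel"]):
        return True                          # 3: owner is in the actor's reporting line
    return False

if __name__ == "__main__":
    for actor, props in [("bob", {}), ("dana", {}), ("dana", {"lastLevel": 2}), ("erin", {})]:
        print(actor, props, may_act_on_work_item(actor, "alice", props))
```

The lastLevel property is the one to watch when tightening this: with the default of -1 every manager up the chain can act on a report's attestation, while lastLevel 1 limits it to the direct manager. Setting controlOrg to false removes the organization-administrator path entirely, so an auditor who controls the organization but is not in the reporting line is denied even when holding the Auditor Attestor capability.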
If you set security on attestations to organization-controlled, then the Auditor Attestor capability is also required to modify another user’s attestations.
By default, the access scan workflow respects the delegations that users have created for work items of type Access Review Attestation and Access Review Remediation, for both attestation work items and their notifications. The access scan administrator can deselect the Follow Delegation option to ignore delegation settings. If an attestor has delegated all work items to another user but Follow Delegation is not set for an access review scan, then the attestor, not the delegate, receives the attestation request notifications and work items.