Sun Identity Manager 8.1 Business Administrator's Guide

Understanding Identity Auditing

Identity Manager provides a feature for auditing user account privileges and access rights, and a separate feature for maintaining and certifying compliance. These features are policy-based compliance and periodic access reviews.

Policy-Based Compliance

Identity Manager employs an audit policy system that allows administrators to maintain compliance with company-established requirements for all user accounts.

You can use audit policies to ensure compliance in two different and complementary ways: continuous compliance and periodic compliance.

These two techniques are particularly complementary in an environment in which provisioning operations may be performed outside of Identity Manager. When an account can be changed by a process that does not execute or honor existing audit policies, periodic compliance is necessary.

Continuous Compliance

Continuous compliance means that an audit policy is applied to all provisioning operations, such that an account cannot be modified in a way that does not comply with current policy.

You enable continuous compliance by assigning an audit policy to an organization, a user, or both. Any provisioning operations performed on a user will cause the user-assigned policies to be evaluated. Any resulting policy failure will interrupt the provisioning operation.

An organization-based policy set is defined hierarchically. There is only one organization policy set in effect for any user. The applied policy set is the one assigned to the lowest-level organization. For example:

Directly Assigned Policy Set    Effective Policy
Policies A1, A2                 Policies A1, A2
(none)                          Policies A1, A2
Policies B, C2                  Policies B, C2
(none)                          Policies B, C2
Policies D, E5                  Policies D, E5
(none)                          Policies A1, A2


Periodic Compliance

Periodic compliance means that Identity Manager evaluates policy on-demand. Any noncompliant conditions are captured as compliance violations.

When executing periodic compliance scans, you can select which policies to use in the scan. The scan process blends directly-assigned policies (user-assigned and organization-assigned policies) and an arbitrary set of selected policies.
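The following is an added illustration for this page, not Identity Manager code or its API: a small model of the policy resolution described in the table above (the lowest-level organization with a directly assigned set wins, with no merging up the hierarchy) together with the two compliance modes. The organization names, the sample policies named after the table, the users and every function name are assumptions made for the example. Continuous compliance is modelled as a provisioning call that evaluates the proposed account state and refuses the change on any failure; periodic compliance is modelled as an on-demand scan of the stored account state against the blend of directly assigned and selected policies, which is what catches an account created outside Identity Manager.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Optional


@dataclass(frozen=True)
class AuditPolicy:
    """A named rule; rule(account) returns a violation message or None."""
    name: str
    rule: Callable[[dict], Optional[str]]


@dataclass
class Organization:
    name: str
    parent: Optional["Organization"] = None
    policies: List[AuditPolicy] = field(default_factory=list)  # directly assigned set


@dataclass
class User:
    name: str
    org: Organization
    account: dict                                              # stored account state
    policies: List[AuditPolicy] = field(default_factory=list)  # user-assigned policies


class ComplianceError(Exception):
    """Continuous compliance interrupted a provisioning operation."""


def effective_org_policies(org: Organization) -> List[AuditPolicy]:
    """Walk upward; the first organization with a directly assigned set is the
    only organization set in effect (sets are not merged with ancestors')."""
    node = org
    while node is not None:
        if node.policies:
            return list(node.policies)
        node = node.parent
    return []


def directly_assigned(user: User) -> List[AuditPolicy]:
    return user.policies + effective_org_policies(user.org)


def evaluate(policies: Iterable[AuditPolicy], account: dict) -> List[str]:
    failures = []
    for p in policies:
        msg = p.rule(account)
        if msg:
            failures.append(f"{p.name}: {msg}")
    return failures


def provision(user: User, changes: dict) -> dict:
    """Continuous compliance: check the proposed state; on failure the stored
    account is left untouched and the operation is interrupted."""
    proposed = {**user.account, **changes}
    failures = evaluate(directly_assigned(user), proposed)
    if failures:
        raise ComplianceError(failures)
    user.account = proposed
    return proposed


def periodic_scan(users: Iterable[User], selected: Iterable[AuditPolicy] = ()) -> Dict[str, List[str]]:
    """Periodic compliance: evaluate stored state against directly assigned
    policies blended with an arbitrary selected set; return violations."""
    violations: Dict[str, List[str]] = {}
    for u in users:
        blended = {p.name: p for p in [*directly_assigned(u), *selected]}  # de-duplicated
        failures = evaluate(blended.values(), u.account)
        if failures:
            violations[u.name] = failures
    return violations


# Constructed sample policies, named after the table on this page (assumed rules).
A1 = AuditPolicy("A1", lambda a: "separation of duties: payables clerk and payment approver"
                 if {"payables_clerk", "payment_approver"} <= set(a.get("roles", ())) else None)
A2 = AuditPolicy("A2", lambda a: "manager attribute is required" if not a.get("manager") else None)
B = AuditPolicy("B", lambda a: "admin role requires MFA"
                if "admin" in a.get("roles", ()) and not a.get("mfa") else None)
C2 = AuditPolicy("C2", lambda a: "more than 5 roles" if len(a.get("roles", ())) > 5 else None)
D = AuditPolicy("D", lambda a: "dba role outside IT"
                if "dba" in a.get("roles", ()) and a.get("dept") != "IT" else None)
E5 = AuditPolicy("E5", lambda a: "corporate email required"
                 if not str(a.get("email", "")).endswith("@example.com") else None)

# Constructed organization hierarchy mirroring the table's rows, top to bottom.
org1 = Organization("Org1", None, [A1, A2])
org2 = Organization("Org2", org1)
org3 = Organization("Org3", org2, [B, C2])
org4 = Organization("Org4", org3)
org5 = Organization("Org5", org4, [D, E5])
org6 = Organization("Org6", org1)
ORGS = [org1, org2, org3, org4, org5, org6]

# Constructed users; bob's account was created by a process outside Identity
# Manager, so its stored state already violates A1 and only a scan will see it.
alice = User("alice", org4, {"roles": ["analyst"], "manager": "carol", "mfa": False})
bob = User("bob", org2, {"roles": ["payables_clerk", "payment_approver"], "manager": "carol"})
USERS = [alice, bob]


def effective_policy_table() -> Dict[str, List[str]]:
    return {o.name: [p.name for p in effective_org_policies(o)] for o in ORGS}
```

Calling `provision(alice, {"roles": ["analyst", "admin"]})` is refused by policy B (Org4 inherits Org3's set) and leaves alice's account unchanged, while `periodic_scan(USERS)` reports bob's separation-of-duties violation; passing `selected=[E5]` to the scan blends that policy in for every user regardless of organization.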

Identity Manager users with Auditor Administrator capabilities can create audit policies and monitor compliance with those policies through periodic execution of policy scans and reviews of policy violations. Violations can be managed through remediation and mitigation procedures.

For more information about the Auditor Administrator capabilities, see Understanding and Managing Capabilities in Chapter 6, Administration.

Identity Manager auditing allows for regular scans of users. These scans execute audit policies to detect deviations from established account limits. When a violation is detected, remediation activities are initiated. The rules may be standard audit policy rules provided by Identity Manager, or customized, user-defined rules.

Logical Task Flow for Policy-Based Compliance

Figure 13–1 shows a logical task flow for establishing policy-based audit controls.

Periodic Access Reviews

Identity Manager provides for periodic access reviews that enable managers and other responsible parties to review and verify user access privileges on an ad-hoc or periodic basis. For more information about this feature, see Periodic Access Reviews and Attestation.

Figure 13–1 A Logical Task Flow for Establishing Policy-based Compliance