Sun Identity Manager 8.1 Business Administrator's Guide

Assigning Audit Policies

To assign an audit policy to an organization, the user must have (at least) the Assign Organization Audit Policies capability. To assign an audit policy to a user, the user must have the Assign User Audit Policies capability. A user with the Assign Audit Policies capability has both of these capabilities.

To assign an organization-level policy, select the organization on the Accounts tab, and then select the policies in the Assigned audit policies list.

Procedure: To Assign a User-Level Policy

  1. Click the user in the Accounts area.

  2. Select Compliance in the user form.

  3. Select policies in the Assigned audit policies list.

    Note –

    Audit policies that are directly assigned to a user (assigned through a user account or an organization assignment) are always reevaluated when a violation for that user is remediated.

Resolving Auditor Capabilities Limitations

By default, capabilities needed to perform auditing tasks are contained in the Top organization (object group). As a result, only those administrators who control Top can assign these capabilities to other administrators.

You can resolve this limitation by adding the capabilities to another organization. Identity Manager provides two utilities, located in the sample/scripts directory, to assist with this task.

Procedure: To Add Capabilities

To add the capabilities needed to perform auditing tasks to an organization other than Top, follow these steps:

  1. Run the following command to list all capabilities (AdminGroups) and their associated organizations (object groups):

    beanshell objectGroupUpdate.bsh -type AdminGroup -action list -csv

    This command captures the output to a comma-separated value (CSV) file.

  2. Edit the CSV file to adjust the capabilities' organizational locations as desired.

  3. Run this command to update Identity Manager:

    beanshell objectGroupUpdate.bsh -data CSVFileName -action add -groups NewObjectGroup