When Identity Manager detects an unresolved (not mitigated) audit policy compliance violation, it creates a remediation request, which must be addressed by a remediator. A remediator is a designated user who is allowed to evaluate and respond to audit policy violations.
Identity Manager allows you to define three levels of remediator escalation. Remediation requests are initially sent to the Level 1 remediators. If no Level 1 remediator acts on a remediation request before the timeout period expires, Identity Manager escalates the request to the Level 2 remediators and begins a new timeout period. If no Level 2 remediator responds before that timeout period expires, the request is escalated once more, to the Level 3 remediators, which is the last level.
To perform remediation, you must designate at least one remediator for your enterprise. Specifying more than one remediator for each level is optional, but recommended. Multiple remediators help ensure workflow is not delayed or halted.
The following authorization options apply to work items of authType RemediationWorkItem. Such a work item can be acted on by:
The remediation work item owner
A direct or indirect manager of the remediation work item owner
An administrator who controls an organization to which the remediation work item owner belongs
By default, an authorization check succeeds when any one of the following is true:
Owner is the user attempting the action
Owner is in an organization controlled by the user attempting the action
Owner is a subordinate of the user attempting the action
The second and third checks are independently configurable by modifying these options:
controlOrg. Valid values are true or false.
subordinate. Valid values are true or false.
lastLevel. The last subordinate level to include in the subordinate check; -1 means all levels. The integer value defaults to -1, so both direct and indirect subordinates are included; a positive value stops the walk up the management chain at that level.
These options can be added or modified in the following:
UserForm: Remediation List
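The three checks above, with the second and third toggled by controlOrg and subordinate and the subordinate walk bounded by lastLevel, modeled in Python as an added example. This is not Identity Manager code: the directory (manager chain, organization tree, user and organization names) is constructed for illustration, and the model assumes that an administrator who controls an organization also controls the organizations nested under it.

```python
"""Model of the RemediationWorkItem authorization checks described above.

Added example, not Identity Manager code: a small in-memory directory and
the three checks (owner, controlled organization, subordinate), with the
second and third toggled by controlOrg / subordinate and the subordinate
walk bounded by lastLevel.  Assumption: an administrator who controls an
organization also controls the organizations nested under it.
"""
from dataclasses import dataclass

# Constructed directory for the example.
MANAGER_OF = {"alice": "bob", "bob": "carol", "carol": None,
              "dave": "frank", "frank": "carol"}
ORG_OF = {"alice": "Sales-East", "bob": "Sales", "carol": "Corp",
          "dave": "Finance", "frank": "Finance"}
PARENT_ORG = {"Sales-East": "Sales", "Sales": "Corp", "Finance": "Corp",
              "Corp": None}
CONTROLS = {"erin": {"Sales"}, "carol": {"Corp"}}   # admin -> controlled orgs


@dataclass
class RemediationAuthOptions:
    controlOrg: bool = True    # apply the controlled-organization check
    subordinate: bool = True   # apply the subordinate check
    lastLevel: int = -1        # last manager level to walk; -1 = all levels


def controls_org(admin, org):
    """True if admin controls org or one of its ancestor organizations."""
    while org is not None:
        if org in CONTROLS.get(admin, set()):
            return True
        org = PARENT_ORG[org]
    return False


def is_manager_within(user, owner, last_level):
    """True if user is a direct or indirect manager of owner, no more than
    last_level levels up the chain (unbounded when last_level is -1)."""
    level, manager = 1, MANAGER_OF.get(owner)
    while manager is not None and (last_level < 0 or level <= last_level):
        if manager == user:
            return True
        level, manager = level + 1, MANAGER_OF.get(manager)
    return False


def may_act_on(owner, user, opts=RemediationAuthOptions()):
    """Default authorization for a RemediationWorkItem owned by owner."""
    if user == owner:
        return True
    if opts.controlOrg and controls_org(user, ORG_OF[owner]):
        return True
    if opts.subordinate and is_manager_within(user, owner, opts.lastLevel):
        return True
    return False
```

With the defaults, carol may act on alice's work item both as her indirect manager and as the administrator of Corp; setting controlOrg to false and lastLevel to 1 leaves only bob, alice's direct manager, and alice herself.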
Identity Manager provides the Standard Remediation Workflow, which performs remediation processing for audit policy scans.
The Standard Remediation Workflow generates a remediation request (a review-type work item) containing information about the compliance violation and sends an email notification to each Level 1 remediator named in the audit policy. When a remediator mitigates the violation, the workflow changes the state of, and assigns an expiration to, the existing compliance violation object.
A compliance violation is uniquely identified by the combination of user, policy name, and rule name. When an audit policy evaluates to true for a user, a new compliance violation is created for each user/policy/rule combination for which no violation already exists. If a violation does exist for the combination and is in the mitigated state, the workflow takes no action. If the existing violation is not mitigated, its recurrent count is incremented instead.
For more information about remediation workflows, see About Audit Policies.
By default, three response options are given to each remediator:
Remediate. A remediator indicates that something has been done to fix the problem on the resource.
When a compliance violation is modified, Identity Manager creates an audit event to log the remediation. In addition, Identity Manager stores the name of the remediator and any comments provided.
After remediation, a violation is not deleted until the next audit scan. If an audit policy is configured to allow re-scans, then the user will be re-scanned as soon as the violation is remediated.
Mitigate. A remediator allows the violation and gives the user an exemption from the violation for a certain amount of time.
If the violation is deliberate (for example, there is a business case for belonging to two groups), you can mitigate the violation for an extended period of time. You can also mitigate the violation for a short period of time (for example, in cases where the resource’s system administrator is on vacation and you do not know how to fix the problem).
Identity Manager stores the name of the remediator that mitigated the violation along with the expiration date assigned to the exemption and any comments provided.
When Identity Manager detects an expired exemption, it returns the violation from the mitigated state to a pending state.
Forward. A remediator reassigns the responsibility for resolving the violation to another individual.
Your enterprise establishes a rule in which a user cannot be responsible for both Accounts Payable and Accounts Receivable, and you receive notice that a user is violating this rule.
If the user is a supervisor who has responsibility for both roles until the company hires a second person for that position, you might mitigate the violation and issue an exemption for up to six months.
If the user should not hold both responsibilities, you might ask your Oracle ERP Administrator to correct the conflict, and then remediate the violation once the problem is fixed on that resource. Alternatively, you might forward the remediation request to the Oracle ERP Administrator.
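The Accounts Payable / Accounts Receivable scenario above, run through a Python model of the behavior this page describes: the three-level escalation of a remediation request on timeout, a violation keyed by user, policy and rule that is created once and has its recurrent count incremented on re-detection, an exemption that returns the violation to pending when it expires, and a remediated violation that is kept until the next scan. This is an added example, not Identity Manager code or the Standard Remediation Workflow itself: times are plain integer days, the policy name SoD-Finance, rule name no-AP-and-AR, user jsmith and the remediator names are constructed, and the model assumes the next scan deletes a remediated violation only when the policy no longer fires for that user.

```python
"""Model of the remediation lifecycle described on this page.

Added example, not Identity Manager code.  It models a remediation
request escalated through three remediator levels on timeout, and a
compliance violation keyed by (user, policy, rule) that is created once,
has its recurrent count incremented on re-detection, and moves between
the pending, mitigated and remediated states.  Times are integer days;
policy, rule, user and remediator names are constructed.
"""
from dataclasses import dataclass
from typing import Optional

PENDING, MITIGATED, REMEDIATED = "pending", "mitigated", "remediated"


@dataclass
class RemediationRequest:
    """Review-type work item: sent to Level 1, escalated on timeout."""
    violation_key: tuple
    remediators: dict       # level (1..3) -> names of remediators
    timeout: int            # period a level has to act before escalation
    created: int
    level: int = 1

    def __post_init__(self):
        self.deadline = self.created + self.timeout

    def escalate_if_expired(self, now):
        """Each expired period escalates one level and starts a new period;
        Level 3 is the last level, so escalation stops there."""
        while now >= self.deadline and self.level < 3:
            self.level += 1
            self.deadline += self.timeout
        return self.level


@dataclass
class Violation:
    user: str
    policy: str
    rule: str
    state: str = PENDING
    recurrent_count: int = 1
    expires: Optional[int] = None
    remediator: Optional[str] = None


class ComplianceStore:
    def __init__(self):
        self.violations = {}    # (user, policy, rule) -> Violation
        self.audit_events = []  # one event per violation modification

    def record_hit(self, key):
        """Policy evaluated true for key: create, take no action, or increment."""
        v = self.violations.get(key)
        if v is None:
            self.violations[key] = Violation(*key)
            return "created"
        if v.state == MITIGATED:
            return "no action"        # exemption in force
        v.recurrent_count += 1
        return "incremented"

    def scan(self, hits):
        """One audit scan over a set of (user, policy, rule) hits.  Model
        assumption: a remediated violation not detected again is deleted
        here, since the page keeps it only until the next scan."""
        results = [self.record_hit(k) for k in sorted(hits)]
        for k in [k for k, v in self.violations.items()
                  if v.state == REMEDIATED and k not in hits]:
            del self.violations[k]
        return results

    def respond(self, key, state, remediator, expires=None, comment=""):
        """Remediate (REMEDIATED) or mitigate (MITIGATED plus an expiry);
        the remediator name and comment are kept with the audit event."""
        v = self.violations[key]
        v.state, v.expires, v.remediator = state, expires, remediator
        self.audit_events.append((state, key, remediator, comment))

    def expire_exemptions(self, now):
        """An expired exemption returns the violation to pending."""
        expired = [k for k, v in self.violations.items()
                   if v.state == MITIGATED and v.expires <= now]
        for k in expired:
            self.violations[k].state, self.violations[k].expires = PENDING, None
            self.audit_events.append((PENDING, k, None, "exemption expired"))
        return expired


def scenario():
    """Accounts Payable / Accounts Receivable walk-through; returns a summary."""
    store, key = ComplianceStore(), ("jsmith", "SoD-Finance", "no-AP-and-AR")
    out = {"day0": store.scan({key})}                                  # created
    req = RemediationRequest(key, {1: ["ap-lead"], 2: ["fin-mgr"], 3: ["cfo"]},
                             timeout=5, created=0)
    out["level_day12"] = req.escalate_if_expired(now=12)              # 1 -> 3
    store.respond(key, MITIGATED, "fin-mgr", expires=180,
                  comment="supervisor covers both roles until second hire")
    out["day30"] = store.scan({key})                                   # no action
    out["expired"] = store.expire_exemptions(now=180)                  # -> pending
    out["day181"] = store.scan({key})                                  # incremented
    out["count"] = store.violations[key].recurrent_count               # 2
    store.respond(key, REMEDIATED, "erp-admin", comment="AR responsibility removed")
    store.scan(set())                                                  # deleted
    out["remaining"], out["events"] = len(store.violations), len(store.audit_events)
    return out
```

The walk-through follows the page's own ordering: the six-month exemption suppresses the day-30 detection entirely, its expiry on day 180 returns the violation to pending so that the day-181 scan increments the recurrent count rather than creating a second violation, and the remediated violation disappears only at the scan after remediation.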