To initiate a periodic access review, you must first define at least one access scan.
The access scan defines who will be scanned, which resources will be included in the scan, any optional audit policies to be evaluated during the scan, and rules to determine which entitlement records will be manually attested, and by whom.
In general, the Identity Manager access review workflow:
1. Constructs a list of users, gets account information for each user, and evaluates optional audit policies
2. Creates user entitlement records
3. Determines if attestation is required for each user entitlement record
4. Assigns work items to each attestor
5. Waits for all attestors to approve, or for the first rejection
6. Escalates to the next attestor, if no response to a request is received within a specified timeout period
7. Updates user entitlement records with resolutions
See Access Review Remediation for a description of the remediation capabilities.
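The attestation part of the workflow above (deciding whether a record needs manual attestation, escalating on timeout, and resolving on approval or rejection) can be modeled as follows. This is an added illustrative example, not Identity Manager code: the record fields, the attestation rule, the auto-approve and exhausted-chain behavior, and the sample names and "SoD" violation label are all assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class EntitlementRecord:          # hypothetical model, not the product's schema
    user: str
    violations: list              # audit policy violations found by the scan
    resolution: str = "pending"
    history: list = field(default_factory=list)

def needs_attestation(record):
    # Assumed rule: only records with a policy violation are attested manually.
    return bool(record.violations)

def attest(record, chains, responses):
    """chains: one escalation chain (ordered names) per assigned attestor.
    responses: name -> 'approve' | 'reject'; a missing name is a timeout."""
    decisions = []
    for chain in chains:
        decision = None
        for attestor in chain:                    # escalate on timeout
            decision = responses.get(attestor)
            record.history.append((attestor, decision or "timeout"))
            if decision:                          # answered: stop escalating
                break
        decisions.append(decision)
    if "reject" in decisions:                     # any rejection rejects the record
        record.resolution = "rejected"
    elif None in decisions:                       # assumption: an exhausted
        record.resolution = "pending"             # chain leaves it unresolved
    else:
        record.resolution = "approved"            # every attestor approved
    return record.resolution

def run_scan(records, chains, responses):
    for rec in records:
        if needs_attestation(rec):
            attest(rec, chains, responses)
        else:                                     # assumption: auto-approve
            rec.resolution = "approved"
            rec.history.append(("rule", "auto-approve"))
    return {rec.user: rec.resolution for rec in records}

# Constructed sample: two attestors, the first with an escalation target.
CHAINS = [["manager", "director"], ["app_owner"]]

if __name__ == "__main__":
    recs = [EntitlementRecord("alice", []), EntitlementRecord("bob", ["SoD"])]
    print(run_scan(recs, CHAINS, {"director": "approve", "app_owner": "approve"}))
```

The `history` list on each record is the part an auditor would review afterward: it shows which attestor timed out and who ultimately made the decision.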
To conduct a periodic access review and manage the review processes, a user must have the Auditor Periodic Access Review Administrator capability. A user with the Auditor Access Scan Administrator capability can create and manage access scans.
To assign these capabilities, edit the user account and modify the security attributes. For more information about these and other capabilities, see Understanding and Managing Capabilities in Chapter 6, Administration.