Sun Identity Manager 8.1 Business Administrator's Guide

Planning for a Periodic Access Review

An access review can be a labor- and time-intensive process for any business enterprise. The Identity Manager periodic access review process helps minimize the cost and time involved by automating many parts of the process. However, some parts of the process are still time-consuming. For example, fetching user account data from a number of locations for thousands of users can take a considerable amount of time. Manually attesting records can be time-consuming as well. Proper planning improves the efficiency of the process and greatly reduces the effort involved.

Planning for a periodic access review involves the following considerations:

Tuning Scan Tasks

During the scan process, multiple threads access the user’s view, potentially accessing resources on which the user has accounts. After the view is accessed, multiple audit policies and rules are evaluated, which may result in the creation of compliance violations.

To prevent two threads from updating the same user view at the same time, the process establishes an in-memory lock on the user name. If this lock cannot be established within 5 seconds (the default), an error is written to the scan task and the user is skipped. This protects concurrent scans that are processing the same set of users.
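The locking behavior described above can be sketched as follows. This is an added illustration in Python, not Identity Manager code; the names `UserLocks`, `scan_users`, `demo` and `LOCK_TIMEOUT_SECONDS` are assumptions, and the user names are constructed sample data.

```python
import threading
import time

LOCK_TIMEOUT_SECONDS = 5.0  # default from the text; the constant name is an assumption

class UserLocks:
    """In-memory lock per user name (illustration, not Identity Manager code)."""
    def __init__(self):
        self._guard = threading.Lock()
        self._locks = {}

    def lock_for(self, user_name):
        with self._guard:  # make creation of the per-user lock thread-safe
            return self._locks.setdefault(user_name, threading.Lock())

def scan_users(users, locks, evaluate, timeout=LOCK_TIMEOUT_SECONDS):
    """Evaluate each user under its lock; record an error and skip on timeout."""
    scanned, errors = [], []
    for name in users:
        lock = locks.lock_for(name)
        if not lock.acquire(timeout=timeout):
            errors.append(f"could not lock user {name!r} within {timeout}s; user skipped")
            continue
        try:
            evaluate(name)  # stands in for view access and policy evaluation
            scanned.append(name)
        finally:
            lock.release()
    return scanned, errors

def demo(timeout=0.2, hold=0.6):
    """Two concurrent scans over overlapping users (constructed sample data)."""
    locks, results = UserLocks(), {}
    holding = threading.Event()

    def slow_evaluate(name):
        holding.set()     # scan A now holds the lock on this user
        time.sleep(hold)  # simulate slow resource fetches

    def scan_a():
        results["a"] = scan_users(["alice"], locks, slow_evaluate, timeout)

    worker = threading.Thread(target=scan_a)
    worker.start()
    holding.wait()
    # Scan B overlaps on "alice": it times out there, then continues with "bob".
    results["b"] = scan_users(["alice", "bob"], locks, lambda n: None, timeout)
    worker.join()
    return results

if __name__ == "__main__":
    print(demo())
```

The `errors` list plays the role of the error written to the scan task: each entry names a user that this scan did not evaluate.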

You can edit the values of several “tunable parameters” that are provided as task arguments to the scan task:

To change the values of these parameters, edit the corresponding Task Definition form. For more information, see Chapter 3, Identity Manager Forms, in Sun Identity Manager Deployment Reference.