After defining an access scan, you can use or schedule it as part of an access review. After initiating an access review, several options are available to manage the review process.
To launch an access review from the Administrator interface, use one of these methods:
Click Launch Review from the Compliance -> Access Reviews page.
Select the Access Review task in the Server Tasks -> Run Tasks page.
On the displayed Launch Task page, specify a name for the access review. Select the scans from the Available Access Scans list and move them to the Selected list.
If you select more than one scan, you can choose one of the following launch options:
immediately. This option starts running the scan immediately upon clicking the Launch button. If you select this option for multiple scans in the launch task, then the scans will run in parallel.
after waiting. This option allows you to specify a period of time to wait before launching the scan, relative to the launch of the access review task.
You can initiate more than one scan during an access review session. However, consider that each scan may involve a large number of users, and therefore the scan process can take many hours to complete. Best practice dictates that you manage your scans accordingly. For example, you might launch one scan to run immediately and schedule other scans at staggered intervals.
Click Launch to start the access review process.
The name you assign to an access review is important. Access reviews that run on a periodic basis with the same name can be compared by some reports.
When you launch an access review, the workflow process diagram is displayed, showing the steps in the process.
An access review task can be scheduled from the Server Tasks area. For example, to set up access reviews on a periodic basis, select Manage Schedule and then define the schedule. You might schedule the task to occur every month or every quarter.
To define the schedule, select the Access Review task on the Schedule Tasks page and then complete the information on the Create task schedule page.
Click Save to save the scheduled task.
Identity Manager keeps the results from access review tasks for one week, by default. If you choose to schedule a review more often than once a week, set the Results Options to delete. If Results Options are not set to delete, the new review will not run because the previous task results still exist.
Use the Access Reviews tab to monitor the progress of an access review. Access this feature through the Compliance tab.
From the Access Reviews tab you can review a summary of all active and previously processed access reviews. The following information is provided for each access review listed:
Status. Current status of the review process: initializing, terminating, terminated, number of scans in progress, number of scans scheduled, awaiting attestations, or completed.
Launch Date. The date (timestamp) the access review task started.
Total Users. Total number of users to be scanned.
Entitlements details. Additional columns in the table provide entitlement totals by status. These include details for pending, approved, rejected, terminated, and remediated entitlements, as well as total entitlements.
The Remediated column indicates the number of entitlements currently in the REMEDIATING state. After an entitlement is remediated, it goes to the PENDING state; therefore, at the conclusion of an access review, the value of this column is zero.
To view more detailed information about the review, select it to open a summary report.
Figure 15–5 shows a sample Access Review Summary report.
Click the Organization or Attestors form tab to view scan information categorized by those objects.
You can also review and download this information in a report by running the Access Review Summary Report.
After setting up an access scan, you can edit the scan to specify new options, such as specifying target resources to scan or specifying audit policies to scan for violations while the access scan is running.
To edit a scan definition, select it from the list of Access Scans, and then modify the attributes on the Edit Access Review Scan page.
You must click Save to save any changes to the scan definition.
Changing the scope of an access scan might change the information in newly acquired user entitlement records, as it can affect the Review Determination Rule if that rule compares user entitlements to older user entitlement records.
From the Access Reviews page, click Terminate to stop a selected review in progress.
Terminating a review causes these actions to occur:
Any scheduled scans are unscheduled
Any active scans are halted
All pending workflows and work items are deleted
All pending attestations are marked canceled
Any attestations that users completed are left unchanged
From the Access Reviews page, click Delete to delete a selected review.
You can delete an access review if the status of the task is terminated or completed. An access review task in progress cannot be deleted unless it is first terminated.
Deleting an access review deletes all user entitlement records that were generated by the review. The delete action is recorded in the audit log.
To delete an access review, click Delete from the Access Reviews page.
Canceling and deleting an access review may result in updates to a large number of Identity Manager objects and tasks, and can take several minutes to complete. You can check the progress of the operation by viewing the task results in Server Tasks -> All Tasks.