Compliance violation remediation and mitigation, and access review remediation, are managed from the Remediations area of the Work Items tab. However, there are differences between the two remediation types. This section describes the unique behavior of access review remediation, and how it differs from the remediation tasks and information described in Compliance Violation Remediation and Mitigation.
When an attestor requests that a user entitlement be remediated, the Standard Attestation workflow creates a remediation request, which must be addressed by a remediator (a designated user who is allowed to evaluate and respond to remediation requests).
The problem can only be remediated; it cannot be mitigated. Attestation cannot continue until the problem is resolved.
When remediations result from an access review, the Access Review dashboard tracks all attestors and remediators involved with the review.
Access Review remediation requests are not escalated beyond the initial remediator.
The logic of access review remediation is defined in the Standard Attestation workflow.
When an attestor requests remediation of a user entitlement, the Standard Attestation workflow:
Generates a remediation request (of type accessReviewRemediation) that contains information about the user entitlement requiring remediation.
Sends an email to the requested remediator.
The new remediator can then choose to edit the user, either by using Identity Manager or independently, and then mark the work item as remediated when satisfied. At that point, the user entitlement is rescanned and evaluated again.
By default, three response options are given to the access review remediator:
Remediate. A remediator indicates that something has been done to fix the problem.
The user entitlement is then rescanned and evaluated again. If the user entitlement is again marked as requiring attestation, the original attestor sees it appear again in the Attestations work item list.
Details of the remediation request action appear in the History area of the individual user entitlement.
Forward. A remediator reassigns the responsibility for resolving the remediation request to another individual.
Details of the forwarding action appear in the History area of the individual user entitlement.
Edit User. A remediator chooses to directly edit the user to remediate the problem.
This button is shown only if the remediator has permission to modify users. After making changes to the user and clicking Save, the remediator is taken to the Remediation confirmation page to supply a comment describing the change made to the user.
The user entitlement is then rescanned and evaluated again. If the user entitlement is again marked as requiring attestation, the original attestor sees it appear again in the Attestations work item list.
Details of the edit appear as a remediation request action in the History area of the individual user entitlement.
For all access review remediation work items, the Type column shows UE (user entitlement).
The prioritization and mitigation features are not supported for access review remediations.