Chapter 13 Identity Auditing: Basic Concepts

This chapter introduces you to the concepts behind identity auditing and audit controls. Audit controls can be used to monitor and manage auditing and compliance across enterprise information systems and applications.

About Identity Auditing

Identity Manager defines auditing as the systematic capture, analysis, and response to identity data across an enterprise to ensure compliance with internal and external policies and regulations.

Compliance with accounting and data privacy legislation is not a simple task. Identity Manager’s auditing features offer a flexible approach, allowing you to implement a compliance solution that works for your enterprise.

In most environments, different groups are involved with compliance: internal and external auditing teams (for whom auditing is the primary focus); and non-auditing staff (who may see auditing as a distraction). IT often is involved with compliance as well, helping transition internal auditing team requirements to a chosen solution’s implementation. The key to successfully implementing an auditing solution is in accurately capturing the knowledge, controls, and processes of non-auditing staff, and then automating the application of that information.

Goals of Identity Auditing

Identity Manager audit policy features let you define rules (that is, criteria) for violations. Once defined, the system scans for conditions that violate established policies, such as unauthorized access changes or erroneous access privileges. Upon detection, the system notifies the appropriate persons according to a defined escalation chain. User-invoked tasks, or workflows that are automatically invoked by policy violations, can then remediate (correct) the violation.

The Auditor Reports provide summary status information about violations and exceptions for quick analysis of risk status. The Reports tab also provides graphical reports of violations. You can view violations by resource, organization, or policy, customizing each chart according to the report characteristics you define.

The Reports area lets you define detailed reports and charts that provide information on access history and privileges, and other policy violations. The system keeps a secure and comprehensive identity audit trail that can be mined, through reporting capabilities, for access data and user profile updates.

Periodic access reviews can be conducted to collect user entitlement records and determine which entitlements require review. The process then notifies designated attestors of pending requests for review and updates the status or pending requests when attestor actions on the requests are completed.

Understanding Identity Auditing

Identity Manager provides a feature for auditing user account privileges and access rights, and a separate feature for maintaining and certifying compliance. These features are policy-based compliance and periodic access reviews.

Policy-Based Compliance

Identity Manager employs an audit policy system that allows administrators to maintain compliance of company-established requirements for all user accounts.

You can use audit policies to ensure compliance in two different and complementary ways: continuous compliance and periodic compliance.

These two techniques are particularly complementary in an environment in which provisioning operations may be performed outside of Identity Manager. When an account can be changed by a process that does not execute or honor existing audit policies, periodic compliance is necessary.

Continuous Compliance

Continuous compliance means that an audit policy is applied to all provisioning operations, such that an account cannot be modified in a way that does not comply with current policy.

You enable continuous compliance by assigning an audit policy to an organization, a user, or both. Any provisioning operations performed on a user will cause the user-assigned policies to be evaluated. Any resulting policy failure will interrupt the provisioning operation.

An organization-based policy set is defined hierarchically. There is only one organization policy set in effect for any user. The applied policy set is the one assigned to the lowest-level organization. For example:


Organization	Directly Assigned Policy Set	Effective Policy
Austin	Policies A1, A2	Policies A1, A2
Marketing		Policies A1, A2
Development	Policies B, C2	Policies B, C2
Support		Policies B, C2
Test	Policies D, E5	Policies D, E5
Finance		Policies A1, A2
Houston		<none>

Periodic Compliance

Periodic compliance means that Identity Manager evaluates policy on-demand. Any non-compliant conditions are captured as compliance violations.

When executing periodic compliance scans, you can select which policies to use in the scan. The scan process blends directly-assigned policies (user-assigned and organization-assigned policies) and an arbitrary set of selected policies.

Identity Manager users with Auditor Administrator capabilities can create audit policies and monitor compliance with those policies through periodic execution of policy scans and reviews of policy violations. Violations can be managed through remediation and mitigation procedures.

Identity Manager auditing allows for regular scans of users. These scans execute audit policies to detect deviations from established account limits. When a violation is detected, remediation activities are initiated. The rules may be standard audit policy rules provided by Identity Manager, or customized, user-defined rules.

Logical Task Flow for Policy-Based Compliance

Figure 13-1 shows a logical task flow for establishing policy-based audit controls.

Periodic Access Reviews

Identity Manager provides for periodic access reviews that enable managers and other responsible parties to review and verify user access privileges on an ad-hoc or periodic basis. For more information about this feature, see Periodic Access Reviews and Attestation.

Working with Identity Auditing in the Administrator Interface

This section describes how to access Identity Auditing features in the Administrator Interface. Email notification templates used in identity auditing are also discussed.

The Compliance Section of the Interface

To create and manage audit policies, use the Compliance section of the Identity Manager Administrator interface.

To go to the Compliance section where you create and manage audit policies, follow these steps:

Manage Policies

The Manage Policies page lists the policies that you have permission to view and edit. You can also manage access scans from this area.

From the Manage Policies page, you can work with audit policies to accomplish these tasks:

Manage Access Scans

Use the Manage Access Scans tab to create, modify, and delete access scans. Here you can define scans that you want to run or schedule for periodic access reviews. For more information about this feature, see Periodic Access Reviews and Attestation.

Access Reviews

The Access Reviews tab enables you to launch, terminate, delete, and monitor the progress of your access reviews. It displays a summary report of the scan results with information links that enable you to access more detailed information about the review status and pending activities.

Identity Auditing Tasks Interface Reference

To look up how to perform other identity auditing tasks in the Administrator interface, see Appendix C. This quick reference tells you where to go to start a variety of auditing tasks.

Email Templates

Identity Auditing uses email-based notification for a number of operations. For each of these notifications, an email template object is used. The email template allows the headers and body of email messages to be customized.

Table 13-1 Identity Auditing Email Templates
Template Name	Purpose
Access Review Remediation Notice	Sent to remediators by an access review when user entitlements are initially created in a remediating state.
Bulk Attestation Notice	Sent to attestors by an access review when they have pending attestations.
Policy Violation Notice	Sent to remediators by an audit policy scan when violations occur.
Access Scan Begin Notice	Sent to an access scan owner when an access review starts a scan.
Access Scan End Notice	Sent to an access scan owner when an access scan completes.

Enabling Audit Logging

Before you can begin managing compliance and access reviews, the Identity Manager audit logging system must be enabled and configured to collect audit events. By default, the auditing system is enabled. An Identity Manager administrator with the “Configure Audit” capability can configure auditing.

To view or modify the events stored by the Compliance Management group, do the following:

About Audit Policies

An audit policy defines account limits for a set of users of one or more resources. It comprises rules that define the limits of a policy and workflows to process violations after they occur. Audit scans use the criteria defined in an audit policy to evaluate whether violations have occurred in your organization.

Policy rules define specific violations. Policy rules can contain functions written in the XPRESS, XML Object, or JavaScript languages.

Remediation workflow (optionally) is launched when an audit scan identifies a violation of the policy rules.

Remediators are designated users who are authorized to respond to the policy violation. Remediators can be individual users or groups of users.

Creating a Policy with Audit Policy Rules

Rules define potential conflicts on an attribute basis within an audit policy. An audit policy can contain hundreds of rules that reference a wide range of resources. During rule evaluation, the rule has access to user account data from one or more resources. The audit policy may restrict which resources are available to the rule.

It is possible to have a rule that checks only a single attribute on a single resource, or a rule that checks multiple attributes on multiple resources.

Addressing Policy Violations with Remediation Workflows

After you create rules to define policy violations, you select the workflow that will be launched whenever a violation is detected during an audit scan. Identity Manager provides the default Standard Remediation workflow, which provides default remediation processing for audit policy scans. Among other actions, this default remediation workflow generates notification email to each designated Level 1 remediator (and subsequent levels of remediators, if necessary).



Note	Unlike Identity Manager workflow processes, remediation workflows must be assigned the AuthType=AuditorAdminTask and the SUBTYPE_REMEDIATION_WORKFLOW subtype. If you are importing a workflow for use in audit scans, you must manually add this attribute. See (Optional) Import a Workflow into Identity Manager for more information.

Designating Remediators

If you assign a remediation workflow, you must designate at least one remediator. You can designate up to three levels of remediators for an audit policy. For more information about remediation, see Compliance Violation Remediation and Mitigation.

A Sample Audit Policy Scenario

Suppose you are responsible for accounts payable and receivable and must implement procedures to prevent a potentially risky aggregation of responsibilities in employees working in the accounting department. This policy must ensure that personnel with responsibility for accounts payable do not also have responsibility for accounts receivable.

After the rules identify policy violations (in this scenario, users with too much authority), the associated workflow can launch specific remediation-related tasks, including automatically notifying select remediators.

Level 1 remediators are the first remediators contacted when an audit scan identifies a policy violation. When the escalation period identified in this area is exceeded, Identity Manager notifies the remediators at the next level (if more than one level is specified for the audit policy).

The next section, “Working with Audit Policies,” describes how to use the Audit Policy Wizard to create an audit policy.

Previous Contents Index Next
Sun[TM] Identity Manager 8.0 Administration