Chapter 11 Identity Auditing

This chapter describes the features in Identity Manager that enable you to set up audit controls to monitor and manage auditing and compliance across enterprise information systems and applications.

About Identity Auditing

Identity Manager defines auditing as the systematic capture, analysis, and response to Identity data across an enterprise to ensure compliance with internal and external policies and regulations.

Compliance with accounting and data privacy legislation is not a simple task. Identity Manager’s auditing features offer a flexible approach, allowing you to implement a compliance solution that works for your enterprise.

In most environments, different groups are involved with compliance: internal and external auditing teams (for whom auditing is the primary focus); and non-auditing staff (who may see auditing as a distraction). IT often is involved with compliance as well, helping transition internal auditing team requirements to a chosen solution’s implementation. The key to successfully implementing an auditing solution is in accurately capturing the knowledge, controls, and processes of non-auditing staff, and then automating the application of that information.

The features described in this chapter focus on how to conduct audit reviews and implement practices that help you maintain security controls and manage compliance with federally mandated regulations.

Goals of Identity Auditing

Automatically detecting compliance violations, facilitating swift remediation through immediate notification

Providing key information, on demand, about the effectiveness of internal audit controls

Automating certification reviews of identity controls to reduce operational risk

Preparing comprehensive reports that detail user activity and meet regulatory requirements

Streamlining the process of periodic reviews to maintain security and regulatory compliance

Identifying potential conflict-of-interest capabilities for user accounts

Understanding Identity Auditing

Identity Manager provides two distinct features for auditing user account privileges and access rights, and maintaining and certifying compliance. These features are policy-based compliance and periodic access reviews.

Policy-Based Compliance

Identity Manager employs an audit policy system that allows administrators to maintain compliance of company-established requirements for all user accounts.

You can use audit policies to ensure compliance in two different and complementary ways: continuous compliance and periodic compliance.

These two techniques are particularly complementary in an environment in which provisioning operations may be performed outside of Identity Manager. When an account can be changed by a process that does not execute or honor existing audit policies, periodic compliance is necessary.

Continuous Compliance

Continuous compliance means that policy is applied to all provisioning operations, such that an account cannot modified in a way that does not comply with current policy.

You enable continuous compliance by assigning an audit policy to an organization, user, or both. Any provisioning operations performed on a user will cause user- and organization-assigned policies to be evaluated. Any resulting policy failure will interrupt the provisioning operation.

An organization-based policy set is defined hierarchically. There is only one organization policy set in effect for any user. The applied policy set is the one assigned to the lowest-level organization. For example:

Periodic Compliance

Organization	Directly Assigned Policy Set	Effective Policy
Austin	Policies A1, A2	Policies A1, A2
Marketing		Policies A1, A2
Development	Policies B, C2	Policies B, C2
Support		Policies B, C2
Test	Policies D, E5	Policies D, E5
Finance		Policies A1, A2
Houston		<none>

Periodic compliance means that Identity Manager evaluates policy on demand. Any non-compliant conditions are captured as compliance violations.

When executing periodic compliance scans, you can select which policies to use in the scan. The scan process blends directly-assigned policies (user-assigned and organization-assigned policies) and an arbitrary set of selected policies.

Identity Manager users with Auditor Administrator capabilities can create audit policies and monitor compliance with those policies through periodic execution of policy scans and reviews of policy violations. Violations can be managed through remediation and mitigation procedures.

Identity Manager auditing allows for regular scans of users, executing audit policies to detect deviations from established account limits. When a violation is detected, remediation activities are initiated. The rules may be standard audit policy rules provided by Identity Manager, or customized, user-defined rules.

Logical Task Flow for Policy-Based Compliance

The following diagram shows a logical task flow for completing the auditing tasks discussed in this section:

Periodic Access Reviews

Identity Manager provides for periodic access reviews that enable managers and other responsible parties to review and verify user access privileges on an ad-hoc or periodic basis. For more information about this feature, see Periodic Access Reviews and Attestation.

Enabling Audit Logging

Before you can begin managing compliance and access reviews, the Identity Manager audit logging system must be enabled and configured to collect audit events. By default, the auditing system is enabled. An Identity Manager administrator with the Configure Audit capability can configure auditing.

Identity Manager provides the Compliance Management audit configuration group. To view or modify the events stored by the Compliance Management group, select Configure from the menu bar, and then click Audit. On the Audit Configuration page, select the Compliance Management audit group name.

Email Templates

Identity Auditing uses email-based notification for a number of operations. For each of these notifications, an email template object is used. The email template allows the headers and body of email messages to be customized.

Table 11-1 Identity Auditing Email Templates
Template Name	Purpose
Access Review Remediation Notice	Sent to remediators by an access review when user entitlements are initially created in a remediating state.
Bulk Attestation Notice	Sent to attestors by an access review when they have pending attestations.
Policy Violation Notice	Sent to remediators by an audit policy scan when violations occur.
Access Scan Begin Notice	Sent to an access scan owner when an access review starts a scan.
Access Scan End Notice	Sent to an access scan owner when an access scan completes.

Administrator Interface Compliance Area

You create and manage audit policies from the Compliance area in the Identity Manager Administrator interface. Select Compliance from the menu bar to access the Manage Policies page, which lists the policies that you have permission to view and edit. You can also manage access scans from this area.

Manage Policies

From the Manage Policies page, you can work with audit policies to accomplish these tasks:

Create an audit policy

Select a policy to view or edit

Delete a policy

Manage Access Scans

Use the Manage Access Scans tab in the Compliance area to create, modify, and delete access scans. Here you can define scans that you want to run or schedule for periodic access reviews. For more information about this feature, see Periodic Access Reviews and Attestation.

Access Review

This tab in the Compliance area enables you to launch, terminate, delete, and monitor the progress of your access reviews. It displays a summary report of the scan results with information links that enable you to access more detailed information about the review status and pending activities.

About Audit Policies

An audit policy defines account limits for a set of users of one or more resources. It comprises rules that define the limits of a policy and workflows to process violations after they occur. Audit scans use the criteria defined in an audit policy to evaluate whether violations have occurred in your organization.

Policy rules, which can contain functions written in the XPRESS, XML Object, or JavaScript languages, that define specific violations.

Remediation workflow, which optionally is launched when an audit scan identifies a violation of the policy rules.

Remediators, or designated users who are authorized to respond to the policy violation. Remediators can be individual users or groups of users.

Audit Policy Rules

Within an audit policy, rules define potential conflicts on an attribute basis. An audit policy can contain hundreds of rules that reference a wide range of resources. During rule evaluation, the rule has access to user account data from one or more resources. The audit policy may restrict which resources are available to the rule.

It is possible to have a rule that checks only a single attribute on a single resource, or a rule that checks multiple attributes on multiple resources.

Rules must be of subType SUBTYPE_AUDIT_POLICY_RULE or SUBTYPE_AUDIT_POLICY_SOD_RULE. Rules generated by the Audit Policy Wizard or referenced by it are automatically assigned this subType.

Rules must be of authType AuditPolicyRule. Rules generated by the Audit Policy Wizard are automatically assigned this authType.

See Working with Rules in Identity Manager Deployment Tools for a discussion of rule logic.

Remediation Workflows

After you create rules to define policy violations, you select the workflow that will be launched whenever a violation is detected during an audit scan. Identity Manager provides the default Standard Remediation workflow, which provides default remediation processing for audit policy scans. Among other actions, this default remediation workflow generates notification email to each designated Level 1 remediator (and subsequent levels of remediators, if necessary).

Remediators


Note	Unlike Identity Manager workflow processes, remediation workflows must be assigned the AuthType=AuditorAdminTask and the SUBTYPE_REMEDIATION_WORKFLOW subtype. If you are importing a workflow for use in audit scans, you must manually add this attribute. See (Optional) Import a Workflow into Identity Manager for more information.

If you assign a remediation workflow, you must designate at least one remediator. You can designate up to three levels of remediators for an audit policy. For more information about remediation, see Compliance Violation Remediation and Mitigation in this chapter.

Sample Audit Policy Scenario

You are responsible for accounts payable and receivable and must implement procedures to prevent a potentially risky aggregation of responsibilities in employees working in the accounting department. This policy must ensure that personnel with responsibility for accounts payable do not also have responsibility for accounts receivable.

Set of four rules. Each specifies a condition that constitutes a policy violation.

Workflow that launches remediation tasks

Group of designated administrators, or remediators, with permission to view and respond to policy violations created by the preceding rules

After the rules identify policy violations (in this scenario, users with too much authority), the associated workflow can launch specific remediation-related tasks, including automatically notifying select remediators.

Level 1 remediators are the first remediators contacted when an audit scan identifies a policy violation. When the escalation period identified in this area is exceeded, Identity Manager notifies the remediators at the next level (if more than one level is specified for the audit policy).

Working with Audit Policies

Identity Manager features the Audit Policy Wizard to help you set up audit policies. After defining an audit policy you can perform various actions on the policy, such as modifying or deleting it. The topics in this section describe how to create and manage audit policies and audit policy rules.

The Audit Policy Wizard additionally can create rules, but is limited in the type of rules it can create. Use the Identity Manager IDE to create more powerful rules to be used by the wizard.

By default, any rules created with the wizard are of authType AuditPolicyRule. Any audit policy rules you create (by using the wizard or the Identity Manager IDE) should specify this authType.

Rules must be subType SUBTYPE_AUDIT_POLICY_RULE. Rules generated by the Audit Policy Wizard are automatically assigned this subType.

Creating an Audit Policy

The Audit Policy Wizard guides you through the process of creating an audit policy. To access the Audit Policy Wizard, in the Compliance area of the interface, click Manage Policies and create a new audit policy.

Using the wizard, you will perform the following tasks to create an audit policy:

Select or create the rules you want to use to define policy limits

Assign approvers and establish escalation limitations

Assign a remediation workflow

After completing the task presented in each wizard screen, click Next to move to the next step.

Before You Begin

Considerable planning precedes the creation of an audit policy, including these tasks:

Identify the rules you will use to create the policy in the Audit Policy Wizard. The rules you choose are determined by the type of policy you are creating and the specific limitations you want to define.

Import any remediation workflow or rule that you want to include in the new policy.

Ensure that you have the required capabilities to create audit policies. See the required capabilities in Understanding and Managing Capabilities.

Identify the Rules You Need

The constraints you specify in the policy are implemented in a set of rules that you create or import. When using the Audit Policy Wizard to create a rule, you:

Identify the specific resource you are working with.

Select an account attribute from the list of attributes that are valid for the resource.

Select a condition to impose on the attribute.

Enter a value for comparison.

(Optional) Import Separation of Duty Rules into Identity Manager

The Audit Policy Wizard cannot create Separation of Duty rules. These rules must be constructed outside of Identity Manager and imported by using the Import Exchange File option on the Configure tab.

(Optional) Import a Workflow into Identity Manager

To use a remediation workflow that is not currently available from Identity Manager, complete the following tasks to import the external workflow:

Set authType=’AuditorAdminTask’ and add subtype=’SUBTYPE_REMEDIATION_WORKFLOW’. You can use the Identity Manager IDE or your XML editor of choice to set these configuration objects.

Import the workflow by using the Import Exchange File option. (You can access this feature from the Configure tab.)

After you have successfully imported the workflow, it appears in the Audit Policy Wizard Remediation Workflow list of options.

Name and Describe the Audit Policy

Enter the name of the new policy and a brief description in the Audit Policy Wizard (shown in Figure 11-1).


Note	Audit policy names cannot contain these characters: ' (apostrophe), . (period), \| (pipe), [ (left bracket), ] (right bracket), , (comma), : (colon), $ (dollar sign), " (double quote), or = (equals sign).

If you want only selected resources to be accessed when executing the scan, enable the Restrict target resources option.

If you want a remediation of a violation to result in an immediate re-scan of the user, then enable the Allow violation re-scans option.

Select a Rule Type

Use this page to start the process of defining or including rules in your policy. (The bulk of your work while creating a policy is defining and creating rules.)


Note	If the audit policy does not restrict resources, then all resources for which a user has accounts will be accessed during the scan. If the rules only use a few resources, then it is more efficient to restrict the policy to those resources.

As shown in Figure 11-2, you can choose to create your own rule by using the Identity Manager rule wizard, or you can incorporate an existing rule. By default, the Rule Wizard option is selected. Click Next to launch the Rule Wizard and go to Creating a New Rule by Using the Rule Wizard for instructions on creating a rule.

Select an Existing Rule

When selecting a rule option, click Existing Rule to include an existing rule in the new policy. Then, click Next to view and select the existing audit policy rules to which you have access.

Select additional rules from the Rules list of options, and then click Next.

Adding Rules

You can create additional rules with the wizard, or import rules. The Rule Wizard only allows one resource to be used in a rule. Imported rules can reference as many resources as needed.


Note	If you cannot see the name of a rule that you have previously imported into Identity Manager, confirm that you have added to the rule the additional attributes that are described in Audit Policy Rules.

Click AND or OR to continue adding rules as necessary. To remove a rule, select it and then click Remove.

Policy violations occur only if the Boolean expression of all rules evaluates to true. By grouping rules with AND/OR operators, it is possible for the policy to evaluate to true, even though all rules do not. Identity Manager creates violations only for rules that evaluate to true, and only if the policy expression evaluates to true. The Audit Policy Wizard does not provide explicit control over the Boolean expression nesting, so it is best not to build deep expressions.

Select a Remediation Workflow

Use this screen to select a Remediation workflow to associate with this policy. The workflow assigned here determines the actions taken within Identity Manager when an audit policy violation is detected.


Note	One workflow is started for each failed audit policy. Each workflow will contain one or more work items for each compliance violation created by the policy scan for the specific policy.


Note	For information about importing a workflow that you have created by using an XML editor or the Identity Manager Integrated Development Environment (IDE), see (Optional) Import a Workflow into Identity Manager.

Select Remediation User Form Rule to select a rule used to calculate the user form applied when editing a user through a remediation. By default, a remediator that edits a user in response to a remediation work item will use the user form assigned to the remediator. If an audit policy specifies a remediation user form, then this form is used instead. This allows a very specific form to be used when an audit policy indicates a corresponding, specific problem.

To specify remediators to be associated with this remediation workflow, select Specify Remediators? If you enable this option, then clicking Next will display the Assign Remediators page. If you do not enable this option, then the wizard will next display the Audit Policy Wizard Assign Organizations screen.

Select Remediators and Timeouts for Remediations

If you select to specify remediators, the remediators assigned to this audit policy will be notified when a violation of this policy is detected. Also, the default workflow assigns a remediation work item to them. Any Identity Manager user can be a remediator.

You might choose to assign at least one Level 1 remediator, or designated user. Level 1 remediators are contacted first through email launched by the remediation workflow when a policy violation is detected. If the designated escalation timeout period is reached before a Level 1 remediator responds, Identity Manager next contacts the Level 2 remediators that you specify here. Identity Manager contacts Level 3 remediators only if neither Level 1 nor Level 2 remediators respond before the escalation time period lapses.


Note	If you specify an escalation timeout value for the highest-level remediator selected, then the work item is removed from the list when the escalation times out. By default, an escalation timeout is set to a value of 0; in this case, the work item does not expire and remains in the remediator’s list.

Assigning Remediators is optional. If you select this option, then click Next to proceed to the next screen after specifying the settings.

To add users to the available list of remediators, enter a user ID and then click Add. Alternatively, click ... (More) to search for a user ID. Enter one or more characters in the Starts With field, and then click Find. After selecting a user from the search list, click Add to add it to the list of remediators. Click Dismiss to close the search area.

To remove a user ID from the list of remediators, select it in the list, and then click Remove.

Select Organizations that Can Access this Policy

Use this screen, illustrated in Figure 11-5, to select the organizations that can view and edit this policy.

After making organization selections, click Finish to create the audit policy and return to the Manage Policies page. The newly created policy is now visible in this list.

Creating a New Rule by Using the Rule Wizard

If you choose to create a rule by using the Rule Wizard selection in the Audit Policy Wizard, proceed by entering information on the pages discussed in the following sections.

Name and Describe the New Rule

Optionally name and describe the new rule. Use this page to enter descriptive text that appears next to the rule name whenever Identity Manager displays the rule. Enter a concise and clear description that is meaningful in describing the rule. This description is displayed within Identity Manager in the Review Policy Violations page.

For example, if you are creating a rule that will identify users who have both an Oracle ERP responsibilityKey attribute value of Payable User and a Receivable User attribute value, you could enter the following text in the Description field: Identifies users with both Payable User and Receivable User responsibilities.

Select the Resource Referenced by the Rule

Use this page to select the resource that the rule will reference. Each rule variable must correspond to an attribute on this resource. All resources that you have view access to will appear in this options list. In this example, Oracle ERP is selected.

Create the Rule Expression


Note	Most, but not all, attributes of each available resource adapter are supported. For information on the specific attributes that are available, see Identity Manager Resources Reference.

Use this screen to enter the rule expression for your new rule. This example creates a rule in which a user with an Oracle ERP responsibilityKey attribute value of Payable User cannot also have a Receivable User attribute value.

Select a user attribute from the list of available attributes. This attribute will directly correspond to a rule variable.

Select a logical condition from the list. Valid conditions include = (equal to), != (not equal to), < (less than), <= (less than or equal to), > (greater than), >= (greater than or equal to), is true, is null, is not null, is empty, and contains. For the purpose of this example, you could select contains from the list of possible attribute conditions.

Enter a value for the expression. For example, if you enter Payable user, you are specifying an Oracle ERP user with the value of Payable user in the responsibilityKeys attribute.

(Optional) Click AND or OR operators to add another line and create another expression.

Figure 11-8 Audit Policy Wizard: Select Rule Expression Screen
Use the Select Rule Syntax Screen to specify the rule syntax for a new rule.

This rule returns a Boolean value. If both statements are true, then the policy rule returns a value of TRUE, which causes a policy violation.

The following code example shows the XML for the rule you have created in this screen:


Note	Identity Manager provides no support for control of rule nesting. If multiple rules are specified, the policy evaluator always follows AND operations first, and then OR. For example, R1 AND R2 AND R3 or R4 AND R5 (R1 + R2 + R3) \| (R4 + R5).

To remove an expression from the rule, select the attribute condition and then click Remove.

Click Next to continue in the Audit Policy Wizard. You will then have the opportunity to add more rules, either by creating new rules with the wizard or by adding existing rules.

Editing an Audit Policy

Adding or deleting rules

Changing the targeted resources

Adjusting the list of organizations that have access to the policy

Changing the escalation timeout associated with each level of remediation

Changing the remediation workflow associated with the policy

The Edit Policy Page

Click a policy name in the Audit Policy name column to open the Edit Audit Policy page. This page categorizes audit policy information in these areas:

Identification and Rules area

Remediators and Escalation timeout area

Workflow and Organizations Area

Figure 11-9 Edit Audit Policy Page: Identification and Rules Area
The Edit Policy Page lets you edit policy names and descriptions, add rules, and delete rules.

Edit the policy description

Add or delete a rule



Note	You cannot use this product to directly edit an existing rule. Use the Identity Manager IDE or an XML editor to edit the rule, and then import it into Identity Manager. You can then remove the previous version, and add the newly revised version.

Edit Audit Policy Description

Edit the audit policy description by selecting the text in the Description field and then entering new text.

Edit Options

Optionally select or de-select the Restrict target resources or Allow violation re-scans options.

Delete a Rule from the Policy

To delete a rule from the policy, click the Select button that precedes the rule name, and then click Remove.

Add a Rule to the Policy

Change a Rule used by the Policy

Remediators Area

Figure 11-10 shows a portion of the Remediators area, where you assign Level 1, Level 2, and Level 3 remediators for a policy.

Remove or assign remediators to a policy

Adjust escalation timeouts

Remove or Assign Remediators

Select a remediator for one or more remediation levels by entering a user ID and then clicking Add. To search for a user ID, click ... (More). You must select at least one remediator.

To remove a remediator, select a user ID in the list, and then click Remove.

Adjust Escalation Timeouts

Select the timeout value, then enter the new value. By default, no timeout value is set

Remediation Workflow and Organizations Area


Note	If you specify an escalation timeout value for the highest-level remediator selected, then the work item is removed from the list when the escalation times out.

Figure 11-11 shows the area in which you specify the remediation workflow and organizations for an audit policy.

Change the remediation workflow that is launched when a policy violation occurs

Select a remediation user form rule

Adjust the organizations that have access to this policy

Change the Remediation Workflow

To change the workflow assigned to a policy, you can select an alternative workflow from the list of options. By default, no workflow is assigned to an audit policy.

Select Remediation User Form Rule

Optionally select a rule to calculate the user form applied when editing a user through a remediation.

Assign or Remove Visibility to Organizations


Note	If no workflow is assigned to the Audit Policy, the violations will not be assigned to any remediators.

Adjust the organizations to which this audit policy will be available, and then click Save.

Sample Policies

Identity Manager provides these sample policies, accessible from the Audit Policies list:

IDM Role Comparison Policy

IDM Account Accumulation Policy

IDM Role Comparison Policy

This sample policy allows you to compare a user’s current access to the access specified by Identity Manager roles. The policy ensures that all resource attributes specified by roles are set for the user.

The user is missing any resource attributes specified by roles

The user’s resource attributes differ from those specified by roles

IDM Account Accumulation Policy

This sample policy verifies that all accounts held by the user are referenced by at least one role also held by that user.

This policy fails if the user has accounts on any resources that are not explicitly referenced by a role assigned to the user.

Deleting an Audit Policy

When an audit policy is deleted from Identity Manager, all violations that reference the policy are also deleted.

Policies can be deleted from the Compliance area of the interface, when you click Manage Policies to view policies. To delete an audit policy, select the policy name in the policy view, and then click Delete.

Troubleshooting Audit Policies

Problems with your audit policy typically are best addressed through policy rule debugging.

Debugging Rules

<block trace='true'>
<and>
  <contains>
    <ref>accounts[AD].firstname</ref>
    <s>Sam</s>
  </contains>
  <contains>
    <ref>accounts[AD].lastname</ref>
    <s>Smith</s>
  </contains>
</and>
</block>

Problem

Resolution

You have added the subtype='SUBTYPE_REMEDIATION_WORKFLOW' attribute to your workflow. Workflows without this subtype will not be visible in the Identity Manager Administrator interface.

You have the capability for authType AuditorAdminTask.

You control the organization that the workflow is in.

Problem

Resolution

Each rule is of subtype=‘SUBTYPE_AUDIT_POLICY_RULE’ or subtype=‘SUBTYPE_AUDIT_POLICY_SOD_RULE’.

You have the capability for authType AuditPolicyRule.

You control the organization that the workflow is in.

Assigning Audit Policies

To assign an audit policy to an organization, the user must have (at least) the Assign Organization Audit Policies capability. To assign an audit policy to a user, the user must have the Assign User Audit Policies capability. A user with the Assign Audit Policies capability has both of these capabilities.

To assign organization-level policy, select the Organization on the Accounts tab, and then select the policies in the Assigned audit policies list.

Click the user in the Accounts area.

Select Compliance in the user form.

Select policies in the Assigned audit policies list.



Note	Audit policies that are directly assigned to a user—that is, assigned through user account or organization assignment—are always re-evaluated when a violation for that user is remediated.

Audit Policy Scans and Reports

This section provides information about audit policy scans, and provides procedures for running and managing audit scans.

Scanning Users and Organizations

A scan runs selected audit policies on individual users or organizations. You might want to scan a user or organization for a specific violation or execute policies not assigned to the user or organization. Launch scans from the Accounts area of the interface.


Note	You can also launch or schedule an audit policy scan from the Server Tasks tab.

Select Accounts.

In the Accounts list, perform one of these actions:

Select one or more users, and then select Scan from the User Actions options list.

Select one or more organizations and then select Scan from the Organization Actions options list.

Specify a title for the scan in the Report Title field. This field is required. You can optionally specify a description for the scan in the Report Summary field.

Select one or more audit policies to run. You must specify at least one policy.

Select a Policy Mode. This determines how the selected policies should interact with users who already have policy assignments. Assignments can come directly from the user or from the organization to which the user is assigned.

Optionally select the Do not create violations option. When you enable this option, audit policies will be evaluated and violations reported, but no compliance violations will be created or updated, and no remediation workflow will be executed. However, task results from the scan will show which violations would have been created, making this option useful when testing audit policies.

Check Execute Remediation Workflow? to run the remediation workflow assigned in the audit policy. If the audit policy does not define a remediation workflow, no remediation workflow will run.

Edit the Violation Limit value to set the maximum number of compliance violations that can be emitted by the scan before it aborts. This value is a safeguard to limit risk when running an audit policy that may be overly aggressive in its checks. An empty value means no limit is set.

Check Email Report to specify recipients for the report. You may also have Identity Manager attach a file containing a report in CSV (comma-separated values) format.

If you prefer to override the default PDF options, enable the Override default PDF options option.

Click Launch to begin the scan.

To view the reports resulting from an audit scan, view the Auditor Reports.

Working with Auditor Reports

Identity Manager provides a number of Auditor Reports. The following table describes these reports.

Table 11-2 Auditor Reports Descriptions
Auditor Report Type	Description
Access Review Coverage	Shows the overlap or differences among the users that are implied by the selected access reviews. Since most access reviews have a user scope that is specified by a query or some membership operation, the exact set of users is expected to change over time. This report can show the overlap, differences, or both, between users specified by two different access reviews (to see if the reviews are going to be efficient in operation); between entitlements generated by two different access reviews (so you can see if the coverage changes over time); or between users and entitlements (so you can see if the entitlements were generated for all users scoped by the review.
Access Review Detail	Shows the current status of all user entitlement records. This report can be filtered by a user’s organization, Access Review and Access Review Instance, state of an entitlement record, and attestor.
Access Review Summary	Provides summary information about all access reviews. It summarizes the status of users scanned, policies scanned, and attestation activities for each access review scan listed.
Access Scan User Scope Coverage	Compares selected scans to determine which users are included in the scan scope. It shows the overlap (users included in all scans) or difference (users not included in all scans, but included in more than one). This report is useful when trying to organize multiple access scans to cover the same or different users, depending on the needs of the scan.
Audit Policy Summary	Summarizes the key elements of all audit policies, including the rules, remediators, and workflow for each policy.
Audited Attribute	Shows all audit records indicating a change of a specified resource account attribute. This report mines the audit data for any auditable attributes that have been stored. It will mine the data based on any extended attributes, which can be specified from WorkflowServices or resource attributes marked as auditable.
AuditPolicy Violation History	Graphical view of all compliance violations per policy that were created during a specified period of time. This report can be filtered by policy, and grouped by day, week, month, or quarter.
User Access	Shows the audit record and user attributes for a specified user.
Organization Violation History	Graphical view of all compliance violations per resource, that were created during a specific period of time. Can be filtered by organization, and grouped by day, week, month, or Quarter.
Resource Violation History	Graphical view of all compliance violations per resource that were created during the specified time range.
Separation of Duties	Shows separation of duties violations arranged in a conflicts table. Using a Web-based interface, you can access additional information by clicking the links. This report can be filtered by organization, and grouped by day, week, month, or quarter.
Violation Summary	Shows all current compliance violations. This report can be filtered by remediator, resource, rule, user, or policy

The reports are available from the Reports tab in the Identity Manager interface.

Creating an Auditor Report

To run a report, you must first create the report template. You can specify various criteria for the report, including specifying email recipients to receive the report results. After a report template has been created and saved, it is available from the Run Reports page.

Figure 11-13 shows an example of the Run Reports page with a list of defined Auditor Reports.

Select Reports from the menu bar.

Select Auditor Reports for the report type.

In the New list of reports, select a report.

The Define a Report page appears. The fields and layout of the report dialog varies for each type of report. Refer to Identity Manager Help for information about specifying the report criteria.

Run the report without saving — Click Run to start running the report. Identity Manager does not save the report (if you defined a new report) or the changed report criteria (if you edited an existing report).

Save the report — Click Save to save the report. After it is saved, you can run the report from the Run Reports page (the list of reports).

After running a report from the Run Reports page, you can view the output immediately or at a later time from the View Reports tab.

For information about scheduling a report, see Scheduling Reports.

Compliance Violation Remediation and Mitigation

This section describes how to use Identity Manager Remediation to protect your critical assets. The following topics discuss elements of the Identity Manager Remediation process:

About Remediation

Remediation Email Template

Working with the Remediations Page

Viewing Policy Violations

Mitigating Policy Violations

Remediating Policy Violations

Forwarding Remediation Requests

About Remediation

When Identity Manager detects an unresolved (not mitigated) audit policy compliance violation, it creates a remediation request, which must be addressed by a remediator — designated users who are allowed to evaluate and respond to audit policy violations.

Remediator Escalation

Identity Manager allows you to define three levels of remediator escalation. Remediation requests are initially sent to Level 1 remediators. If a Level 1 remediator does not act on a remediation request before the time-out period expires, Identity Manager escalates the violation to the Level 2 remediators and begins a new time-out period. If a Level 2 remediator does not respond before the time-out period expires, then the request is escalated once again to the Level 3 remediator.

To perform remediation, you must designate at least one remediator for your enterprise. Specifying more than one remediator for each level is optional, but recommended. Multiple remediators help ensure workflow is not delayed or halted.

Remediation Security Access

The remediation work item owner

A direct or indirect manager of the remediation work item owner

An administrator who controls an organization in which the remediation work item owner belongs

Owner is the user attempting the action, OR

Owner is in an organization controlled by the user attempting the action, OR

Owner is a subordinate of the user attempting the action

The second and third checks are independently configurable by modifying these options:

controlOrg — Valid values are true or false.

subordinate — Valid values are true or false.

lastLevel — The last subordinate level to include in the result; -1 means all levels. The integer value for lastLevel defaults to -1, meaning direct and indirect subordinates.

Remediation Workflow Process

Identity Manager provides the Standard Remediation Workflow to provide remediation processing for Audit Policy scans.

The Standard Remediation Workflow generates a remediation request (a review-type work item) containing information about the compliance violation and sends an email notification to each Level 1 remediator named in the audit policy. When a remediator mitigates the violation, the workflow changes the state of, and assigns an expiration to, the existing compliance violation object.

A compliance violation is uniquely identified by the combination of the user, policy name, and rulename. When an audit policy evaluates to true, a new compliance violation is created for each user/policy/rule combination, if an existing violation for this combination does not already exist. If a violation does exist for the combination, and the violation is in a mitigated state, then the workflow process takes no action. If the existing violation is not mitigated, then its recurrent count is incremented.

Remediation Responses

Remediate — A remediator indicates that something has been done to fix the problem on the resource.


Note	After remediation, a violation is not deleted until the next audit scan. If an audit policy is configured to allow re-scans, then the user will be re-scanned as soon as the violation is remediated.

Mitigate — A remediator allows the violation and gives the user an exemption from the violation for a certain amount of time.


Note	When Identity Manager detects an expired exemption, it returns the violation from the mitigated state to a pending state.

Forward — A remediator reassigns the responsibility for resolving the violation to another individual.

Remediation Example

Your enterprise establishes a rule in which a user cannot be responsible for both Accounts Payable and Accounts Receivable, and you receive notice that a user is violating this rule.

If the user is a supervisor who has responsibility for both roles until the company hires a second person for that position, you might mitigate the violation and issue an exemption for up to six months.

If the user is violating the rule, you might ask your Oracle ERP Administrator to correct the conflict, and then remediate the violation when the problem is fixed for that resource. Alternatively, you might forward the remediation request to the Oracle ERP Administrator.

Remediation Email Template

Identity Manager provides a Policy Violation Notice email template (available by selecting the Configuration tab, then the Email Templates subtab. You can configure this template to notify remediators of pending violations. For more information, see Customizing Email Templates.

Working with the Remediations Page

Select Work Items, and then Remediations to access the Remediations page.

View pending violations

Prioritize policy violations

Mitigate one or more policy violations

Remediate one or more policy violations

Forward one or more violations

Edit users from a remediation work item

Viewing Policy Violations

You can use the Remediations page to view details about violations before taking action on them.

Depending on your capabilities or place in the Identity Manager capabilities hierarchy, you may be able to view and take action on violations for other remediators.

Viewing Pending Requests

Viewing Completed Requests

Updating the Table

Viewing Pending Requests

Pending requests assigned to you are, by default, displayed in the Remediation table. You can use the List Remediations for option to view pending remediation requests for a different remediator:

Select My Direct Reports to view pending requests for users in your organization who report directly to you.

Select Search Users to enter or locate one or more users whose pending requests you want to view. Enter a user ID, and then click Apply to view pending requests for that user. Alternatively, click ... (More) to search for a user. After locating and selecting a user, click Dismiss to close the Search area.

Remediator — Name of the assigned remediator. This column displays only when you view remediation requests for other remediators.

User — User for whom the request is made.

Audit Policy/Request — Action requested of the remediator.

Audit Rule/Description — Remediation comments for the request.

Violation State — Current state of the violation.

Severity — Severity assigned to the request (None, Low, Medium, High, or Critical)

Priority — Priority assigned to the request (None, Low, Medium, High, or Urgent)

Date of Request: Date and time the remediation request was issued.



Note	Each user can choose a custom form that displays remediation data relevant to that particular remediator. To assign a custom form, select the Compliance tab on the user form.

Viewing Completed Requests

To view your completed remediation requests, click the My Work Items tab, and then click the History tab. A list of previously remediated work items displays.

The resulting table (which is generated by an AuditLog report) provides the following information about each remediation request:

Timestamp — Date and time the request was remediated

Subject — Name of the remediator who processed the request

Action — Whether the remediator mitigated or remediated the request

Type — ComplianceViolation or User Entitlement

Object Name — Name of the audit policy that was violated

Resource — Provides the remediator’s account ID (or may indicate N/A)

ID — Always indicates N/A

Result — Always indicates Success

The Audit Events Details page provides information about the completed request, including information about the remediation or mitigation, event parameters (if applicable), and auditable attributes.

Updating the Table

To update the information provided in the Remediations table, click Refresh. The Remediation page updates the table with any new remediation requests.

Prioritizing Policy Violations

You can prioritize policy violations by assigning them a priority, severity, or both. Prioritize violations from the Remediations page.

Select one or more violations in the list.

Click Prioritize.

The Prioritize Policy Violations page appears.

Optionally set a severity for the violation. Selections are None, Low, Medium, High, or Critical.

Optionally set a priority for the violation. Selections are None, Low, Medium, High, or Urgent.

Click OK when you have finished making selections. Identity Manager returns to the list of remediations.



Note	Severity and priority values can be set only on remediations of type CV (Compliance Violation).

Mitigating Policy Violations

You can mitigate policy violations from the Remediations and Review Policy Violations pages.

From the Remediations Page

Select rows in the table to specify which requests to mitigate.

Enable one or more individual options to specify requests to be mitigated.

Enable the option in the table header to mitigate all requests listed in the table.



Note	Identity Manager allows you to enter only one set of comments to describe a mitigation action. You may not want to perform a bulk mitigation unless the violations are related and a single comment will suffice. You can mitigate only those requests that include compliance violations. Other remediation requests cannot be mitigated.

Click Mitigate.

The Mitigate Policy Violation page (or Mitigate Multiple Policy Violations page) appears:

Figure 11-14 Mitigate Policy Violation Page
Accessing the Mitigate Policy Violation page.

Enter comments about the mitigation into the Explanation field. (This field is required.)

Your comments provide an audit trail for this action, so be sure to enter complete and meaningful information. For example, explain why you are mitigating the policy violation, the date, and why you chose the exemption period.

Provide an expiration date for the exemption by typing the date (in the format YYYY-MM-DD) directly into the Expiration Date field, or by clicking the date

button and selecting a date from the calendar.



Note	If you do not provide a date, the exemption is valid indefinitely.

Click OK to save your changes and return to the Remediations page.

Remediating Policy Violations

Use the check boxes in the table to specify which requests to remediate.

Enable one or more individual check boxes in the table to specify requests to remediate.

Enable the check box in the table header to remediate all requests listed in the table.

If selecting more than one request, keep in mind that Identity Manager allows you to enter only one set of comments to describe a remediation action. You may not want to perform a bulk remediation unless the violations are related and a single comment will suffice.

Click Remediate.

The Remediate Policy Violation page (or Remediate Multiple Policy Violations page) displays.

Enter your comments about the remediation into the Comments field.

Click OK to save your changes and return to the Remediations page.



Note	Audit policies that are directly assigned to a user—that is, assigned through user account or organization assignment—are always re-evaluated when a violation for that user is remediated.

Forwarding Remediation Requests

You can forward one or more remediation requests to another remediator, as follows:

Use the check boxes in the table to specify which requests to forward.

Enable the check box in the table header to forward all requests listed in the table.

Enable individual check boxes in the table to forward one or more requests.

Click Forward.

The Select and Confirm Forwarding page appears.

Figure 11-15 Select and Confirm Forwarding Page
Request forwarded to Administrator and table is updated.

Enter a remediator name in the Forward to field, and then click OK. Alternatively, you can click ... (More) to search for a remediator name. Select a name from the search list, and then click Set to enter that name in the Forward to field. Click Dismiss to close the search area.

When the Remediations page redisplays, the new remediator’s name displays in the Remediator column of the table.

Editing a User from a Remediation Work Item

From a remediation work item, you can (with appropriate user editing capabilities) edit a user to remediate problems (as described in the associated entitlement history).

To edit a user, click Edit User from the Review Remediation Request page. The displayed Edit User page shows:

Entitlement history associated with the user, for this work item

Attributes for the user. The options that appear here are the same as on the Edit User form available from the Accounts area.


Note	Saving user edits causes the Update User workflow to run. Since this workflow may have approvals, it is possible that the changes to the user accounts are not in effect for a period of time after the save. If the audit policy allows rescans, and the Update User workflow has not completed, then the subsequent policy scan may detect the same violation.

Periodic Access Reviews and Attestation

Identity Manager provides a process for conducting access reviews that enable managers or other responsible parties to review and verify user access privileges. This process helps to identify and manage user privilege accumulation over time, and helps to maintain compliance with Sarbanes-Oxley, GLBA, and other federally regulated mandates.

Access reviews can be performed as needed or scheduled to occur periodically—for example, every calendar quarter—enabling you to conduct periodic access reviews to maintain the correct level of user privileges. An access review can optionally include audit policy scans.

About Periodic Access Reviews

Periodic access review is the periodic process of attesting that a set of employees has the appropriate privileges on the appropriate resources at a specific point in time.

Access review scans — Scans that you define and run or schedule to run, that evaluate user entitlements for a specified set of users and perform rule-based evaluations to determine if attestation is needed.

Attestation — Process of responding to attestation requests by approving or rejecting user entitlements.

A user entitlement is a record of details of a user’s accounts on a specific set of resources.

Access Review Scans

To initiate a periodic access review, you must first define at least one access scan.

The access scan defines who will be scanned, which resources will be included in the scan, any optional audit policies to be evaluated during the scan, and rules to determine which entitlement records will be manually attested, and by whom.

Access Review Workflow Process

Constructs a list of users, gets account information for each user, and evaluates optional audit policies

Creates user entitlement records

Determines if attestation is required for each user entitlement record

Assigns work items to each attestor

Waits for all attestors to approve, or for the first rejection

Escalates to the next attestor, if no response to a request is received within a specified timeout period

Updates user entitlement records with resolutions

Required Administrator Capabilities

To conduct a periodic access review and manage the review processes, a user must have the Auditor Periodic Access Review Administrator capabilities. A user with Auditor Access Scan Administrator capability can create and manage access scans.

To assign these capabilities, edit the user account and modify the security attributes. For more information about these and other capabilities, see Understanding and Managing Capabilities.

Attestation

Attestation is the certification process performed by one or more designated attestors to confirm a user entitlement as it exists on a specific date. During an access review, the attestor (or attestors) receives notice of the access review attestation requests through email notification. An attestor must be an Identity Manager user, but is not required to be an Identity Manager administrator.

Attestation Workflow

Identity Manager uses an attestation workflow that is launched when an access scan identifies entitlement records requiring review. The access scan makes this determination based on the rules defined in the access scan.

A rule evaluated by the access scan determines if the user entitlement record needs to be manually attested, or if it can be automatically approved or rejected. If the user entitlement record needs to be manually attested, then the access scan uses a second rule to determine who the appropriate attestors are.

Each user entitlement record to be manually attested is assigned to a workflow, with one work item per attestor. Notification to the attestor of these work items can be sent using a ScanNotification workflow that bundles the items into one notification, per attestor, per scan. Unless the ScanNotification workflow is selected, notification will be per user entitlement. This means an attestor could receive multiple notifications per scan, and possibly a large number depending on the number of users scanned.

Attestation Security Access

The Work Item owner

A direct or indirect manager of the Work Item owner

An administrator who controls an organization in which the Work Item owner belongs

Users who have been validated through authentication checks

Owner is User attempting the action, OR

Owner is in Organization controlled by user attempting the action, OR

Owner is a subordinate of user attempting the action.

The second and third checks are independently configurable by modifying these form properties:

controlOrg — Valid values are “true” or “false”

subordinate — Valid values are “true” or “false”

lastLevel — the last subordinate level to include in the result; -1 means all levels

The integer value for lastLevel defaults to -1, meaning direct and indirect subordinates.

Delegated Attestation


Note	If security on attestations is set to organization-controlled, then the Auditor Attestor capability also is required to modify another user's attestations.

By default, the access scan workflow respects delegations, for work items of type Access Review Attestation and Access Review Remediation, created by users for attestation work items and notifications. The access scan administrator may deselect the Follow Delegation option to ignore delegation settings. If an attestor has delegated all work items to another user but the Follow Delegation option is not set for an access review scan, then the attestor—not the user to which delegations have been assigned—will receive attestation request notifications and work items.

Planning for a Periodic Access Review

An access review can be a labor- and time-intensive process for any business enterprise. The Identity Manager periodic access review process helps minimize the cost and time involved by automating many parts of the process. However, some of the processes still are time-consuming. For example, the process of fetching user account data from a number of locations for thousands of users can take a considerable amount of time. The act of manually attesting records can be time-consuming as well. Proper planning improves the efficiency of the process and greatly reduces the effort involved.

Scan times can vary greatly depending on the number of users and the resources involved.

Using multiple Identity Manager servers for parallel processing can speed up the access review process.

Customizing the Attestation workflow and rules gives you greater control and can provide greater efficiency:

Using Attestor Escalation Rules helps improve response time for attestation requests.

Understand how to use the Review Determination Rules to save time by automatically determining which entitlement records need to be manually reviewed.

Bundle notification of attestation requests for a scan by specifying a scan-level Notification Workflow.

Tuning Scan Tasks

During the scan process, multiple threads access the user’s view, potentially accessing resources on which the user has accounts. After the view is accessed, multiple audit policies and rules are evaluated, which may result in the creation of compliance violations.

To prevent two threads from updating the same user view at the same time, the process establishes an in-memory lock on the user name. If this lock cannot be established in (by default) 5 seconds, then an error is written to the scan task and the user is skipped, thus providing protection for concurrent scans that are processing the same set of users.

You can edit the values of several “tunable parameters” that are provided as task arguments to the scan task:

clearUserLocks (Boolean) — If true, then all current user locks are freed before the scan starts.

userLock (integer) — Time (in milleseconds) to wait when trying to lock a user. The default value is 5 seconds. A negative value disables locking for that scan.

scanDelay (integer) — Time (in milleseconds) to sleep between dispatching scan threads. The default value is 0 (no delay). If you provide a value for this argument, then the scan is slower, but the system is more responsive to other operations.

maxThreads (integer) — Number of concurrent threads used to process a scan. The default value is 5. If resources are very slow to respond, increasing this number may increase scan throughput.

To change the values of these parameters, edit the corresponding Task Definition form. For more information about this task, see Identity Manager Workflows, Forms, and Views.

Creating an Access Scan

Select Compliance, and then select Manage Access Scans.

Click New to display the Create New Access Scan page.

Assign a name to the access scan.



Note	Access scan names cannot contain these characters: ' (apostrophe), . (period), \| (pipe), [ (left bracket), ] (right bracket), , (comma), : (colon), $ (dollar sign), " (double quote), or = (equals sign).

Optionally add a description that is meaningful in identifying the scan.

Optionally enable the Dynamic entitlements option. If enabled, attestors are given these additional options:

A pending attestation can be immediately re-scanned to refresh the entitlement data and re-evaluate the need for attestation.

A pending attestation can be routed to another user for remediation. Following remediation, the entitlement data is refreshed and re-evaluated to determine the need for attestation.

Select the User Scope Type from the following options: (This field is required.)

According to attribute condition rule — Choose this option to scan users according to a selected User Scope Rule. Identity Manager provides these rules:

All Administrators

All Non-Administrators

Users without a Manager



Note	You can add user scoping rules by using the Identity Manager Integrated Development Environment (IDE). See Identity Manager Deployment Tools for more information.

Assigned to resources — Choose this option to scan all users that have an account on one or more selected resources. When you choose this option, the page displays the User Scope Resources are, which lets you specify resources.

Members of Organizations— Choose this option to scan all members of one or more selected organizations.

Reports to managers — Choose this option to scan all users reporting to selected managers. Manager hierarchy is determined by the Identity Manager attribute of the user’s Lighthouse account.

If the user scope is organization or manager, then the Recursive Scope option is available. This option allows for user selection to occur recursively through the chain of controlled members.

If you choose also to scan audit policies to detect violations during the access review scan, select the audit policies to apply to this scan by moving your selections from Available Audit Policies to the Current Audit Policies list.

Adding audit policies to an access scan results in the same behavior as performing an audit scan over the same set of users. However, in addition, any violations detected by the audit policies are stored in the user entitlement record. This information can make automatic approval or rejection easier, because the rule can use the presence or absence of violations in the user entitlement record as part of its logic.

If you scanned audit policies in the preceding step, you can use the Policy mode option to specify how the access scan determines which audit policies to execute for a given user. A user can have policies assigned both at the user level and/or at the organization level. The default access scan behavior is to apply the policies specified for the access scan only if the user does not already have any assigned policies.

Apply select policies and ignore other assignments

Apply selected policies only if user does not already have assignments

Apply selected policies in addition to user assignments

(Optional) Specify the Review Process Owner. Use this option to specify an owner of the access review task being defined. If a Review Process Owner is specified, then an attestor who encounters a potential conflict in responding to an attestation request can abstain in lieu of approving or rejecting a user entitlement and the attestation request is forwarded to the Review Process Owner. Click the selection (ellipsis) box to search the user accounts and make your selection.

Follow delegation — Select this option to enable delegation for the access scan. The access scan will only honor delegation settings if this option is checked. Follow Delegation is enabled by default.

Restrict target resources — Select this option to restrict scanning to targeted resources.

This setting has a direct bearing on the efficiency of the access scan. If target resources are not restricted, each user entitlement record will include account information for every resource the user is linked to. This means that during the scan every assigned resource is queried for each user. By using this option to specify a subset of the resources, you can greatly reduce the processing time required for Identity Manager to create user entitlement records.

Execute Violation Remediation — Select this option to enable the audit policy’s remediation workflow when a violation is detected.

If this option is selected, then a violation detected for any of the assigned audit policies will result in the respective audit policy’s remediation workflow being executed.

Typically, this option should not be selected except for advanced cases.

Access Approval Workflow — Select the default Standard Attestation workflow or select a customized workflow if available.

This workflow is used to present the user entitlement record for review to the appropriate attestors (as determined by the attestor rule). The default Standard Attestation Workflow creates one work item for each attestor. If the access scan specifies escalation, this workflow is responsible for escalating work items that have been dormant too long. If no workflow is specified, the user attestation will remain in the pending state indefinitely.

Attestor Rule — Select the Default Attestor rule, or select a customized attestor rule if available.

The attestor rule is given the user entitlement record as input, and returns a list of attestor names. If Follow Delegation is selected, the access scan transforms the list of names to the appropriate users following the delegation information configured by each user in the original list of names. If an Identity Manager user’s delegation results in a routing cycle, then the delegation information is discarded, and the work item is delivered to the initial attestor. The Default Attestor rule indicates that the attestor should be the manager (idmManager) of the user that the entitlement record represents, or the Configurator account if that user’s idmManager is null. If attestation needs to involve resource owners as well as managers, you must use a custom rule. For information about customizing rules, see the Identity Manager Deployment Tools guide.

Attestor Escalation Rule — Use this option to specify the Default Escalation Attestor rule, or select a customized rule if available. You can also specify the Escalation Timeout value for the rule. The default escalation timeout value is 0 days.

This rule specifies the escalation chain for a work item that has passed the Escalation Timeout period. The Default Escalation Attestor rule escalates to the assigned attestor’s manager (idmManager), or to Configurator if the attestor’s idmManager value is null.

You can specify the Escalation Timeout value in minutes, hours, or days.

Review Determination Rule — Select one of the following rules to specify how the scan process will determine the disposition of an entitlement record: (This field is required.)

Reject Changed Users — Automatically rejects a user entitlement record if it is different than the last user entitlement from the same access scan definition and the last user entitlement was approved. Otherwise, forces manual attestation and approves all user entitlements that are unchanged from the previously approved user entitlement. By default, only the “accounts” portion of the user view is compared for this rule.

Review Changed Users — Forces manual attestation for any user entitlement record if it is different than the last user entitlement from the same access scan definition and the last user entitlement was approved. Approves all user entitlements that are unchanged from the previously approved user entitlement. By default, only the “accounts” portion of the user view is compared for this rule.

Review Everyone — Forces manual attestation for all user entitlement records.



Note	The Reject Changed Users and Review Changed Users rules compare the user entitlement to the last instance of the same access scan in which the entitlement record was approved. You can change this behavior by copying and modifying the rules to restrict comparison to any selected part of the user view. See Identity Manager Deployment Tools for information about customizing rules.

This rule can return values of:

-1 — no attestation required

0 — automatically rejects the attestation

1 — manual attestation required

2 — automatically approves the attestation

3 — automatically remediates the attestation (auto-remediation)

Remediator Rule — Select the rule to be used to determine who should remediate a specific user’s entitlement in the event of Auto-Remediation. The rule can examine the user’s current user entitlement and violations, and must return a list of users that should remediate. If no rule is specified, then no remediation will take place. A common use for this rule would be if the entitlement has compliance violations.

Remediation User Form Rule — Select a rule to be used to select an appropriate form for attestation remediators when editing users. Remediators can set their own form, which overrides this one. This form rule would be set if the scan collects very specific data that matches a custom form.

Notification Workflow — Select one of the following options to specify the notification behavior for each work item.

None — This is the default selection. This selection results in an attestor getting an email notification for each individual user entitlement that he must attest.

ScanNotification —This selection bundles attestation requests into a single notification. The notification indicates how many attestation requests were assigned to the recipient.

If there is a Review Process Owner specified in the access scan, the ScanNotification Workflow will also send a notification to the review process owner when the scan begins, and when it ends. See Step 9.

The ScanNotification workflow uses the following email templates

Access Scan Begin Notice

Access Scan End Notice

Bulk Attestation Notice

You can customize the ScanNotification Workflow.

Violation limit — Use this option to specify the maximum number of compliance violations that can be emitted by this scan before the scan aborts. The default limit is 1000. An empty value field is equal to no limit.

Although typically during an audit scan or access scan the number of policy violations is small compared to the number of users, setting this value could provide protection from the impact of a defective policy that increases the number of violations significantly. For example, consider the following scenario:

If an access scan involves 50,000 users and generates two to three violations per user, the cost of remediation for each compliance violation can have a detrimental effect on the Identity Manager system.

Organizations — Select the organizations to which this access scan object is available. This is a required field.

Deleting an Access Scan

You can delete one or more access scans. To delete an access scan, from the Compliance tab select Manage Access Scans, select the name of the scan, and then click Delete.

Managing Access Reviews

After defining an access scan, you can use or schedule it as part of an access review. After initiating an access review, several options are available to manage the review process. Read the following sections for more information about:

Launching an Access Review

Scheduling Access Review Tasks

Managing Access Review Progress

Modifying Scan Attributes

Canceling an Access Review

Launching an Access Review

To launch an access review from the Administrator interface, use one of these methods:

Click Launch Review from the Compliance > Access Reviews page.

Select the Access Review task in the Server Tasks > Run Tasks page.

On the displayed Launch Task page, specify a name for the access review. Select the scans from the Available Access Scans list and move them to the Selected list. If you select more than one scan, you can choose one of the following launch options:

immediately — This option starts running the scan immediately upon clicking the Launch button. If you select this option for multiple scans in the launch task, then the scans will run in parallel.

after waiting — This option allows you to specify a period of time to wait before launching the scan, relative to the launch of the access review task.



Note	You can initiate more than one scan during an access review session. However, consider that each scan may involve a large number of users, and therefore the scan process can take many hours to complete. Best practice dictates that you manage your scans accordingly. For example, you might launch one scan to run immediately and schedule other scans at staggered intervals.

When you launch an access review, the workflow process diagram is displayed, showing the steps in the process.

Scheduling Access Review Tasks


Note	The name you assign to an access review is important. Access reviews that run on a periodic basis with the same name can be compared by some reports.

An access review task can be scheduled from the Server Tasks area. For example to set up access reviews on a periodic basis, select Manage Schedule and then define the schedule. You might schedule the task to occur every month or every quarter.

To define the schedule, select the Access Review task on the Schedule Tasks page and then complete the information on the Create task schedule page.

Managing Access Review Progress


Note	Identity Manager keeps the results from access review tasks for one week, by default. If you choose to schedule a review more often than once a week, set the Results Options to delete. If Results Options are not set to delete, the new review will not run because the previous task results still exist.

Use the Access Reviews tab to monitor the progress of an access review. Access this feature through the Compliance tab.

From the Access Reviews tab you can review a summary of all active and previously processed access reviews. The following information is provided for each access review listed:

Status — Current status of the review process: initializing, terminating, terminated, number of scans in progress, number of scans scheduled, awaiting attestations, or completed.

Launch Date — The date (timestamp) the access review task started.

Total Users — Total number of users to be scanned.

Entitlements details — Additional columns in the table provide entitlement totals by status. These include details for pending, approved, rejected, terminated, and remediated entitlements, as well as total entitlements.

To view more detailed information about the review, select it to open a summary report.

Click the Organization or Attestors form tab to view scan information categorized by those objects.

You can also review and download this information in a report by running the Access Review Summary Report.

Modifying Scan Attributes

After setting up an access scan, you can edit the scan to specify new options, such as specifying target resources to scan or specifying audit policies to scan for violations while the access scan is running.

To edit a scan definition, select it from the list of Access Scans, and then modify the attributes on the Edit Access Review Scan page.

Canceling an Access Review


Note	Changing the scope of an access scan might change the information in newly-acquired user entitlement records, as it can affect the Review Determination Rule if that rule compares user entitlements to older user entitlement records.

From the Access Reviews page, click Terminate to stop a selected review in progress. Terminating a review causes these actions to occur:

Any scheduled scans are unscheduled

Any active scans are halted

All pending workflows and work items are deleted

All pending attestations are marked canceled

Any attestations that users completed are left unchanged

Deleting an Access Review

You can delete an access review if the status of the task is terminated or completed. An access review task in progress cannot be deleted unless it is first terminated.

Deleting an access review deletes all user entitlement records that were generated by the review. The delete action is recorded in the audit log.

Managing Attestation Duties

You can manage attestation requests from the Identity Manager Administrator or User interface. This section provides information about responding to attestation requests and the duties involved in attestation.

Access Review Notification

During a scan, Identity Manager sends notification to Attestors when attestation requests require their approval. If attestor responsibilities have been delegated, the requests are sent to the delegate. If multiple attestors are defined, each attestor receives an email notification.


Note	Canceling and deleting an access review may result in updates to a large number of Identity Manager objects and tasks, and can take several minutes to complete. You can check the progress of the operation by viewing the task results in Sever Tasks > All Tasks.

Requests appear as Attestation work items in the Identity Manager interface. Pending attestation work items are displayed when the assigned attestor logs in to Identity Manager.

Viewing Pending Requests

View attestation work items from the Work Items area of the interface. Selecting the Attestation tab in the Work Items area lists all the entitlement records requiring approval. From the Attestations page, you can also list entitlement records for all of your direct reports and for specified users for which you have direct or indirect control.

Acting on Entitlement Records

Attestation work items contain the user entitlement records requiring review. Entitlement records provide information about user access privileges, assigned resources, and policy violations.

Approve — Attests that the entitlement is appropriate as of the date recorded in the entitlement record.

Reject — The entitlement record indicates possible discrepancies that cannot be currently validated or remediated.

Rescan — Requests a rescan to re-evaluate the user entitlement.

Forward — Enables you to specify another recipient for review.

Abstain — Attestation for this record is not appropriate, and a more appropriate attestor is not known. The attestation work item is forwarded to the Review Process Owner. This option is available only if a Review Process Owner has been defined in the Access Review task.

If an attestor does not respond to a request by taking one of these actions before the specified escalation timeout period, notice is sent to the next attestor in the escalation chain. The notification process continues until a response is logged.

Attestation status can be monitored from the Compliance > Access Reviews tab.

Closed-Loop Remediation

Marking an entitlement as needing to be fixed by requesting a fix from another user (Request Remediation). In this case, a new remediation work item is created and assigned to one or more specified remediators.

Requesting a re-evaluation of the entitlement (Rescan). In this case, the user entitlement is rescanned and evaluated again. The original attestation work item is closed. A new attestation work item is created if the entitlement still requires attestation according to the rules defined in the access scan.

Requesting Remediation

If defined by the access scan, you can route a pending attestation to another user for remediation.


Note	The Dynamic Entitlements option on the Create or Edit Access Scan pages enables this feature.

Select one or more entitlements from the list of attestations, and then click Request Remediation.

The Select and Confirm to Request Remediation page appears.

Enter a user name, and then click Add to add the user to the Forward to field. Alternatively, click ... (More) to search for a user. Select the user in the search list, and then click Add to add the user to the Forward to list. Click Dismiss to close the Search area.

Enter comments in the Comments field, and then click Proceed.

Identity Manager returns to the list of attestations.



Note	Details of the remediation request appear in the History area of the individual user entitlement.

Rescanning Attestations

If defined by the access scan, you can rescan and re-evaluate a pending attestation.


Note	The Dynamic Entitlements option on the Create or Edit Access Scan pages enables this feature.

Select one or more entitlements from the list of attestations, and then click Rescan.

The Rescan User Entitlements page appears.

Enter comments about the rescan action in the Comments area, and then click Proceed.

Forwarding Attestation Work Items

You can forward one or more attestation work items to another user. To forward attestations:

Select one or more work items in the attestation list, and then click Forward.

The Select and Confirm Forwarding page appears.

Enter a user name in the Forward to field. Alternatively, click ... (More) to search for a user name.

Enter comments about the forwarding action in the Comments field.

Click Proceed.

Identity Manager returns to the list of attestations.



Note	Details of the forwarding action appear in the History area of the individual user entitlement.

Digitally Signing Access Review Actions

You can set up digital signing to handle access review actions. For information about configuring digital signatures, see Signing Approvals. The topics discussed there explain the server-side and client-side configuration required to add the certificate and CRL to Identity Manager for signed approvals.

Access Review Reports

Identity Manager provides the following reports to enable you to evaluate the results of an access review:

Access Review Coverage Report — This report provides the following information, in table format:

Access Review Detail Report — This report provides the following information, in table format:

Name — Name of user entitlement record

Status — Current status of the review process: initializing, terminating, terminated, number of scans in progress, number of scans scheduled, awaiting attestation, or completed

Attestor — Identity Manager users assigned as the attestor for the record

Scan Date — Timestamp recorded for when the scan occurred

Disposition Date — Date (timestamp) when entitlement record was attested

Organization — Organization of user in the entitlement records

Manager — Manager of a scanned user

Resources — Resources the user has accounts on that were captured in this user entitlement

Violations — Number of violations detected during the review

Click a name in the report to open the user entitlement record. Figure 11-17 shows a sample of the information provided in the user entitlement record view.

Access Review Summary Report — This report, also discussed in Managing Access Review Progress and illustrated in Figure 11-16, shows the following summary information about the access scans you select for the report:

Review Name — Name of the access scan

Status — Timestamp for when the review was launched

User Count — Number of users scanned for the review

Entitlement Count — Number of entitlement records generated

Approved — Number of entitlement records approved

Rejected — Number of entitlement records rejected

Pending — Number of entitlement records still pending

Canceled — Number of entitlement records canceled

These reports are available for download, in Portable Document Format (PDF) or comma-separated value (CSV) format, from the Run Reports page.

Access Review Remediation

Compliance violation remediation and mitigation, and access review remediation, are managed from the Remediations area of the Work Items tab. However, there are differences between the two remediation types. This section describes the unique behavior of access review remediation, and how it differs from the remediation tasks and information described in Compliance Violation Remediation and Mitigation.

About Access Review Remediation

When an attestor requests that a user entitlement be remediated, the Standard Attestation workflow creates a remediation request, which must be addressed by a remediator (a designated user who is allowed to evaluate and respond to remediation requests).

The problem can only be remediated; it cannot be mitigated. Attestation cannot continue until the problem is resolved.

When remediations result from an access review, then the Access Review dashboard tracks all attestors and remediators involved with the review.

Remediator Escalation

Access Review remediation requests are not escalated beyond the initial remediator.

Remediation Workflow Process

The logic of access review remediation is defined in the Standard Attestation workflow.

When an attestor requests remediation of a user entitlement, the Standard Attestation workflow:

Generates a remediation request (of type accessReviewRemediation) that contains information about the user entitlement requiring remediation.

Sends an email to the requested remediator.

The new remediator can then choose to edit the user, either by using Identity Manager or independently, and then mark the work item as remediated when satisfied. At that point, the user entitlement is rescanned and evaluated again.

Remediation Responses

Remediate — A remediator indicates that something has been done to fix the problem.

Forward — A remediator reassigns the responsibility for resolving the remediation request to another individual.

Edit User — A remediator chooses to directly edit the user to remediate the problem.

Working with the Remediations page

The Type column is shown as UE (user entitlement) for all remediation work items that are access review remediation work items.

Unsupported Access Review Remediation Actions

The prioritization and mitigation features are not supported for access review remediations.

Identity Auditing Tasks Reference

Table 11-3 provides a quick reference to commonly performed identity auditing tasks. The table shows the primary Identity Manager interface location where you will go to begin each task, as well as alternate locations or methods (if available) that you can use to perform the task.

Table 11-3 Identity Auditing Task Reference
To Do This:	Go To:
Create, edit, or delete an audit policy	Compliance tab, Manage Policies subtab
Define remediators and assign remediation workflows for an audit policy	Compliance tab, Manage Policies subtab
Perform an audit scan on one or more users or organizations	Accounts tab, select Scan from the User Actions or Organization Actions list
Respond to policy violation remediation requests	Work Items tab, Remediations subtab
Mitigate policy violations	Work Items tab, Remediations subtab
Review remediated policy violations	Work Items tab, Remediations subtab
Generate audit policy reports	Reports tab, Run Report subtab
Disable or enable auditing	Configure tab, Audit subtab
Set up audit events to capture	Configure tab, Audit subtab
Edit administrator audit capabilities	Security tab, Capabilities subtab
Set up email templates for audit notification	Configure tab, Email Templates subtab
Import data files/rules (such as XML-format forms)	Configure tab, Import Exchange File subtab
Define an access review scan	Compliance tab, Manage Scans subtab
Run an access review	Compliance tab, Access Reviews subtab
Terminate an access review	Compliance tab, Access Reviews subtab
Schedule an access review	Server Tasks tab, Manage Schedule subtab
Set up periodic access reviews	Compliance tab, Manage Access Scans subtab
Monitor access review status	Compliance tab, Access Reviews subtab
Configure attestors	Compliance tab, Manage Access Scans subtab
Perform Attestor duties (review and certify user entitlements)	Work Items tab, My Work Items tab, Attestation subtab
Review separation-of-duties report	Reports tab, Run Report subtab

Previous Contents Index Next
Sun Java[TM] System Identity Manager 7.1 Admininstration