Sun Identity Manager Deployment Reference

Review Determination Rule

During an access review, every User view is passed to the Review Determination rule to determine whether the corresponding user entitlement record can be automatically approved or rejected, automatically placed into remediation state, or if the record must be manually attested. A user entitlement is a complete User view (in which some resources might be omitted) and some tracking data.

You can use the Review Determination rule to significantly increase the efficiency of an access review by



<set name='viewCompare'>
<!-- compare the entire view (3rd argument can specify sub-path) -->
   <invoke name='compareUserViews' class='com.sun.idm.auditor.ui.FormUtil'>
      <ref>userView</ref>
      <ref>lastUserView</ref>
      <s>accounts</s>
   </invoke>
</set>

The compareUserViews function compares two User views and lets the caller restrict the comparison to a subpath of the complete User view, given as a GenericObject path expression in the third argument. If you want to compare only particular account data, the subpath can select that data. Comparing only the accounts subpath of the User view makes you less likely to encounter differences that are not reflected on a real resource.

Differences found in the User view comparison are returned in the reason element of the output map. The audit log captures this difference data if the rule returns 0 (reject attestation) or 2 (approve attestation), just as the predefined Reject Changed Users rule does.

You can use the Reject Changed Users rule to verify exactly what Identity Manager thinks is different and you can look at the auditable attributes in the resulting audit log records.

Inputs:

Accepts the following arguments:

You must specify the following for a custom Review Determination rule:

AuthType: AccessScanRule

SubType: REVIEW_REQUIRED_RULE

Called: During access scan, after evaluating all audit policies and before dispatching the user entitlement

Returns: An integer or a map

  • If the rule returns an integer, its value is interpreted as follows:

    • -1: No attestation required

    • 0: Automatically reject attestation

    • 1: Manual attestation

    • 2: Automatically approve attestation

    • 3: Automatically remediate attestation

      When the attestation is set to auto-remediating mode, Identity Manager creates an AccessReviewRemediation work item and routes the work item through the Remediator rule associated with the access scan.

  • If the rule returns a map, the output must be similar to one of the following examples:

    Example 1: Manually attests the user entitlement, and the rule provides a hint to the manual attestor.


    <map>
       <s>result</s>
       <i>1</i>
       <s>reason</s>
       <s><reason that the attestation was auto-approved/rejected></s>
       <s>attestorHint</s>
       <s><hint to attestor></s>
    </map>

    Note –

    The attestorHint value in the output map must be a string or a list of strings.


    Example 2: Automatically rejects the user entitlement. The rejection comment indicates that group membership is disallowed.


    <map>
      <s>result</s>
      <i>0</i>
      <s>reason</s>
      <s>User belongs to group Domain Administrators</s>
    </map>

    Note –

    The value of attestorHint is shown to the attestor through the user interface. The value of reason is recorded in the attestation history.


Predefined Rules 

  • Reject Changed Users: Automatically rejects user entitlements that have changed since the last approval state, and automatically approves user entitlements that are unchanged. The rule only compares the accounts section of the User view.

    Each unknown User view is forwarded for manual attestation.

  • Review Changed Users: Automatically approves any users whose account data has not changed since their last approved entitlement. The rule only compares the accounts section of the User view.

    Users with changed account data or no approved data must be manually attested.

  • Review Everyone: Forwards all user entitlement records for manual attestation.
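A complete custom rule that ties the compareUserViews call shown earlier to the return values documented above, reproducing the behaviour described for Reject Changed Users (unknown users go to manual attestation). This is an added example, not the product's own Reject Changed Users rule; the Rule and RuleArgument skeleton, the rule name, and the assumption that compareUserViews returns null when the two views match are not taken from this page and should be checked against your deployment.

```xml
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC 'waveset.dtd' 'waveset.dtd'>
<!-- Example custom Review Determination rule (not a product-supplied rule).
     authType and subtype are the values this reference requires so that an
     access scan can select the rule. -->
<Rule name='Example Reject Changed Accounts'
      authType='AccessScanRule'
      subtype='REVIEW_REQUIRED_RULE'>
  <!-- Current User view and the view from the last approved entitlement -->
  <RuleArgument name='userView'/>
  <RuleArgument name='lastUserView'/>

  <block>
    <cond>
      <!-- Unknown user: no approved entitlement exists to compare against,
           so route the record to a human attestor (1) instead of guessing. -->
      <isnull><ref>lastUserView</ref></isnull>
      <map>
        <s>result</s>
        <i>1</i>
        <s>attestorHint</s>
        <s>No previously approved entitlement on record; review manually.</s>
      </map>

      <block>
        <!-- Compare only the accounts subpath, as the predefined rule does,
             so differences are limited to data that lives on a real resource. -->
        <set name='viewCompare'>
          <invoke name='compareUserViews' class='com.sun.idm.auditor.ui.FormUtil'>
            <ref>userView</ref>
            <ref>lastUserView</ref>
            <s>accounts</s>
          </invoke>
        </set>

        <cond>
          <!-- Assumption: compareUserViews returns null when nothing differs -->
          <isnull><ref>viewCompare</ref></isnull>
          <!-- Unchanged since last approval: auto-approve (2) -->
          <i>2</i>
          <!-- Changed: auto-reject (0) and record the differences as the
               reason, which lands in the attestation history and audit log -->
          <map>
            <s>result</s>
            <i>0</i>
            <s>reason</s>
            <ref>viewCompare</ref>
          </map>
        </cond>
      </block>
    </cond>
  </block>
</Rule>
```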

Location 

Compliance > Manage Access Scans > Access Scan > Review Determination Rule