An audit policy defines account limits for a set of users of one or more resources. It comprises rules that define the limits of a policy and workflows to process violations after they occur. Audit scans use the criteria defined in an audit policy to evaluate whether violations have occurred in your organization.
The following components comprise an audit policy:
Policy rules define specific violations. Policy rules can contain functions written in the XPRESS, XML Object, or JavaScript languages.
Remediation workflow (optionally) is launched when an audit scan identifies a violation of the policy rules.
Remediators are designated users who are authorized to respond to the policy violation. Remediators can be individual users or groups of users.
Rules define potential conflicts on an attribute basis within an audit policy. An audit policy can contain hundreds of rules that reference a wide range of resources. During rule evaluation, the rule has access to user account data from one or more resources. The audit policy may restrict which resources are available to the rule.
It is possible to have a rule that checks only a single attribute on a single resource, or a rule that checks multiple attributes on multiple resources.
After you create rules to define policy violations, you select the workflow that will be launched whenever a violation is detected during an audit scan. Identity Manager provides the default Standard Remediation workflow, which provides default remediation processing for audit policy scans. Among other actions, this default remediation workflow generates notification email to each designated Level 1 remediator (and subsequent levels of remediators, if necessary).
Unlike other Identity Manager workflow processes, remediation workflows must be assigned AuthType=AuditorAdminTask and the SUBTYPE_REMEDIATION_WORKFLOW subtype. If you are importing a workflow for use in audit scans, you must add these manually. See (Optional) Import Separation of Duty Rules into Identity Manager for more information.
If you assign a remediation workflow, you must designate at least one remediator. You can designate up to three levels of remediators for an audit policy. For more information about remediation, see Compliance Violation Remediation and Mitigation.
You must assign a remediation workflow before you can assign remediators.
Suppose you are responsible for accounts payable and receivable and must implement procedures to prevent a potentially risky aggregation of responsibilities in employees working in the accounting department. This policy must ensure that personnel with responsibility for accounts payable do not also have responsibility for accounts receivable.
The audit policy will contain:
A set of rules. Each specifies a condition that constitutes a policy violation.
A workflow that launches remediation tasks.
A group of designated administrators, or remediators, with permission to view and respond to policy violations created by the preceding rules.
After the rules identify policy violations (in this scenario, users with too much authority), the associated workflow can launch specific remediation-related tasks, including automatically notifying select remediators.
Level 1 remediators are the first remediators contacted when an audit scan identifies a policy violation. When the escalation period specified for this level is exceeded, Identity Manager notifies the remediators at the next level (if more than one level is specified for the audit policy).
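To make the rule and escalation concepts above concrete (rules evaluating attributes across resources, the accounts payable/receivable scenario, and levelled remediators), here is an added illustration in plain JavaScript. It is not Identity Manager's rule API or the Standard Remediation workflow; the resource names, attribute names, group names and the cumulative escalation arithmetic are assumptions constructed for this example.

```javascript
// Illustrative audit-policy evaluation (added example, not Identity Manager code).
// A rule receives the user's account data keyed by resource name and returns
// true when the policy is violated. Resource/attribute names are assumptions.
const rules = [
  {
    name: "AP-AR-conflict",
    description: "User holds both accounts payable and accounts receivable roles",
    // A rule that checks a single attribute on a single resource.
    violates: (accounts) => {
      const groups = (accounts["Finance LDAP"] || {}).memberOf || [];
      return groups.includes("AP_Approvers") && groups.includes("AR_Clerks");
    },
  },
  {
    name: "GL-post-and-reconcile",
    description: "User can post to the ledger on one resource and reconcile it on another",
    // A rule that checks attributes on two different resources.
    violates: (accounts) => {
      const erp = accounts["ERP"] || {};
      const bank = accounts["Bank Portal"] || {};
      return erp.role === "GL_Poster" && bank.role === "Reconciler";
    },
  },
];

// Evaluate every rule for one user; each rule that fires is one violation.
function scanUser(userId, accounts, ruleSet = rules) {
  return ruleSet
    .filter((rule) => rule.violates(accounts))
    .map((rule) => ({ userId, rule: rule.name }));
}

// Up to three remediator levels. Assumption: each level's escalation period
// runs after the previous one, so level N owns the violation until the sum of
// the escalation periods for levels 1..N has elapsed; the last level never escalates.
function currentRemediatorLevel(levels, hoursOpen) {
  let remaining = hoursOpen;
  for (let i = 0; i < levels.length - 1; i++) {
    if (remaining < levels[i].escalationHours) return i;
    remaining -= levels[i].escalationHours;
  }
  return levels.length - 1;
}

// Constructed sample user: member of both the AP and AR groups on the finance directory.
const sampleAccounts = {
  "Finance LDAP": { memberOf: ["AP_Approvers", "AR_Clerks", "Staff"] },
  "ERP": { role: "GL_Poster" },
  "Bank Portal": { role: "Viewer" },
};
```

Running `scanUser("jdoe", sampleAccounts)` reports only the AP-AR-conflict rule for this sample, since the second rule needs the Reconciler role on the bank portal as well.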
The next section, “Working with Audit Policies,” describes how to use the Audit Policy Wizard to create an audit policy.