Sun Identity Manager 8.1 Business Administrator's Guide

Chapter 13 Identity Auditing: Basic Concepts

This chapter introduces you to the concepts behind identity auditing and audit controls. Audit controls can be used to monitor and manage auditing and compliance across enterprise information systems and applications.

In this chapter, you will learn about the following concepts and tasks:

About Identity Auditing

Identity Manager defines auditing as the systematic capture, analysis, and response to identity data across an enterprise to ensure compliance with internal and external policies and regulations.

Compliance with accounting and data privacy legislation is not a simple task. Identity Manager’s auditing features offer a flexible approach, allowing you to implement a compliance solution that works for your enterprise.

In most environments, different groups are involved with compliance: internal and external auditing teams (for whom auditing is the primary focus); and non-auditing staff (who may see auditing as a distraction). IT often is involved with compliance as well, helping transition internal auditing team requirements to a chosen solution’s implementation. The key to successfully implementing an auditing solution is in accurately capturing the knowledge, controls, and processes of non-auditing staff, and then automating the application of that information.

Goals of Identity Auditing

Identity auditing improves audit performance as follows:

Understanding Identity Auditing

Identity Manager provides a feature for auditing user account privileges and access rights, and a separate feature for maintaining and certifying compliance. These features are policy-based compliance and periodic access reviews.

Policy-Based Compliance

Identity Manager employs an audit policy system that allows administrators to maintain compliance of company-established requirements for all user accounts.

You can use audit policies to ensure compliance in two different and complementary ways: continuous compliance and periodic compliance.

These two techniques are particularly complementary in an environment in which provisioning operations may be performed outside of Identity Manager. When an account can be changed by a process that does not execute or honor existing audit policies, periodic compliance is necessary.

Continuous Compliance

Continuous compliance means that an audit policy is applied to all provisioning operations, such that an account cannot be modified in a way that does not comply with current policy.

You enable continuous compliance by assigning an audit policy to an organization, a user, or both. Any provisioning operations performed on a user will cause the user-assigned policies to be evaluated. Any resulting policy failure will interrupt the provisioning operation.

An organization-based policy set is defined hierarchically. There is only one organization policy set in effect for any user. The applied policy set is the one assigned to the lowest-level organization. For example:


Directly Assigned Policy Set 

Effective Policy  


Policies A1, A2 

Policies A1, A2 



Policies A1, A2 


Policies B, C2 

Policies B, C2 



Policies B, C2 


Policies D, E5 

Policies D, E5 



Policies A1, A2 




Periodic Compliance

Periodic compliance means that Identity Manager evaluates policy on-demand. Any noncompliant conditions are captured as compliance violations.

When executing periodic compliance scans, you can select which policies to use in the scan. The scan process blends directly-assigned policies (user-assigned and organization-assigned policies) and an arbitrary set of selected policies.

Identity Manager users with Auditor Administrator capabilities can create audit policies and monitor compliance with those policies through periodic execution of policy scans and reviews of policy violations. Violations can be managed through remediation and mitigation procedures.

For more information about the Auditor Administrator capabilities, see Understanding and Managing Capabilities in Chapter 6, Administration.

Identity Manager auditing allows for regular scans of users. These scans execute audit policies to detect deviations from established account limits. When a violation is detected, remediation activities are initiated. The rules may be standard audit policy rules provided by Identity Manager, or customized, user-defined rules.

Logical Task Flow for Policy-Based Compliance

Figure 13–1 shows a logical task flow for establishing policy-based audit controls.

Periodic Access Reviews

Identity Manager provides for periodic access reviews that enable managers and other responsible parties to review and verify user access privileges on an ad-hoc or periodic basis. For more information about this feature, see Periodic Access Reviews and Attestation.

Figure 13–1 A Logical Task Flow for Establishing Policy-based Compliance

Figure illustrating a logical task flow for establishing
policy-based compliance

Working with Identity Auditing in the Administrator Interface

This section describes how to access Identity Auditing features in the Administrator Interface. Email notification templates used in identity auditing are also discussed.

Using the Compliance Section of the Interface

To create and manage audit policies, use the Compliance section of the Identity Manager Administrator interface.

ProcedureTo Use the Compliance section to Create and Manage Audit Policies

  1. Log in to the Administrator interface (Logging in to the Identity Manager End-User Interface).

  2. Click Compliance in the menu bar.

    The following subtabs (or menu items) are available in the Compliance section:

    • Manage Policies

    • Manage Access Scans

    • Access Reviews

Manage Policies

The Manage Policies page lists the policies that you have permission to view and edit. You can also manage access scans from this area.

From the Manage Policies page, you can work with audit policies to accomplish these tasks:

Detailed information about these tasks follows in the section A Sample Audit Policy Scenario.

Manage Access Scans

Use the Manage Access Scans tab to create, modify, and delete access scans. Here you can define scans that you want to run or schedule for periodic access reviews. For more information about this feature, see Periodic Access Reviews and Attestation.

Access Reviews

The Access Reviews tab enables you to launch, terminate, delete, and monitor the progress of your access reviews. It displays a summary report of the scan results with information links that enable you to access more detailed information about the review status and pending activities.

For more information about this feature, see Managing Access Reviews.

Identity Auditing Tasks Interface Reference

To look up how to perform other identity auditing tasks in the Administrator interface, see Table B–8. This quick reference tells you where to go to start a variety of auditing tasks.

Email Templates

Identity Auditing uses email-based notification for a number of operations. For each of these notifications, an email template object is used. The email template allows the headers and body of email messages to be customized.

Table 13–1 Identity Auditing Email Templates

Template Name  


Access Review Remediation Notice 

Sent to remediators by an access review when user entitlements are initially created in a remediating state. 

Bulk Attestation Notice 

Sent to attestors by an access review when they have pending attestations. 

Policy Violation Notice 

Sent to remediators by an audit policy scan when violations occur. 

Access Scan Begin Notice 

Sent to an access scan owner when an access review starts a scan. 

Access Scan End Notice 

Sent to an access scan owner when an access scan completes. 

Enabling Audit Logging

Before you can begin managing compliance and access reviews, the Identity Manager audit logging system must be enabled and configured to collect audit events. By default, the auditing system is enabled. An Identity Manager administrator with the Configure Audit capability can configure auditing.

Identity Manager provides the Compliance Management audit configuration group.

Use the following steps to view or modify events stored by the Compliance Management group:

  1. Log in to the Administrator interface (Logging in to the Identity Manager End-User Interface).

  2. Select Configure from the menu bar, and then click Audit.

  3. On the Audit Configuration page, select the Compliance Management audit group name.

Note –

About Audit Policies

An audit policy defines account limits for a set of users of one or more resources. It comprises rules that define the limits of a policy and workflows to process violations after they occur. Audit scans use the criteria defined in an audit policy to evaluate whether violations have occurred in your organization.

The following components comprise an audit policy:

Creating a Policy with Audit Policy Rules

Rules define potential conflicts on an attribute basis within an audit policy. An audit policy can contain hundreds of rules that reference a wide range of resources. During rule evaluation, the rule has access to user account data from one or more resources. The audit policy may restrict which resources are available to the rule.

It is possible to have a rule that checks only a single attribute on a single resource, or a rule that checks multiple attributes on multiple resources.

Addressing Policy Violations with Remediation Workflows

After you create rules to define policy violations, you select the workflow that will be launched whenever a violation is detected during an audit scan. Identity Manager provides the default Standard Remediation workflow, which provides default remediation processing for audit policy scans. Among other actions, this default remediation workflow generates notification email to each designated Level 1 remediator (and subsequent levels of remediators, if necessary).

Note –

Unlike Identity Manager workflow processes, remediation workflows must be assigned the AuthType=AuditorAdminTask and the SUBTYPE_REMEDIATION_WORKFLOW subtype. If you are importing a workflow for use in audit scans, you must manually add this attribute. See (Optional) Import Separation of Duty Rules into Identity Manager for more information.

Designating Remediators

If you assign a remediation workflow, you must designate at least one remediator. You can designate up to three levels of remediators for an audit policy. For more information about remediation, see Compliance Violation Remediation and Mitigation.

You must assign a remediation workflow before you can assign remediators.

A Sample Audit Policy Scenario

Suppose you are responsible for accounts payable and receivable and must implement procedures to prevent a potentially risky aggregation of responsibilities in employees working in the accounting department. This policy must ensure that personnel with responsibility for accounts payable do not also have responsibility for accounts receivable.

The audit policy will contain:

After the rules identify policy violations (in this scenario, users with too much authority), the associated workflow can launch specific remediation-related tasks, including automatically notifying select remediators.

Level 1 remediators are the first remediators contacted when an audit scan identifies a policy violation. When the escalation period identified in this area is exceeded, Identity Manager notifies the remediators at the next level (if more than one level is specified for the audit policy).

The next section, “Working with Audit Policies,” describes how to use the Audit Policy Wizard to create an audit policy.