Sun Identity Manager 8.1 Business Administrator's Guide

Creating an Audit Policy

To create an Audit Policy, use the Audit Policy Wizard.

Procedure: To Open the Audit Policy Wizard

The Audit Policy Wizard guides you through the process of creating an audit policy. Use the following steps to access the wizard:

  1. Log in to the Administrator interface (Logging in to the Identity Manager End-User Interface).

  2. Click the Compliance tab.

    The Manage Policies subtab or menu opens.

  3. To create a new audit policy, click New.

Creating an Audit Policy: Overview

Using the wizard, you will perform the following tasks to create an audit policy:

After completing the task presented in each wizard screen, click Next to move to the next step.

Before You Begin

Plan carefully before creating an audit policy! Before you begin, verify that you have completed these tasks:

Procedure: To Identify the Rules You Need

The constraints you specify in the policy are implemented in a set of rules that you create or import. When using the Audit Policy Wizard to create a rule, perform the following steps:

  1. Identify the specific resource you are working with.

  2. Select an account attribute from the list of attributes that are valid for the resource.

  3. Select a condition to impose on the attribute.

  4. Enter a value for comparison.

    For information on creating audit policy rules outside of the Audit Policy Wizard, see Chapter 5, Working with Rules, in Sun Identity Manager Deployment Reference.

(Optional) Import Separation of Duty Rules into Identity Manager

The Audit Policy Wizard cannot create Separation of Duty rules. You must construct these rules outside of Identity Manager and import the rules by using the Import Exchange File option on the Configure tab.

(Optional) Import a Workflow into Identity Manager

Procedure: To Import an External Workflow

To use a remediation workflow that is not currently available from Identity Manager, import the external workflow. You can create custom workflows using an XML editor or the Identity Manager IDE.

  1. Set authType='AuditorAdminTask' and add subtype='SUBTYPE_REMEDIATION_WORKFLOW' on the workflow object. You can use the Identity Manager IDE or your XML editor of choice to set these attributes.

  2. Import the workflow by using the Import Exchange File option.

    1. Log in to the Administrator interface (Logging in to the Identity Manager End-User Interface).

    2. Click the Configure tab, then click the Import Exchange File subtab or menu.

      The Import Exchange File page opens.

    3. Browse to the workflow file to upload, then click Import.

      After you have successfully imported the workflow, it appears in the Audit Policy Wizard (Creating an Audit Policy) Remediation Workflow list of options.

Name and Describe the Audit Policy

Enter the name of the new policy and a brief description in the Audit Policy Wizard (shown in Figure 14–1).

Figure 14–1 Audit Policy Wizard: Enter Name and Description Screen

Figure showing the Audit Policy Wizard screen


Note –

Audit policy names cannot contain these characters: ' (apostrophe), . (period), | (pipe), [ (left bracket), ] (right bracket), , (comma), : (colon), $ (dollar sign), " (double quote), \ (backslash), or = (equals sign).

You should also avoid using the following characters: _ (underscore), % (percent-sign), ^ (caret), and * (asterisk).


If you want only selected resources to be accessed when executing the scan, select the Restrict target resources option.

If you want a remediation of a violation to result in an immediate rescan of the user, then select the Allow violation re-scans option.


Note –

If the audit policy does not restrict resources, then all resources for which a user has accounts will be accessed during the scan. If the rules only use a few resources, then it is more efficient to restrict the policy to those resources.


Click Next to proceed to the next page.

Procedure: To Select a Rule Type

Use this page to start the process of defining or including rules in your policy. (The bulk of your work while creating a policy is defining and creating rules.)

As shown in the following figure, you can choose to create your own rule by using the Identity Manager Rule Wizard, or you can incorporate an existing rule. The Rule Wizard allows only one resource to be used in a rule; imported rules can reference as many resources as needed.

Figure showing the Audit Policy Rule wizard

  1. Decide whether you want to create a new rule or use an existing rule.

    Choose one of the following options:

    • To create a new rule, choose the Rule Wizard option (default setting).

    • To incorporate an existing rule you created using the Identity Manager IDE, choose the Existing Rule option.

  2. Click Next.

  3. Based on your selection in step 1, continue to one of the following sections:

To Select an Existing Rule

To include an existing rule in the new policy, select Existing Rule on the Select Rule Type Screen and click Next. Then, select an existing audit policy rule from the Select Existing Rule drop-down menu.


Note –

If you cannot see the name of a rule that you have previously imported into Identity Manager, confirm that you have added to the rule the additional attributes that are described in Creating a Policy with Audit Policy Rules.

Click Next.

Skip to the section Adding Rules.


To Use the Rule Wizard to Create a New Rule

If you choose to create a rule by using the Rule Wizard selection in the Audit Policy Wizard, proceed by entering information on the pages discussed in the following sections.

To Name and Describe the New Rule

Optionally name and describe the new rule. Use this page to enter descriptive text that appears next to the rule name whenever Identity Manager displays the rule. Enter a concise and clear description that is meaningful in describing the rule. This description is displayed within Identity Manager in the Review Policy Violations page.

Figure 14–2 Audit Policy Wizard: Enter the Rule Description Screen

Figure illustrating how to name and describe a new rule

For example, if you are creating a rule that identifies users whose Oracle ERP responsibilityKeys attribute contains both the Payable User and the Receivable User values, you could enter the following text in the Description field: Identifies users with both Payable User and Receivable User responsibilities.

Use the Comments field to provide any additional information about the rule.

Select the Resource Referenced by the Rule

Use this page to select the resource that the rule will reference. Each rule variable must correspond to an attribute on this resource. All resources that you have view access to will appear in this options list. In this example, Oracle ERP is selected.

Figure 14–3 Audit Policy Wizard: Select Resource Screen

Figure illustrating how to select a resource for a rule to reference


Note –

Most, but not all, attributes of each available resource adapter are supported. For information on the specific attributes that are available, see Sun Identity Manager 8.1 Resources Reference.


Click Next to move to the next page.

Create the Rule Expression

Use this screen to enter the rule expression for your new rule. This example creates a rule stating that a user whose Oracle ERP responsibilityKeys attribute contains the value Payable User cannot also have the value Receivable User.

Procedure: To Create a Rule Expression

  1. Select a user attribute from the list of available attributes. This attribute will directly correspond to a rule variable.

  2. Select a logical condition from the list. Valid conditions include = (equal to), != (not equal to), < (less than), <= (less than or equal to), > (greater than), >= (greater than or equal to), is true, is null, is not null, is empty, and contains. For the purpose of this example, you could select contains from the list of possible attribute conditions.

  3. Enter a value for the expression. For example, if you enter Payable user, you are specifying an Oracle ERP user with the value of Payable user in the responsibilityKeys attribute.

  4. (Optional) Click the AND or OR operators to add another line and create another expression.

    Figure 14–4 Audit Policy Wizard: Select Rule Expression Screen

    Figure showing the Select Rule Expression screen in the Audit Policy wizard

    This rule returns a Boolean value. If both statements are true, then the policy rule returns a value of TRUE, which causes a policy violation.


    Note –

    Identity Manager does not support the control of rule nesting. In addition, using the Audit Policy Wizard to create policies with different Boolean operators between the rules can produce unpredictable results because the order of evaluation is unspecified.

    For complex Rule expressions, create the rules using an XML editor instead of using the Audit Policy Wizard. Using an XML editor allows you to negate where necessary to only use a single Boolean operator between rules.


    The following code example shows the XML for the rule you have created in this screen:


    <!-- The opening Rule tag is missing from the original listing; RULE_NAME is a placeholder for the rule name you entered. -->
    <Rule name='RULE_NAME'>
      <Description>Payable User/Receivable User</Description>
      <!-- Resource chosen on the Select Resource screen, stored as a rule argument. -->
      <RuleArgument name='resource' value='Oracle ERP'>
        <Comments>Resource specified when audit policy was created.</Comments>
        <String>Oracle ERP</String>
      </RuleArgument>
      <!-- Both contains tests must hold for the rule to return TRUE (a violation). -->
      <and>
        <contains>
          <ref>accounts[Oracle ERP].responsibilityKeys</ref>
          <s>Receivable User</s>
        </contains>
        <contains>
          <ref>accounts[Oracle ERP].responsibilityKeys</ref>
          <s>Payables User</s>
        </contains>
      </and>
      <MemberObjectGroups>
        <ObjectRef type='ObjectGroup' id='#ID#Top' name='Top'/>
      </MemberObjectGroups>
    </Rule>

    To remove an expression from the rule, select the attribute condition and then click Remove.

    Click Next to continue in the Audit Policy Wizard. You will have the opportunity to add more rules, either by adding existing rules, or by again using the wizard.

Adding Rules

You can create additional rules by importing existing rules or by using the wizard. (See To Select a Rule Type for more information.)

Click the AND or OR operators to continue adding rules as necessary. To remove a rule, select it and then click Remove.

Policy violations occur only if the Boolean expression that combines all of the rules evaluates to true. Because rules are grouped with AND/OR operators, the policy expression can evaluate to true even though some individual rules do not. Identity Manager creates violations only for the rules that evaluate to true, and only when the overall policy expression also evaluates to true.
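The following Python evaluator is an added example, not Identity Manager code. It evaluates the contains/and expression from the rule XML shown earlier (plus or and not, which the note recommends for single-operator policies) against a constructed user record, and then applies the policy-level combination described in this section. The user dictionary shape and the RULE_NAME-free fragment are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed input: the <and> expression of the rule shown on this page (wrapper
# <Rule> element, name and MemberObjectGroups omitted; they do not affect evaluation).
RULE_XML = """
<and>
  <contains><ref>accounts[Oracle ERP].responsibilityKeys</ref><s>Receivable User</s></contains>
  <contains><ref>accounts[Oracle ERP].responsibilityKeys</ref><s>Payables User</s></contains>
</and>
"""

def resolve_ref(path, user):
    # Resolve accounts[<resource>].<attribute> against a user dict such as
    # {"accounts": {"Oracle ERP": {"responsibilityKeys": [...]}}} (constructed shape).
    if path.startswith("accounts[") and "]." in path:
        resource, attr = path[len("accounts["):].split("].", 1)
        return user.get("accounts", {}).get(resource, {}).get(attr)
    return user.get(path)

def evaluate(node, user):
    # Supported subset of the rule language: and, or, not, contains, ref, s.
    tag = node.tag
    if tag == "and":
        return all(evaluate(child, user) for child in node)
    if tag == "or":
        return any(evaluate(child, user) for child in node)
    if tag == "not":
        return not evaluate(node[0], user)
    if tag == "contains":
        value, needle = evaluate(node[0], user), evaluate(node[1], user)
        return value is not None and needle in value  # list membership or substring
    if tag == "ref":
        return resolve_ref(node.text.strip(), user)
    if tag == "s":
        return node.text or ""
    raise ValueError(f"unsupported element <{tag}>")

def rule_violated(rule_xml, user):
    # TRUE from the rule expression is what the wizard reports as a violation.
    return bool(evaluate(ET.fromstring(rule_xml.strip()), user))

def policy_violations(rules, user, combine=all):
    # Policy-level check from "Adding Rules": rules joined by one operator (all = AND,
    # any = OR); violations only for rules that are true, and only if the policy is true.
    results = {name: rule_violated(xml, user) for name, xml in rules.items()}
    return sorted(n for n, hit in results.items() if hit) if combine(results.values()) else []

# Constructed users: the first holds both responsibilities (the separation-of-duties conflict).
CONFLICT_USER = {"accounts": {"Oracle ERP": {"responsibilityKeys": ["Payables User", "Receivable User"]}}}
CLEAN_USER = {"accounts": {"Oracle ERP": {"responsibilityKeys": ["Payables User"]}}}
```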


Note –

Identity Manager does not support the control of rule nesting. In addition, using the Audit Policy Wizard to create policies with different Boolean operators between the rules can produce unpredictable results because the order of evaluation is unspecified.

For complex Rule expressions, create the rules using an XML editor instead of using the Audit Policy Wizard. Using an XML editor allows you to negate where necessary to only use a single Boolean operator between rules.


Select a Remediation Workflow

Use this screen to select a Remediation workflow to associate with this policy. The workflow assigned here determines the actions taken within Identity Manager when an audit policy violation is detected.


Note –

One workflow is started for each failed audit policy. Each workflow will contain one or more work items for each compliance violation created by the policy scan for the specific policy.


Figure 14–5 Audit Policy Wizard: Select Remediation Workflow Screen

Figure showing the Select Remediation Workflow screen in the Audit Policy wizard


Note –

For information about importing a workflow that you have created by using an XML editor or the Identity Manager IDE, see (Optional) Import a Workflow into Identity Manager.


Use the Remediation User Form Rule drop-down menu to select a rule that will calculate the user form that should be applied when editing a user through a remediation. By default, a remediator that edits a user in response to a remediation work item will use the user form assigned to the remediator. If an audit policy specifies a remediation user form, then this form is used instead. This allows a very specific form to be used when an audit policy indicates a corresponding, specific problem.

To specify remediators to be associated with this remediation workflow, select the Specify Remediators? check box. If you select this option, then clicking Next will display the “Assign Remediators” page. If you do not select this option, then the wizard will next display the “Audit Policy Wizard Assign Organizations” screen.

Select Remediators and Timeouts for Remediations

If you specify remediators, the remediators assigned to this audit policy will be notified when a violation of this policy is detected. Also, the default workflow assigns a remediation work item to them. Any Identity Manager user can be a remediator.

Consider assigning at least one Level 1 remediator (a designated user). Level 1 remediators are contacted first, through email sent by the remediation workflow when a policy violation is detected. If the designated escalation timeout period is reached before a Level 1 remediator responds, Identity Manager next contacts the Level 2 remediators that you specify here. Identity Manager contacts Level 3 remediators only if neither Level 1 nor Level 2 remediators respond before the escalation time period lapses.


Note –

If you specify an escalation timeout value for the highest-level remediator selected, then the work item is removed from the list when the escalation times out. By default, an escalation timeout is set to a value of 0. In this case, the work item does not expire and remains in the remediator’s list.


Assigning Remediators is optional. If you select this option, then click Next to proceed to the next screen after specifying the settings.

To add users to the available list of remediators, enter a user ID and then click Add. Alternatively, click ... (More) to search for a user ID. Enter one or more characters in the Starts With field, and then click Find. After selecting a user from the search list, click Add to add it to the list of remediators. Click Dismiss to close the search area.

To remove a user ID from the list of remediators, select it in the list, and then click Remove.

Figure 14–6 Audit Policy Wizard: Select Level 1 Remediator Area

Figure showing the Select Level 1 Remediator screen in the Audit Policy wizard

Select Organizations that Can Access this Policy

Use this screen, illustrated in Figure 14–7, to select the organizations that can view and edit this policy.

Figure 14–7 Audit Policy Wizard: Assign Organizations Visibility Screen

Figure showing the Assign Organizations Visibility screen in the Audit Policy wizard

After making organization selections, click Finish to create the audit policy and return to the Manage Policies page. The newly created policy is now visible in this list.