Sun Identity Manager 8.1 Business Administrator's Guide

Compliance Violation Remediation and Mitigation

This section describes how to use Identity Manager Remediation to protect your critical assets.

The following topics discuss elements of the Identity Manager Remediation process:

About Remediation

When Identity Manager detects an unresolved (not mitigated) audit policy compliance violation, it creates a remediation request, which must be addressed by a remediator. A remediator is a designated user who is allowed to evaluate and respond to audit policy violations.

Remediator Escalation

Identity Manager allows you to define three levels of remediator escalation. Remediation requests are initially sent to Level 1 remediators. If a Level 1 remediator does not act on a remediation request before the timeout period expires, Identity Manager escalates the violation to the Level 2 remediators and begins a new timeout period. If a Level 2 remediator does not respond before that timeout period expires, the request is escalated once again, to the Level 3 remediators. There is no escalation beyond Level 3.

To perform remediation, you must designate at least one remediator for your enterprise. Specifying more than one remediator for each level is optional, but recommended. Multiple remediators help ensure workflow is not delayed or halted.

Remediation Security Access

These authorization options are for work items of authType RemediationWorkItem.

By default, the behavior for authorization checks is one of the following:

The second and third checks are independently configurable by modifying these options:

These options can be added or modified in the following:

UserForm: Remediation List

Remediation Workflow Process

Identity Manager provides the Standard Remediation Workflow, which performs remediation processing for Audit Policy scans.

The Standard Remediation Workflow generates a remediation request (a review-type work item) containing information about the compliance violation and sends an email notification to each Level 1 remediator named in the audit policy. When a remediator mitigates the violation, the workflow changes the state of, and assigns an expiration to, the existing compliance violation object.

A compliance violation is uniquely identified by the combination of the user, policy name, and rule name. When an audit policy evaluates to true, a new compliance violation is created for each user/policy/rule combination for which no violation already exists. If a violation does exist for the combination and is in a mitigated state, the workflow process takes no action. If the existing violation is not mitigated, its recurrent count is incremented.
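To make the violation-identity rule above and the remediator escalation rule from Remediator Escalation concrete, here is an added Python model of both. It is not Identity Manager code and does not use its object model or workflow language; the names Violation, RemediationStore, escalation_level and run_example are invented for this page, and the scenario data (the Accounts Payable / Accounts Receivable rule from the Remediation Example) is constructed. One assumption is labelled in the code: a dated exemption stops counting as mitigated once its expiration date has passed, which the page implies only by stating that an exemption without a date is valid indefinitely.

```python
"""Model of compliance-violation bookkeeping and remediator escalation.
Added illustration for this page; not Identity Manager code. All names here
are invented and the scenario data is constructed."""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str, str]  # (user, policy name, rule name) identifies a violation


@dataclass
class Violation:
    user: str
    policy: str
    rule: str
    recurrent_count: int = 1
    mitigated: bool = False
    exemption_expires: Optional[date] = None  # None means "valid indefinitely"

    def is_mitigated(self, today: date) -> bool:
        # Assumption for this example: a dated exemption stops shielding the
        # violation once the date has passed. The page only states that an
        # exemption with no date is valid indefinitely.
        if not self.mitigated:
            return False
        return self.exemption_expires is None or today <= self.exemption_expires


class RemediationStore:
    def __init__(self) -> None:
        self._violations: Dict[Key, Violation] = {}

    def get(self, user: str, policy: str, rule: str) -> Optional[Violation]:
        return self._violations.get((user, policy, rule))

    def record_scan_hit(self, user: str, policy: str, rule: str, today: date) -> str:
        """Rule from the workflow description: create a violation if none
        exists for the key, take no action if the existing one is mitigated,
        otherwise increment its recurrent count. Returns which case applied."""
        key = (user, policy, rule)
        existing = self._violations.get(key)
        if existing is None:
            self._violations[key] = Violation(user, policy, rule)
            return "created"
        if existing.is_mitigated(today):
            return "no-action"
        existing.recurrent_count += 1
        return "recurred"

    def mitigate(self, user: str, policy: str, rule: str,
                 explanation: str, expiration: str = "") -> Violation:
        """Mirror the Mitigate Policy Violation page: the explanation is
        required (it is the audit trail); the expiration is typed as
        YYYY-MM-DD and an empty value makes the exemption indefinite."""
        if not explanation.strip():
            raise ValueError("Explanation is required for a mitigation")
        violation = self._violations[(user, policy, rule)]
        violation.mitigated = True
        violation.exemption_expires = (
            datetime.strptime(expiration, "%Y-%m-%d").date() if expiration else None
        )
        return violation


def escalation_level(created: datetime, now: datetime,
                     timeouts: List[timedelta], max_level: int = 3) -> int:
    """Remediator level currently holding a request: Level 1 until timeouts[0]
    elapses, then Level 2 for timeouts[1], and so on, never past max_level."""
    level = 1
    deadline = created
    for wait in timeouts:
        deadline += wait
        if now < deadline or level >= max_level:
            break
        level += 1
    return level


def run_example() -> dict:
    """Constructed scenario: the AP/AR separation-of-duties rule, scanned daily."""
    store = RemediationStore()
    args = ("jdoe", "SoD AP-AR", "ap-and-ar")
    outcomes = [store.record_scan_hit(*args, date(2009, 1, 5)),   # first detection
                store.record_scan_hit(*args, date(2009, 1, 6))]   # still unresolved
    try:
        store.mitigate(*args, "   ")          # blank explanation must be rejected
        rejected_blank = False
    except ValueError:
        rejected_blank = True
    store.mitigate(*args, "Temporary cover while AR clerk is on leave", "2009-01-31")
    outcomes.append(store.record_scan_hit(*args, date(2009, 1, 20)))  # inside exemption
    outcomes.append(store.record_scan_hit(*args, date(2009, 2, 2)))   # exemption lapsed
    created = datetime(2009, 1, 5, 9, 0)
    two_days = [timedelta(days=2), timedelta(days=2)]
    levels = [escalation_level(created, created + timedelta(days=d), two_days)
              for d in (1, 2, 3, 4, 30)]
    return {"outcomes": outcomes, "rejected_blank_explanation": rejected_blank,
            "recurrent_count": store.get(*args).recurrent_count, "levels": levels}


if __name__ == "__main__":
    print(run_example())
```

Running the module prints the scenario: the first scan creates the violation, the second increments its count, a mitigation with a January 31 expiration suppresses the January 20 hit, and the February 2 hit counts again under the labelled assumption. The escalation check shows the request at Level 1 on day 1, Level 2 from day 2 through day 3, and Level 3 from day 4 onward, with no further escalation.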

For more information about remediation workflows, see About Audit Policies.

Remediation Responses

By default, three response options are given to each remediator:

Remediation Example

Your enterprise establishes a rule in which a user cannot be responsible for both Accounts Payable and Accounts Receivable, and you receive notice that a user is violating this rule.

Remediation Email Template

Identity Manager provides a Policy Violation Notice email template (available by selecting the Configuration tab, then the Email Templates subtab). You can configure this template to notify remediators of pending violations. For more information, see Customizing Email Templates in Chapter 4, Configuring Business Administration Objects.

Working with the Remediations Page

Select Work Items -> Remediations to access the Remediations page.

You can use this page to:

Viewing Policy Violations

You can use the Remediations page to view details about violations before taking action on them.

Depending on your capabilities or place in the Identity Manager capabilities hierarchy, you may be able to view and take action on violations for other remediators.

The following topics are related to viewing violations:

Viewing Pending Requests

Pending requests assigned to you are, by default, displayed in the Remediation table.

You can use the List Remediations for option to view pending remediation requests for a different remediator:

The resulting table provides the following information about each request:

Note –

Each user can choose a custom form that displays remediation data relevant to that particular remediator. To assign a custom form, select the Compliance tab on the user form.

Viewing Completed Requests

To view your completed remediation requests, click the My Work Items tab, and then click the History tab. A list of previously remediated work items displays.

The resulting table (which is generated by an AuditLog report) provides the following information about each remediation request:

Clicking a timestamp in the table opens an Audit Events Details page.

The Audit Events Details page provides information about the completed request, including information about the remediation or mitigation, event parameters (if applicable), and auditable attributes.

Updating the Table

To update the information provided in the Remediations table, click Refresh. The Remediation page updates the table with any new remediation requests.

Prioritizing Policy Violations

You can prioritize policy violations by assigning them a priority, severity, or both. Prioritize violations from the Remediations page.

Procedure: To Edit the Priority or Severity for Violations

  1. Select one or more violations in the list.

  2. Click Prioritize.

    The Prioritize Policy Violations page appears.

  3. Optionally set a severity for the violation. Selections are None, Low, Medium, High, or Critical.

  4. Optionally set a priority for the violation. Selections are None, Low, Medium, High, or Urgent.

  5. Click OK when you have finished making selections. Identity Manager returns to the list of remediations.

    Note –

    Severity and priority values can be set only on remediations of type CV (Compliance Violation).

Mitigating Policy Violations

You can mitigate policy violations from the Remediations and Review Policy Violations pages.

From the Remediations Page

Procedure: To Mitigate Pending Policy Violations From the Remediations Page

  1. Use the check boxes in the table to specify which requests to mitigate.

    • Enable one or more individual check boxes to specify requests to be mitigated.

    • Enable the check box in the table header to mitigate all requests listed in the table.

    Identity Manager allows you to enter only one set of comments to describe a mitigation action. You may not want to perform a bulk mitigation unless the violations are related and a single comment will suffice.

    You can mitigate only those requests that include compliance violations. Other remediation requests cannot be mitigated.

  2. Click Mitigate.

    The Mitigate Policy Violation page (or Mitigate Multiple Policy Violations page) appears.

    Figure 15–3 Mitigate Policy Violation Page (figure showing the Mitigate Multiple Policy Violations page; not reproduced here)

  3. Enter comments about the mitigation into the Explanation field. This field is required.

    Your comments provide an audit trail for this action, so be sure to enter complete and meaningful information. For example, explain why you are mitigating the policy violation, the date, and why you chose the exemption period.

  4. Provide an expiration date for the exemption by typing the date (in the format YYYY-MM-DD) directly into the Expiration Date field, or by clicking the date button and selecting a date from the calendar.

    Note –

    If you do not provide a date, the exemption is valid indefinitely.

  5. Click OK to save your changes and return to the Remediations page.

Remediating Policy Violations

Procedure: To Remediate One or More Policy Violations

  1. Use the check boxes in the table to specify which requests to remediate.

    • Enable one or more individual check boxes in the table to specify requests to remediate.

    • Enable the check box in the table header to remediate all requests listed in the table.

      If selecting more than one request, keep in mind that Identity Manager allows you to enter only one set of comments to describe a remediation action. You may not want to perform a bulk remediation unless the violations are related and a single comment will suffice.

  2. Click Remediate.

    The Remediate Policy Violation page (or Remediate Multiple Policy Violations page) appears.

  3. Enter your comments about the remediation into the Comments field.

  4. Click OK to save your changes and return to the Remediations page.

    Note –

    Audit policies assigned directly to a user (either through the user account or through an organization assignment) are always re-evaluated when a violation for that user is remediated.

Forwarding Remediation Requests

You can forward one or more remediation requests to another remediator.

Procedure: To Forward Remediation Requests

  1. Use the check boxes in the table to specify which requests to forward.

    • Enable the check box in the table header to forward all requests listed in the table.

    • Enable individual check boxes in the table to forward one or more requests.

  2. Click Forward.

    The Select and Confirm Forwarding page appears.

    Figure 15–4 Select and Confirm Forwarding Page (figure not reproduced here)

  3. Enter a remediator name in the Forward to field, and then click OK. Alternatively, you can click ... (More) to search for a remediator name. Select a name from the search list, and then click Set to enter that name in the Forward to field. Click Dismiss to close the search area.

    When the Remediations page reappears, the new remediator’s name displays in the Remediator column of the table.

Editing a User from a Remediation Work Item

From a remediation work item, you can (with appropriate user editing capabilities) edit a user to remediate problems (as described in the associated entitlement history).

To edit a user, click Edit User from the Review Remediation Request page. The displayed Edit User page shows:

After making changes to the user, click Save.

Note –

Saving user edits causes the Update User workflow to run. Because this workflow may have approvals, it is possible that the changes to the user accounts are not in effect for a period of time after the save. If the audit policy allows re-scans, and the Update User workflow has not completed, then the subsequent policy scan may detect the same violation.