Sun Identity Manager 8.1 Business Administrator's Guide

Managing Access Reviews

After defining an access scan, you can use or schedule it as part of an access review. After initiating an access review, several options are available to manage the review process.

Read the following sections for more information about:

Launching an Access Review

To launch an access review from the Administrator interface, use one of these methods:

On the displayed Launch Task page, specify a name for the access review. Select the scans from the Available Access Scans list and move them to the Selected list.

If you select more than one scan, you can choose one of the following launch options:

Note –

You can initiate more than one scan during an access review session. However, consider that each scan may involve a large number of users, and therefore the scan process can take many hours to complete. Best practice dictates that you manage your scans accordingly. For example, you might launch one scan to run immediately and schedule other scans at staggered intervals.

Click Launch to start the access review process.

Note –

The name you assign to an access review is important. Access reviews that run on a periodic basis with the same name can be compared by some reports.

When you launch an access review, the workflow process diagram is displayed, showing the steps in the process.

Scheduling Access Review Tasks

An access review task can be scheduled from the Server Tasks area. For example, to set up access reviews on a periodic basis, select Manage Schedule and then define the schedule. You might schedule the task to occur every month or every quarter.

To define the schedule, select the Access Review task on the Schedule Tasks page and then complete the information on the Create task schedule page.

Click Save to save the scheduled task.

Note –

Identity Manager keeps the results from access review tasks for one week, by default. If you choose to schedule a review more often than once a week, set the Results Options to delete. If Results Options are not set to delete, the new review will not run because the previous task results still exist.

Managing Access Review Progress

Use the Access Reviews tab to monitor the progress of an access review. Access this feature through the Compliance tab.

From the Access Reviews tab you can review a summary of all active and previously processed access reviews. The following information is provided for each access review listed:

To view more detailed information about the review, select it to open a summary report.

Figure 15–5 shows a sample Access Review Summary report.

Figure 15–5 Access Review Summary Report Page

Click the Organization or Attestors form tab to view scan information categorized by those objects.

You can also review and download this information in a report by running the Access Review Summary Report.

Modifying Scan Attributes

After setting up an access scan, you can edit the scan to specify new options, such as specifying target resources to scan or specifying audit policies to scan for violations while the access scan is running.

To edit a scan definition, select it from the list of Access Scans, and then modify the attributes on the Edit Access Review Scan page.

You must click Save to save any changes to the scan definition.

Note –

Changing the scope of an access scan might change the information in newly-acquired user entitlement records, as it can affect the Review Determination Rule if that rule compares user entitlements to older user entitlement records.

Canceling an Access Review

From the Access Reviews page, click Terminate to stop a selected review in progress.

Terminating a review causes these actions to occur:

Deleting an Access Review

From the Access Reviews page, click Delete to delete a selected review.

You can delete an access review if the status of the task is terminated or completed. An access review task in progress cannot be deleted unless it is first terminated.

Deleting an access review deletes all user entitlement records that were generated by the review. The delete action is recorded in the audit log.

To delete an access review, click Delete from the Access Reviews page.

Note –

Canceling and deleting an access review may result in updates to a large number of Identity Manager objects and tasks, and can take several minutes to complete. You can check the progress of the operation by viewing the task results in Server Tasks -> All Tasks.