Oracle Waveset 8.1.1 Business Administrator's Guide

Creating an Access Scan

    To define an access review scan, perform the following steps:

  1. Select Compliance -> Manage Access Scans.

  2. Click New to display the Create New Access Scan page.

  3. Assign a name to the access scan and add a description that is meaningful in identifying the scan (optional).


    Note –

    Access scan names must not contain these characters:

    apostrophe ('), period (.), pipe (|), left bracket ([), right bracket (]), comma (,), colon (:), dollar sign ($), double quote ("), backslash (\), or equals sign (=)

    Also, avoid using these characters: underscore (_), percent-sign (%), caret (^), and asterisk (*).


  4. Enable the Dynamic entitlements option to give attestors additional options.

    These options include:

    • A pending attestation can be immediately re-scanned to refresh the entitlement data and reevaluate the need for attestation.

    • A pending attestation can be routed to another user for remediation. Following remediation, the entitlement data is refreshed and reevaluated to determine the need for attestation.

  5. Specify the User Scope Type (Required).

    Choose from the following options:

    • According to attribute condition rule. Scan users according to a selected User Scope Rule.

      Waveset provides these default rules:

      • All Administrators


        Note –

        You can add user scoping rules by using the Identity Manager IDE. For information about the Identity Manager IDE, go to https://identitymanageride.dev.java.net/.


      • All My Reports

      • All Non-Administrators

      • My Direct Reports

      • Users without a Manager

    • Assigned to resources. Scan all users that have an account on one or more selected resources. When you choose this option, the page displays the User Scope Resources, which lets you specify resources.

    • According to a specific role. Scan all members who have at least one role, or who have all the roles, that you specify.

    • Members of Organizations. Choose this option to scan all members of one or more selected organizations.

    • Reports to managers. Scan all users reporting to selected managers. Manager hierarchy is determined by the Waveset attribute of the user’s Lighthouse account.

      If the user scope is organization or manager, then the Recursive Scope option is available. This option allows for user selection to occur recursively through the chain of controlled members.

  6. If you also want to scan audit policies to detect violations during the access review scan, select the audit policies to apply to this scan by moving your selections from Available Audit Policies to the Current Audit Policies list.

    Adding audit policies to an access scan results in the same behavior as performing an audit scan over the same set of users. However, in addition, any violations detected by the audit policies are stored in the user entitlement record. This information can make automatic approval or rejection easier, because the rule can use the presence or absence of violations in the user entitlement record as part of its logic.

  7. If you selected audit policies in the preceding step, you can use the Policy mode option to specify how the access scan determines which audit policies to execute for a given user. A user can have policies assigned at the user level, at the organization level, or both. The default access scan behavior is to apply the policies specified for the access scan only if the user does not already have any assigned policies.

    1. Apply select policies and ignore other assignments

    2. Apply selected policies only if user does not already have assignments

    3. Apply selected policies in addition to user assignments

  8. (Optional) Use the Specify the Review Process Owner option to specify an owner of the access review task being defined. If a Review Process Owner is specified, then an attestor who encounters a potential conflict in responding to an attestation request can abstain in lieu of approving or rejecting a user entitlement and the attestation request is forwarded to the Review Process Owner. Click the selection (ellipsis) box to search the user accounts and make your selection.

  9. Select the Follow delegation option to enable delegation for the access scan. The access scan will only honor delegation settings if this option is checked. Follow Delegation is enabled by default.

  10. Select the Restrict target resources option to restrict scanning to targeted resources.

    This setting has a direct bearing on the efficiency of the access scan. If target resources are not restricted, each user entitlement record will include account information for every resource the user is linked to. This means that during the scan every assigned resource is queried for each user. By using this option to specify a subset of the resources, you can greatly reduce the processing time required for Waveset to create user entitlement records.

  11. Generally, do not enable the Execute Violation Remediation option except for advanced cases.

    When enabled and a violation is detected for any of the assigned audit policies, Waveset executes the respective audit policy’s remediation workflow.

  12. Select the Access Approval Workflow and specify the default Standard Attestation workflow or select a customized workflow if available.

    This workflow is used to present the user entitlement record for review to the appropriate attestors (as determined by the attestor rule). The default Standard Attestation Workflow creates one work item for each attestor. If the access scan specifies escalation, this workflow is responsible for escalating work items that have been dormant too long. If no workflow is specified, the user attestation will remain in the pending state indefinitely.


    Note –

    For more information about the Identity Auditor rules mentioned in this step and the following steps, see Chapter 4, Working with Rules, in Oracle Waveset 8.1.1 Deployment Reference.


  13. Use the Attestor Rule option to specify the Default Attestor rule or to select a customized attestor rule if available.

    The attestor rule is given the user entitlement record as input, and returns a list of attestor names. If Follow Delegation is selected, the access scan transforms the list of names to the appropriate users following the delegation information configured by each user in the original list of names. If a Waveset user’s delegation results in a routing cycle, then the delegation information is discarded, and the work item is delivered to the initial attestor. The Default Attestor rule indicates that the attestor should be the manager (idmManager) of the user that the entitlement record represents, or the Configurator account if that user’s idmManager is null. If attestation needs to involve resource owners as well as managers, you must use a custom rule.

  14. Use the Attestor Escalation Rule option to specify the Default Escalation Attestor rule, or select a customized rule if available. You can also specify the Escalation Timeout value for the rule. The default escalation timeout value is 0 days.

    This rule specifies the escalation chain for a work item that has passed the Escalation Timeout period. The Default Escalation Attestor rule escalates to the assigned attestor’s manager (idmManager), or to Configurator if the attestor’s idmManager value is null.

    You can specify the Escalation Timeout value in minutes, hours, or days.

    The book contains additional information about the Attestor Escalation Rule.
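    The routing logic described in steps 13 and 14, modelled as an added example (this is illustrative Python, not Waveset rule code or XPRESS): the Default Attestor rule returns the user's idmManager or Configurator, Follow Delegation walks each attestor's delegation chain and discards a chain that forms a routing cycle, and the Default Escalation Attestor rule escalates to the attestor's idmManager. The directory and delegation data are constructed sample values.

```python
# Model of attestor resolution from steps 13 and 14 (added illustration, not
# Waveset code). Directory and delegation settings are constructed samples.
CONFIGURATOR = "Configurator"

# Constructed sample: user -> idmManager attribute (None means null).
IDM_MANAGER = {
    "alice": "bob", "bob": "carol", "carol": None,
    "dave": "frank", "frank": "grace", "grace": "carol", "erin": "carol",
}

# Constructed delegation settings: attestor -> user the attestor delegates to.
DELEGATION = {
    "bob": "dave", "dave": "erin",        # valid chain: bob -> dave -> erin
    "frank": "grace", "grace": "frank",   # routing cycle: frank <-> grace
}


def default_attestor(user):
    """Default Attestor rule: the user's idmManager, or Configurator if null."""
    return IDM_MANAGER.get(user) or CONFIGURATOR


def follow_delegation(attestor, delegation=DELEGATION):
    """Walk the delegation chain; a routing cycle discards the delegation."""
    seen = {attestor}
    current = attestor
    while current in delegation:
        current = delegation[current]
        if current in seen:
            return attestor   # cycle detected: deliver to the initial attestor
        seen.add(current)
    return current


def resolve_attestors(user, rule=default_attestor, follow=True):
    """Attestors for one user entitlement record, as the scan would route it."""
    names = [rule(user)]
    if follow:   # the Follow delegation option from step 9
        names = [follow_delegation(name) for name in names]
    return names


def default_escalation_attestor(attestor):
    """Default Escalation Attestor rule for a work item past its timeout."""
    return IDM_MANAGER.get(attestor) or CONFIGURATOR
```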

  15. Specify a Review Determination Rule. (Required)

    Select one of the following rules to specify how the scan process will determine the disposition of an entitlement record:

    • Reject Changed Users. Automatically rejects a user entitlement record if it is different than the last user entitlement from the same access scan definition and the last user entitlement was approved. Otherwise, forces manual attestation and approves all user entitlements that are unchanged from the previously approved user entitlement. By default, only the “accounts” portion of the user view is compared for this rule.

    • Review Changed Users. Forces manual attestation for any user entitlement record if it is different than the last user entitlement from the same access scan definition and the last user entitlement was approved. Approves all user entitlements that are unchanged from the previously approved user entitlement. By default, only the “accounts” portion of the user view is compared for this rule.

    • Review Everyone. Forces manual attestation for all user entitlement records.

    The Reject Changed Users and Review Changed Users rules compare the user entitlement to the last instance of the same access scan in which the entitlement record was approved.

    You can change this behavior by copying and modifying the rules to restrict comparison to any selected part of the user view.

    This rule can return the following values:

    • -1. No attestation required

    • 0. Automatically rejects the attestation

    • 1. Manual attestation required

    • 2. Automatically approves the attestation

    • 3. Automatically remediates the attestation (auto-remediation)

    The book contains additional information about the Review Determination Rule.
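    The disposition logic of step 15, together with the use of stored audit-policy violations from step 6, as an added example (illustrative Python, not Waveset's own rules): the three built-in rules compare only the "accounts" portion of the user view against the last approved entitlement from the same access scan definition and return the codes listed above; the final function is a hypothetical custom rule that returns 3 (auto-remediation) when violations are present. The entitlement history is constructed sample data.

```python
# Model of the Review Determination Rule from step 15 (added illustration, not
# Waveset code). Entitlement records below are constructed sample data.
NO_ATTESTATION, AUTO_REJECT, MANUAL, AUTO_APPROVE, AUTO_REMEDIATE = -1, 0, 1, 2, 3

# Constructed history of one user's entitlement records, oldest first.
HISTORY = [
    {"scan": "quarterly", "status": "approved", "accounts": ["AD", "LDAP"]},
    {"scan": "quarterly", "status": "rejected", "accounts": ["AD", "LDAP", "SAP"]},
    {"scan": "annual", "status": "approved", "accounts": ["AD", "LDAP", "SAP"]},
]


def last_approved(history, scan):
    """Most recent approved entitlement from the same access scan definition."""
    for record in reversed(history):
        if record["scan"] == scan and record["status"] == "approved":
            return record
    return None


def part_changed(current, baseline, part="accounts"):
    """Compare one part of the user view; built-in rules compare only accounts."""
    return sorted(current.get(part, [])) != sorted(baseline.get(part, []))


def review_everyone(current, history, scan):
    return MANUAL


def review_changed_users(current, history, scan):
    baseline = last_approved(history, scan)
    if baseline is None:          # no approved baseline yet: attest manually
        return MANUAL
    return MANUAL if part_changed(current, baseline) else AUTO_APPROVE


def reject_changed_users(current, history, scan):
    baseline = last_approved(history, scan)
    if baseline is None:
        return MANUAL
    return AUTO_REJECT if part_changed(current, baseline) else AUTO_APPROVE


def remediate_violations_else_reject_changed(current, history, scan):
    """Hypothetical custom rule: violations stored in the entitlement record by
    scanned audit policies (step 6) trigger auto-remediation; otherwise it
    behaves like Reject Changed Users."""
    if current.get("violations"):
        return AUTO_REMEDIATE
    return reject_changed_users(current, history, scan)
```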

  16. Select a Remediator Rule to determine who should remediate a specific user’s entitlement in the event of Auto-Remediation. The rule can examine the user’s current user entitlement and violations, and must return a list of users that should remediate. If no rule is specified, then no remediation will take place. A common use for this rule would be if the entitlement has compliance violations.

  17. Select a Remediation User Form Rule that determines an appropriate form for attestation remediators when editing users. Remediators can set their own form, which overrides this one. This form rule would be set if the scan collects very specific data that matches a custom form.

  18. Select one of the following Notification Workflow options to specify the notification behavior for each work item.

    • None (Default). This selection results in an attestor getting an email notification for each individual user entitlement that he must attest.

    • ScanNotification. This selection bundles attestation requests into a single notification. The notification indicates how many attestation requests were assigned to the recipient.

      If there is a Review Process Owner specified in the access scan, the ScanNotification Workflow will also send a notification to the review process owner when the scan begins, and when it ends. See Creating an Access Scan.

      The ScanNotification workflow uses the following email templates:

      • Access Scan Begin Notice

      • Access Scan End Notice

      • Bulk Attestation Notice

      You can customize the ScanNotification Workflow.

  19. Use the Violation limit option to specify the maximum number of compliance violations that this scan can emit before the scan aborts. The default limit is 1000. Leaving the value field empty means no limit.

    Although typically during an audit scan or access scan the number of policy violations is small compared to the number of users, setting this value could provide protection from the impact of a defective policy that increases the number of violations significantly. For example, consider the following scenario:

    If an access scan involves 50,000 users and generates two to three violations per user, the cost of remediation for each compliance violation can have a detrimental effect on the Waveset system.

  20. Select the Organizations to which this access scan object is available (Required).

  21. Click Save to save the scan definition.