8 Identity Audit

This chapter describes the identity audit user interface pages and includes information about how to complete an identity audit.

This chapter contains the following sections:

  • Section 8.1, "Identity Audit Overview"

  • Section 8.2, "Understanding the Identity Audit User Interface"

  • Section 8.3, "Understanding Audit Policy Violations"

  • Section 8.4, "Acting on Audit Policy Violations"

8.1 Identity Audit Overview

The Identity Audit module is designed to detect segregation of duties (SoD) violations. A segregation of duties violation is a violation whereby a user account, a user attribute, or a role has been assigned two entitlements that should not be held in combination.

While the identity certification module enables managers to certify or revoke access of users, the identity audit module has a detection mechanism that monitors users' actual access to resources and captures any violations on a continuous basis. The software can also be programmed to conform to audit policies and report exceptions. It provides a summary of all exceptions, which helps security analysts, executives, or auditors accept or mitigate the exceptions.

In Oracle Identity Analytics, audit rules define violations. Audit rules are collected together to create an audit policy. User accounts and business structures are then scanned for audit policy violations. User accounts, user attributes, and roles that violate an identity audit policy are flagged and tracked until the violation is resolved.

Use the Identity Audit module to create and track audit rules, audit policies, and audit policy violations throughout the audit lifecycle. The module maintains a history of audit scans.

8.2 Understanding the Identity Audit User Interface

This section provides help using the Identity Audit portion of the user interface.

8.2.1 The Dashboard

To open the identity audit dashboard, choose Identity Audit > Dashboard from the main menu.

The identity audit dashboard summarizes identity audit policy violation status information. It displays graphs that enumerate the number of violations, and lists violations by state, priority, and date-of-last-update. The following four graphs are displayed:

  • Identity Audit Policy Violations

  • Identity Audit Policy Violations By State

  • Identity Audit Violation By Severity

  • Identity Audit Policy Violations By Updated Date

Figure 8-1 The Identity Audit Dashboard


To change the view of the graphs, click the "three graphs" icon in the lower right corner of each panel.

To change the time period that the Dashboard reports on, click the Period drop-down menu at the bottom-right of the screen.

8.2.2 Policies

To open the identity audit Policies page, choose Identity Audit > Policies from the main menu.

Use the Identity Audit Policies page to edit and run audit policies, as well as to preview audit policies and view the results of completed audit policy scans. Click the New Policy button to create a new audit policy.

8.2.3 Rules

To open the identity audit Rules page, choose Identity Audit > Rules from the main menu.

Use the identity audit Rules page to create and edit audit rules.

8.2.4 Policy Violations

To open the identity audit Policy Violations page, choose Identity Audit > Policy Violations from the main menu.

The audit Policy Violations page has the following subtabs.

Open Violations Tab

This tab displays all violations that a remediator has not yet fixed. Click a violation to view it.

Closed Violations Tab

Displays all violations that have been addressed by a remediator and closed.

8.3 Understanding Audit Policy Violations

An audit policy violation occurs when one or more of the rules associated with a policy are broken by a user account, a user attribute, or a user role. Oracle Identity Analytics tracks the violation until it is resolved.

Audit policies have designated remediators who are responsible for taking action when violations are discovered.

The following three actors can be remediators:

  • Rbacxadmin

  • Policy Owner

  • Remediator (designated person assigned during policy creation)

A remediator can reassign violations to another user so that action can be taken to resolve the violation. The remediator is mentioned in the audit trail of every violation, thereby making the remediator accountable for the action.

Each broken rule is recorded, together with the user, account, role, and membership details that caused the violation. Every identity audit violation has at least one cause; when more than one rule in the policy matches, the violation has multiple causes. Violation causes are displayed on the Violation Details page under three categories:

  • Account Causes

  • Role Causes

  • HR Attribute Causes

For more information about the Audit Violation Details page, see Section 8.4.3, "Audit Violation Details Help."

8.4 Acting on Audit Policy Violations

The following procedures describe how to take action on audit policy violations.

8.4.1 To Assign an Audit Policy Violation to Another User

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Audit > Policy Violations.

    A list of open violations is displayed.

  3. Click a violation in the Exception column.

    The Policy Violation Details page opens.

  4. To reassign the violation to another user, click Reassign To in the Violation Details section.

    A page asking you to select another remediator opens.

  5. Use search to choose another user. For help using search, see Section 6.3.1, "Searching for a User."

  6. Click OK.

8.4.2 To View and Take Action on Audit Policy Violations

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Audit > Policy Violations.

    A list of open violations is displayed.

    Audit policy violations can be sorted by four different states:

    • Open - The remediator has not yet taken any action on the violation.

    • Closed - The remediator has closed the violation.

    • Closed and Fixed - The remediator has fixed the violation and therefore it should not appear in the next policy scan.

    • Closed as Risk Accepted - The remediator has acknowledged the violation and opted to allow the access for a certain time period.

  3. Click a violation in the Exception column.

    The Policy Violations Details page opens.

  4. To take action on the violation, review the user's access.

    To understand the Audit Violations page, see Section 8.4.3, "Audit Violation Details Help."

    • If you click Close Violation or Close as Fixed, a comment box opens.

      Enter a comment for future reference and click OK.

    • If you click Close as Risk Accepted, enter a comment and an end date, after which time the exemption will expire, then click OK.
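The way rules, policies, causes and violation states fit together (Sections 8.1 and 8.3, and the states listed in the procedure above) can be shown with a small scan model. This is an added example, not Oracle Identity Analytics code; the rule names, user data and the reopen-on-redetection behaviour are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
# Hypothetical model of this chapter's concepts, not Oracle Identity Analytics code.
@dataclass(frozen=True)
class Rule:
    name: str
    category: str        # "Account", "Role" or "HR Attribute"
    conflict: frozenset  # values that must not be held in combination

@dataclass
class Violation:
    user: str
    policy: str
    state: str = "Open"  # Open | Closed | Closed and Fixed | Closed as Risk Accepted
    detection_count: int = 0
    expiration: date = None                     # set for Closed as Risk Accepted
    causes: dict = field(default_factory=dict)  # category -> [(rule name, values)]

def find_causes(rules, user):
    """Every rule whose conflicting values the user holds, grouped by category."""
    causes = {}
    for rule in rules:
        if rule.conflict <= user[rule.category]:
            causes.setdefault(rule.category, []).append((rule.name, sorted(rule.conflict)))
    return causes

def scan(policy, rules, users, tracked, today):
    """One policy scan; tracked maps user name -> Violation, today is an ISO date."""
    today = date.fromisoformat(today)
    for user in users:
        causes = find_causes(rules, user)
        if not causes:
            continue
        v = tracked.setdefault(user["name"], Violation(user["name"], policy))
        v.causes, v.detection_count = causes, v.detection_count + 1
        # Assumption: risk acceptance suppresses until expiry; other closed states reopen.
        if v.state == "Closed as Risk Accepted" and v.expiration and v.expiration >= today:
            continue
        v.state, v.expiration = "Open", None
    return tracked

def close_as_risk_accepted(v, expiration):
    """Remediator action: allow the access until the given ISO expiration date."""
    v.state, v.expiration = "Closed as Risk Accepted", date.fromisoformat(expiration)
# Constructed sample data, not taken from the page.
RULES = [Rule("AP create vs approve", "Account", frozenset({"AP_CREATE", "AP_APPROVE"})),
         Rule("Payroll vs HR admin", "Role", frozenset({"Payroll Clerk", "HR Administrator"}))]
USERS = [{"name": "jdoe", "Account": {"AP_CREATE", "AP_APPROVE"},
          "Role": {"Payroll Clerk", "HR Administrator"}, "HR Attribute": set()},
         {"name": "asmith", "Account": {"AP_CREATE"}, "Role": set(), "HR Attribute": set()}]
```

Running three scans in sequence shows the detection count climbing while a risk acceptance holds, and the violation reopening once its end date has passed.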

8.4.3 Audit Violation Details Help

When taking action on an open violation (see Section 8.4.2, "To View and Take Action on Audit Policy Violations"), the Policy Violation Details page displays the following information.

Violation Details Section

Table 8-1 Violation Details Section of the Policy Violation Details Page

Field              Description
Policy             Displays the name of the policy.
Assigned To        Displays the remediator's name.
Reassign To        Allows you to reassign the violation to another user.
Assigned Date      The date when the policy was assigned to the remediator.
State              Displays the state of the violation.
Detection Count    The number of scans in which the violation was detected.
Last Detected      The last time the violation was found in an identity audit scan.
Expiration Date    Displays the expiration date of a "Close as Risk Accepted" violation.
Close Date         The date a remediation action was taken and the violation was moved to one of the "Closed" states.
Comments           Displays any comments added by the remediator.


User Details Section

Table 8-2 User Details Section of the Policy Violation Details Page

Field          Description
Name           Displays the name of the user.
Department     Displays the user's department.
E-mail         Displays the user's e-mail ID.
User Name      Displays the user name.
Manager        Displays the name of the manager.
Job Title      Displays the user's job title.


Accounts Section

The Accounts section displays the user account that resulted in an identity audit violation.

Table 8-3 Accounts Section of the Policy Violation Details Page

Field            Description
Name             Displays the name of the account under violation.
Resource Type    Displays the resource type under violation.
Resource         Displays the resource under violation.
Rule             Displays the identity audit rule.
Condition        Displays the identity audit rule condition.
Status           Displays the state of the rule.


Roles Section

The Roles section displays the name of the user role that resulted in the identity audit violation.

Table 8-4 Roles Section of the Policy Violation Details Page

Field        Description
Name         Displays the role under violation.
Rule         Displays the identity audit rule.
Condition    Displays the identity audit rule condition.
Status       Displays the state of the rule.


HR Attributes Section

The HR Attributes section displays the user attributes and values that resulted in the violation. If the violation occurred due to a business structure membership, the name of the business structure is displayed.

Table 8-5 HR Attributes Section of the Policy Violation Details Page

Field         Description
Attributes    Displays the HR attribute under violation.
Rule          Displays the identity audit rule.
Condition     Displays the identity audit rule condition.
Status        Displays the state of the rule.


8.4.4 To View Audit Trails

An audit trail is a permanent history of every audit violation identified by Oracle Identity Analytics as well as all subsequent actions taken to resolve the violation.

The audit trail is updated whenever a violation is updated or modified. The audit trail tracks date information (when actions were taken), as well as any changes that affect the user, state, remediator, and comments fields.

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Audit > Policy Violations.

  3. To view the audit trail of a violation, do the following:

    1. Click Open Violations in the submenu bar to view the audit trail of an open violation, or click Closed Violations in the submenu bar to view the audit trail of a closed violation.

    2. Select the violation.

      The Violations Details page opens.

    3. Click the Audit Trail page option.

      The audit trail for the violation is displayed.

    4. Use the Search feature to search by name in the Assigned To field.

      Note:

      You can only search the Assigned To field. The Audit Trail Search feature does not search any of the other fields on the Audit Trail page.

8.4.5 To Export a Violation

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Audit > Policies.

    All the identity audit policies are listed.

  3. Select the desired policy whose violations you want to export.

  4. Click Export Violations.

  5. Select the options to generate your report:

    • Report Format - Select the report format. Available formats are PDF, CSV, XML, HTML, and XLS.

    • Violations to be exported - Select from the options listed.

  6. Click OK.