This chapter has two parts: the first section documents the configuration pages available from the menu bar under Administration > Configuration, and the second section documents the pages available under Administration > Settings.
Configuration Pages Help Topics
This section documents the configuration pages that are available when you choose Administration > Configuration from the menu bar.
This section describes how to configure settings for the Proxy Assignment Notifications, Mail Server Settings, and OIA Server Settings options.
This option enables e-mail notifications to be sent to the users who have been set as proxies using the My Settings > New Proxy Assignment tab. An e-mail template can be selected for the proxy user.
Use this option to configure the mail server through which Oracle Identity Analytics sends notification e-mail.

| Setting | Description |
|---|---|
| Email Encoding | |
| SMTP Server Name | |
| SMTP Port | |
| SMTP Authentication | Select if required |
For a discussion of Risk Mapping, see Section 1.4, "Understanding How Risk Summaries are Calculated."
Use this screen to assign risk levels to roles and entitlements that are assigned to users outside of Oracle Identity Analytics.
Note - To use this feature, Oracle Identity Analytics must be configured to capture "provisioned-by" information for entitlements. This information needs to originate from an authoritative source, such as Oracle Identity Manager. "Provisioned-by" information cannot currently be captured in file-based imports.
Enable Provisioning Method Risks
Select to assign a high, medium, or low default risk level for each provisioning scenario listed on the page.
Reconciliation from target system - Applies to user access that was created outside of OIA when an identity and access management (IAM) system reconciled its identities with those of the target system.
Direct provisioning by administrator - Applies to user access that was manually assigned to the user outside of OIA by an administrator in an identity and access management system.
Access request - Applies to access that was assigned as the result of an access request.
Provisioned by access policy - Applies to user access that was assigned by an access policy that is defined outside of OIA.
Rule-based role-assignment - Applies to user access that was assigned due to a rule assigning a role to a user based on one or more properties that triggered the rule.
Use this screen to assign risk levels to roles and entitlements that are assigned to users from within Oracle Identity Analytics.
WARNING:
Do not make frequent changes to risk level mappings.
Changing risk level mappings can cause a huge ripple effect in the Identity Warehouse. Each change to a risk-level mapping affects every account or account-attribute value, every user-role assignment, and every user in the system.
For more information, see Section 1.4.3, "Understanding How Changing Risk Configuration Values Impacts the System."
Assign high, medium, or low risk levels to the following provisioning actions applied from within OIA:
Rule-based role assignment - Applies to user access that was assigned because of a rule in OIA.
Role mining role assignment - Applies to user access that was assigned during the OIA role mining process. The role mining process discovers relationships between users based on similar access permissions that can logically be grouped to form a role.
Approval request - Applies to an access request that was assigned after an OIA approval process was completed.
Import process - Applies to user access that was created during the role import process, during which roles from one or more external systems are imported into OIA.
Unknown action - Applies to user access that was assigned, but details about the assignment are not available in OIA.
Assign high, medium, or low Item-Risk levels to OIA data warehouse items. If you do not directly assign an Item-Risk level to a metadata object in the Identity Warehouse, the system references the following settings to assign a default Item-Risk level for you.
Roles - Select the risk level that should be applied to Roles that otherwise do not have an assigned Item-Risk level.
Roles represent unique job functions performed by users. Roles contain Policies that describe the access that individuals have on a directory.
Resources - Select the risk level that should be applied to Resources that otherwise do not have an assigned Item-Risk level.
Resources are the applications and enterprise information assets that users need to do their jobs.
Entitlements - Select the risk level that should be applied to Entitlements that otherwise do not have an assigned Item-Risk level.
Note:
If you change the Entitlements setting, the system assigns the new risk level to all Resource-Attribute Values that (1) were imported into the Identity Warehouse by way of an Account import, and (2) do not have a directly-assigned Item-Risk level. Resource-Attribute Values that were imported by way of a Glossary import, however, are not assigned a new risk level when the Entitlements risk-mapping setting is changed.
Each Entitlement is a specific value of a specific resource-attribute. A particular resource-attribute may have many values, each of which could be defined as an entitlement that confers a specific access-privilege.
Assign high, medium, or low risk levels to the last action performed against a certification entry, as follows:
Certified - Applies to a certification item that was approved during the previous certification.
Revoked - Applies to a certification item that was revoked during the previous certification.
Abstain - Applies to a certification item whereby during the previous certification the certifier indicated that they are not responsible for reviewing or certifying the item.
Certify Conditionally - Applies to a certification item that was temporarily certified during the previous certification, even though the certification may not be valid. Certifiers who select this action are required to enter an end date. The system neither revokes the access when that end date passes nor sends notices about expired end dates, so expired conditional certifications must be followed up manually.
Unknown Action - Applies to a certification item that has not been acted on yet. This occurs in systems when a certification is run for the first time so there is not a base value to refer to.
Assign high, medium, or low risk levels to items associated with an audit trail, as follows:
Open audit violations - Applies to items that are associated with an unresolved audit violation.
No audit violations - Applies to items that are not associated with an audit violation.
Closed as risk-accepted - Applies to items that were flagged during an Identity Audit, but were closed as risk-accepted.
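The following is an added example, not part of this guide or of the OIA product code. It models how a default Item-Risk setting applies to warehouse items that carry no directly assigned risk, and measures how many items one change to a default rewrites, which is the ripple the WARNING above describes. The item model, the import-source field, and the treatment of Glossary-imported values (they keep the risk they already carry) are this example's assumptions, not documented OIA internals.

```python
"""Added example (not OIA code): resolving the effective Item-Risk level of
warehouse items from the Risk Mapping defaults, and measuring how many items a
single change to a default touches.

Assumptions (this example's own, not documented OIA internals):
  * an item is a role, a resource, or an entitlement (resource-attribute value);
  * an entitlement records whether it arrived via an Account or a Glossary import;
  * a Glossary-imported entitlement keeps the risk it already carries when the
    Entitlements default changes.
"""
from dataclasses import dataclass
from typing import Optional

RISK_LEVELS = ("low", "medium", "high")


@dataclass
class Item:
    name: str
    kind: str                              # "role", "resource" or "entitlement"
    direct_risk: Optional[str] = None      # risk assigned directly on the object
    import_source: Optional[str] = None    # entitlements only: "account" or "glossary"
    effective_risk: Optional[str] = None   # last resolved value


@dataclass
class RiskMapping:
    roles: str = "medium"
    resources: str = "medium"
    entitlements: str = "medium"


def resolve_item_risk(item: Item, mapping: RiskMapping) -> str:
    """Direct assignment wins; otherwise fall back to the per-type default."""
    if item.direct_risk is not None:
        return item.direct_risk
    if item.kind == "role":
        return mapping.roles
    if item.kind == "resource":
        return mapping.resources
    if item.kind == "entitlement":
        if item.import_source == "glossary" and item.effective_risk is not None:
            # Glossary-imported values are not re-mapped (assumption, per the Note).
            return item.effective_risk
        return mapping.entitlements
    raise ValueError(f"unknown item kind: {item.kind}")


def apply_mapping(items, mapping):
    """Re-resolve every item and return the names whose risk changed.

    The length of the returned list is the 'ripple': every item without a
    direct assignment is rewritten in one pass."""
    changed = []
    for item in items:
        new = resolve_item_risk(item, mapping)
        if new not in RISK_LEVELS:
            raise ValueError(f"invalid risk level {new!r} for {item.name}")
        if new != item.effective_risk:
            changed.append(item.name)
            item.effective_risk = new
    return changed


def sample_warehouse():
    """Constructed sample items, not real warehouse data."""
    return [
        Item("Payroll Admin", "role"),
        Item("Payroll Admin (pinned)", "role", direct_risk="high"),
        Item("HR DB", "resource"),
        Item("HR DB: DBA", "entitlement", import_source="account"),
        Item("HR DB: READ", "entitlement", import_source="account", direct_risk="low"),
        Item("HR DB: AUDIT", "entitlement", import_source="glossary"),
    ]


def demo():
    items = sample_warehouse()
    initial = apply_mapping(items, RiskMapping())            # first resolution
    # Raise only the Entitlements default from medium to high.
    ripple = apply_mapping(items, RiskMapping(entitlements="high"))
    return initial, ripple, {i.name: i.effective_risk for i in items}


if __name__ == "__main__":
    first, second, state = demo()
    print("items set on first pass:", len(first))
    print("items changed by raising the Entitlements default:", second)
    for name, risk in state.items():
        print(f"  {name:28s} {risk}")
```

Only the account-imported entitlement without a direct assignment moves when the default is raised; the pinned role, the directly assigned READ value and the Glossary-imported AUDIT value are untouched. On a real warehouse the returned list is the size of the change you are committing to, which is why the WARNING asks you not to change these mappings often.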
In Oracle Identity Analytics, a resource is an application or some other enterprise information asset that users need to do their jobs, whereas a resource type is a grouping of like resources. A resource type defines meta-data common to all resources of that type. For example, a resource type of "Oracle DBMS" might define entitlements (that is, attribute-values of Oracle database accounts) that are common to all database instances. Each resource of that type represents a specific database instance to which a user might have access.
Systems such as UNIX®, Windows, Oracle DBMS, and so on are commonly defined as resource types, whereas individual servers or databases are examples of resources.
Administrators need to create and define resource types in Oracle Identity Analytics. Oracle Identity Analytics makes it possible to create detailed descriptions of the hierarchy levels and user entitlements associated with resource types. The Oracle Identity Analytics metadata module enables the user to define resource types, list the entitlements for each resource type, and define the various levels of hierarchy associated with each entitlement.
To define metadata in Oracle Identity Analytics, choose Administration > Configuration > Resource Types in the user interface.
Log in to Oracle Identity Analytics.
Choose Administration > Configuration.
Click Resource Types.
To create or delete a resource type, do one of the following:
To create a new resource type, do this:
Click New Resource Type.
Complete the form. For Short Name, type a three-letter abbreviation.
Click Save.
To delete a resource type, do this:
Click the resource type to be deleted.
Click Delete.
A dialog box appears asking you to confirm the deletion.
Resource type metadata is defined in Oracle Identity Analytics using the following hierarchy:
Resource Type > Attribute Categories > Attributes
Attributes are entitlements that map to different objects in a resource type. For example, database name is an attribute of MySQL™, UID is a UNIX attribute, and so on. A collection of similar types of attributes makes up an attribute category. Attributes and attribute categories are uniquely defined for each resource type.
Log in to Oracle Identity Analytics.
Choose Administration > Configuration.
Click Resource Types.
To create, rename, or delete an attribute category, do one of the following:
To create an attribute category for a given resource type, do this:
Click the resource type and click New Attribute Category.
Complete the form as follows:
Attribute Category Name - Type the name of the attribute category.
Category Order - Type a number to specify where the tab for this attribute category should appear relative to the other tabs in the tab sequence on the Accounts and Policies pages. For example, type 1 to have the tab appear in the first position.
Link Attributes option and Parent menu - The Link Attributes option should only be selected when Oracle Identity Analytics is integrated with Oracle Identity Manager. In the Parent menu, select the field that is defined as the OIAParentAttribute in Oracle Identity Manager. This property is needed so that OIA can exchange data with OIM.
For more information, see "Integrating With Oracle Identity Manager, Preferred Method" in the System Integrator's Guide for Oracle Identity Analytics.
Oracle Identity Analytics creates the new attribute category.
To rename an attribute category, do this:
Click the attribute category and click Rename.
Type the new name and click Save.
To delete an attribute category, do this:
Click the attribute category.
Click Delete.
A dialog box confirms the deletion.
Oracle Identity Analytics provides a detailed properties page to define an attribute. The following parameters are used to define an attribute.
Table 11-1 Attribute Parameters

| Parameter | Description |
|---|---|
| Description | Description of the attribute |
| Min Length | The minimum length that can be specified for an attribute |
| Max Length | The maximum length that can be specified for an attribute |
| Case | Specifies whether the attribute value can be uppercase or lowercase |
| Edit Type | Specifies the data type of the attribute |
| Order | Specifies the order in which the attribute is listed or imported |
| Min Value | The minimum value that the attribute can have |
| Default Value | The default value an attribute should have when it is imported |
| Values | A predefined list of values that the attribute can have |
| Excluded Value | A value that an attribute cannot have when it is imported |
| Label | The display label for the attribute |
| Classifications | Free-form labels or tags that should be associated with the attribute. For example, Invoicing, Purchasing, Accounting. |
In addition, the following flags further define an attribute:
Table 11-2 Additional Attribute Flags

| Flag | Description |
|---|---|
| Space Allowed | Allows attribute values to contain a space |
| Hidden | Hides the attribute value (for example, for password fields) |
| Managed | Must be set for the attribute to be displayed or imported |
| Importable | Allows the attribute to be imported from a CSV or text file |
| Certifiable | Specifies that the attribute can be certified, for example in a Data Owner certification |
| Multiple Value | Allows an attribute to hold multiple comma-separated values |
| Mandatory | When selected, specifies all the privileges for the attribute, such as managed, importable, and so on |
| Auditable | Allows the attribute to be checked for audit exceptions |
| Minable | Allows Oracle Identity Analytics to use the attribute in role engineering (role mining) operations |
Log in to Oracle Identity Analytics.
Choose Administration > Configuration.
Click Resource Types.
To create an attribute, do this:
Highlight the Attribute Category under which you want to create an Attribute and click the New Attribute tab.
A dialog box appears.
Enter the New Attribute values.
To rename an attribute, do this:
Click Rename for the appropriate attribute.
A dialog box appears.
Enter the new name and save it.
To edit an attribute, do this:
Click Modify for the appropriate attribute.
Modify the required values.
To delete an attribute, do this:
Click Delete for the appropriate attribute.
A dialog box confirming the action appears.
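The following is an added example, not part of this guide or of the OIA import engine. It shows what the attribute parameters of Table 11-1 and the flags of Table 11-2 mean in practice by validating imported account rows against metadata built from them: a UID of 0, a shell outside the predefined list, or a membership of an excluded group is rejected before it reaches the warehouse. The reading of each parameter and flag, the hypothetical "UNIX" metadata, and the sample rows are this example's own assumptions.

```python
"""Added example (not OIA code): validating imported account-attribute values
against metadata modelled on the parameters and flags in Tables 11-1 and 11-2.

The parameter semantics below are this example's reading of the tables:
  * Min/Max Length, Case, Edit Type, Min Value, Values, Excluded Value and
    Default Value constrain each value;
  * Space Allowed, Multiple Value (comma-separated), Mandatory and Importable
    change how a cell is accepted.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AttributeDef:
    name: str
    min_length: int = 0
    max_length: Optional[int] = None
    case: Optional[str] = None            # "upper", "lower" or None (either)
    edit_type: str = "string"             # "string" or "integer"
    min_value: Optional[int] = None       # integers only
    values: Optional[frozenset] = None    # predefined list, if any
    excluded_values: frozenset = field(default_factory=frozenset)
    default_value: Optional[str] = None
    space_allowed: bool = True
    multiple_value: bool = False
    mandatory: bool = False
    importable: bool = True


def _check_one(attr: AttributeDef, value: str):
    """Problems with a single (already split) value."""
    problems = []
    if len(value) < attr.min_length:
        problems.append(f"{attr.name}: {value!r} shorter than {attr.min_length}")
    if attr.max_length is not None and len(value) > attr.max_length:
        problems.append(f"{attr.name}: {value!r} longer than {attr.max_length}")
    if attr.case == "upper" and value != value.upper():
        problems.append(f"{attr.name}: {value!r} must be uppercase")
    if attr.case == "lower" and value != value.lower():
        problems.append(f"{attr.name}: {value!r} must be lowercase")
    if not attr.space_allowed and " " in value:
        problems.append(f"{attr.name}: spaces not allowed in {value!r}")
    if attr.edit_type == "integer":
        try:
            number = int(value)
        except ValueError:
            problems.append(f"{attr.name}: {value!r} is not an integer")
            return problems
        if attr.min_value is not None and number < attr.min_value:
            problems.append(f"{attr.name}: {number} below minimum {attr.min_value}")
    if attr.values is not None and value not in attr.values:
        problems.append(f"{attr.name}: {value!r} not in predefined values")
    if value in attr.excluded_values:
        problems.append(f"{attr.name}: {value!r} is an excluded value")
    return problems


def validate_cell(attr: AttributeDef, raw: Optional[str]):
    """Validate one CSV cell for one attribute; returns a list of problems."""
    if not attr.importable:
        return [f"{attr.name}: attribute is not importable"] if raw else []
    if raw is None or raw.strip() == "":
        if attr.default_value is not None:
            raw = attr.default_value            # Default Value fills an empty cell
        elif attr.mandatory:
            return [f"{attr.name}: mandatory value missing"]
        else:
            return []
    parts = [p.strip() for p in raw.split(",")] if attr.multiple_value else [raw.strip()]
    problems = []
    for part in parts:
        problems.extend(_check_one(attr, part))
    return problems


def validate_row(defs, row):
    """Validate a whole imported account row (dict of attribute name -> cell)."""
    problems = []
    for attr in defs:
        problems.extend(validate_cell(attr, row.get(attr.name)))
    return problems


# Constructed metadata for a hypothetical "UNIX" resource type (not shipped with OIA).
UNIX_ATTRIBUTES = [
    AttributeDef("uid", edit_type="integer", min_value=1000,
                 excluded_values=frozenset({"0"}), mandatory=True, space_allowed=False),
    AttributeDef("shell", values=frozenset({"/bin/bash", "/bin/sh", "/sbin/nologin"}),
                 default_value="/sbin/nologin", space_allowed=False),
    AttributeDef("groups", multiple_value=True, case="lower", max_length=32,
                 excluded_values=frozenset({"wheel", "root"})),
    AttributeDef("gecos", max_length=64),
]

if __name__ == "__main__":
    rows = [  # constructed sample rows
        {"uid": "1001", "shell": "/bin/bash", "groups": "dev,ops", "gecos": "A. Baker"},
        {"uid": "0", "shell": "/bin/zsh", "groups": "wheel,Dev", "gecos": ""},
        {"uid": "", "groups": "audit"},
    ]
    for row in rows:
        print(row, "->", validate_row(UNIX_ATTRIBUTES, row) or "OK")
```

The second sample row shows why Excluded Value and Min Value are worth setting on privileged attributes: a root UID or a wheel membership arriving in a feed is caught as data, rather than discovered later as an audit violation. The third row shows a Default Value filling a missing shell while the missing mandatory UID still fails.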
A Provisioning Server is a server or system that administers user accounts on target resources. Oracle Identity Analytics supports several provisioning platforms. In addition, Oracle Identity Analytics can import provisioning information from a file, as well as export to a file.
The provisioning server types documented in this section are:
Oracle Identity Manager (OIM)
Oracle Waveset (previously Sun Identity Manager)
File
Note:
By default, the Administration > Configuration > Provisioning Servers tab displays file and sun as the available options. To display other supported provisioning servers, edit iam-context.xml in the RBACX_Home/WEB-INF folder.
For more information, refer to the following chapters in the System Integrator's Guide for Oracle Identity Analytics.
For Oracle Identity Manager, see the "Integrating With Oracle Identity Manager, Preferred Method" chapter.
For Oracle Waveset, see the "Integrating With Oracle Waveset (Sun Identity Manager)" chapter.
Log in to Oracle Identity Analytics.
Choose Administration > Configuration.
Click Provisioning Servers.
Click New Provisioning Server Connection.
The New Provisioning Server Connection wizard asks you to choose the type of provisioning server connection to create.
Choose the correct provisioning server type for your environment and click Next.
Complete the form:
If you selected Oracle Identity Manager- refer to Table 11-3 for information about how to complete the form.
If you selected Oracle Waveset (Sun Identity Manager) - refer to Table 11-4 for information about how to complete the form.
If you selected File - refer to Table 11-5 for information about how to complete the form.
Table 11-3 Help on Completing the Oracle Identity Manager New Provisioning Server Connection Form

| Field | Description |
|---|---|
| Server Name | Type the Oracle Identity Manager server name. |
| Xellerate Home | Type the path to the (Example: If Oracle Identity Manager is on a separate machine, create a local |
| Login Config | Type the path to the authentication configuration ( (Example: |
| User Name | Enter the OIM user name (for example, |
| Password | Enter the OIM password. |
Table 11-4 Help on Completing the Oracle Waveset (Sun Identity Manager) New Provisioning Server Connection Form

| Field | Description |
|---|---|
| Connection Name | Type a new connection name for Oracle Waveset (Sun Identity Manager). This connection name is used during the import process instead of the host name and port. |
| SPML URL | Format the SPML URL as follows: For example: |
| User Name | Type the user name that Oracle Identity Analytics will use to connect to Oracle Waveset. Create a dedicated Oracle Waveset user account for this purpose; do not use the configurator account. For details, see "To Create an Oracle Waveset User That Oracle Identity Analytics Will Use to Connect" in the "Integrating With Oracle Waveset (Sun Identity Manager)" chapter of the System Integrator's Guide for Oracle Identity Analytics. |
| Password | Type the password that Oracle Identity Analytics will use to connect to Oracle Waveset. |
| Role Consumer | Select this box to export roles and role content from Oracle Identity Analytics to Oracle Waveset in real time. Oracle recommends that you select this option. |
| Role Update Schedule | Choose when to send role updates back to Oracle Waveset (Identity Manager). |
Table 11-5 Help on Completing the New Provisioning Server Connection Form - File Option

| Field | Description |
|---|---|
| Connection Name | Type a name for the new connection being created. This connection name is used to denote the file import process. |
| Import Drop Location | Specify the complete path to the drop folder where the input file to be imported is located. |
| Import Complete Location | Specify the complete path to the folder used in the import process. |
| Import Schema Location | Specify the complete path to the schema folder where the schema file for the import process is located. |
| Export Drop Location | Specify the path to the location where the output file will be dropped after a successful export. |
| Export Schema Location | Specify the path to the schema folder where the schema file for the export process is located. |
Oracle Identity Analytics enables you to create notification, reminder, and escalation e-mails based on the organization's needs. E-mail templates can contain HTML.
Log in to Oracle Identity Analytics.
Choose Administration > Configuration.
Click E-mail Templates.
Click New E-mail Template.
Complete the form using variable entries wherever required and click the Show Parameter hyperlink to select from the list of pre-configured parameters.
See Section 11.1.5.2, "E-mail Parameter Definitions" for more information.
Click Save.
Oracle Identity Analytics has 36 e-mail parameters (or variables) that can be selected when you create e-mail templates. Not every e-mail variable can be used with every template. If a variable is used in an unsupported scenario, the variable may appear as plain text in the e-mail, or, if the variable is used in the To or CC fields in an unsupported scenario, the e-mail may not be sent. Test your template before putting it into production.
| Name | Parameter | Definition | Applicable Modules |
|---|---|---|---|
| System Email | | Used to specify the system e-mail address. Example: This variable can be used in the From and Body fields of all e-mails. | All |
| User Email | | Used to specify the user's e-mail address, and the user's manager's e-mail address in cases where escalations occur within certifications. May also be used in workflow e-mail reminders, but not for escalations of workflow reminder e-mails. This variable can be used in the To field. | Certification (IDC) and Workflows |
| User Secondary Email | | Used to specify the user's secondary e-mail address, and the user's manager's secondary e-mail address in cases where escalations occur within certifications. This variable can be used in the To field. | Certification (IDC) |
| User Full Name | | Used to specify the user's full name. Example: Baker, Angela. This variable can be used in the Subject and Body fields. | Certification (IDC) |
| User Last Name | | Used to specify the user's last name. This variable can be used only in certain templates; use User Full Name otherwise. This variable can be used in the Subject and Body fields. | Certification (IDC) |
| User First Name | | Used to specify the user's first name. This variable can be used only in certain templates; use User Full Name otherwise. This variable can be used in the Subject and Body fields. | Certification (IDC) |
| Url | | Used to embed the Oracle Identity Analytics URL in an e-mail. This variable can be used in the Body field. | Certification (IDC) |
| Certification Name | | Used to specify the name of the certification being processed. This variable can be used in the Subject and Body fields. | Certification (IDC) |
| Report Name | | Used to specify the name of the report being processed. (It can be used to attach the report name in certifications, but not in reminders.) This variable can be used in the Subject and Body fields. | Certification (IDC) |
| Proxy User Email | | Used to specify the e-mail address of the proxy user. This variable can be used in the To, CC, and BCC fields of the proxy assignment e-mail template. | Certification (IDC) and Proxy (System) |
| Proxy User Fullname | | Used to specify the proxy user's full name. This variable can be used in the Subject and Body fields of the proxy assignment e-mail template. | Proxy (System) |
| Proxy StartDate | | Used to specify the start date of the proxy period. This variable can be used in the Body of the proxy assignment e-mail template. | Proxy (System) |
| Proxy EndDate | | Used to specify the end date of the proxy period. This variable can be used in the Body of the proxy assignment e-mail template. | Proxy (System) |
| User Manager Email | | Used to specify the e-mail address of the manager of the roleOwner, policyOwner, or other Owners. Used in workflow escalation e-mails. This variable can be used in the To, CC, and BCC fields. | Workflows |
| User Request RequesterName | | Used to specify the name of the user who initiated a request. This variable can be used in the Subject and Body fields. | Workflows |
| User Request Type | | Used to specify the request type (for example, "role change request"). This variable can be used in the Subject and Body fields. | Workflows |
| User Request Date | | Used to specify the date when a request was created. This variable can be used in the Subject and Body fields. | Workflows |
| User Role Name | | Used to specify the name of the role sent for approval. This variable can be used in the Subject and Body fields. | Workflows |
| User Role VersionNumber | | Used to specify the version number of the role sent for approval. This variable can be used in the Subject and Body fields. | Workflows |
| User RoleOwner Email | | Used to specify the e-mail addresses of the role owners who own roles for which a version is sent for approval. This variable can be used in the To, Subject, and Body fields. | Workflows |
| User PolicyOwner Email | | Used to specify the e-mail addresses of the policy owners who own policies for which a version is sent for approval. This variable can be used in the To, Subject, and Body fields. | Workflows |
| User Policy Name | | Used to specify the name of the policy whose version is sent for approval. This variable can be used in the Subject and Body fields. | Workflows |
| User Policy VersionNumber | | Used to specify the version number of the policy that is sent for approval. This variable can be used in the Subject and Body fields. | Workflows |
| Newly Reviewed Policy Owner Email | | Used to send an e-mail notification to individual policy owners when a policy they own is approved or rejected during the Policy Owner Approval step of the Role Modification workflow. This variable should only be used with the Approve Role and Reject Role workflow steps. Added in release 11.1.1.5. | Workflows |
| User Manager Name | | Used to specify the full name of the user's manager. This variable can be used in the Subject and Body fields. | Identity Audit (IDA) |
| User Manager | | Used to specify the e-mail address of the user's manager. This variable can be used in the To, CC, BCC, Subject, and Body fields. | Identity Audit (IDA) |
| Identity Audit Violation Name | | Used to display the name of the identity audit policy violation. This variable can be used in the Subject and Body fields. | Identity Audit (IDA) |
| Identity Audit Violation Action | | Used to display the event or type of action that resulted in an e-mail being sent to the user. This variable can be used in the Subject and Body fields. | Identity Audit (IDA) |
| Identity Audit Policy Owner Name | | Used to display the full name of the identity audit policy owner associated with the violation. This variable can be used in the Subject and Body fields. | Identity Audit (IDA) |
| Identity Audit Policy Owner Email | | Used to display the e-mail address of the identity audit policy owner associated with the violation. This variable can be used in the To, CC, BCC, Subject, and Body fields. | Identity Audit (IDA) |
| Identity Audit Violation Remediator Name | | Used to display the full name of the identity audit violation remediator associated with the violation. This variable can be used in the Subject and Body fields. | Identity Audit (IDA) |
| Identity Audit Violation Remediator Email | | Used to display the e-mail address of the identity audit violation remediator associated with the violation. This variable can be used in the To, CC, BCC, Subject, and Body fields. | Identity Audit (IDA) |
| Identity Audit Violation Old Remediator Name | | Used to display the full name of the previous identity audit violation remediator for a violation that is being assigned to a new remediator. This variable can be used in the Subject and Body fields. | Identity Audit (IDA) |
| Identity Audit Violation Old Remediator Email | | Used to display the e-mail address of the previous identity audit violation remediator for a violation that is being assigned to a new remediator. This variable can be used in the To, CC, BCC, Subject, and Body fields. | Identity Audit (IDA) |
| Identity Audit Violation Remediator Manager Email | | Used to display the e-mail address of the manager of the user who is currently the remediator of a violation. This variable can be used in the Subject and Body fields. | Identity Audit (IDA) |
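The following is an added example, not part of this guide or of the OIA product. The text above warns that a variable used in an unsupported scenario is rendered as plain text, and that one used in an unsupported To or CC field can stop the e-mail from being sent. This lint applies the field and module rules from the table to a template before it goes into production. The placeholder syntax `${Variable Name}` is this example's own assumption (the table's Parameter column is not reproduced here), and only a representative subset of the table is encoded in `RULES`; the sample templates are constructed.

```python
"""Added example (not OIA code): a pre-production lint for e-mail templates.
Every variable used in a template is checked against the field and module
rules from the parameter table, so that a variable in an unsupported
To/CC/BCC field (which can stop the mail being sent) is caught before the
template goes live.

Assumptions: the ${Variable Name} placeholder syntax is this example's own,
and RULES encodes only a subset of the table."""
import re

# variable name -> (allowed fields, applicable modules); "All" means every module.
RULES = {
    "System Email":                  ({"from", "body"}, {"All"}),
    "User Email":                    ({"to"}, {"Certification", "Workflows"}),
    "User Secondary Email":          ({"to"}, {"Certification"}),
    "User Full Name":                ({"subject", "body"}, {"Certification"}),
    "Url":                           ({"body"}, {"Certification"}),
    "Certification Name":            ({"subject", "body"}, {"Certification"}),
    "Proxy User Email":              ({"to", "cc", "bcc"}, {"Certification", "Proxy"}),
    "Proxy User Fullname":           ({"subject", "body"}, {"Proxy"}),
    "Proxy StartDate":               ({"body"}, {"Proxy"}),
    "Proxy EndDate":                 ({"body"}, {"Proxy"}),
    "User Manager Email":            ({"to", "cc", "bcc"}, {"Workflows"}),
    "User Request RequesterName":    ({"subject", "body"}, {"Workflows"}),
    "User Manager":                  ({"to", "cc", "bcc", "subject", "body"}, {"Identity Audit"}),
    "Identity Audit Violation Name": ({"subject", "body"}, {"Identity Audit"}),
}
ADDRESS_FIELDS = {"from", "to", "cc", "bcc"}
PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def lint_template(module, fields):
    """fields: dict of field name -> template text.

    Returns (severity, message) pairs; an empty list means the template is clean."""
    findings = []
    for field_name, text in fields.items():
        for name in PLACEHOLDER.findall(text or ""):
            name = name.strip()
            rule = RULES.get(name)
            if rule is None:
                findings.append(("error", f"{field_name}: unknown variable {name!r}"))
                continue
            allowed_fields, modules = rule
            ok_module = "All" in modules or module in modules
            ok_field = field_name in allowed_fields
            if ok_module and ok_field:
                continue
            reason = (f"not applicable to {module} templates" if not ok_module
                      else f"not supported in the {field_name} field")
            # An unusable variable in an address field can stop delivery;
            # elsewhere it is rendered as literal text.
            severity = "error" if field_name in ADDRESS_FIELDS else "warning"
            findings.append((severity, f"{field_name}: ${{{name}}} {reason}"))
    return findings


if __name__ == "__main__":
    proxy_template = {  # constructed sample, not a shipped template
        "from": "${System Email}",
        "to": "${Proxy User Email}",
        "subject": "You are now a proxy for ${User Full Name}",
        "body": "Proxy period ${Proxy StartDate} to ${Proxy EndDate}. ${Url}",
    }
    for sev, msg in lint_template("Proxy", proxy_template):
        print(f"[{sev}] {msg}")
```

Running the sample reports two warnings (User Full Name and Url are certification-only variables used in a proxy template) and no errors; a workflow-only address variable placed in the To field of a certification template is reported as an error, since that is the case in which the mail may never be sent.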
You can import the following in Oracle Identity Analytics:
Users
Roles
Accounts
Policies
Business Structures
Resource Metadata
Resources
Glossary
Details about importing are discussed in Chapter 2, "Oracle Identity Analytics Importing."
A workflow is a specific sequence of actions or tasks related to a business process. In Oracle Identity Analytics, workflows enumerate each step involved in processes such as role and policy creation and role and policy modification, and identify the actors responsible for managing roles and policies together with the function each performs.
Oracle Identity Analytics has eight workflows:
Role Creation Workflow
Role Modification Workflow
Role Membership Workflow
Mass Modification Workflow
Policy Creation Workflow
Policy Modification Workflow
Role Membership Rule Creation Workflow
Role Membership Rule Modification Workflow
Details about understanding and designing workflows are discussed in Chapter 6, "Oracle Identity Analytics Workflows."
The Event Listener mechanism allows a user to create listeners to business events that are happening in the system and take some actions when those events happen. An example of a business event is a user update, which occurs when some of the user attributes are updated. A listener, when created, defines the events to examine based on a condition, and also defines the actions that are to be executed by the system in response to those events.
Log in to Oracle Identity Analytics.
Choose Administration > Configuration.
Click Event Listeners.
Click Add Event Listener.
The new event listener form opens.
Type the name by which the event listener will be identified, a description, and the status, then click Next.
Add a condition that will be evaluated when an event takes place, then click Next. (For example, when a user is updated, a condition can check whether the user's title property or location property has changed.)
The Action Types form opens, listing the actions the system will take when an event matching the condition occurs.
Select one or more of the following actions to execute when an event condition is met:
Run Business Structure Membership Rules - Runs the selected user-to-business structure rules.
Run Role Membership Rules - Runs the selected role membership rules on users.
Run Identity Audit Scans - Runs the selected identity audit policies on the users that match the condition.
Create User Entitlement Certifications - Creates a user entitlement certification.
Configure the form, then click Finish.
Table 11-7 Action Types Selected (Add Event Listener) Form Properties

| Listener Action Properties | Description |
|---|---|
| Status | Select Enable to run the action. Clear the checkbox if the action should not be executed. |
| Threshold Levels: Time Delay | Type the Hours and/or Minutes to wait before executing the actions. The timer begins when the first event occurs. All events after the timer starts are queued until the timer expires. |
| Threshold Levels: Event Count | Select Event Count and type a number to set the upper limit on the number of events that can occur during the time delay interval for an action. If the event count exceeds this limit, the action is not executed. Use this to avoid executing an action in response to bulk updates. |
| Actions | Add the rules that will run against the subjects that match this event listener when the threshold levels are met. |
| Certification Configuration | Enter details about the certification that should be created when an event condition is met. For help completing the Configuration Details section, see Section 11.2.1.2, "Help on Completing the Identity Certification Configuration Options." |
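The following is an added example, not part of this guide or of the OIA event-listener implementation. It simulates the threshold behaviour described in Table 11-7: a condition selects user-update events, the first matching event starts the Time Delay timer, later events queue until it expires, and the action then runs once for the whole batch unless the Event Count limit was exceeded, in which case the batch is dropped. The integer-minute clock, the callable action, and the scenario of an HR bulk load are this example's own assumptions.

```python
"""Added example (not OIA code): the Time Delay and Event Count thresholds of
an event listener, simulated so the bulk-update guard can be seen working.

Assumptions: the clock is an integer number of minutes supplied by the caller,
and the action is any callable that receives the queued batch."""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class ListenerConfig:
    name: str
    condition: Callable[[dict, dict], bool]      # (before, after) -> matches?
    delay_minutes: int                           # Time Delay threshold
    event_count_limit: Optional[int]             # Event Count threshold; None = off
    action: Callable[[list], None]


@dataclass
class EventListener:
    cfg: ListenerConfig
    queue: list = field(default_factory=list)
    timer_expires_at: Optional[int] = None
    log: list = field(default_factory=list)      # (outcome, batch size) history

    def on_user_update(self, now: int, before: dict, after: dict) -> bool:
        """Feed one user-update event; returns True if the condition matched."""
        if not self.cfg.condition(before, after):
            return False
        if self.timer_expires_at is None:
            # The timer starts with the first event; later events only queue.
            self.timer_expires_at = now + self.cfg.delay_minutes
        self.queue.append(after)
        return True

    def tick(self, now: int):
        """Called periodically; fires the batch once the delay has elapsed."""
        if self.timer_expires_at is None or now < self.timer_expires_at:
            return None
        batch, self.queue, self.timer_expires_at = self.queue, [], None
        limit = self.cfg.event_count_limit
        if limit is not None and len(batch) > limit:
            outcome = ("suppressed", len(batch))       # bulk update: do not act
        else:
            self.cfg.action(batch)
            outcome = ("executed", len(batch))
        self.log.append(outcome)
        return outcome


def title_or_location_changed(before: dict, after: dict) -> bool:
    """The condition from the text: fire when title or location changed."""
    return any(before.get(k) != after.get(k) for k in ("title", "location"))


def run_scenario(event_count: int, limit: Optional[int] = 20):
    """Push event_count qualifying updates in one minute, then advance the clock."""
    certified = []
    listener = EventListener(ListenerConfig(
        name="transfer-recert", condition=title_or_location_changed,
        delay_minutes=30, event_count_limit=limit,
        action=lambda batch: certified.extend(u["id"] for u in batch)))
    for i in range(event_count):
        listener.on_user_update(0, {"id": i, "location": "NYC"}, {"id": i, "location": "LON"})
    # A non-matching update (nothing changed) is ignored entirely.
    listener.on_user_update(1, {"id": "x", "title": "Analyst"}, {"id": "x", "title": "Analyst"})
    assert listener.tick(10) is None                   # delay not yet elapsed
    return listener.tick(30), certified


if __name__ == "__main__":
    print("5 transfers:", run_scenario(5)[0])                   # executed
    print("500 transfers (HR bulk load):", run_scenario(500)[0])  # suppressed
```

Five location changes inside the window produce one action over five users; five hundred, as a bulk HR load would, exceed the limit and the action is skipped for that window. Choose the limit from the normal rate of the event you are listening for: a limit set below the genuine daily volume silently drops legitimate events.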
This section documents the configuration pages that are available when you choose Administration > Settings from the menu bar.
This section describes how to configure the Oracle Identity Analytics identity certification feature. One related topic, "Configuring Identity Certification Batch Sizes in the UI", is covered in the "Customizing the Oracle Identity Analytics User Interface" chapter of the System Integrator's Guide for Oracle Identity Analytics.
Log in to Oracle Identity Analytics.
Choose Administration > Settings.
Click Identity Certification.
The Certification Configuration page opens.
Click a section to expand it.
Complete the form and click Save.
For help completing the form, see the following sections.
Before You Begin - See Section 11.2.1.1, "To Configure Identity Certification" for help opening the Certification Configuration page.
| Option | Description |
|---|---|
| Business Structure Hierarchy / Hierarchy Depth | Select the Business Structure Hierarchy option to include in a certification all the users in the business structure and all the users in the business structures under it, down to the hierarchy depth chosen by the administrator. |
| Allow multiple open certifications per business structure | Select to allow the system to have more than one certification with an open status per business structure. |
| Password required to complete certifications | Select to require certifiers to enter their password when signing off, so that completing a certification is an authenticated action. |
| Send E-mail copies to Admin for new certifications | Select to send a copy of the notification to the admin when a new certification is created. |
| Create single certification for all managers of a business structure | Select to let multiple managers review a single certification. The system tracks the actions each manager performs, with a timestamp. Clear this option to create one certification per business structure manager. |
| Disallow self-certification | Select to prevent managers from certifying their own access. Enabling this option lets the certification creator assign the certification to an alternate reviewer. |
| Enable access to Oracle Identity Manager Provisioning Server | Select to enable Oracle Identity Manager (OIM) to revoke or re-provision target system accounts based on the revocations and certifications made during the Oracle Identity Analytics certification process. |
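The following is an added example, not part of this guide or of the OIA certification engine. It shows how three of the options above shape the certifications created for a business structure: Business Structure Hierarchy / Hierarchy Depth decides which users are in scope, Create single certification for all managers decides whether there is one certification or one per manager, and Disallow self-certification removes a manager's own access from their certification. The business structure tree, the user records, and the routing of self-entries into a separate certification for an alternate reviewer are this example's own modelling assumptions.

```python
"""Added example (not OIA code): how Hierarchy Depth, single-vs-per-manager
certifications and Disallow self-certification shape the certifications that
get created for a business structure.

Assumptions: the tree, user records and the routing of a manager's own access
to an alternate reviewer are this example's modelling, not OIA's data model."""
from dataclasses import dataclass, field


@dataclass
class BusinessStructure:
    name: str
    managers: list
    members: list                                  # user ids with access to certify
    children: list = field(default_factory=list)


@dataclass
class CertConfig:
    include_hierarchy: bool = False                # Business Structure Hierarchy option
    hierarchy_depth: int = 1
    single_cert_for_all_managers: bool = True
    disallow_self_certification: bool = False
    alternate_reviewer: str = "alt-reviewer"


@dataclass
class Certification:
    reviewers: list
    entries: list                                  # user ids to be certified


def users_in_scope(bs: BusinessStructure, include_hierarchy: bool, depth: int):
    """Members of bs, plus members of descendants down to `depth` levels below it."""
    scope = list(bs.members)
    if include_hierarchy and depth > 0:
        for child in bs.children:
            scope.extend(users_in_scope(child, True, depth - 1))
    return scope


def build_certifications(bs: BusinessStructure, cfg: CertConfig):
    users = users_in_scope(bs, cfg.include_hierarchy, cfg.hierarchy_depth)
    if cfg.single_cert_for_all_managers:
        certs = [Certification(list(bs.managers), list(users))]
    else:
        certs = [Certification([m], list(users)) for m in bs.managers]
    if not cfg.disallow_self_certification:
        return certs
    # Pull every entry a reviewer would certify for themselves into one
    # certification for the alternate reviewer (modelling assumption).
    reassigned = []
    for cert in certs:
        own = [u for u in cert.entries if u in cert.reviewers]
        cert.entries = [u for u in cert.entries if u not in cert.reviewers]
        for u in own:
            if u not in reassigned:
                reassigned.append(u)
    if reassigned:
        certs.append(Certification([cfg.alternate_reviewer], reassigned))
    return certs


def sample_tree():
    """Constructed org tree; manager 'm1' also holds access inside the units they manage."""
    ops = BusinessStructure("Ops", ["m1"], ["u3", "m1"])
    db = BusinessStructure("DB", ["m3"], ["u4"])
    eng = BusinessStructure("Engineering", ["m1", "m2"], ["u1", "u2", "m1"], [ops, db])
    root = BusinessStructure("IT", ["cio"], ["u0"], [eng])
    return root, eng


if __name__ == "__main__":
    root, eng = sample_tree()
    for depth in (0, 1, 2):
        print("IT, depth", depth, "->", users_in_scope(root, True, depth))
    cfg = CertConfig(include_hierarchy=True, hierarchy_depth=1,
                     single_cert_for_all_managers=False, disallow_self_certification=True)
    for cert in build_certifications(eng, cfg):
        print(cert.reviewers, "certify", cert.entries)
```

With the per-manager and self-certification options set, m1's certification no longer contains m1's own access, m2 still reviews it (a peer manager is not a self-certifier), and the alternate reviewer receives a third certification holding only m1. Without Disallow self-certification, m1 would be approving their own entitlements, which is the separation-of-duties gap the option exists to close.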
| Option | Description |
|---|---|
| Allow comments on all non-certify selections | Select to allow the user to type a comment when a revoke or other non-certify action is selected. The system does not require a comment. |
| Allow comments on certify selections | Select to allow the user to type a comment when a certify action is selected. The system does not require a comment. |

| Option | Description |
|---|---|
| Select the users to certify based on the following criteria | Complete this section to select whose entitlements should be reviewed. |
| Select the items to certify for each user | Complete this section to select what will be certified. |
View User Activity Information |
Allows the certifier to see the user's recent account activity. Note - This feature is functional if Oracle Identity Analytics is integrated with Intellitactics Security Manager. To learn about this feature, see "Integrating with Intellitactics Security Manager" in the System Integrator's Guide for Oracle Identity Analytics. |
Employee Verification Required |
Select this to require managers to verify the work status (Works For Me, Does Not Work For Me, Terminated, Reports To...) of their assigned employees, then select the Create new certification per reporting manager option. |
Create new certification per reporting manager |
Select this to create a new certification if, during the employee verification process, the certifier selects "Reports To" and names a new manager for the user. |
Employee Verification |
Select the following options to make them available to managers during the employee verification process. Click Edit Label to change the name of an employee verification action option.
|
---|---|
Certification Sign off |
Select the following options to make them available to managers during the certification process. Click Edit Label to change the name of a certification action option.
|
Certify Entitlements |
Choose one of the following:
|
---|
Data Owner Verification |
Select the following options to make them available to certifiers during the data owner verification process. Click Edit Label to change the name of a data owner verification action option.
|
---|---|
Approve or Revoke Data Access |
Select the following options to make them available to certifiers during the certification process. Click Edit Label to change the name of a data owner certification action option.
|
Certify Resources |
Choose one of the following:
|
---|
Resource Verification |
Select the following options to make them available to end-users during the resource-entitlement verification process. Click Edit Label to change the name of a resource verification action option.
|
---|---|
Verify employee access |
Select the following options to make them available to end-users during the certification process. Click Edit Label to change the name of a verify employee access action option.
|
Certify Roles |
Choose one of the following:
|
---|---|
Certify Policies |
Also certify policies that belong to roles, as well as attributes of the policy. |
Certify Members |
Also certify members that belong to roles. |
Role Verification |
Select the following options to make them available to end-users during the role verification process. Click Edit Label to change the name of a role verification action option.
|
---|---|
Policy, Entitlement, and Member Access |
Select the following options to make them available to end-users during the certification process. Click Edit Label to change the name of a verification or certification action option.
|
New Certification Notification |
|
---|---|
Upcoming Certification Notification |
|
Pending Certification Notification |
|
Certification Completion Notification |
|
Certification Expiry Notification |
|
Access Revoke |
|
---|---|
Reporting Changes |
|
Remediation |
|
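The Business Structure Hierarchy / Hierarchy Depth and Disallow self-certification options in the table above together decide who appears in a certification and who reviews each entry. The following is an added example, not Oracle Identity Analytics code: it walks a constructed business structure tree to the chosen depth and routes the certifying manager's own access to an alternate reviewer. The business structure names, users and the alternate reviewer "grace" are constructed sample data.

```python
# Added example (not Oracle Identity Analytics code): a model of how the
# "Business Structure Hierarchy / Hierarchy Depth" and "Disallow self-certification"
# options shape the contents of a certification. Names and data are constructed.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class BusinessStructure:
    """A node in the business structure tree; `manager` is its certifier."""
    name: str
    manager: str
    users: List[str]                      # users directly in this business structure
    children: List["BusinessStructure"] = field(default_factory=list)


def collect_users(bs: BusinessStructure, hierarchy_depth: int) -> List[str]:
    """Users in `bs` plus those in business structures below it, descending
    at most `hierarchy_depth` levels (0 = this business structure only)."""
    found = list(bs.users)
    if hierarchy_depth > 0:
        for child in bs.children:
            found.extend(collect_users(child, hierarchy_depth - 1))
    return found


def build_certification(bs: BusinessStructure, hierarchy_depth: int,
                        disallow_self_certification: bool,
                        alternate_reviewer: Optional[str] = None) -> List[Tuple[str, str]]:
    """Return (user, reviewer) pairs for one business-structure certification.
    The manager reviews everyone; with Disallow self-certification set, the
    manager's own access is routed to `alternate_reviewer` instead."""
    items = []
    for user in collect_users(bs, hierarchy_depth):
        reviewer = bs.manager
        if user == bs.manager and disallow_self_certification:
            if alternate_reviewer is None:
                raise ValueError(
                    f"{user} would certify their own access; an alternate reviewer is required")
            reviewer = alternate_reviewer
        items.append((user, reviewer))
    return items


# Constructed sample hierarchy: Finance -> Accounts Payable -> Invoicing.
INVOICING = BusinessStructure("Invoicing", manager="erin", users=["erin", "frank"])
ACCOUNTS_PAYABLE = BusinessStructure("Accounts Payable", manager="carol",
                                     users=["carol", "dan"], children=[INVOICING])
FINANCE = BusinessStructure("Finance", manager="alice",
                            users=["alice", "bob"], children=[ACCOUNTS_PAYABLE])

if __name__ == "__main__":
    for depth in (0, 1, 2):
        print(f"depth {depth}: {collect_users(FINANCE, depth)}")
    for user, reviewer in build_certification(FINANCE, 1, True, alternate_reviewer="grace"):
        print(f"{user:6} reviewed by {reviewer}")
```

Without an alternate reviewer, the self-certification case is an error rather than a silent fallback to the manager, which is the behaviour the option exists to prevent.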
This section describes how to configure the Oracle Identity Analytics role mining and "SoD evaluation of role assignment" feature.
Log in to Oracle Identity Analytics.
Choose Administration > Settings.
Click Role Management.
The Role Management page opens.
Click on New Excluded Value.
Complete the form by selecting the attribute value that needs to be excluded from mining and click Ok.
Log in to Oracle Identity Analytics.
Choose Administration > Settings.
Click Role Management.
The Role Management page opens.
Click on Roles.
Select from the following to perform an SoD evaluation of a role assignment:
Disallow Assignment - Blocks the assignment if there is a SoD Violation.
Allow Assignment and Flag Audit Exception - Allows the assignment even if there is a SoD violation, but flags the audit exception.
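The two settings above differ only in what happens once a conflict is found: one refuses the assignment, the other lets it through and records an audit exception. The following added example, which is not Oracle Identity Analytics code, models that decision over a constructed set of SoD rules; the rule names and role names are sample data, and only violations the new role takes part in are attributed to the assignment.

```python
# Added example (not Oracle Identity Analytics code): a model of the two
# "SoD evaluation of role assignment" settings. Rule and role names are constructed.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set

DISALLOW_ASSIGNMENT = "Disallow Assignment"
ALLOW_AND_FLAG = "Allow Assignment and Flag Audit Exception"


@dataclass(frozen=True)
class SodRule:
    """A rule is violated when a user holds every role in `conflicting_roles`."""
    name: str
    conflicting_roles: FrozenSet[str]


def violated_rules(roles: Set[str], rules: Iterable[SodRule]) -> List[SodRule]:
    """Rules whose whole conflicting set is held by the user."""
    return [r for r in rules if r.conflicting_roles <= roles]


def evaluate_role_assignment(current_roles: Set[str], new_role: str,
                             rules: Iterable[SodRule], mode: str) -> Dict:
    """Decide whether `new_role` may be added to `current_roles` under `mode`.

    Returns the decision, the resulting role set and any audit exceptions.
    Only violations that the new role takes part in count here; violations
    that already existed are left to the identity audit scans."""
    proposed = set(current_roles) | {new_role}
    introduced = [r for r in violated_rules(proposed, rules) if new_role in r.conflicting_roles]
    if not introduced:
        return {"decision": "assigned", "roles": sorted(proposed), "audit_exceptions": []}
    if mode == DISALLOW_ASSIGNMENT:
        # Assignment blocked: the user's roles are unchanged, nothing is flagged.
        return {"decision": "blocked", "roles": sorted(current_roles),
                "audit_exceptions": [], "violations": [r.name for r in introduced]}
    if mode == ALLOW_AND_FLAG:
        # Assignment goes through, one audit exception per violated rule.
        return {"decision": "assigned_with_exception", "roles": sorted(proposed),
                "audit_exceptions": [r.name for r in introduced]}
    raise ValueError(f"unknown SoD evaluation mode: {mode!r}")


# Constructed rules for an accounts-payable process.
RULES = [
    SodRule("AP entry vs. approval", frozenset({"AP-Clerk", "AP-Approver"})),
    SodRule("Vendor master vs. payment release",
            frozenset({"Vendor-Maintenance", "Payment-Release"})),
]

if __name__ == "__main__":
    for mode in (DISALLOW_ASSIGNMENT, ALLOW_AND_FLAG):
        print(mode, "->", evaluate_role_assignment({"AP-Clerk"}, "AP-Approver", RULES, mode))
```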
The identity audit configuration page provides the interface for setting up the e-mail notification preferences for audit policy violation events and actions.
Log in to Oracle Identity Analytics.
Choose Administration > Settings.
Click Identity Audit.
Select the desired configurations based on the requirements of the organization.
Follow these steps to prevent users from being able to remediate their own violations if their attributes, roles, or entitlements are causing a Segregation of Duties violation.
Log in to Oracle Identity Analytics.
Choose Administration > Settings.
Click Identity Audit.
Select Prevent Self-Remediation.
Note:
Self-remediation is allowed by default for Oracle Identity Analytics customers who upgraded from a version older than 11gR1 PS1 because previous versions of the product allowed self-remediation. Self-remediation, however, is not considered a best practice and customers are encouraged to choose the Prevent Self-Remediation option.
Use the Alternate reviewer select box to specify who should be the designated alternate reviewer. Choose from the following:
User Manager - Make the original reviewer's manager the designated reviewer/remediator.
Select - Type a name in the user search box to make a specific user the designated reviewer/remediator.
Log in to Oracle Identity Analytics.
Choose Administration > Settings.
Click Identity Audit.
Do one of the following in the Violation Reminder and Escalation section:
Select Send Email Reminder(s) to choose when and how frequently reminder e-mails are sent to the violation assignee when no action is taken on the violation after it is assigned. You can also choose the template for the reminder e-mail.
Select Escalate After Reminders to choose the maximum number of reminders to send before escalating the violation to the assignee's manager. You can also choose an e-mail template to use for the escalation notice.
Click Save.
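The Prevent Self-Remediation setting with its Alternate reviewer choice, and the Violation Reminder and Escalation settings, are easiest to reason about as one lifecycle: who the violation is routed to, how often they are reminded while nothing happens, and when it moves to their manager. The following added example, not Oracle Identity Analytics code, models that lifecycle; the reporting lines, the three-day interval, the two-reminder limit and the violation ids are constructed sample values.

```python
# Added example (not Oracle Identity Analytics code): a model of the Prevent
# Self-Remediation / Alternate reviewer settings and of the Violation Reminder
# and Escalation schedule. Names, dates, intervals and ids are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

USER_MANAGER = "User Manager"
SELECT = "Select"


def choose_remediator(violating_user: str, original_reviewer: str,
                      managers: Dict[str, str], prevent_self_remediation: bool,
                      alternate_reviewer: str = USER_MANAGER,
                      selected_user: Optional[str] = None) -> str:
    """Who the violation is assigned to. With Prevent Self-Remediation set, a
    reviewer who is also the violating user is replaced by the alternate."""
    if not prevent_self_remediation or original_reviewer != violating_user:
        return original_reviewer
    if alternate_reviewer == USER_MANAGER:
        return managers[original_reviewer]          # the original reviewer's manager
    if alternate_reviewer == SELECT:
        if not selected_user:
            raise ValueError("alternate reviewer 'Select' needs a user name")
        return selected_user
    raise ValueError(f"unknown alternate reviewer option: {alternate_reviewer!r}")


@dataclass
class OpenViolation:
    violation_id: str
    assignee: str
    assigned_at: datetime
    reminders_sent: int = 0
    escalated_to: Optional[str] = None


def due_notifications(v: OpenViolation, now: datetime, reminder_interval: timedelta,
                      escalate_after: int, managers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Reminders and escalations falling due by `now` for a violation with no
    action taken: one reminder per elapsed interval up to `escalate_after`,
    then a single escalation to the assignee's manager in the next interval.
    Updates the violation's counters so repeated calls never resend."""
    elapsed_intervals = (now - v.assigned_at) // reminder_interval
    sent: List[Tuple[str, str]] = []
    while v.reminders_sent < min(elapsed_intervals, escalate_after):
        v.reminders_sent += 1
        sent.append(("reminder", v.assignee))
    if (v.escalated_to is None and v.reminders_sent >= escalate_after
            and elapsed_intervals > escalate_after):
        v.escalated_to = managers[v.assignee]
        sent.append(("escalation", v.escalated_to))
    return sent


def run_schedule(assignee: str, check_days: List[int], interval_days: int,
                 escalate_after: int, managers: Dict[str, str]) -> Dict[int, List[Tuple[str, str]]]:
    """Check one violation (assigned on day 0) on each of `check_days` and
    return what was sent on each day."""
    start = datetime(2024, 1, 1)
    v = OpenViolation("SOD-0001", assignee, start)
    return {d: due_notifications(v, start + timedelta(days=d), timedelta(days=interval_days),
                                 escalate_after, managers)
            for d in check_days}


# Constructed reporting lines.
MANAGERS = {"bob": "alice", "alice": "zoe", "carol": "alice"}

if __name__ == "__main__":
    print(choose_remediator("bob", "bob", MANAGERS, prevent_self_remediation=True))
    for day, sent in run_schedule("bob", [1, 3, 6, 9, 12], 3, 2, MANAGERS).items():
        print(f"day {day:2}: {sent}")
```

A scheduler that has been down catches up on its next run: a violation first checked on day 9 sends both overdue reminders and the escalation in one pass, and a later check sends nothing more.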
Log in to Oracle Identity Analytics.
Go to Administration > Settings.
Click Identity Audit.
Select from the following options in the Violation Lifecycle Event Notifications section:
Send E-mail For New Violations - Choose an e-mail template and also send e-mail notifications to actors associated with the new violations that are created.
Send E-mail For Reopened Violations - Choose an e-mail template and send e-mail notifications to actors associated with the violations that are reopened.
Send E-mail For User or System Remediated Violations - Choose an e-mail template and also send e-mail notifications to actors associated with the violations that are closed as resolved by the system or user.
Send E-mail When Violation is Assigned - Choose an e-mail template and send e-mail notifications to actors associated with the violation that is assigned to a user.
Send E-mail When Violation Closed as Risk Accepted - Choose an e-mail template and send e-mail notifications to actors associated with the violation that is closed as risk accepted.
Click Save.
You can configure Oracle Identity Analytics to send e-mails to data owners using pre-defined e-mail templates. Reminder e-mails can be sent to data owners, the data owners' managers, and to the Information Security Department.
Log in to Oracle Identity Analytics.
Choose Administration > Settings.
Click Reports.
The Report Configuration page opens.
To configure the send-reminder-email workflow, select a reminder, select a reminder interval, and select an e-mail template.
E-mail templates are created on the E-mail Templates tab. For help, see Chapter 11, "E-mail Templates Configuration (Configuring E-mail Notification)" in the Oracle Identity Analytics Configuration chapter.
Click Save.
Only Privileged Users in Candidate Owner List - When associating role owners with roles or policy owners with policies, you can restrict the menu to only those users who have sufficient access rights to perform the job. To do so, enable this option. If this option is not enabled, the menu lists all users, which means it is possible to select a user who does not possess the permissions required to do the job.
Note:
If this feature is enabled, to appear in the menu the user must be assigned an OIA Role containing these user privileges:
Create Role (Policy)
Decommission Role (Delete Policy)
Update Role (Policy)
To manage Identity Warehouse Roles (Policies) from the UI, the following additional privileges must be assigned:
Access to Role (Policy) View
Access to My Requests
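The privileges listed above are the filter the option applies to the owner menu. The following added example, not Oracle Identity Analytics code, models that filter so an administrator can see why a user is or is not offered as a candidate owner. The privilege names are taken from the list above; the OIA roles, their privilege sets and the users are constructed sample data.

```python
# Added example (not Oracle Identity Analytics code): a model of the "Only
# Privileged Users in Candidate Owner List" option. Privilege names follow the
# documented list; OIA roles, their privileges and users are constructed.
from typing import Dict, FrozenSet, Iterable, List, Set

# Privileges a user must hold to appear in the owner menu.
REQUIRED_PRIVILEGES = {
    "role": frozenset({"Create Role", "Decommission Role", "Update Role"}),
    "policy": frozenset({"Create Policy", "Delete Policy", "Update Policy"}),
}
# Additional privileges needed to manage Identity Warehouse roles/policies from the UI.
UI_MANAGEMENT_PRIVILEGES = {
    "role": frozenset({"Access to Role View", "Access to My Requests"}),
    "policy": frozenset({"Access to Policy View", "Access to My Requests"}),
}


def effective_privileges(user: str, user_roles: Dict[str, Iterable[str]],
                         role_privileges: Dict[str, FrozenSet[str]]) -> Set[str]:
    """Union of the privileges granted by every OIA role assigned to `user`."""
    privileges: Set[str] = set()
    for role in user_roles.get(user, ()):
        privileges |= role_privileges.get(role, frozenset())
    return privileges


def missing_privileges(user: str, user_roles: Dict[str, Iterable[str]],
                       role_privileges: Dict[str, FrozenSet[str]],
                       kind: str = "role", manage_from_ui: bool = False) -> Set[str]:
    """Required privileges the user does not hold (empty set = eligible)."""
    required = set(REQUIRED_PRIVILEGES[kind])
    if manage_from_ui:
        required |= UI_MANAGEMENT_PRIVILEGES[kind]
    return required - effective_privileges(user, user_roles, role_privileges)


def candidate_owners(all_users: Iterable[str], user_roles: Dict[str, Iterable[str]],
                     role_privileges: Dict[str, FrozenSet[str]], only_privileged: bool,
                     kind: str = "role", manage_from_ui: bool = False) -> List[str]:
    """The owner menu: every user when the option is clear, otherwise only
    users holding all required privileges."""
    if not only_privileged:
        return sorted(all_users)
    return sorted(u for u in all_users
                  if not missing_privileges(u, user_roles, role_privileges, kind, manage_from_ui))


# Constructed OIA roles and assignments.
ROLE_PRIVILEGES = {
    "Role Administrator": frozenset({"Create Role", "Decommission Role", "Update Role",
                                     "Access to Role View", "Access to My Requests"}),
    "Role Author": frozenset({"Create Role", "Update Role", "Access to Role View"}),
    "Certifier": frozenset({"Access to My Requests"}),
}
USER_ROLES = {"alice": ["Role Administrator"], "bob": ["Role Author"], "carol": ["Certifier"]}
USERS = ["carol", "alice", "bob"]

if __name__ == "__main__":
    print("option clear:", candidate_owners(USERS, USER_ROLES, ROLE_PRIVILEGES, False))
    print("option set:  ", candidate_owners(USERS, USER_ROLES, ROLE_PRIVILEGES, True))
    for u in USERS:
        print(u, "missing", sorted(missing_privileges(u, USER_ROLES, ROLE_PRIVILEGES)))
```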