11 Oracle Identity Analytics Configuration and Settings

This chapter has two parts: The first section documents the configuration pages that are available from the menu bar under Administration > Configuration, and the second section documents the pages that are available under Administration > Settings.

Configuration Pages Help Topics

Settings Pages Help Topics

11.1 Configuration Pages

This section documents the configuration pages that are available when you choose Administration > Configuration from the menu bar.

11.1.1 System Configuration

This section describes how to configure settings for the Proxy Assignment Notifications, Mail Server Settings, and OIA Server Settings options.

11.1.1.1 Proxy Assignment Notification

This option enables e-mail notifications to be sent to the users who have been set as proxies using the My Settings > New Proxy Assignment tab. An e-mail template can be selected for the proxy user.

11.1.1.2 Mail Server Settings

This option helps in setting up the mail server.

  • Email Encoding - UTF-8

  • SMTP Server Name - mail.example.com

  • SMTP Port - 25

  • SMTP Authentication - Select if required

11.1.1.3 OIA Server Settings

This option helps in setting up the Oracle Identity Analytics server.

  • System Email - rbacx@example.com

  • OIA URL - http://localhost:8282/rbacx


11.1.2 Risk Mapping

For a discussion of Risk Mapping, see Section 1.4, "Understanding How Risk Summaries are Calculated."

11.1.2.1 External Provisioning (Provisioning Scenarios)

Use this screen to assign risk levels to roles and entitlements that are assigned to users outside of Oracle Identity Analytics.

Note - To use this feature, Oracle Identity Analytics must be configured to capture "provisioned-by" information for entitlements. This information needs to originate from an authoritative source, such as Oracle Identity Manager. "Provisioned-by" information cannot currently be captured in file-based imports.

Enable Provisioning Method Risks

Select to assign a high, medium, or low default risk level for each provisioning scenario listed on the page.

  • Reconciliation from target system - Applies to user access that was created outside of OIA when an identity and access management (IAM) system reconciled its identities with those of the target system.

  • Direct provisioning by administrator - Applies to user access that was manually assigned to the user outside of OIA by an administrator in an identity and access management system.

  • Access request - Applies to access that was assigned as the result of an access request.

  • Provisioned by access policy - Applies to user access that was assigned by an access policy that is defined outside of OIA.

  • Rule-based role-assignment - Applies to user access that was assigned due to a rule assigning a role to a user based on one or more properties that triggered the rule.

11.1.2.2 System Defaults

Use this screen to assign risk levels to roles and entitlements that are assigned to users from within Oracle Identity Analytics.

WARNING:

Do not make frequent changes to risk level mappings.

Changing risk level mappings can cause a huge ripple effect in the Identity Warehouse. Each change to a risk-level mapping affects every account or account-attribute value, every user-role assignment, and every user in the system.

For more information, see Section 1.4.3, "Understanding How Changing Risk Configuration Values Impacts the System."

Assignment Scenarios

Assign high, medium, or low risk levels to the following provisioning actions applied from within OIA:

  • Rule-based role assignment - Applies to user access that was assigned because of a rule in OIA.

  • Role mining role assignment - Applies to user access that was assigned during the OIA role mining process. The role mining process discovers relationships between users based on similar access permissions that can logically be grouped to form a role.

  • Approval request - Applies to an access request that was assigned after an OIA approval process was completed.

  • Import process - Applies to user access that was created during the role import process, during which roles from one or more external systems are imported into OIA.

  • Unknown action - Applies to user access that was assigned, but details about the assignment are not available in OIA.

Warehouse Settings

Assign high, medium, or low Item-Risk levels to OIA data warehouse items. If you do not directly assign an Item-Risk level to a metadata object in the Identity Warehouse, the system references the following settings to assign a default Item-Risk level for you.

  • Roles - Select the risk level that should be applied to Roles that otherwise do not have an assigned Item-Risk level.

    Roles represent unique job functions performed by users. Roles contain Policies that describe the access that individuals have on a directory.

  • Resources - Select the risk level that should be applied to Resources that otherwise do not have an assigned Item-Risk level.

    Resources are the applications and enterprise information assets that users need to do their jobs.

  • Entitlements - Select the risk level that should be applied to Entitlements that otherwise do not have an assigned Item-Risk level.

    Note:

    If you change the Entitlements setting, the system assigns the new risk level to all Resource-Attribute Values that (1) were imported into the Identity Warehouse by way of an Account import, and (2) do not have a directly-assigned Item-Risk level. Resource-Attribute Values that were imported by way of a Glossary import, however, are not assigned a new risk level when the Entitlements risk-mapping setting is changed.

    Each Entitlement is a specific value of a specific resource-attribute. A particular resource-attribute may have many values, each of which could be defined as an entitlement that confers a specific access-privilege.
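As an added illustration of the fallback and the ripple described above (example code, not part of the Oracle documentation and not Oracle Identity Analytics code), the following Python models a small Identity Warehouse: an item reports its directly assigned Item-Risk if it has one, otherwise the Warehouse Settings default for its kind, and changing a default re-stamps only the items the note says are affected. The class and field names, the sample items, and the assumption that glossary-imported entitlements simply keep the level they were stamped with at import time are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

RISK_LEVELS = ("low", "medium", "high")


@dataclass
class WarehouseItem:
    """Hypothetical Identity Warehouse object: a role, resource or entitlement."""
    name: str
    kind: str                              # "role", "resource" or "entitlement"
    direct_risk: Optional[str] = None      # Item-Risk assigned directly on the object, if any
    import_source: Optional[str] = None    # entitlements only: "account" or "glossary"
    assigned_risk: Optional[str] = None    # level the system last stamped on the item


class WarehouseRiskDefaults:
    """Model of the Warehouse Settings mapping (Roles / Resources / Entitlements).

    Assumption: a level is stamped on each item at import time and, when a
    mapping changes, only the items the page describes as affected are re-stamped.
    """

    def __init__(self, roles: str = "medium", resources: str = "medium",
                 entitlements: str = "medium") -> None:
        self.defaults: Dict[str, str] = {
            "role": roles, "resource": resources, "entitlement": entitlements}
        for level in self.defaults.values():
            if level not in RISK_LEVELS:
                raise ValueError(f"unknown risk level {level!r}")

    def stamp_on_import(self, item: WarehouseItem) -> str:
        """An item without a direct Item-Risk receives the current default for its kind."""
        item.assigned_risk = item.direct_risk or self.defaults[item.kind]
        return item.assigned_risk

    def change_default(self, kind: str, new_level: str,
                       items: List[WarehouseItem]) -> List[str]:
        """Change one mapping; return the names of items whose level changed (the ripple)."""
        if new_level not in RISK_LEVELS:
            raise ValueError(f"unknown risk level {new_level!r}")
        self.defaults[kind] = new_level
        rippled: List[str] = []
        for item in items:
            if item.kind != kind or item.direct_risk is not None:
                continue                  # directly assigned levels are never overridden
            if kind == "entitlement" and item.import_source == "glossary":
                continue                  # glossary-imported values keep their old level
            if item.assigned_risk != new_level:
                item.assigned_risk = new_level
                rippled.append(item.name)
        return rippled


def effective_risk(item: WarehouseItem) -> Optional[str]:
    """Level the warehouse reports: the direct Item-Risk first, else the stamped default."""
    return item.direct_risk or item.assigned_risk


def demo() -> List[str]:
    # Constructed sample warehouse; names and import sources are invented.
    items = [
        WarehouseItem("Finance Admin", "role"),
        WarehouseItem("ERP-PROD", "resource", direct_risk="high"),
        WarehouseItem("AP_CLERK", "entitlement", import_source="account"),
        WarehouseItem("GL_POST", "entitlement", import_source="glossary"),
        WarehouseItem("SUPERUSER", "entitlement", direct_risk="high", import_source="account"),
    ]
    mapping = WarehouseRiskDefaults()
    for item in items:
        mapping.stamp_on_import(item)
    # Raising the Entitlements default touches only AP_CLERK: GL_POST came from a
    # Glossary import and SUPERUSER carries a direct Item-Risk.
    return mapping.change_default("entitlement", "high", items)


if __name__ == "__main__":
    print("items re-stamped by the change:", demo())
```

Counting what `change_default` returns before committing a mapping change in a real warehouse is the check the warning in this section asks for: the list is the ripple, and in a populated system it will be long.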

Last Certification Action

Assign high, medium, or low risk levels to the last action performed against a certification entry, as follows:

  • Certified - Applies to a certification item that was approved during the previous certification.

  • Revoked - Applies to a certification item that was revoked during the previous certification.

  • Abstain - Applies to a certification item for which, during the previous certification, the certifier indicated that they were not responsible for reviewing or certifying the item.

  • Certify Conditionally - Applies to a certification item that was temporarily certified during the previous certification, even though the certification may not be valid. Certifiers who select this action are required to enter an end date. The system does not revoke the access or send out notices regarding expired end dates.

  • Unknown Action - Applies to a certification item that has not been acted on yet. This occurs when a certification is run for the first time, so there is no base value to refer to.

Audit Violations

Assign high, medium, or low risk levels to items associated with an audit trail, as follows:

  • Open audit violations - Applies to items that are associated with an unresolved audit violation.

  • No audit violations - Applies to items that are not associated with an audit violation.

  • Closed as risk-accepted - Applies to items that were flagged during an Identity Audit, but were closed as risk-accepted.

11.1.3 Resource Types Configuration

In Oracle Identity Analytics, a resource is an application or some other enterprise information asset that users need to do their jobs, whereas a resource type is a grouping of like resources. A resource type defines meta-data common to all resources of that type. For example, a resource type of "Oracle DBMS" might define entitlements (that is, attribute-values of Oracle database accounts) that are common to all database instances. Each resource of that type represents a specific database instance to which a user might have access.

Systems such as UNIX®, Windows, Oracle DBMS, and so on are commonly defined as resource types, whereas individual servers or databases are examples of resources.

Administrators need to create and define resource types in Oracle Identity Analytics. Oracle Identity Analytics makes it possible to create detailed descriptions of the hierarchy levels and user entitlements associated with resource types. The Oracle Identity Analytics metadata module enables the user to define resource types, list the entitlements for each resource type, and define the various levels of hierarchy associated with each entitlement.

To define metadata in Oracle Identity Analytics, choose Administration > Configuration > Resource Types in the user interface.

11.1.3.1 To Create or Delete a Resource Type

  1. Log in to Oracle Identity Analytics.

  2. Choose Administration > Configuration.

  3. Click Resource Types.

    To create, rename, or delete a resource type, do one of the following:

  • To create a new resource type, do this:

    1. Click New Resource Type.

    2. Complete the form and click Save.

      For Short Name, type a three-letter abbreviation.

  • To delete a resource type, do this:

    1. Click the resource type to be deleted.

    2. Click Delete.

      A dialog box confirming the action appears.

11.1.3.2 Understanding Resource Type Attributes and Attribute Categories

Resource type metadata is defined in Oracle Identity Analytics using the following hierarchy:

Resource Type > Attribute Categories > Attributes

Attributes are entitlements that map to different objects in a resource type. For example, database name is an attribute of MySQL™, UID is a UNIX attribute, and so on. A collection of similar types of attributes makes up an attribute category. Attributes and attribute categories are uniquely defined for each resource type.

11.1.3.3 To Create, Rename, and Delete an Attribute Category

  1. Log in to Oracle Identity Analytics.

  2. Choose Administration > Configuration.

  3. Click Resource Types.

    To create, rename, or delete an attribute category, do one of the following:

  • To create an attribute category for a given resource type, do this:

    1. Click the resource type and click New Attribute Category.

    2. Complete the form as follows:

      • Attribute Category Name - Type the name of the attribute category.

      • Category Order - Type a number to specify where the tab for this attribute category should appear relative to the other tabs in the tab sequence on the Accounts and Policies pages. For example, type 1 to have the tab appear in the first position.

      • Link Attributes option and Parent menu - The Link Attributes option should only be selected when Oracle Identity Analytics is integrated with Oracle Identity Manager. In the Parent menu select the field that is defined as the OIAParentAttribute in Oracle Identity Manager. This property is needed so that OIA can exchange data with OIM.

        For more information, see "Integrating With Oracle Identity Manager, Preferred Method" in the System Integrator's Guide for Oracle Identity Analytics.

    Oracle Identity Analytics creates the new attribute category.

  • To rename an attribute category, do this:

    1. Click the attribute category and click Rename.

    2. Type the new name and click Save.

  • To delete an attribute category, do this:

    1. Click the attribute category.

    2. Click Delete.

      A dialog box confirms the deletion.

11.1.3.4 Configuring Resource Type Attributes

Oracle Identity Analytics provides a detailed properties page to define an attribute. The following parameters are used to define an attribute.

Table 11-1 Attribute Parameters

  • Description - Description of the attribute.

  • Min Length - The minimum length that can be specified for an attribute.

  • Max Length - The maximum length that can be specified for an attribute.

  • Case - Specifies whether the attribute value can be uppercase or lowercase.

  • Edit Type - Specifies the data type of the attribute.

  • Order - Specifies the order in which the attribute is listed or imported.

  • Min Value - The minimum value that the attribute can have.

  • Default Value - The default value an attribute should have when it is imported.

  • Values - A predefined list of values that the attribute can have.

  • Excluded Value - A value that an attribute cannot have when it is imported.

  • Label - The display label for the attribute.

  • Classifications - Free-form labels or tags that should be associated with the attribute. For example, Invoicing, Purchasing, Accounting.


In addition, the following flags further define an attribute:

Table 11-2 Additional Attribute Flags

  • Space Allowed - Allows the attribute values to have a space in them.

  • Hidden - The attribute value can be hidden (for password fields).

  • Managed - To display an attribute or import it, the managed flag needs to be set for the attribute.

  • Importable - Allows the attribute to be imported from a CSV or text file.

  • Certifiable - Specifies that the attribute can be certified, for example in a Data Owner certification.

  • Multiple Value - Allows an attribute to have comma-separated multiple values.

  • Mandatory - This flag, when selected, specifies all the privileges for the attribute such as managed, importable, and so on.

  • Auditable - Allows the attribute to be checked for audit exceptions.

  • Minable - Allows Oracle Identity Analytics to perform role engineering operations.

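To show how the parameters in Table 11-1 and the flags in Table 11-2 act together on an imported value, here is an added Python example (not from the Oracle documentation and not Oracle Identity Analytics code) that checks one CSV cell against an attribute definition: length bounds, case, the predefined Values list, the Excluded Value, Space Allowed, Multiple Value splitting, and the Managed/Importable gate. The `AttributeDefinition` model, the fictitious "Oracle DBMS" attributes, the sample rows, and the assumption that whitespace around the commas of a multi-value cell is trimmed are all constructed for the example; the Hidden flag is used to keep password-style values out of the violation messages.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class AttributeDefinition:
    """Hypothetical model of the Table 11-1 parameters and Table 11-2 flags that constrain a value."""
    name: str
    min_length: int = 0
    max_length: int = 255
    case: Optional[str] = None            # "upper", "lower" or None for either case
    values: List[str] = field(default_factory=list)   # predefined list of permitted values
    excluded_value: Optional[str] = None  # a value the attribute may never take on import
    space_allowed: bool = False
    hidden: bool = False                  # password-style field: never echo the value
    managed: bool = True
    importable: bool = True
    multiple_value: bool = False          # comma-separated list of values


def _shown(attr: AttributeDefinition, value: str) -> str:
    """Hidden attributes are reported without their value so logs do not leak secrets."""
    return "<hidden>" if attr.hidden else repr(value)


def validate_import_value(attr: AttributeDefinition, raw: str) -> List[str]:
    """Check one imported cell against its attribute definition; return the violations found."""
    if not (attr.managed and attr.importable):
        return [f"{attr.name}: attribute is not managed and importable, value rejected"]
    # Assumption: with Multiple Value set, whitespace around the commas is trimmed.
    parts = [p.strip() for p in raw.split(",")] if attr.multiple_value else [raw]
    problems: List[str] = []
    for value in parts:
        if not attr.min_length <= len(value) <= attr.max_length:
            problems.append(f"{attr.name}: length {len(value)} outside "
                            f"[{attr.min_length}, {attr.max_length}] for {_shown(attr, value)}")
        if attr.case == "upper" and value != value.upper():
            problems.append(f"{attr.name}: must be uppercase: {_shown(attr, value)}")
        if attr.case == "lower" and value != value.lower():
            problems.append(f"{attr.name}: must be lowercase: {_shown(attr, value)}")
        if not attr.space_allowed and " " in value:
            problems.append(f"{attr.name}: spaces not allowed: {_shown(attr, value)}")
        if attr.values and value not in attr.values:
            problems.append(f"{attr.name}: not in predefined values: {_shown(attr, value)}")
        if attr.excluded_value is not None and value == attr.excluded_value:
            problems.append(f"{attr.name}: excluded value: {_shown(attr, value)}")
    return problems


def validate_row(defs: List[AttributeDefinition], row: List[str]) -> List[str]:
    """Validate one import row whose cells follow the attributes' Order."""
    problems: List[str] = []
    for attr, cell in zip(defs, row):
        problems.extend(validate_import_value(attr, cell))
    return problems


if __name__ == "__main__":
    # Constructed definitions for a fictitious "Oracle DBMS" resource type.
    defs = [
        AttributeDefinition("Username", min_length=3, max_length=30, case="lower"),
        AttributeDefinition("Privilege", values=["connect", "resource", "dba"],
                            excluded_value="sysdba", multiple_value=True),
        AttributeDefinition("Password", hidden=True, min_length=8),
    ]
    # Constructed rows (cells already split, so a multi-value cell keeps its commas).
    for row in [["alice", "connect, resource", "Secret-Passw0rd"],
                ["Bob Smith", "dba, sysdba", "short"]]:
        print(row[0], "->", validate_row(defs, row) or "ok")
```

The point of the Hidden handling is easy to miss in a validator: the same code path that reports a bad Username is the one that reports a too-short password, so the message format, not the caller, must decide what gets echoed.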

11.1.3.5 To Create, Rename, Edit, and Delete an Attribute

  1. Log in to Oracle Identity Analytics.

  2. Choose Administration > Configuration.

  3. Click Resource Types.

  • To create an attribute, do this:

    1. Highlight the Attribute Category under which you want to create an Attribute and click the New Attribute tab.

      A dialog box appears.

    2. Enter the New Attribute values.

  • To rename an attribute, do this:

    1. Click Rename for the appropriate attribute.

      A dialog box appears.

    2. Enter the new name and save it.

  • To edit an attribute, do this:

    1. Click Modify for the appropriate attribute.

    2. Modify the required values.

  • To delete an attribute, do this:

    1. Click Delete for the appropriate attribute.

      A dialog box confirming the action appears.

11.1.4 Provisioning Servers Configuration

A Provisioning Server is a server or system that administers user accounts on target resources. Oracle Identity Analytics supports four provisioning platforms. In addition, Oracle Identity Analytics can import provisioning information from a file, as well as export to a file.

Supported provisioning platforms include:

  • Oracle Identity Manager (OIM)

  • Oracle Waveset (previously Sun Identity Manager)

  • File

Note:

By default, the Administration > Configuration > Provisioning Servers tab displays file and sun as the available options. To display other supported provisioning servers, edit iam-context.xml in the RBACX_Home/WEB-INF folder.

For more information, refer to the following chapters in the System Integrator's Guide for Oracle Identity Analytics.

  • For Oracle Identity Manager, see the "Integrating With Oracle Identity Manager, Preferred Method" chapter.

  • For Oracle Waveset, see the "Integrating With Oracle Waveset (Sun Identity Manager)" chapter.

11.1.4.1 To Create a New Provisioning Server Connection

  1. Log in to Oracle Identity Analytics.

  2. Choose Administration > Configuration.

  3. Click Provisioning Servers.

  4. Click New Provisioning Server Connection.

    The New Provisioning Server Connection wizard asks you to choose the type of provisioning server connection to create.

  5. Choose the correct provisioning server type for your environment and click Next.

  6. Complete the form:

    • If you selected Oracle Identity Manager - refer to Table 11-3 for information about how to complete the form.

    • If you selected Oracle Waveset (Sun Identity Manager) - refer to Table 11-4 for information about how to complete the form.

    • If you selected File - refer to Table 11-5 for information about how to complete the form.

Table 11-3 Help on Completing the Oracle Identity Manager New Provisioning Server Connection Form

  • Server Name - Type the Oracle Identity Manager server name.

  • Xellerate Home - Type the path to the xellerate folder in OIM (for example, C:\oracle\xellerate).

    If Oracle Identity Manager is on a separate machine, create a local xellerate folder and copy the config folder from <OIMDesignConsole> into the xellerate folder.

  • Login Config - Type the path to the authentication configuration (auth.config) file (for example, C:\oracle\xellerate\config\authwl.conf).

  • User Name - Enter the OIM user name (for example, xelsysadm). The specified OIM user needs to have system administrator privileges.

  • Password - Enter the OIM password.


Table 11-4 Help on Completing the Oracle Waveset (Sun Identity Manager) New Provisioning Server Connection Form

  • Connection Name - Type a new connection name for Oracle Waveset (Sun Identity Manager). This connection name is used during the import process instead of the host name and port.

  • SPML URL - Format the SPML URL as follows:

    http://IdentityManagerApplicationServerName:PortNumber/idm/servlet/rpcrouter2

    For example: http://localhost:8080/idm/servlet/rpcrouter2

  • User Name - Type a user name that Oracle Identity Analytics will use to connect to Oracle Waveset.

    You should create a special Oracle Waveset user account for this purpose. For details, see the "System Integrator's Guide" portion of the Administrator's Guide for Oracle Identity Analytics, "Integrating With Oracle Waveset (Sun Identity Manager)" chapter, "To Create an Oracle Waveset User That Oracle Identity Analytics Will use to Connect." Do not use the configurator account.

  • Password - Type the password that Oracle Identity Analytics will use to connect to Oracle Waveset.

  • Role Consumer - Select this box to export roles and role content from Oracle Identity Analytics to Oracle Waveset on a real-time basis. Oracle recommends that you select this option.

  • Role Update Schedule - Choose when to send updates back to Identity Manager:

    • Now - Send changes immediately.

    • Later - Send updates on a daily, weekly, or monthly basis, or just one time, and select the time and date for the update task to start.


Table 11-5 Help on Completing the New Provisioning Server Connection Form - File Option

  • Connection Name - Type a name for the new connection being created. This connection name is used to denote the file import process.

  • Import Drop Location - Specify the complete path to the drop folder where the input file to be imported is located.

  • Import Complete Location - Specify the complete path to the folder used in the import process.

  • Import Schema Location - Specify the complete path to the schema folder where the schema file for the import process is located.

  • Export Drop Location - Specify the path to the location where the output file will be dropped after a successful export.

  • Export Schema Location - Specify the path to the schema folder where the schema file for the export process is located.


11.1.5 E-mail Templates Configuration (Configuring E-mail Notification)

Oracle Identity Analytics enables you to create notifications, reminders, and escalation e-mails based on the organization's need. The e-mail templates are HTML-supported.

11.1.5.1 To Create and Configure E-mail Notifications

  1. Log in to Oracle Identity Analytics.

  2. Choose Administration > Configuration.

  3. Click E-mail Templates.

  4. Click New E-mail Template.

  5. Complete the form using variable entries wherever required and click the Show Parameter hyperlink to select from the list of pre-configured parameters.

    See Section 11.1.5.2, "E-mail Parameter Definitions" for more information.

  6. Click Save.

11.1.5.2 E-mail Parameter Definitions

Oracle Identity Analytics has 36 e-mail parameters (or variables) that can be selected when you create e-mail templates. Not every e-mail variable can be used with every template. If a variable is used in an unsupported scenario, the variable may appear as plain text in the e-mail, or, if the variable is used in the To or CC fields in an unsupported scenario, the e-mail may not be sent. Test your template before putting it into production.

Table 11-6 E-Mail Parameters (Name, Parameter, Definition, Applicable Modules)

  • System Email, $(systemEmail) - Used for specifying the system e-mail. Example: rbacx@example.com. This variable can be used in the From and Body fields in all e-mails. Applicable modules: All.

  • User Email, $(userEmail) - Used to specify the user's e-mail address and the user's manager's e-mail address in cases where escalations occur within certifications. May also be used in workflow e-mail reminders, but not for escalations of workflow reminder e-mails. This variable can be used in the To field. Applicable modules: Certification (IDC) and Workflows.

  • User Secondary Email, $(userSecondaryEmail) - Used to specify the user's secondary e-mail address and the user's manager's secondary e-mail address in cases where escalations occur within certifications. This variable can be used in the To field. Applicable modules: Certification (IDC).

  • User Full Name, $(userFullName) - Used to specify the user's full name. Example: Baker, Angela. This variable can be used in the Subject and Body fields. Applicable modules: Certification (IDC).

  • User Last Name, $(userLastName) - Used to specify the user's last name. This variable can be used only in certain templates; use User Full Name otherwise. This variable can be used in the Subject and Body fields. Applicable modules: Certification (IDC).

  • User First Name, $(userFirstName) - Used to specify the user's first name. This variable can be used only in certain templates; use User Full Name otherwise. This variable can be used in the Subject and Body fields. Applicable modules: Certification (IDC).

  • Url, $(url) - Used to embed the Oracle Identity Analytics URL in an e-mail. This variable can be used in the Body field. Applicable modules: Certification (IDC).

  • Certification Name, $(certificationName) - Used to specify the name of the certification being processed. This variable can be used in the Subject and Body fields. Applicable modules: Certification (IDC).

  • Report Name, $(reportName) - Used to specify the name of the report being processed. (It can be used to attach the report name in certifications, but not in reminders.) This variable can be used in the Subject and Body fields. Applicable modules: Certification (IDC).

  • Proxy User Email, $(proxyUserEmail) - Used to specify the e-mail of the proxy user. This variable can be used in the To, CC, and BCC fields of the proxy assignment e-mail template. Applicable modules: Certification (IDC) and Proxy (System).

  • Proxy User Fullname, $(proxyUserFullname) - Used to specify the proxy user's full name. This variable can be used in the Subject and Body fields of the proxy assignment e-mail template. Applicable modules: Proxy (System).

  • Proxy StartDate, $(proxyStartDate) - Used to specify the start date of the proxy period. This variable can be used in the Body of the proxy assignment e-mail template. Applicable modules: Proxy (System).

  • Proxy EndDate, $(proxyEndDate) - Used to specify the end date of the proxy period. This variable can be used in the Body of the proxy assignment e-mail template. Applicable modules: Proxy (System).

  • User Manager Email, $(manager.email) - Used to specify the e-mail address of the manager of the roleOwner, policyOwner, or other Owners. Used in workflow escalation e-mails. This variable can be used in the To, CC, and BCC fields. Applicable modules: Workflows.

  • User Request RequesterName, $(request.requesterName) - Used to specify the name of the user who initiated a request. This variable can be used in the Subject and Body fields. Applicable modules: Workflows.

  • User Request Type, $(request.type) - Used to specify the request type (for example, "role change request"). This variable can be used in the Subject and Body fields. Applicable modules: Workflows.

  • User Request Date, $(request.date) - Used to specify the date when a request was created. This variable can be used in the Subject and Body fields. Applicable modules: Workflows.

  • User Role Name, $(role.name) - Used to specify the name of the role sent for approval. This variable can be used in the Subject and Body fields. Applicable modules: Workflows.

  • User Role VersionNumber, $(role.versionNumber) - Used to specify the version number of the role sent for approval. This variable can be used in the Subject and Body fields. Applicable modules: Workflows.

  • User RoleOwner Email, $(roleOwner.email) - Used to specify the e-mail addresses of role owners who own roles for which a version is sent for approval. This variable can be used in the To, Subject, and Body fields. Applicable modules: Workflows.

  • User PolicyOwner Email, $(policyOwner.email) - Used to specify the e-mail addresses of policy owners who own policies for which a version is sent for approval. This variable can be used in the To, Subject, and Body fields. Applicable modules: Workflows.

  • User Policy Name, $(policy.name) - Used to specify the name of the policy whose version is sent for approval. This variable can be used in the Subject and Body fields. Applicable modules: Workflows.

  • User Policy VersionNumber, $(policy.versionNumber) - Used to specify the version number of the policy that is sent for approval. This variable can be used in the Subject and Body fields. Applicable modules: Workflows.

  • Newly Reviewed Policy Owner Email, $(newlyReviewedPolicyOwner.email) - Used to send an e-mail notification to individual policy owners when a policy they own is approved or rejected during the Policy Owner Approval step of the Role Modification workflow. This variable should only be used with the Approve Role and Reject Role workflow steps. Added in release 11.1.1.5. Applicable modules: Workflows.

  • User Manager Name, $(userManagerFullName) - Used to specify the full name of the user's manager. This variable can be used in the Subject and Body fields. Applicable modules: Identity Audit (IDA).

  • User Manager, $(userManagerEmail) - Used to specify the e-mail address of the user's manager. This variable can be used in the To, CC, BCC, Subject, and Body fields. Applicable modules: Identity Audit (IDA).

  • Identity Audit Violation Name, $(identityAuditViolationName) - Used to display the name of the identity audit policy violation. This variable can be used in the Subject and Body fields. Applicable modules: Identity Audit (IDA).

  • Identity Audit Violation Action, $(identityAuditViolationAction) - Used to display the event or type of action that resulted in an e-mail being sent to the user. This variable can be used in the Subject and Body fields. Applicable modules: Identity Audit (IDA).

  • Identity Audit Policy Owner Name, $(identityAuditPolicyOwnerFullName) - Used to display the full name of the identity audit policy owner associated with the violation. This variable can be used in the Subject and Body fields. Applicable modules: Identity Audit (IDA).

  • Identity Audit Policy Owner Email, $(identityAuditPolicyOwnerEmail) - Used to display the e-mail address of the identity audit policy owner associated with the violation. This variable can be used in the To, CC, BCC, Subject, and Body fields. Applicable modules: Identity Audit (IDA).

  • Identity Audit Violation Remediator Name, $(identityAuditViolationRemediatorFullName) - Used to display the full name of the identity audit violation remediator associated with the violation. This variable can be used in the Subject and Body fields. Applicable modules: Identity Audit (IDA).

  • Identity Audit Violation Remediator Email, $(identityAuditViolationRemediatorEmail) - Used to display the e-mail address of the identity audit violation remediator associated with the violation. This variable can be used in the To, CC, BCC, Subject, and Body fields. Applicable modules: Identity Audit (IDA).

  • Identity Audit Violation Old Remediator Name, $(identityAuditViolationOldRemediatorFullName) - Used to display the full name of the previous identity audit violation remediator associated with the violation for which a new user is being assigned as a remediator. This variable can be used in the Subject and Body fields. Applicable modules: Identity Audit (IDA).

  • Identity Audit Violation Old Remediator Email, $(identityAuditViolationOldRemediatorEmail) - Used to display the e-mail address of the previous identity audit violation remediator associated with the violation for which a new user is being assigned as a remediator. This variable can be used in the To, CC, BCC, Subject, and Body fields. Applicable modules: Identity Audit (IDA).

  • Identity Audit Violation Remediator Manager Email, $(identityAuditViolationRemediatorManagerEmail) - Used to display the e-mail address associated with the manager of a user who is currently the remediator of a violation. This variable can be used in the Subject and Body fields. Applicable modules: Identity Audit (IDA).


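The section above says to test a template before production, because a variable used in an unsupported field renders as plain text and, in the To or CC field, can stop the e-mail from being sent. As an added example (not from the Oracle documentation and not Oracle Identity Analytics code), the following Python encodes a transcribed subset of Table 11-6 and checks every $(variable) in a draft template against it for the module that will send the mail. The `PARAMETER_RULES` subset, the lowercase field names, the severity split (address fields are errors, other fields are warnings), and the sample templates are all constructed for the example.

```python
import re
from typing import Dict, List, Set, Tuple

# Transcribed subset of Table 11-6: parameter -> (fields it may appear in, applicable modules).
PARAMETER_RULES: Dict[str, Tuple[Set[str], Set[str]]] = {
    "systemEmail":           ({"from", "body"}, {"All"}),
    "userEmail":             ({"to"}, {"Certification (IDC)", "Workflows"}),
    "userSecondaryEmail":    ({"to"}, {"Certification (IDC)"}),
    "userFullName":          ({"subject", "body"}, {"Certification (IDC)"}),
    "url":                   ({"body"}, {"Certification (IDC)"}),
    "certificationName":     ({"subject", "body"}, {"Certification (IDC)"}),
    "reportName":            ({"subject", "body"}, {"Certification (IDC)"}),
    "proxyUserEmail":        ({"to", "cc", "bcc"}, {"Certification (IDC)", "Proxy (System)"}),
    "proxyUserFullname":     ({"subject", "body"}, {"Proxy (System)"}),
    "proxyStartDate":        ({"body"}, {"Proxy (System)"}),
    "proxyEndDate":          ({"body"}, {"Proxy (System)"}),
    "manager.email":         ({"to", "cc", "bcc"}, {"Workflows"}),
    "request.requesterName": ({"subject", "body"}, {"Workflows"}),
    "userManagerEmail":      ({"to", "cc", "bcc", "subject", "body"}, {"Identity Audit (IDA)"}),
}

ADDRESS_FIELDS = {"to", "cc", "bcc"}
VARIABLE = re.compile(r"\$\(([A-Za-z0-9_.]+)\)")   # matches $(name) and $(object.field)

Finding = Tuple[str, str, str]   # (severity, field, message)


def validate_template(template: Dict[str, str], module: str) -> List[Finding]:
    """Check each $(variable) in the template against the table for the sending module.

    Severity follows the page: a bad variable in an address field can stop the
    e-mail from being sent ("error"); elsewhere it renders as plain text ("warning").
    """
    findings: List[Finding] = []
    for field_name, text in template.items():
        field_name = field_name.lower()
        severity = "error" if field_name in ADDRESS_FIELDS else "warning"
        for var in VARIABLE.findall(text or ""):
            rule = PARAMETER_RULES.get(var)
            if rule is None:
                findings.append((severity, field_name, f"$({var}) is not a known parameter"))
            elif "All" not in rule[1] and module not in rule[1]:
                findings.append((severity, field_name, f"$({var}) does not apply to {module}"))
            elif field_name not in rule[0]:
                findings.append((severity, field_name,
                                 f"$({var}) is not supported in the {field_name} field"))
    return findings


def ready_for_production(template: Dict[str, str], module: str) -> bool:
    """True when no finding could stop the e-mail from being sent."""
    return not any(sev == "error" for sev, _, _ in validate_template(template, module))


if __name__ == "__main__":
    # Constructed certification reminder; the wording is invented.
    draft = {
        "from": "$(systemEmail)",
        "to": "$(userFullName)",     # a name in the address field: the mail may not go out
        "subject": "Action required: $(certificationName)",
        "body": "Dear $(userFullName), please review $(certificationName) at $(url).",
    }
    for finding in validate_template(draft, "Certification (IDC)"):
        print(*finding)
    print("ready:", ready_for_production(draft, "Certification (IDC)"))
```

Extending the table to the remaining parameters is a matter of adding rows; the check itself does not change. Unknown variables are reported rather than ignored, since a typo in the To field fails the same way as an unsupported one.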
11.1.6 Import/Export

You can import the following in Oracle Identity Analytics:

  • Users

  • Roles

  • Accounts

  • Policies

  • Business Structures

  • Resource Metadata

  • Resources

  • Glossary

Details about importing are discussed in Chapter 2, "Oracle Identity Analytics Importing."

11.1.7 Workflows Configuration

A workflow is a specific sequence of actions or tasks that are related to a business process. In Oracle Identity Analytics, workflows enumerate each step involved in the various processes, such as role and policy creation, role and policy modification, and so on. A workflow lists all the actors who play a pivotal role in the management of roles and policies, and their functions.

Oracle Identity Analytics has eight workflows:

  • Role Creation Workflow

  • Role Modification Workflow

  • Role Membership Workflow

  • Mass Modification Workflow

  • Policy Creation Workflow

  • Policy Modification Workflow

  • Role Membership Rule Creation Workflow

  • Role Membership Rule Modification Workflow

Details about understanding and designing workflows are discussed in Chapter 6, "Oracle Identity Analytics Workflows."

11.1.8 Event Listeners Configuration

The Event Listener mechanism allows a user to create listeners to business events that are happening in the system and take some actions when those events happen. An example of a business event is a user update, which occurs when some of the user attributes are updated. A listener, when created, defines the events to examine based on a condition, and also defines the actions that are to be executed by the system in response to those events.

11.1.8.1 To Create a New Event Listener

  1. Log in to Oracle Identity Analytics.

  2. Choose Administration > Configuration.

  3. Click Event Listeners.

  4. Click Add Event Listener.

    The new event listener form opens.

  5. In the Name section, type the name by which the event listener will be identified, add the description and the status, and click Next.

  6. Add a condition that will be evaluated when an event takes place, then click Next.

    (For example, when a user is updated, a condition can check if the user's title property or location property has changed.)

    The Action Types form opens, specifying a list of actions that will be taken by the system when events that match the condition occur in the system.

  7. Select one or more of the following actions to execute when an event condition is met:

    • Run Business Structure Membership Rules - Runs selected user-to-business structure rules.

    • Run Role Membership Rules - Runs the selected role membership rules on users.

    • Run Identity Audit Scans - Runs selected identity audit policies on users based on a condition.

    • Create User Entitlement Certifications - Creates a user entitlement certification.

  8. Configure the form, then click Finish.

Table 11-7 Action Types Selected (Add Event Listener) Form Properties

Listener Action Properties Description

Status

Select Enable to run the action. Clear the checkbox if the action should not be executed.

Threshold Levels

For Time Delay, type the Hours and/or Minutes to wait before executing the actions. The timer begins when the first event occurs. All events after the timer starts are queued until the timer expires.

Event Count

Select Event Count and type a number to limit the number of events that can occur during the specified time period. Specifies the upper limit of the number of events that can occur in the time interval for an action. If the event count exceeds this limit, then the action will not be executed. Use this to avoid executing an action in case of bulk updates.

Actions

Add the rules that will run against the subjects that match this event listener when the threshold levels are met.

Certification Configuration

Enter details about the certification that should be created when an event condition is met. For help completing the Configuration Details section, see Section 11.2.1.2, "Help on Completing the Identity Certification Configuration Options."
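The threshold behaviour described in Table 11-7 (the timer starts at the first matching event, later events queue until it expires, and an Event Count limit suppresses the actions on bulk updates), as an added Python simulation. This is constructed example code, not Oracle Identity Analytics code; the class, method and field names are assumptions, and the sample users are made up.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed simulation of the Table 11-7 threshold logic; not Oracle Identity Analytics code.
Condition = Callable[[Dict, Dict], bool]


def title_or_location_changed(old: Dict, new: Dict) -> bool:
    """The step-6 example condition: the user's title or location property changed."""
    return old.get("title") != new.get("title") or old.get("location") != new.get("location")


@dataclass
class EventListener:
    name: str
    condition: Condition
    actions: List[str]                   # e.g. "Run Role Membership Rules"
    delay_seconds: int = 0               # Time Delay (hours/minutes, in seconds); 0 = run at once
    event_count: Optional[int] = None    # Event Count limit; None = no limit
    enabled: bool = True                 # the Status checkbox
    _window_start: Optional[int] = None  # when the timer started (first matching event)
    _queued: List[str] = field(default_factory=list)  # subjects waiting for the timer

    def on_user_updated(self, old: Dict, new: Dict, now: int) -> Dict:
        """Feed one user-update event at time 'now' and report what the listener did."""
        if self.enabled and self.condition(old, new):
            if self._window_start is None:
                self._window_start = now    # the timer begins at the first matching event
            self._queued.append(new["id"])  # later events queue until the timer expires
        return self.poll(now)

    def poll(self, now: int) -> Dict:
        """Scheduler tick: run or suppress the queued work once the timer has expired."""
        if self._window_start is None:
            return {"status": "idle", "subjects": [], "actions": []}
        if now - self._window_start < self.delay_seconds:
            return {"status": "waiting", "subjects": list(self._queued), "actions": []}
        subjects, self._queued, self._window_start = self._queued, [], None
        if self.event_count is not None and len(subjects) > self.event_count:
            # More events than the Event Count allows in one window: treat it as a
            # bulk update and do not execute the actions.
            return {"status": "suppressed", "subjects": subjects, "actions": []}
        return {"status": "executed", "subjects": subjects, "actions": list(self.actions)}


def run_demo() -> List[str]:
    """Walk through one normal update and one bulk update; returns the observed statuses."""
    listener = EventListener(
        name="title-change-role-rules",
        condition=title_or_location_changed,
        actions=["Run Role Membership Rules"],
        delay_seconds=600,   # Time Delay of 10 minutes
        event_count=3,       # at most 3 matching events per window
    )
    statuses = []
    u1 = {"id": "u1", "title": "Analyst", "location": "NYC"}
    # A single promotion: queued at t=0, executed when polled after the delay.
    statuses.append(listener.on_user_updated(u1, {**u1, "title": "Senior Analyst"}, now=0)["status"])
    statuses.append(listener.poll(now=600)["status"])
    # A bulk location change for four users inside one window exceeds the Event Count.
    for i, now in enumerate((1000, 1001, 1002, 1003)):
        u = {"id": f"u{i + 2}", "title": "Analyst", "location": "NYC"}
        listener.on_user_updated(u, {**u, "location": "LON"}, now=now)
    statuses.append(listener.poll(now=1600)["status"])
    return statuses  # ["waiting", "executed", "suppressed"]
```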


11.2 Settings Pages

This section documents the configuration pages that are available when you choose Administration > Settings from the menu bar.

11.2.1 Identity Certification Configuration

This section describes how to configure the Oracle Identity Analytics identity certification feature. One related topic is documented elsewhere:

  • "Configuring Identity Certification Batch Sizes in the UI" is covered in the "Customizing the Oracle Identity Analytics User Interface" chapter of the System Integrator's Guide for Oracle Identity Analytics.

11.2.1.1 To Configure Identity Certification

  1. Log in to Oracle Identity Analytics.

  2. Choose Administration > Settings.

  3. Click Identity Certification.

    The Certification Configuration page opens.

  4. Click a section to expand it.

  5. Complete the form and click Save.

    For help completing the form, see the following sections.

11.2.1.2 Help on Completing the Identity Certification Configuration Options

Before You Begin - See Section 11.2.1.1, "To Configure Identity Certification" for help opening the Certification Configuration page.

11.2.1.2.1 General Panel

"General" Section

Business Structure Hierarchy / Hierarchy Depth

Select the Business Structure Hierarchy option to include in a certification all the users in the business structure and all the users in business structures under it, up to the hierarchy depth chosen by the administrator.

Allow multiple open certifications per business structure

Select to allow the system to open more than one certification with an open status per business structure.

Password required to complete certifications

Select to require users to sign off in order to complete a certification.

Send E-mail copies to Admin for new certifications

Select to send a copy to the admin when a new certification is created.

Create single certification for all managers of a business structure

Select to allow multiple managers to review a single certification. The system will track the actions each manager performs along with a timestamp. Clear this option to create one certification per business structure manager.

Disallow self-certification

Select to prevent managers from being able to certify their own access. Enabling this option allows the certification creator to assign the certification to an alternate reviewer.

Enable access to Oracle Identity Manager Provisioning Server

Select to enable Oracle Identity Manager (OIM) to revoke or re-provision target system accounts based on the revocations and certifications that occurred during the Oracle Identity Analytics certification process.


"Status Options" Section

Allow comments on all non-certify selections

Select to allow the user to type a comment if a revoke action is selected. (The system does not require the user to type a comment.)

Allow comments on certify selections

Select to allow the user to type a comment if a certify action is selected. (The system does not require the user to type a comment.)


11.2.1.2.2 User Entitlement Panel

"General" Section

Select the users to certify based on the following criteria

Complete this section to select which entitlements should be reviewed.

  • Any level of risk - Select all users, regardless of risk level.

  • High-risk summaries - Select users whose overall risk is high.

  • High-risk roles - Select users who have high-risk roles assigned to them.

  • High-risk resources - Select users who have high-risk resources assigned to them.

  • High-risk entitlements - Select users who have high-risk entitlements assigned to them.

  • Include users with no accounts - Allow managers to select users under them who do not have an account.

  • Include accounts with no certifiable attributes - Allow managers to select users under them who do not have any certifiable attributes.

Select the items to certify for each user

Complete this section to select what will be certified.

  • Entitlements

    • All Entitlements - Certify all entitlements.

    • Entitlements outside roles - Certify entitlements that are not part of a role.

    • Accounts with high-risk entitlements - Certify only accounts that have one or more entitlements marked as high-risk.

    • Only high-risk entitlements - Certify only those entitlements classified as high-risk.

    • None - Do not certify accounts or entitlements.

  • Roles

    • All roles - Certify all roles.

    • Only high-risk roles - Certify only roles that are high risk.

    • None - Do not certify roles.

View User Activity Information

Allows the certifier to see the user's recent account activity.

Note - This feature is functional if Oracle Identity Analytics is integrated with Intellitactics Security Manager. To learn about this feature, see "Integrating with Intellitactics Security Manager" in the System Integrator's Guide for Oracle Identity Analytics.

Employee Verification Required

Select this to require managers to verify the work status (Works For Me, Does Not Work For Me, Terminated, Reports To...) of their assigned employees; when you select it, also select the Create new certification per reporting manager option.

Create new certification per reporting manager

Select this to create a new certification if, during the employee verification process, the certifier selects "Reports To" and names a new manager for the user.


"Status Options" Section

Employee Verification

Select the following options to make them available to managers during the employee verification process. Click Edit Label to change the name of an employee verification action option.

  • Claim - The user works for you and you are the correct person to complete the certification.

  • Decline - The user does not work for you and you are not responsible for verifying his or her assigned roles and entitlements.

  • Disclaim - The user is no longer part of the organization. All of the user's roles, entitlements, and accounts will be revoked and the user is removed from the certification process.

  • Delegate - The user reports to another manager who is responsible for verifying this user's assigned roles and entitlements. You will not approve or revoke roles and entitlements for this user.

Certification Sign off

Select the following options to make them available to managers during the certification process. Click Edit Label to change the name of a certification action option.

  • Certify - The certification is valid.

  • Revoke - The certification is not valid.

  • Abstain - The user does not work for you and you are not responsible for the certification.

  • Certify Conditionally - Issue a temporary certification. An end date when the certification expires must be specified.


11.2.1.2.3 Data Owner Panel

"General" Section

Certify Entitlements

Choose one of the following:

  • All entitlements - Certify all entitlements.

  • Only high risk entitlements - Certify only entitlements that have been marked as high risk.


"Status Options" Section

Data Owner Verification

Select the following options to make them available to certifiers during the data owner verification process. Click Edit Label to change the name of a data owner verification action option.

  • Claim - The data source belongs to you and you are the correct person to complete the certification.

  • Decline - The data source does not belong to you and you are not responsible for completing the certification.

Approve or Revoke Data Access

Select the following options to make them available to certifiers during the certification process. Click Edit Label to change the name of a data owner certification action option.

  • Certify - The certification is valid.

  • Revoke - The certification is not valid.

  • Abstain - The user does not work for you and you are not responsible for the certification.

  • Certify Conditionally - Issue a temporary certification. An end date when the certification expires must be specified.


11.2.1.2.4 Resource Entitlement Panel

"General" Section

Certify Resources

Choose one of the following:

  • All resources - Certify all resources.

  • Only high risk resources - Certify only resources that have been marked as high risk.


"Status Options" Section

Resource Verification

Select the following options to make them available to end-users during the resource-entitlement verification process. Click Edit Label to change the name of a resource verification action option.

  • Claim - The resource belongs to you and you are the correct person to complete the certification.

  • Decline - The resource does not belong to you and you are not responsible for completing the certification.

Verify employee access

Select the following options to make them available to end-users during the certification process. Click Edit Label to change the name of a verify employee access action option.

  • Certify - The user entitlement is valid for this resource for this certification.

  • Revoke - The user entitlement is not valid for this resource for this certification.

  • Abstain - You are not responsible for verifying the entitlement.

  • Certify Conditionally - The user entitlement should be temporarily certified for this certification. An end date when the certification expires must be specified.


11.2.1.2.5 Role Entitlement Panel

"General" Section

Certify Roles

Choose one of the following:

  • All roles - Certify all roles.

  • Only high risk roles - Certify only roles that have been marked as high risk.

Certify Policies

Also certify policies that belong to roles, as well as attributes of the policy.

Certify Members

Also certify members that belong to roles.


"Status Options" Section

Role Verification

Select the following options to make them available to end-users during the role verification process. Click Edit Label to change the name of a role verification action option.

  • Claim - The role belongs to you and you are the correct person to complete the certification.

  • Decline - The role does not belong to you and you are not the correct person to complete the certification.

Policy, Entitlement, and Member Access

Select the following options to make them available to end-users during the certification process. Click Edit Label to change the name of a verification or certification action option.

  • Members

    • Certify - The user assigned to this role is valid for this certification.

    • Revoke - The user assigned to this role is not valid for this certification.

    • Abstain - The role does not belong to you and you are not responsible for verifying any users assigned to the role.

    • Certify Conditionally - The user assigned to this role should be temporarily certified for this certification. An end date when the certification expires must be specified.

  • Policies and Entitlements

    • Certify - The policy or entitlement assigned to this role is valid for this certification.

    • Revoke - The policy or entitlement assigned to this role is not valid for this certification.

    • Abstain - The role does not belong to you and you are not responsible for verifying any policies or entitlements assigned to the role.

    • Certify Conditionally - The policy or entitlement assigned to this role should be temporarily certified for this certification. An end date when the certification expires must be specified.


11.2.1.2.6 Reminders Panel

New Certification Notification

  • Send New Certification Notification - When a new certification is assigned, send e-mail to the certifier. Click E-mail Template to select which notification template to use.

  • Send E-mail When Certifier is Updated - When a certification is assigned to a new certifier, send e-mail to the new certifier. Click E-mail Template to select the notification template to use.

Upcoming Certification Notification

  • Reminder to Manager - Before the certification process is scheduled to begin, send a reminder e-mail to the managers affected. Use the Reminder Interval list to select when the e-mail notice should be sent. Click E-mail Template to select the notification template to use.

Pending Certification Notification

  • Pending Certification Notifications - From the list select if pending notifications should be based on the Certification Create Date (the date the certification was created), the Certification Start Date (the date that the certification is scheduled to start), or the Certification End Date (the date that the certification is scheduled to end).

  • First Reminder to Manager - Select to schedule when a first reminder e-mail should be sent to a manager who has an assigned certification to complete. Use the Reminder Interval list to select when the e-mail notice should be sent. Click E-mail Template to select the notification template to use.

  • Second Reminder to Manager - Select to schedule when a second reminder e-mail should be sent to a manager who has an assigned certification to complete. Use the Reminder Interval list to select when the e-mail notice should be sent. Click E-mail Template to select the notification template to use.

  • First Reminder to Manager's Manager - Select to schedule when a first reminder e-mail should be sent to the manager of the manager who has an assigned certification to complete. Use the Reminder Interval list to select when the e-mail notice should be sent. Click E-mail Template to select the notification template to use.

  • Second Reminder to Manager's Manager - Select to schedule when a second reminder e-mail should be sent to the manager of the manager who has an assigned certification to complete. Use the Reminder Interval list to select when the e-mail notice should be sent. Click E-mail Template to select the notification template to use.

  • Reminder to Information Security Department - Select to schedule when a notification e-mail should be sent to the information security manager who is responsible for ensuring that certifications are completed. Use the Reminder Interval list to select when the e-mail notice should be sent. Click E-mail Template to select the notification template to use.

Certification Completion Notification

  • Send Certification Completion E-mail - When a certification has been completed, send a notification e-mail to the certifier. Click E-mail Template to select which notification template to use.

Certification Expiry Notification

  • Certification About to Expire Notification - Select to schedule when a reminder e-mail should be sent to a manager who has an assigned certification that is about to expire. Use the Reminder Interval list to select when the e-mail notice should be sent (that is, choose how many days in advance of the certification expiring the notice should be sent). Click E-mail Template to select the notification template to use.

  • Expired Certification Notification - When a certification has expired, send a notification e-mail to the certifier. Click E-mail Template to select which notification template to use.


11.2.1.2.7 Revoke and Remediation Panel

Access Revoke

  • Send e-mail to security administrators on access revoke - Select to send e-mail to security administrators when a certifier revokes access. Choose from the following options how the security administrator should be notified.

    • By certification - Send a notification e-mail that summarizes revoked access for the certification.

    • By each resource type in the certification - Send a notification e-mail that, for a given certification, summarizes revoked access by each resource type.

    • By each account in the certification - Send a notification e-mail that, for a given certification, summarizes revoked access per account.

Reporting Changes

  • Send reporting changes to HR - Select to send e-mail to Human Resources (HR) when a manager declines, delegates, or disclaims an employee because the employee does not work for the manager, the employee works for another manager, or the employee is no longer part of the organization. Choose from the following options how HR should be notified.

    • By certification - Send one notification e-mail that summarizes reporting changes for the certification.

    • By user - Send one e-mail per user.

Remediation

  • Display Remediation Instructions - Select to display instructions to help end-users complete remediation steps.

  • Perform Closed Loop Remediation - Select to enable closed loop remediation. See Section 7.4, "Understanding Closed-Loop Remediation and Remediation Tracking" for more information.

    • Certification End Date - The date that the certification is scheduled to end.

    • Certification Completion Date - The date that the certification is completed.


11.2.2 Role Management Configuration

This section describes how to configure the Oracle Identity Analytics role mining and "SoD evaluation of role assignment" feature.

11.2.2.1 To Configure Mining

  1. Log in to Oracle Identity Analytics.

  2. Choose Administration > Settings.

  3. Click Role Management.

    The Role Management page opens.

  4. Click New Excluded Value.

  5. Complete the form by selecting the attribute value that needs to be excluded from mining, and click OK.

11.2.2.2 To Configure Roles

  1. Log in to Oracle Identity Analytics.

  2. Choose Administration > Settings.

  3. Click Role Management.

    The Role Management page opens.

  4. Click on Roles.

  5. Select from the following to perform an SoD evaluation of a role assignment:

    • Disallow Assignment - Blocks the assignment if there is an SoD violation.

    • Allow Assignment and Flag Audit Exception - Allows the assignment even if there is an SoD violation, but flags the audit exception.

11.2.3 Identity Audit Configuration

The identity audit configuration page provides the interface for setting up the e-mail notification preferences for audit policy violation events and actions.

11.2.3.1 To Configure the Identity Audit Module

  1. Log in to Oracle Identity Analytics.

  2. Choose Administration > Settings.

  3. Click Identity Audit.

  4. Select the desired configurations based on the requirements of the organization.

11.2.3.2 To Prevent Self-Remediation of Audit Violations

Follow these steps to prevent users from being able to remediate their own violations if their attributes, roles, or entitlements are causing a Segregation of Duties violation.

  1. Log in to Oracle Identity Analytics.

  2. Choose Administration > Settings.

  3. Click Identity Audit.

  4. Select Prevent Self-Remediation.

    Note:

    Self-remediation is allowed by default for Oracle Identity Analytics customers who upgraded from a version older than 11gR1 PS1 because previous versions of the product allowed self-remediation. Self-remediation, however, is not considered a best practice and customers are encouraged to choose the Prevent Self-Remediation option.

  5. Use the Alternate reviewer select box to specify who should be the designated alternate reviewer. Choose from the following:

    • User Manager - Make the original reviewer's manager the designated reviewer/remediator.

    • Select - Type a name in the user search box to make a specific user the designated reviewer/remediator.
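The "Disallow self-certification" option (Section 11.2.1.2.1) and the Prevent Self-Remediation option with its User Manager / Select alternate-reviewer choices (above), as an added Python example of the reviewer-resolution check they describe. This is constructed example code, not Oracle Identity Analytics code: the org chart, the certification items and the handling of the case where no valid alternate reviewer exists are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed org chart (assumption for the example, not Oracle Identity Analytics data):
# each user maps to their manager, or None at the top of the hierarchy.
MANAGER_OF: Dict[str, Optional[str]] = {
    "bob": "alice",
    "alice": "carol",
    "carol": "dave",
    "dave": None,
}


@dataclass(frozen=True)
class ReviewPolicy:
    prevent_self_review: bool = True           # "Disallow self-certification" / "Prevent Self-Remediation"
    alternate_reviewer: str = "User Manager"   # "User Manager" or "Select", as in step 5 above
    selected_user: Optional[str] = None        # the name typed in the user search box for "Select"


def resolve_reviewer(policy: ReviewPolicy, subject: str, default_reviewer: str,
                     manager_of: Dict[str, Optional[str]]) -> str:
    """Return who reviews an item about 'subject' when 'default_reviewer' would normally do it.

    Raises ValueError when self-review is prevented and no valid alternate exists; how the
    product itself handles that case is not described on this page (assumption).
    """
    if not policy.prevent_self_review or default_reviewer != subject:
        return default_reviewer
    if policy.alternate_reviewer == "User Manager":
        alternate = manager_of.get(default_reviewer)   # the original reviewer's manager
    elif policy.alternate_reviewer == "Select":
        alternate = policy.selected_user
    else:
        raise ValueError(f"unknown alternate reviewer option {policy.alternate_reviewer!r}")
    if alternate is None or alternate == subject:
        # A "Select" that names the subject, or a top-level manager with nobody above
        # them, would still be self-review, so it is refused rather than silently allowed.
        raise ValueError(f"no valid alternate reviewer for {subject!r}")
    return alternate


def assign_certification(policy: ReviewPolicy, certifier: str, items: List[Tuple[str, str]],
                         manager_of: Dict[str, Optional[str]] = MANAGER_OF
                         ) -> Dict[str, List[Tuple[str, str]]]:
    """Split (user, entitlement) items among reviewers so that nobody certifies their own access."""
    assignments: Dict[str, List[Tuple[str, str]]] = {}
    for user, entitlement in items:
        reviewer = resolve_reviewer(policy, user, certifier, manager_of)
        assignments.setdefault(reviewer, []).append((user, entitlement))
    return assignments


# Constructed certification: alice reviews her business structure, which includes herself.
ITEMS = [("bob", "CRM Admin"), ("alice", "CRM Admin"), ("bob", "Payroll Read")]
```

With the default policy, alice's own item is routed to her manager carol while bob's items stay with alice; with self-review allowed, all three items stay with alice.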

11.2.3.3 To Configure E-mails for Violation Reminder and Escalation

  1. Log in to Oracle Identity Analytics.

  2. Choose Administration > Settings.

  3. Click Identity Audit.

  4. Do one of the following in the Violation Reminder and Escalation section:

    • Select Send Email Reminder(s) to choose when and how frequently reminder e-mails are sent to the violation assignee when no action is taken on the violation after it is assigned. You can also choose the template for the reminder e-mail.

    • Select Escalate After Reminders to choose the maximum number of reminders to send before escalating the violation to the assignee's manager. You can also choose an e-mail template to use for the escalation notice.

  5. Click Save.

11.2.3.4 To Configure E-mails For Violation Lifecycle Event Notifications

  1. Log in to Oracle Identity Analytics.

  2. Go to Administration > Settings.

  3. Click Identity Audit.

  4. Select from the following options in the Violation Lifecycle Event Notifications section:

    • Send E-mail For New Violations - Choose an e-mail template and also send e-mail notifications to actors associated with the new violations that are created.

    • Send E-mail For Reopened Violations - Choose an e-mail template and send e-mail notifications to actors associated with the violations that are reopened.

    • Send E-mail For User or System Remediated Violations - Choose an e-mail template and also send e-mail notifications to actors associated with the violations that are closed as resolved by the system or user.

    • Send E-mail When Violation is Assigned - Choose an e-mail template and send e-mail notifications to actors associated with the violation that is assigned to a user.

    • Send E-mail When Violation Closed as Risk Accepted - Choose an e-mail template and send e-mail notifications to actors associated with the violation that is closed as risk accepted.

  5. Click Save.

11.2.4 Reports Configuration

You can configure Oracle Identity Analytics to send e-mails to data owners using pre-defined e-mail templates. Reminder e-mails can be sent to data owners, the data owners' managers, and to the Information Security Department.

11.2.4.1 To Configure Report Reminder E-mails

  1. Log in to Oracle Identity Analytics.

  2. Choose Administration > Settings.

  3. Click Reports.

    The Report Configuration page opens.

  4. To configure the send-reminder-email workflow, select a reminder, select a reminder interval, and select an e-mail template.

    E-mail templates are created on the E-mail Templates tab. For help, see "E-mail Templates Configuration (Configuring E-mail Notification)" earlier in this chapter.

  5. Click Save.

11.2.5 Identity Warehouse Configuration

Candidate List

Only Privileged Users in Candidate Owner List - When associating role owners with roles or policy owners with policies, you can restrict the menu to only those users who have sufficient access rights to perform the job. To do so, enable this option. If this option is not enabled, the menu lists all users, which means it is possible to select a user who does not possess the permissions required to do the job.

Note:

If this feature is enabled, a user appears in the menu only if assigned an OIA Role containing these user privileges:

  • Create Role (Policy)

  • Decommission Role (Delete Policy)

  • Update Role (Policy)

To manage Identity Warehouse Roles (Policies) from the UI, the following additional privileges must be assigned:

  • Access to Role (Policy) View

  • Access to My Requests