8 Oracle Identity Analytics Identity Audit

This chapter contains the following sections:

8.1 Overview

This chapter documents identity audit functionality that is available to business administrators, but not to general business users. Identity audit information for general business users is documented in the "Identity Audit" chapter in the User's Guide for Oracle Identity Analytics.

See the User's Guide for Oracle Identity Analytics to learn more about the following identity audit topics:

  • Identity audit overview

  • Understanding the identity audit user interface

  • Acting on audit policy violations

For information about configuring the identity audit module, including preventing self-remediation, see the following topic:

8.2 Working With Audit Rules

An identity audit rule has a rule condition. If, during an audit policy scan, the rule condition evaluates to true, the rule is triggered.

You can define complex rules with nested conditions based on user information, resource type attributes, role metadata, classification, and business structure metadata.

An audit rule can be in one of three states: active, inactive, or decommissioned. Only active rules associated with an identity audit policy can be scanned.

8.2.1 Impact of Rule Condition Modifications

When a rule condition is modified, all policies associated with this rule are impacted. If the modified rule is the cause of any existing open violations in the system, the cause and the associated violation will be impacted by the change in condition.

When users associated with an impacted violation are scanned against the policies associated with the modified rule, the system takes the following actions on the violation:

  1. The system checks to see whether the modified condition still causes an exception.

  2. If the rule condition still results in an exception, then the system sets the violation cause status to "Active." Otherwise, the system sets it to "Inactive."
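The following Python illustration (added here; it is not Oracle Identity Analytics code and does not use its APIs) models the two points above: a rule condition as nested AND/OR groups over User, Role and Business Unit attributes, and the rescan behaviour of section 8.2.1, where a cause stays "Active" only while the modified condition still produces an exception. The object names, sample users and the "AP SoD" rule are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Condition:          # leaf: Object.attribute <operator> value, as in the New Rule wizard
    obj: str
    attribute: str
    operator: str
    value: str

@dataclass
class Group:              # conditions joined with AND/OR (the wizard's Group button); may nest
    op: str
    children: list

def evaluate(rule, subject: dict) -> bool:
    """True when the rule condition is an exception for this subject, i.e. the rule is triggered."""
    if isinstance(rule, Group):
        results = [evaluate(c, subject) for c in rule.children]
        return all(results) if rule.op == "AND" else any(results)
    values = subject.get(rule.obj, {}).get(rule.attribute, [])
    values = values if isinstance(values, list) else [values]
    if rule.operator == "equals":
        return rule.value in values
    if rule.operator == "contains":
        return any(rule.value in str(v) for v in values)
    raise ValueError(f"unsupported operator {rule.operator!r}")

def rescan(violations: list, rules: dict, subjects: dict) -> list:
    """Section 8.2.1: re-evaluate each violation cause against the current (possibly modified)
    rule condition; still an exception -> cause status 'Active', otherwise 'Inactive'."""
    for v in violations:
        triggered = evaluate(rules[v["rule"]], subjects[v["user"]])
        v["cause_status"] = "Active" if triggered else "Inactive"
    return violations

# Constructed sample data (not from the product): alice holds two conflicting AP roles.
SUBJECTS = {
    "alice": {"Role": {"name": ["AP Clerk", "AP Approver"]}, "Business Unit": {"name": "Sales"}},
    "bob": {"Role": {"name": ["AP Clerk"]}, "Business Unit": {"name": "Finance"}},
}

def initial_rules() -> dict:
    return {"AP SoD": Group("AND", [Condition("Role", "name", "equals", "AP Clerk"),
                                    Condition("Role", "name", "equals", "AP Approver")])}

def demo() -> list:
    rules = initial_rules()
    violations = [{"user": u, "rule": "AP SoD", "cause_status": "Active"}
                  for u, s in SUBJECTS.items() if evaluate(rules["AP SoD"], s)]
    # Modify the rule: the conflict now only counts inside the Finance business unit.
    rules["AP SoD"] = Group("AND", [rules["AP SoD"], Condition("Business Unit", "name", "equals", "Finance")])
    return rescan(violations, rules, SUBJECTS)
```

Running demo() shows alice's violation opened by the original scan and its cause set to "Inactive" on rescan, because the tightened condition no longer matches her business unit.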

8.2.2 Impact of Adding / Removing Rules in a Policy

An administrator may remove one or more rules from a policy only if all violations associated with that policy are in the "Closed" state. So if you intend to remove rules, you must change all unresolved (Open, Closed as Fixed, Closed as Risk Accepted) violations to the "Closed" state.

An administrator may add new rules to an existing policy. However, this change can impact some existing unresolved violations. The next time the modified policy is scanned, existing open violations that are impacted by this change are updated and new ones are created if the new rules have caused exceptions.

8.2.3 To Create Audit Rules

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Audit > Rules.

  3. Click New Rule.

    The New Rule form wizard opens.

  4. Enter a name and description for the rule, and select whether the rule should be Active or Inactive.

  5. Create one or more conditions for the rule.

    Select the Object (User, Role, Business Unit, or Resource Types), the corresponding attribute, and the rule condition, and enter the value. You can use operators such as AND and OR to add more conditions.

    Use the Group and Ungroup buttons to create complex conditions.

  6. Click Save.

    The rule is created and is displayed on the Rule page.

8.2.4 To Edit / Change the State of an Audit Rule

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Audit > Rules.

    All the rules that have been created are displayed.

  3. Click the rule that you want to edit or to make active/inactive.

    The Edit Rule page opens.

  4. Edit the fields as required.

  5. Change the state to Active, Inactive, or Decommissioned as required.

    Note:

    A decommissioned rule is made permanently inactive and cannot be activated again. All information about the rule, however, is retained in Oracle Identity Analytics.

  6. Click Save.

8.3 Working With Audit Policies

An identity audit policy is a collection of audit rules that together enforce SoD business policies. Audit policies consist of metadata, such as the audit policy name, description, severity, creation date, and update date. Audit policies have designated policy owners and policy remediators.

An identity audit policy owner is responsible for the definition of the policy and approves any changes made to the policy. However, it is the remediator's responsibility to take action on an audit policy violation and fix the violation.

8.3.1 To Create Audit Policies

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Audit > Policies.

  3. Click New Policy.

  4. Enter the following details:

    • Name - Name of the policy.

    • Description - A short description of the policy.

    • Severity - Select from High, Medium, or Low. This information is displayed in the Identity Audit dashboard.

    • Status - Select from Active or Inactive.

    • Owner - Name of the owner of the policy. Use the Search option provided to search for the owner. For help using search, see the "Searching For a User" section in the "Identity Warehouse" chapter of the User's Guide for Oracle Identity Analytics.

  5. Complete the Remediator section of the form to choose the user who will act as the remediator for any policy violations:

    • Primary - The primary remediator, who takes precedence over the Default remediator.

    • Default - Name of a remediator. Use the search option provided to search for the remediator.

  6. Click Next.

  7. Click the Add Rules button.

    The Add Rules to Policy page opens.

  8. Select the rules that you want to assign to the policy, or click the New Rule button in the top-left corner to create a new rule for the policy. Multiple rules can be assigned to the policy.

  9. Click OK to close the Add Rules to Policy page.

  10. Click Finish.

    The new policy is created and appears on the Policy page.

8.3.2 To Edit / Change the State of an Audit Policy

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Audit > Policies.

    All the policies that have been created are displayed.

  3. Click the policy that you want to edit or to make active/inactive.

    The Edit Policy page opens.

  4. Edit the fields, as required.

  5. Change the state to Active, Inactive, or Decommissioned, as required.

    Note:

    A decommissioned policy is made permanently inactive. This policy cannot be activated again. However, all information about the policy is retained in Oracle Identity Analytics.

  6. Click Save.

8.3.3 To Preview Audit Policy Scan Results

Previewing a policy displays the policy scan results without saving them.

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Audit > Policies.

    A list of policies is displayed.

  3. Find the policy that you want to preview and click Preview.

  4. When the User Selection Strategy page opens, select one of the following:

    • All Business Structures - Shows results for all the business structures in Oracle Identity Analytics.

    • Selected Business Structures - Shows results on the business structures you select.

    • All Users - Shows results on all users in Oracle Identity Analytics.

    • Users Criteria - Shows results for the users who match a condition that you create.

      Click Preview to get an idea of the set of users selected.

    • Selected Users - Shows results on the users you select individually.

  5. When a Summary page is displayed, click Preview.

    The View Results page opens showing the status.

  6. Click the Policy to view the Scan Job > Policy Violation Preview.

  7. Do one of the following:

    • To save the results, click Apply.

    • To delete the results, click Don't Apply.

After an audit policy scan runs, the results are saved to the system. To view the results of the policy scan, click View Results.

Note - The identity audit preview scan results are available only for one day after the scan is complete. Therefore, it is recommended that you apply or discard the results as soon as the scan is complete.

8.3.4 To Run An Audit Policy

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Audit > Policies.

    A list of policies is displayed.

  3. Find the audit policy scan that you want to run and click Run. You can select multiple policies as well.

    The User Selection Strategy page opens.

  4. Select from the following options:

    • All Business Structures - Shows results based on the business structures in Oracle Identity Analytics.

    • Selected Business Structures - Shows results based only on the business structures you select.

    • All Users - Shows results based on all users in Oracle Identity Analytics.

    • Users Criteria - Shows results based on a condition that you create and that applies to users. Click Preview to get an idea of the set of users selected.

    • Selected Users - Shows results based only on the users you select.

  5. Click Next.

    The Summary Page opens.

  6. Do one of the following:

    • To run a policy immediately, click Run Now.

      A Policies Are Saved for Scan message appears after Oracle Identity Analytics has finished scanning the policy against the chosen criteria.

      • To view the policy scan results, click View Results.

        The Status column displays the number of violations.

      • Click Close.

    • To run a policy at a later time or date, click Run Later.

      The Schedule Job page opens.

      • Enter a task name and description, and select the time and day for the task to start.

      • Click Next.

        The Summary page opens.

      • Click Schedule.

        The scan job is scheduled for the desired day and time.