Access Governance

Oracle Access Governance can be integrated with target identity systems by defining a connected system. A connected system allows you to load data from a remote target identity system into Oracle Access Governance. The connected system will define parameters, such as connection details, that are required to access remote identity data. Where a direct connection between Oracle Access Governance and the target identity system isn't possible, an agent might be deployed to act as a bridge between the two.

A connected system is the footprint definition for a target identity system that can be integrated with and provide data to Oracle Access Governance. After it's defined, the connected system enables integration and data synchronization between target identity systems and Oracle Access Governance through a direct connection or an agent.

The core component of the access governance cloud service is the access governance instance that provides physical separation of data and configuration for Access Governance. In the On-Premises area of the left-hand side of the diagram, there's an example of on-premises connected systems. Some of these systems might be authoritative sources that manage identity information. Some could be target systems in which you want to manage access to the resources.

One of the key design principles of Access Governance is to enable codeless and intuitive integration to connected systems. Most on-premises systems use an agent-based architecture to integrate with Access Governance. For each connected system where no direct connection between AG and the target system is available, an agent is generated when the connected system is configured. The agent must be downloaded and run in order to integrate the connected system with Access Governance. The agent is typically a container image that runs as a microservice. You can have one or more of these systems connected to access governance.

The previous diagram shows the integration of Oracle Identity Governance (OIG) and Access Governance. OIG is integrated to Access Governance through an OIG agent that can be run in the same virtual machine (VM) where OIG runs or a standalone VM instance with a compatible container engine that's either Docker or Podman.

Cloud-based connected systems might also be authoritative sources or target systems. For many of the cloud based connected systems, direct integration is provided. For example, you can integrate with OCI IAM using an API key. The following diagram shows the integration of Oracle OCI with Access Governance.

You can establish a connection between Oracle Cloud Infrastructure Identity and Access Management (OCI IAM) and Oracle Access Governance by entering connection details and configuring your cloud service provider environment. To achieve this, use the Connected Systems option in the Oracle Access Governance Console. This integration is done through an API Key. An API Key is created for the AGCS user and configured in the connected systems page. Once connected, policy reviews can be performed for the OCI policies.

Oracle Access Governance automatically fetches core and custom attributes defined in a connected system. Details of attributes are automatically loaded into Access Governance when data is loaded from a connected system. If you create further custom attributes in the target system, following initial data load, you can refresh the custom attributes in the Access Governance schema so that the latest custom attributes are included in the next data load.

You can use these attributes in Oracle Access Governance to perform various functions, such as running access reviews campaigns, choosing identities for identity collections, defining event-based certifications, or applying attribute conditions to enable/disable the available identity data set.

The identity marking feature lets administrators activate or inactivate identities within the service, and flag identities as workforce or consumer users. It's important to understand the meaning of this terminology in Access Governance.

• Active identities: Identities flagged as active within the Oracle Access Governance service, which enables the main features including access reviews and access control.
• Inactive identities: Identities flagged as inactive within the Oracle Access Governance service which are not governed by Active Governance and not considered for billing.
• Workforce Users: Users who are typically employees that require access to Access Governance and whose identities are actively governed. These users can actively perform review or management activities in AG.
• Consumer Users: Users who have no access to the Access Governance service and their access privileges need to be assigned or managed by others.

One of the first steps in configuring Active Governance is to mark the identities appropriately as workforce or consumer user and activate them within the Active Governance system.

As an Oracle Access Governance user, you can request access to resources and roles. Requests can be made for yourself or for others. This process creates an access request that's granted without further action or is subject to an approval workflow.

• The process uses a self-service approach with a simplified access catalog.
• Access Governance provides a modernized user experience to raise and track access requests and to approvals.
• The approval workflow is customizable to the needs of the organization.
• Access Governance improves productivity by automating fulfilment for approved access privileges.

Every permission or role that needs to be assigned to a user must be processed through an approval workflow. As a resource administrator, you must design the workflow by specifying the required approval level and the number of approvers. You can use these workflows to obtain approvals before assigning or revoking user privileges.

For example, when a user requests access to an access bundle by way of Access Governance, the approval workflow associated with that access or permission triggers a notification through email to the approvers, who then review the request and approve it, reject it, or can request more information. The result of the approval process is updated in the permissions management system.

Workflows provided out of the box with Oracle Access Governance include the following features: 

• Reviewers are notified about assigned and pending access reviews.
• Oracle Access Governance supports one-level, two-level, and three-level access review workflows.
• Access reviews can be accepted or revoked.

Workflows in Oracle Access Governance enable:

• Fully configurable workflow creation with no coding.
• Workflows that support multi-stage approvals where the approvers can be configured.
• Ability to configure if all or one of the approvers need to approve the request
• Suggestions for intelligent workflow based-on selected criteria.
• Support for escalation approvers in cases where the approvers didn't take action.

Attribute-based access control (ABAC) is a method of controlling access to resources based on the attributes of the user and the resource. Attributes can include the user's job function, department, location, and time of day. Access Governance uses identity collections for ABAC.

Identity collections are groups of identities based on shared attributes or named identities. These identities are on boarded from connected systems using identity orchestration.

Identity Collections simplify tasks by letting you configure features for a collection of identities, instead of for each identity. You can use identity collections to: 

• Associate identities with appropriate access bundles or roles using policies.
• Delegate Access Review tasks to an Identity Collection.
• Assign as approvers in approval workflows.

Enterprises have multiple applications and services to which access needs to be controlled. Each of these applications might define multiple permissions that need to be granted based on the role of the user. Sometimes these permissions are coarse grained and sometimes they are fine grained. While it is possible to grant these permissions individually to users, it can be complex and error prone. Typically based on the use case, the users would require a set of permissions to perform their tasks. Granting only part of these permissions would cause issues and delays in performing their duties.

Access bundles are based on using a set of permissions that are always grouped together to perform the responsibilities of the user.

An access bundle is a collection of permissions that package access to resources, application features, and functionality into a requestable unit. A specific access bundle is associated with a single target. Users of a particular resource aren't required to request each permission associated with that resource. Instead they request the access bundle for that resource. This simplifies the process of requesting resource permissions.

For example, you can create an access bundle for developers using the target application Oracle Integration. You could call this bundle Integration Developer Access, and select read, edit, and create permissions required for an integration developer to use the application. When a developer in your organization needs to request developer access to the Oracle Integration application, they only need to request the bundle, not the individual permissions. Access bundles are managed by application owners and are can be requested from the access catalog.

Once you define the access bundle, it can be assigned to roles or used in policies to grant the set of permissions. Roles and policies are typically managed by administrators, which provides a way to separate duties.

Role-based access control (RBAC) is a method of controlling access to resources based on the roles that users have. Roles are assigned to users based on their job function, department, or other criteria.

In Access Governance, a role is a group of access bundles for one or more applications and services. The access bundles contained within a role can span multiple targets. An example might be a role of database administrator, which groups together the DB Admin for Oracle. DB Admin for DB2, and DB Admin for MySQL access bundles. This lets you create roles that combine the relevant access bundles for performing that role. These roles can then be associated with identities by way of policies. A role doesn't provide access to a resource by default. Access is given to an identity when a role is assigned to that identity by way of a policy or self-service request. Roles are managed by role administrators and can be requested from the access catalog.

Policy-based access control (PBAC) is a method of controlling access to resources based on policies. Policies are rules that define who can access what resources and under what conditions.

Policies associate resources and permissions with identities by way of roles and access bundles. The following diagram shows how you can maintain policies within the Access Governance service.

Identity collections are a group of user identities defined based on attributes. The users need access to the applications and services, and the permissions are put into access bundles. Roles can group access bundles based on use cases. Policies associate the identity collections with roles or access bundles. PBAC enables birth-right and just-in-time access, and provides a way of centralizing policy management and access reviews that can be managed by internal auditors and compliance administrators.

An access review campaign is a systematic process for reviewing and updating user access to resources. Access review campaigns are typically conducted on a regular basis, such as annually or quarterly, to ensure that users only have access to the resources they need to do their jobs.

Access review campaigns typically involve the following steps:

• Create the campaign.
• Define the scope for the campaign by choosing what is including in the review.
• Configure the approval workflow.
• Schedule the campaign as one-time or periodic campaign which eliminates the need for manually keeping track of these campaigns.
• Run the campaign.

The campaign is completed after all the review tasks are completed.

Access review campaigns are an important part of your security posture. By regularly reviewing user access, you can help to mitigate the risk of unauthorized access to sensitive data and systems.

Access review campaigns from Oracle Access Governance are used to review access rights. Access Governance supports the following types of access review campaigns:

• User access review campaigns: Comprises a group of access reviews for members of your enterprise population where individual access to a specific source is checked and either certified or remediated.
• Policy reviews campaigns: Comprises a group of policy reviews that evaluates access control of Identity and Access Management (IAM) policies.
• Event-based access reviews: Access reviews initiated automatically by Oracle Access Governance when one or more predefined event types occur.
• Identity collection review campaigns: One-time or periodic access review campaigns for reviewing identity collections defined in Access Governance or derived from OCI.

An access review is the review of access and permissions for an entity, typically an end user, that's carried out to confirm if the access and permissions assigned to that entity are still valid.

A campaign administrator can create one-time or periodic access review campaigns in the Oracle Access Governance Console. You can define selection criteria based on users, applications, permissions, and roles. You can also define the approval workflow to select the number of review levels, review duration, and reviewer details.

The previous diagram shows the selection criteria that scopes the access reviews. The following information describes the criteria:

• Who has access: Criteria to filter users based on standard (organization, job, location) or custom attributes.
• What they are accessing: Criteria to filter users based on resources they have access to.
• Which permissions: Criteria to filter users based on individual permissions, such as create, update, terminate, approve, or access bundles.
• Which identity collections: Lets you perform the identity collection review.

A campaign administrator can create on-demand policy reviews for OCI by defining the selection criteria based on the policies associated with users. The approval workflow can be created by selecting the number of review levels, review duration, and reviewer details.

The previous diagram shows the selection criteria that scopes the policy reviews. The following information describes the criteria:

• Who has access: Criteria to filter users based on standard (organization, job, location) or custom attributes.
• What they are accessing: Criteria to filter users based on resources they have access to.
• Which tenancies: Criteria to filter users based on the tenancies to be included in the scope.
• Which policies: Choose the policies on which the review will be performed.
• Which roles: Choose roles for which policy reviews are performed.

Event-based access reviews are access reviews initiated automatically by Oracle Access Governance when one or more predefined event types occur. The following diagram shows how event-based access reviews work.

Whenever events, such as job-code change, location change, and so on occur, the event-based access reviews are initiated. Reviewers can use these to check, certify, or remediate the impacted user or application roles, permissions, or entitlements. Event-based access reviews can be enabled for the core attributes (for example, job code, organization, location, and so on), in addition to custom attributes (for example, cost center, project code, and so on).

You can define the workflow for the review in terms of the number of review levels, duration, and who performs the review. Multi-events occur when Oracle Access Governance receives changes for more than one event-type that is associated with a single identity. A shared workflow is applied when multi-events are identified. Information on event-based access reviews can be analyzed by generating reports using the event-based report capability of Oracle Access Governance.

You might want to delegate approvals or access reviews to others for the following reasons:

• Unavailability because of vacation, sickness, or working on other tasks
• Having the most qualified person make decisions
• Developing someone's ability to handle additional assignments

The following diagram shows the concept of delegation.

In Oracle Access Governance, you can set up and manage preferences. Users can delegate tasks and activities using the Oracle Access Governance Console. You can use the My Preferences setting to assign tasks and activities to another user or identity collection. You can choose when to start this delegation process and also specify the duration of the delegation.

In Oracle Access Governance, you can delegate who performs access reviews and who performs approvals on your behalf. A task can be delegated to an individual or an identity collection. The identity collection can have one or more members in it. Duration for delegation can be set to a time range or indefinitely.

Prescriptive analytics is a type of data analytics that goes beyond describing or predicting what has happened or what might happen. It takes the next step of suggesting the best course of action to take in a given situation.

Prescriptive analytics uses a variety of techniques, including machine learning, optimization, and simulation, to analyze data and identify the best possible course of action. This can be used to improve decision-making in a wide range of areas, such as business, healthcare, and government.

Oracle Access Governance uses AI and machine learning based prescriptive analytics to provide intelligent insights and risk management. Deep analytics and high fidelity recommendations make it easy for reviewers to approve or deny the access.

Oracle Access Governance uses AI and machine learning to provide insights-based access reviews, identity analytics, and intelligence capabilities for businesses.

Some of the ways Oracle Access Governance uses AI and machine learning are:

• Peer group analysis: Oracle Access Governance uses AI to identify peer groups of users with similar access privileges. This information can be used to identify users who might have excessive access privileges.
• Outlier detection: Oracle Access Governance uses machine learning to identify users who have access patterns that are different from the norm. This information can be used to identify users who may be at risk of abusing their access privileges.
• Recommendations: Oracle Access Governance uses AI to generate recommendations for access reviews and remediation actions. This information can help you improve the security of their data.
• Automated workflows: Oracle Access Governance uses machine learning to automate tasks such as access reviews and remediation actions. This can help you improve the efficiency of their access management processes.

Access Governance, with intelligence at its core, fetches identities and gets the policies from various systems which makes it a system that can manage applications and other identity systems. With collected identities and permissions, Access Governance shows who has access to what. With policies, it can also show the intelligence for how the identities got access to permissions. With the information about usage from applications, it can also provide insight into what is happening with provisioning access. This helps you reduce risk and cost by optimizing accesses to the right people, bots, and services.

Access Governance uses a variety of techniques to provide visibility into access permissions:

• Oracle Access Governance can be used to conduct periodic or event-driven access reviews. This helps organizations to ensure that users only have the access they need to perform their jobs.
• Oracle Access Governance can be used to analyze identity data to identify potential risks, such as users with excessive access privileges or users who have left the organization but still have access to sensitive data.
• Oracle Access Governance can be used to generate reports and dashboards that provide insights into access permissions. This information can be used to improve the security of the organization's data.

Three dashboards give you more information on who has access to what, as shown in the following diagram.

The dashboards are:

• My Access
  • Users can view details of the application, cloud resources, permissions, and roles assigned to themselves.
• My Directs' Access:
  • Managers can view details of the applications, cloud resources, permissions, and roles assigned to their direct reports.
  • This feature is available based on your connected system, and not available with all supported connected systems.
• Enterprise-wide Access
  • Users with an administrator role can get a 360-degree view of all the resources and assigned permissions for those resources from the Oracle Access Governance Console.
  • On the Enterprise-wide Access page, you can view a list of the entire organization's resources and resource types across various systems connected with Oracle Access Governance and fetch which identities are currently assigned to that resource, at what permission level, and how those permissions are assigned or granted.

Security remediation is the process of identifying and addressing security vulnerabilities. It's an important part of an organization's security posture because it helps to reduce risk and improve compliance. Access Governance provides the following remediation related capabilities:

• Recommendations: Based on machine learning analytics, Access Governance helps identify and recommend the appropriate action. The remediation action could be accept or revoke as recommended by Access Governance.
• Customizable justification entry: When a reviewer takes action on the remediation, they have the option of providing justification. This is configurable in Access Governance based on the type of recommendation.
• Auto-remediation on campaign completion: When the campaign ends, Access Governance can automatically perform remediation in the Access Governance Console.

Identities from different systems are automatically correlated in Access Governance. Correlation is a capability that's the basis for providing a 360-degree view of users.

Access Governance performs the following correlation activities:

• Correlate the identities based on email ID and/or usernames.
• Combine the intelligence based on the unified identity and provide insights based on it.
• Detect unmatched identities for target systems and provide a report for troubleshooting.