Perform Access Review

Access reviews can be carried out from the Oracle Access Governance Console by any user with the User application role.

Any OCI user that logs into the Oracle Access Governance Console is automatically assigned the User application role. A user with this application role can perform access reviews but must be associated with the specific approval workflow assigned to the review. This means that a User cannot simply carry out any review in the system; they must be associated with the review through an approval workflow. For example, if UserA is the reviewer for WorkflowA and UserB is the reviewer for WorkflowB, then UserA can only access reviews assigned to WorkflowA and UserB can only access reviews assigned to WorkflowB. If UserC is not associated with any approval workflow, then that user cannot perform tasks against any reviews.

Users can review identity and access control review tasks. They can bulk approve low-risk items, check the AI/ML-equipped prescriptive analytic insights, review high-risk items, and make informed decisions based on the AI/ML-driven recommendations provided by Oracle Access Governance.

Identity Review Tasks

Identity review tasks include audits of user access rights carried out by campaigns that run periodically, on demand, or on the occurrence of certain identity events. These access review tasks help organizations evaluate user accounts, entitlements, and roles; make informed decisions based on the AI/ML-driven recommendations; and deter any harm that could be caused by misuse of access rights.

Identity access review tasks can be carried out by users with the following roles:
  • User (review access assigned to me/self)
  • Manager (review access assigned to users in my team)
  • Owner (review access assigned to users over resources I own)
  • Custom Reviewer (review access tasks assigned to a user other than end-user, manager, or owner. The default value is Me)
To perform an identity access review:
  1. In the Oracle Access Governance Console, select Access Reviews, and then My Access Reviews from the navigation menu.
    You navigate to the My Access Reviews page. You can search for a specific access review task by identity name or policy name, or apply the given filters to narrow down the search results. You can also view the count of total identity and policy review tasks assigned to you as a reviewer. By default, you see the Identity review tasks tab. Select the Access control review tasks tab to view and take appropriate actions on the IAM policies.

On the Identity review tasks tab, you see all user and event-based review tasks assigned to you as a reviewer. The following information is displayed for each review item:

  • Identity name
  • Manager Name
  • Assignment name
  • Assignment type
  • Due days
  • Review source
  • Recommendation
  • Insights
  • Actions

The Insights column has a link for each review item which, when clicked, takes you to the Insights page. The insights are based on our in-house AI/ML-equipped prescriptive analytic-based Identity Intelligence system. At a high level, analysis of the permission is based on the following factors:

  • Comparison with peers reporting to the same manager
  • Comparison with peers with the same job code
  • Comparison with peers in the same organization
  • Recent changes in a user profile

On the Insights page, based on the analysis, you can view the recommendation for the access review task. On the left panel, you can view the access rights information for that identity. On the page, you can view the graphical insights based on the analysis factors, the series of access review tasks initiated for that identity since the specific permission was granted, and recent change events related to that identity.

To make a review decision:

  1. You can either revoke or accept a review item. This can be done either from the Insights page or by selecting the relevant option in the Actions column on the My Access Reviews page.
  2. To revoke a review item, select Revoke. In the confirmation pop-up dialogue, add a Justification and select Submit. You will be taken back to the My Access Reviews page and a confirmation that the decision has been saved will display.

    Note:

    • To approve an access privilege, all the reviewers must approve the review item. However, to revoke an access privilege, the first revoke by a reviewer at any level is final.
    • If you revoke an Account task, then it will auto action to revoke all the related entitlement tasks.
    • If you accept an entitlement (Role or Permission) task, then it will auto action to accept the related Account tasks.
    • When you revoke a review item, the item is remediated automatically. A request is sent back to the orchestrated system to revoke the item in the back-end system. No manual steps are required.
  3. To accept a review item, select Accept. In the confirmation pop-up dialogue, add a Justification and select Submit. You will be taken back to the My Access Reviews page and a confirmation that the decision has been saved will display.
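The decision rules in the note above (every reviewer must approve, the first revoke at any level is final, and the Account/Entitlement auto-actions), modelled as an added Python example that is not Oracle's code. The item ids, reviewer names, and the treatment of an auto-action as a decision the system records on the acting reviewer's behalf are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class ReviewItem:
    """One identity review task: an Account task or an Entitlement task."""
    item_id: str
    kind: str                 # "account" or "entitlement"
    reviewers: tuple          # every reviewer in the approval workflow
    related: tuple = ()       # ids of linked account/entitlement tasks
    decisions: dict = field(default_factory=dict)  # reviewer -> "accept"/"revoke"

def status(item):
    """First revoke by a reviewer at any level is final; approval needs all."""
    if "revoke" in item.decisions.values():
        return "revoked"
    if all(item.decisions.get(r) == "accept" for r in item.reviewers):
        return "approved"
    return "pending"

def record_decision(items, item_id, reviewer, decision, auto=False):
    """Record a decision and apply the auto-action rules from the Note."""
    item = items[item_id]
    # Only reviewers on the item's approval workflow may act (auto-actions
    # are recorded by the system on the reviewer's behalf: an assumption).
    if not auto and reviewer not in item.reviewers:
        raise PermissionError(f"{reviewer} is not a reviewer on this workflow")
    if status(item) != "pending":
        return status(item)  # a final decision cannot be reopened
    item.decisions[reviewer] = decision
    if decision == "revoke" and item.kind == "account":
        # Revoking an Account task auto-revokes all related entitlement tasks.
        for rid in item.related:
            if items[rid].kind == "entitlement":
                record_decision(items, rid, reviewer, "revoke", auto=True)
    elif decision == "accept" and item.kind == "entitlement":
        # Accepting an entitlement task auto-accepts the related Account tasks.
        for rid in item.related:
            if items[rid].kind == "account":
                record_decision(items, rid, reviewer, "accept", auto=True)
    return status(item)

def build_sample():
    """Constructed sample: one account, two entitlements, two-level workflow."""
    wf = ("manager", "owner")
    return {
        "A1": ReviewItem("A1", "account", wf, related=("E1", "E2")),
        "E1": ReviewItem("E1", "entitlement", wf, related=("A1",)),
        "E2": ReviewItem("E2", "entitlement", wf, related=("A1",)),
    }
```

Once the owner revokes the account, the cascaded revoke closes both entitlement tasks, and a later accept by the manager is ignored because the revoke is final.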

Oracle Access Governance lets you reassign one or more review items to other users. Reassigning a review task is different from delegating a review task, as reassignment changes the ownership of the review items. In a reassignment, the review tasks are moved from the original reviewer and assigned to the new reviewer. Only the new reviewer can see the reassignment details in the access review trail.

Note:

You cannot reassign self-review (one where a user is the beneficiary as well as the approver), delegated, or escalated review tasks. The Reassign button for these review tasks will be disabled on the console.

  1. To reassign a task to other users, select the Reassign icon. In the confirmation pop-up dialogue, select the new reviewer, add justification, and then select Submit.

Access Control Review Tasks

Access control review tasks include audits of Identity and Access Management (IAM) policies and identity collections, initiated by access control review campaigns that run periodically or on demand. These tasks help organizations evaluate access control of cloud resources down to the statement level, review high-risk policies, make informed decisions based on the AI/ML-driven recommendations, and deter any harm that could be caused by misuse of policy permissions.

Policy access review tasks can be carried out by users with the following roles:
  • Admin Custom Reviewer (review cloud resources such as OCI IAM Policies, and identity collections)
  • Administrator (modify, delete, monitor all access review campaigns)
To perform an access control review task:
  1. In the Oracle Access Governance Console, select My Access Reviews from the navigation menu. You navigate to the My Access Reviews page.
    By default, you see the Identity review tasks tab. Select the Access control review tasks tab to view and take appropriate actions on the IAM policies and identity collections. You can search for a specific access review task by policy name, or apply the given filters to narrow down the search results. You can also view the count of total identity and access control review tasks assigned to you as a reviewer.

On the Access control review tasks tab, you will see all access control review tasks assigned to you as a reviewer. The following information is displayed for each review item:

  • Name
  • Type
  • Owner
  • Due days
  • Review source
  • Recommendation
  • Insights

Note:

If you have modified policies or identity collections since the review tasks were generated, the updated policies or identity collections are not considered for review. To include them, either wait for the next periodic campaign to run, or create a fresh campaign after the incremental data load operation.

The Insights column has an Actions link for each review item which, when clicked, takes you to the Insights page. The insights are based on our in-house AI/ML-equipped prescriptive analytic-based Identity Intelligence system.

On the Insights page, you can view our recommendation for the policy review task. On the left panel, you can view the policy or identity collection information. On the right, you can view a complete list of actionable and non-actionable statements, view details, and make appropriate decisions on each statement.

You can also view the series of access review tasks initiated for that policy or identity collection since it was granted. Non-actionable statements grant no access rights, so no action can be taken on them; an example is a rule statement that only defines a construct which other policy statements can then use to grant access rights.

To make a review decision, you can either revoke all or accept all actionable statements in that policy at once, or make a decision individually on each policy statement and then select Apply. By default, all the actionable statements are selected with a tick icon. The final remediation decision is submitted per policy, and then sent to the orchestrated system for closed-loop access remediation.

  1. From the Insights page, to accept or to revoke statement(s):
    • To revoke all statements at once, select Revoke all.
    • To revoke an individual statement, select the cross icon to revoke access for that policy statement. Repeat this action on each statement that you want to revoke.
    • To accept all statements at once, select Accept all.
    • To accept an individual statement, select the tick or check mark icon to accept the statement. Repeat this action on each statement that you want to accept.

    Note:

    • To approve a policy, all the reviewers must approve the review item. However, to revoke an access privilege, the first revoke by a reviewer at any level is final.
    • When you revoke a policy, the policy is remediated automatically. A request is sent back to the orchestrated system to revoke the item in the back-end system. No manual steps are required.
  2. After you have finalized the decision on all the statements, select Apply.

    The confirmation pop-up dialogue is displayed. The count for statements that you selected to accept and revoke is displayed. Add your comments in the Justification field, and then select Submit. You will be taken back to the My Access Reviews page and a confirmation that the decision has been saved will display.

You can reassign access reviews from the Insights page. This moves the access review tasks from the original reviewer's list and assigns them to the new reviewer. You cannot reassign a delegated or an escalated access review task.

  1. To reassign access reviews, select the Reassign button. In the confirmation pop-up dialogue, select a new reviewer, add justification, and then select Submit.

Ownership Review Tasks

Ownership review tasks include audits of Identity and Access Management (IAM) unmatched accounts, initiated by event-based access reviews. These tasks help organizations match unmatched accounts with identities in Oracle Access Governance.

Ownership review tasks can be carried out by users with the following roles:
  • Application owner: The owner of the application to which the unmatched account is related.
  • Custom user: A custom user specified when enabling the unmatched accounts access review.
To perform an ownership review task:
  1. In the Oracle Access Governance Console, select My Access Reviews from the navigation menu. You navigate to the My Access Reviews page.
    By default, you see the Identity tab. Select the Ownership tab to view and take appropriate actions on any unmatched accounts. You can search for a specific access review task by policy name, or apply the given filters to narrow down the search results. You can also view the count of total identity, access control, and ownership review tasks assigned to you as a reviewer.

On the Ownership tab, you will see all access control review tasks assigned to you as a reviewer. The following information is displayed for each review item:

  • Name
  • Type
  • Due days
  • Review source
  • Recommendation

The View link for each review item, when clicked, takes you to the Insights page. The insights are based on our in-house AI/ML-equipped prescriptive analytic-based Identity Intelligence system.

On the Insights page, you can view our recommendation for the ownership review task. On the left panel, you can view the unmatched account information. On the right, you can view details and make appropriate decisions based on them.

To make a review decision, you can either select an Oracle Access Governance identity to match the account to, or remove the unmatched account from the orchestrated system. You can also reassign the review to another user.

  1. From the Insights page, to apply a match to an unmatched account:

    Select the Select an identity button, which will open the Match account to identity panel.

    • Two tabs are displayed:
      • Suggested identities: This provides suggestions for the identities you can match to your unmatched account. You can accept one of the suggestions, or navigate to the All identities tab and search for an identity to match with.
      • All identities: Allows you to search for the identity you want to match the account to.
    • Select the identity you want to match, and click Match.
    • Select Apply to match the unmatched account to the identity you selected.
  2. From the Insights page, to remove an unmatched account from the orchestrated system:
    Select Remove to remove the unmatched account from the orchestrated system.
  3. From the Insights page, to reassign the review to another user:
    Select Reassign to assign the review to another user.