Create and Perform Policy Review Campaigns with Oracle Access Governance

Introduction

Oracle Access Governance addresses the growing challenges security owners face in dealing with the increase in advanced security threats and regulations. This cloud-native solution helps meet governance and compliance requirements across many applications, workloads, infrastructures, and identity platforms.

Policy Review Campaigns involve running on-demand (one-time or periodic) policy review campaigns to ensure that the Identity and Access Management (IAM) policies remain relevant, accurate, and aligned with the organization’s goals and objectives.

For more information on Oracle Access Governance, see:

Objectives

In this tutorial, you will learn to:

Intended Audience

This tutorial is designed for the Campaign Administrator to learn about creating policy review campaigns in the Oracle Access Governance Console. It also covers the responsibilities of the Cloud Access Reviewer, who performs (accepts or revokes) review tasks on OCI IAM policies and so makes informed decisions on currently active IAM policies.

Prerequisites

You must have:

Tutorial Scenario

Betty Cook, the cloud security owner of Acme Corporation, wants to set up quarterly periodic reviews of OCI IAM policies for one of the domains, and take appropriate actions so that these policies remain relevant, accurate, and aligned with her organization’s goals and objectives.

Let’s see how policy review campaigns are created in the Oracle Access Governance Console and how to perform policy review tasks to make informed decisions.

Scenario Workflow:

  1. In this tutorial, you will first log on as Access Governance Campaign Administrator to the Oracle Access Governance Console.
  2. Create Policy Review Campaigns to review policies on an OCI domain.
  3. Then, log on as Access Governance Cloud Access Reviewer to examine review tasks and make a review decision (accept or revoke) on a policy.

Task 1: Sign in to Oracle Access Governance Console

  1. From your browser, go to the Oracle Access Governance Console.
  2. In the Username field, enter the Oracle Access Governance Campaign Administrator or Administrator username.
  3. In the Password field, enter your password and select Sign In.

You will be navigated to the home page of your Oracle Access Governance Console.

Task 2: Create a Policy Review Campaign

  1. On the Oracle Access Governance Console home page, under the Access Reviews tab, scroll down and select the Define a new campaign tile. Alternatively, you can select Navigation Menu -> Access Reviews -> Campaigns. On the Campaigns page, click the Create a campaign button.


Choose Selection Criteria

  1. Click Select on the Review access to Oracle Cloud Infrastructure tile.

  2. In the Selection criteria step, select the Which tenancies? tile. You will see a list of available cloud tenancies.

  3. Select an appropriate cloud tenancy. In this tutorial, select the oracleidm tenancy. A green tick is marked against your selection. You can further refine your selection by selecting a specific compartment and a domain, to run domain-specific policy reviews.

  4. In this tutorial, select the Refine further link.


  5. In the Select one or more compartment list, select an appropriate compartment, and then click Apply.


  6. Move on to the next step to select policies that you want to review. Select the Which policies? tile. You will see a list of available policies in the domain that you selected.

  7. Select the policies that you want to review. In this tutorial, select Admin_Policy and Users_Policy and then click Apply my selections.


    Note: You can search the policies by policy name, or narrow down your search results by applying predefined date filters.

Assign Policy Review Workflow

  1. Proceed to the Assign workflow step. To do this, click I’m good, go to workflows. Here, you can define the approval workflow for your review tasks.
  2. You can modify the suggested workflow by clicking the I’ll choose my own workflow button. In this tutorial, you do not need to modify the suggested workflow; click Next.

Add Policy Review Campaign Details

  1. In the Add details step, you can define the frequency (one-time or periodic) at which to run an access review campaign, give a meaningful name to your campaign, add a supporting description, and assign values to additional attributes, such as who owns it and when the campaign should start or end.

  2. For this tutorial, make the following changes in the Add details step:

    • How often do you want this to run?: Quarterly
    • What do you want to call this campaign?: PolicyReview_OCI_IAM
    • How do you want to describe this campaign?: PolicyReview_OCI_IAM
    • Who owns this campaign?: Me
  3. Select the start and end dates of this campaign. This policy review campaign will run every quarter, from the start date until the end date.

  4. Click Next.

  5. The Review and submit step displays the information you have added in the previous steps. Select Create to create the campaign. Your campaign is scheduled and is displayed on the Campaigns page. It will run at the mentioned start date and time.


Task 3: Perform Policy Review Tasks

In this task, you will log on as the Cloud Access Reviewer to review and certify OCI IAM review tasks raised by the campaign created in the previous task.

  1. On the Oracle Access Governance Console home page, from the navigation menu, select Access Reviews -> My Access Reviews. You will see the My Access Reviews page. By default, the Identity review tasks tab is opened, which you will use to conduct user access reviews.

  2. To view review tasks created by your policy review campaign, click the Access control review tasks tab. You will see all policy access review tasks assigned to you as a reviewer. Oracle Access Governance uses an in-house analytics-based intelligence system to provide accept/review recommendations.

  3. For this tutorial, let’s check the recommendations given by Oracle Access Governance. Here, the Admin_Policy is marked for Review and Users_Policy is marked to Accept.


  4. Let’s check out the Insights generated by Oracle Access Governance. For Admin_Policy, click the corresponding Actions links under the Insights column.

  5. On the Insights page, you can view our recommendation for the policy review task. In the left panel, you can view the policy information. On the right, you can view a complete list of actionable and non-actionable policy statements, view policy details to see who and what the policy statement is granting access to, and make appropriate decisions on each statement.


  6. To make a review decision, you can either revoke all or accept all actionable statements in that policy at once, or make a decision individually on each policy statement. For this tutorial, let’s revoke the first policy to manage all-resources in compartment ag_oci_tutorial, as this policy is overly permissive.

  7. Click Apply. The Confirmation dialog box is displayed.

  8. Provide justification and then click Submit.


The closed loop access remediation will take place automatically.

Note: You may check the remediation status by downloading the CSV file from the campaign details page or verify it from your cloud account.
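
A pre-screen for the kind of statement revoked in step 6 of Task 3, shown here as an added example that is not part of Oracle Access Governance or of the original tutorial: it parses basic OCI IAM Allow statements and flags unconditioned manage all-resources grants before a reviewer opens the task. The group names, the sample statements and the revoke/review/accept heuristic are assumptions; only the compartment name ag_oci_tutorial comes from the tutorial.

```python
import re

# Basic OCI IAM form: Allow <subject> to <verb> <resource-type> in <location> [where <conditions>]
STATEMENT_RE = re.compile(
    r"^\s*allow\s+(?P<subject>.+?)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>[\w-]+)\s+in\s+(?P<location>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<condition>.+?))?\s*$",
    re.IGNORECASE,
)

def parse_statement(text):
    """Return the statement's parts as a dict, or None if it is not a basic Allow statement."""
    m = STATEMENT_RE.match(text)
    if not m:
        return None
    parts = m.groupdict()
    parts["verb"] = parts["verb"].lower()
    parts["resource"] = parts["resource"].lower()
    parts["location"] = " ".join(parts["location"].split())
    return parts

def review_hint(text):
    """Suggest 'revoke', 'review' or 'accept' with a simple breadth heuristic (an assumption)."""
    parts = parse_statement(text)
    if parts is None:
        return "review"  # anything unparsed (Endorse, Admit, Define, ...) goes to a human
    broad = parts["verb"] == "manage" and parts["resource"] == "all-resources"
    if broad and parts["condition"] is None:
        return "revoke"  # unconditioned full control, the case revoked in step 6
    if broad or parts["verb"] == "manage" or parts["location"].lower() == "tenancy":
        return "review"  # wide verb or wide scope: needs a closer look
    return "accept"

# Constructed sample statements; only the compartment name comes from the tutorial.
SAMPLE_POLICY = [
    "Allow group Admins to manage all-resources in compartment ag_oci_tutorial",
    "Allow group Admins to manage all-resources in compartment ag_oci_tutorial where request.region='phx'",
    "Allow group Users to read instances in compartment ag_oci_tutorial",
    "Allow group Auditors to inspect all-resources in tenancy",
    "Endorse group Admins to manage object-family in any-tenancy",
]

def triage(statements):
    """Pair each statement with its hint, keeping the original order."""
    return [(review_hint(s), s) for s in statements]

if __name__ == "__main__":
    for hint, statement in triage(SAMPLE_POLICY):
        print(f"{hint:7} {statement}")
```

The hints only order the reviewer's attention; the accept or revoke decision is still made per statement on the Insights page.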

This concludes the tutorial on creating and performing OCI IAM policy reviews.
