Implement Event-Based Access Reviews with Oracle Access Governance

Introduction

Oracle Access Governance addresses the growing challenges security owners face in dealing with the increase in advanced security threats and regulations. This cloud-native solution helps meet governance and compliance requirements across many applications, workloads, infrastructures, and identity platforms.

Event-Based Access Reviews are action-oriented access reviews that Oracle Access Governance raises when one or more predefined event types occur. Whenever an event such as a job-code change or a location change occurs, the event-based access review feature lets reviewers check, certify, or remediate the impacted user's or application's roles, permissions, and entitlements at the moment the identity changes, rather than waiting for the next scheduled campaign.

For more information on Oracle Access Governance, see:

Objectives

In this tutorial, you will learn to:

Intended Audience

This tutorial is specifically designed for:

Prerequisites

You must have:

Tutorial Scenario

Acme Corporation uses Oracle Identity Governance (OIG) and Oracle Access Governance as its identity management and governance solution.

Ema, an employee at Acme Corporation, has moved to a different team or project within the same "Quality Assurance" organization. She previously reported to the QA lead, Jerry Poland, and will now report to Betty Cook. As a result, HR must record the reporting manager change in HCM. From an identity viewpoint, Ema no longer requires the access privileges held by Jerry's direct reports but now requires the access privileges used by Betty's team. Let's see how event-based access reviews are invoked when such an event occurs and how they help the reviewer make an informed decision.

Actors
The following actors are involved in this tutorial:

Note: This is a mock-up assignment used exclusively for training purposes. Actors used in this tutorial are fictional and do not represent any real identity. We are using mock data sets to explain the topic in discussion.

Scenario Workflow:

  1. Log on as Betty Cook to the Oracle Access Governance Console.
  2. View the access rights of Betty's direct reports.
  3. Configure event-based access reviews.
  4. Log on as the User Administrator, John, to the Identity Self Service portal and make the desired user attribute changes.
  5. Log on again as Betty to the Oracle Access Governance Console and run an on-demand incremental data load from OIG.
  6. Examine the access review tasks raised by the event-based setup.

Task 1: Sign in to Oracle Access Governance Console as a User

  1. From your browser, go to the Oracle Access Governance Console.
  2. In the Username field, enter your username.
  3. In the Password field, enter your password and select Sign In.

You will be navigated to the home page of your Oracle Access Governance Console.

Task 2: View Access Rights of the Direct Reports reporting to a User Manager

  1. From the navigation menu, select Who Has Access to What -> My Directs’ Access.
  2. See the Applications, Roles, and Permissions assigned to your direct reports.

In this tutorial, Betty’s direct reports have view-only access permission to the Figma application.

Description of the illustration DirectReports.png

Task 3: Enable and Configure Event-Based Access Reviews

You have seen the access rights of your direct reports. Let’s see how you can enable the event-based access reviews.

  1. On the Oracle Access Governance Console home page, from the navigation menu, select Access Reviews -> Event-Based Setup.

    Description of the illustration NavigateEventBasedReview.png

    You will see the Event-Based Access Review Setup page. By default, the event-based access reviews are disabled.

  2. To enable event-based access reviews for an event type, select Actions and then select Edit. For this tutorial, you will enable the Manager event type.

    Description of the illustration EventBasedReviewSetup.png

    The Configure the event-type - Manager Change page displays.

  3. On this page, you can enable the event-based access review, choose to auto-approve low-risk tasks, and define the review workflow: the number of review levels, the duration, and who performs the review. For this tutorial, you will only enable the event-based access review and keep the default workflow.

  4. Under Enable or disable this event-based access review, select Enabled and then select Save.

    Description of the illustration EnableManagerChange.png

The event-based access review for Manager Change is now enabled. You can enable multiple event types and optionally configure a shared workflow so that several events affecting the same identity are reviewed together. See Special Case: Understand Multi-Event Access Review Tasks in Event-Based Setup for more information.

Task 4: Update User Attribute Changes in the Identity Portal

Assumption: In this tutorial, we make the user attribute changes directly in the Identity Self Service portal of OIG. In an actual implementation, OIG would synchronize the changes from a connected HCM system (for example, PeopleSoft), and Access Governance would then pick up the changes from OIG through Connected Systems.

  1. Sign in to Identity Self Service as a User Administrator.

  2. Go to Manage -> Users.

    Description of the illustration IdentityUsers.png

  3. Search for the user whose details need to be updated. For this tutorial, type "Ema" and then click the Search icon.

    Description of the illustration SearchUser.png

  4. Select the user and then click Actions -> Edit.

  5. In the Basic Information section, update the manager by clicking the Search icon next to the Manager field. For this tutorial, find and select Betty Cook.

    Description of the illustration ChangeManager.png

  6. Click Submit.

After approval, the user attributes are successfully updated.

Task 5: Run On-demand Incremental Data Load from OIG

  1. Log on to the Oracle Access Governance Console as an AG Administrator. In this tutorial, log on as Betty Cook.

  2. On the Oracle Access Governance Console home page, from the navigation menu, select Service Administration -> Connected Systems.

    Description of the illustration ConnectedSystems.png

  3. Locate the OIG connection and click Manage connection.

  4. On the right, select Actions and then select Load data now.

    Description of the illustration LoadData.png

The new data load activity begins within a few seconds. Depending on the data volume, the load takes a few minutes to complete. After completion, the Status column changes from In Progress to Success. Event-based review tasks are raised only once the load has succeeded, so check the status before moving on.

Description of the illustration SuccessDataLoad.png

Task 6: Examine Access Review Tasks raised by Event-based Setup

  1. From the navigation menu, go to Access Reviews -> My Access Reviews.

  2. Search for Ema and filter on the Assignment type Permission.

    Description of the illustration AccessReviewEma.png

    Observe that Access Governance automatically raised access review tasks for the event Manager Change.

  3. Observe that Access Governance raised a Review recommendation for Admin permissions. Let’s check out the insights to know more about this recommendation.

  4. Click View to see insights corresponding to the Admin assignment name.

    Description of the illustration ReviewAccess.png

  5. On the Insights page, for the Figma application, you can check the insights and view the recent changes. The insights are produced by the AI/ML-based prescriptive analytics of Access Governance's Identity Intelligence. In this tutorial, the system suggests that Betty should review the Admin privilege assigned to Ema. Note that Betty's other direct reports hold only view-only access to Figma (see Task 2), so an Admin permission carried over from Ema's previous team is an outlier in her new team, which is exactly the kind of access a manager change should prompt a reviewer to question.

    Description of the illustration ReviewRecommendation.png

  6. Now observe that Access Governance raised an Accept recommendation for the Viewer permission. Let's check the insights to learn more about this recommendation.

    Description of the illustration AcceptAccessReview.png

  7. On the Insights page, for the Figma application, check the insights and the recent changes. Here the recommendation system suggests that Betty should accept the Viewer privilege assigned to Ema, which is consistent with the view-only access her new teammates already hold.

    Description of the illustration AcceptRecommendation.png
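As an added illustration (not the page's or Oracle's code, and not the actual Identity Intelligence algorithm), the following Python models one signal that can explain the two recommendations above: how common each of Ema's Figma permissions is among the direct reports of her old manager versus her new manager after a Manager Change. The team membership, the assumption that Jerry's team held Admin, and the 50% threshold are constructed for the example.

```python
"""Peer-group model of the Review / Accept recommendations seen in Task 6.
Added illustration for this page, not Oracle Access Governance's Identity
Intelligence algorithm. Team membership, names and thresholds are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Assignment:
    application: str
    permission: str


# Constructed: Jerry's former team held Admin on Figma (assumption); Betty's
# team holds only Viewer, matching the view-only access seen in Task 2.
DIRECT_REPORTS = {
    "jerry.poland": {
        "sam": {Assignment("Figma", "Admin"), Assignment("Figma", "Viewer")},
        "ana": {Assignment("Figma", "Admin"), Assignment("Figma", "Viewer")},
    },
    "betty.cook": {
        "dave": {Assignment("Figma", "Viewer")},
        "lin":  {Assignment("Figma", "Viewer")},
        "omar": {Assignment("Figma", "Viewer")},
    },
}
# Ema still carries both permissions after the manager change.
EMA_ACCESS = {Assignment("Figma", "Admin"), Assignment("Figma", "Viewer")}
ACCEPT_THRESHOLD = 0.5  # assumed: held by at least half of the new peers -> Accept


def prevalence(peers, assignment, exclude=None):
    """Fraction of `peers` (uid -> set of Assignment) holding `assignment`,
    ignoring the identity under review so it cannot vote for itself."""
    others = {uid: held for uid, held in peers.items() if uid != exclude}
    if not others:
        return 0.0
    return sum(assignment in held for held in others.values()) / len(others)


def recommend(identity, access, old_manager, new_manager, teams):
    """Return {Assignment: (recommendation, insight)} for one identity after a
    Manager Change. Accept when the new team commonly holds the permission,
    Review otherwise; the insight states old vs new prevalence so the reviewer
    can see why the recommendation was made."""
    result = {}
    for a in sorted(access, key=lambda x: (x.application, x.permission)):
        old_p = prevalence(teams.get(old_manager, {}), a, exclude=identity)
        new_p = prevalence(teams.get(new_manager, {}), a, exclude=identity)
        rec = "Accept" if new_p >= ACCEPT_THRESHOLD else "Review"
        insight = (f"{a.application}/{a.permission}: held by {old_p:.0%} of "
                   f"{old_manager}'s reports, {new_p:.0%} of {new_manager}'s reports")
        result[a] = (rec, insight)
    return result


if __name__ == "__main__":
    recs = recommend("ema", EMA_ACCESS, "jerry.poland", "betty.cook", DIRECT_REPORTS)
    for rec, why in recs.values():
        print(f"{rec:6} {why}")
```

Running it yields Review for Figma/Admin (held by 100% of Jerry's reports but 0% of Betty's) and Accept for Figma/Viewer (held by 100% of Betty's reports). The reviewer still makes the decision; the model only surfaces the outlier.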

Special Case: Understand Multi-Event Access Review Tasks in Event-Based Setup

Access Governance raises a multi-event access review when more than one enabled event type occurs for a single identity. Whenever several events, such as a job-code change, a location change, and an organization change, affect the same identity, the event-based access review feature lets the reviewer check, certify, or remediate the impacted applications, roles, and permissions for that identity in one task instead of one task per event.

Multi-Event Access Review Scenario

Ruby Paul, an employee at Acme corporation, has recently made an in-house career shift from Product Management to the Quality Assurance division. As a result, her organization has changed to Quality Assurance and she will now be reporting to Betty Cook. She was previously reporting to Chelsea Neal.

From an identity viewpoint, Ruby no longer requires access privileges required by direct reports of Chelsea but now requires new access privileges used by Betty’s team.

You must enable every event type that should contribute to multi-event access reviews, and configure a shared workflow for them in the Event-Based Setup. In this tutorial, enable the Organization name and Manager event types.

Description of the illustration SharedWorkflowSetup.png

After updating the user attributes for Ruby, Access Governance will automatically raise multiple event-based access review tasks for that single identity, in this case, Ruby.
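The following is an added Python model, written for this page and not Oracle Access Governance code, of how the event-based setup from Task 3 and the shared workflow described above turn an incremental data load (Task 5) into review tasks: it diffs the previous and newly loaded identity snapshots for the enabled event types, applies each event type's settings (review levels, duration, reviewer, auto-approval of low-risk tasks), and collapses several events on one identity into a single multi-event task when a shared workflow is configured. The attribute names, the event-to-attribute mapping, the risk labels and the sample identities are assumptions.

```python
"""Model of how an event-based setup turns an incremental data load into
review tasks. Added illustration for this page, not Oracle Access Governance
code; attribute names, the event-to-attribute mapping, risk labels and the
sample identities are assumptions."""
from collections import defaultdict
from dataclasses import dataclass

# Identity attribute watched by each event type (assumed mapping).
EVENT_ATTRIBUTES = {
    "Manager Change": "manager",
    "Organization Change": "organization",
    "Job Code Change": "job_code",
}


@dataclass(frozen=True)
class EventSetup:
    """Per-event-type settings from the Event-Based Setup page."""
    enabled: bool = False
    auto_approve_low_risk: bool = False
    review_levels: int = 1
    duration_days: int = 14
    reviewer: str = "manager"  # "manager" resolves to the identity's NEW manager


@dataclass(frozen=True)
class ReviewTask:
    identity: str
    events: tuple        # one event type, or several under a shared workflow
    reviewer: str
    review_levels: int
    duration_days: int
    auto_approved: bool  # low-risk task closed without a reviewer action


def detect_events(previous, current, setup):
    """Diff two identity snapshots (as loaded from OIG); return
    (identity, event_type, old, new) for each enabled event type whose
    attribute changed. Joiners absent from `previous` are not change events."""
    found = []
    for uid, new_attrs in current.items():
        if uid not in previous:
            continue
        for event_type, attr in EVENT_ATTRIBUTES.items():
            if not setup.get(event_type, EventSetup()).enabled:
                continue
            old, new = previous[uid].get(attr), new_attrs.get(attr)
            if old != new:
                found.append((uid, event_type, old, new))
    return found


def raise_tasks(events, setup, current, risk, shared_workflow=None):
    """Turn detected events into review tasks. With a shared workflow, all
    events on one identity collapse into one multi-event task; otherwise each
    event raises its own task with that event type's settings."""
    by_identity = defaultdict(list)
    for uid, event_type, _old, _new in events:
        by_identity[uid].append(event_type)
    tasks = []
    for uid, event_types in by_identity.items():
        if shared_workflow is not None and len(event_types) > 1:
            bundles = [(tuple(event_types), shared_workflow)]
        else:
            bundles = [((et,), setup[et]) for et in event_types]
        for bundle, cfg in bundles:
            reviewer = current[uid]["manager"] if cfg.reviewer == "manager" else cfg.reviewer
            tasks.append(ReviewTask(
                identity=uid, events=bundle, reviewer=reviewer,
                review_levels=cfg.review_levels, duration_days=cfg.duration_days,
                auto_approved=cfg.auto_approve_low_risk and risk.get(uid) == "low"))
    return tasks


# Constructed snapshots mirroring the tutorial: Ema changes manager only,
# Ruby changes both manager and organization, Dave is unchanged.
BEFORE = {
    "ema":  {"manager": "jerry.poland", "organization": "Quality Assurance"},
    "ruby": {"manager": "chelsea.neal", "organization": "Product Management"},
    "dave": {"manager": "betty.cook",   "organization": "Quality Assurance"},
}
AFTER = {
    "ema":  {"manager": "betty.cook", "organization": "Quality Assurance"},
    "ruby": {"manager": "betty.cook", "organization": "Quality Assurance"},
    "dave": {"manager": "betty.cook", "organization": "Quality Assurance"},
}
SETUP = {
    "Manager Change":      EventSetup(enabled=True, auto_approve_low_risk=True),
    "Organization Change": EventSetup(enabled=True, review_levels=2, duration_days=30),
}
SHARED = EventSetup(enabled=True, auto_approve_low_risk=True, review_levels=2, duration_days=30)
RISK = {"ema": "low", "ruby": "high", "dave": "low"}  # assumed risk scores


def run(shared=True):
    """Simulate one incremental data load with or without a shared workflow."""
    return raise_tasks(detect_events(BEFORE, AFTER, SETUP), SETUP, AFTER, RISK,
                       SHARED if shared else None)
```

With the shared workflow, `run()` yields two tasks: a Manager Change task for Ema that is auto-approved because she is low risk, and one multi-event task for Ruby covering both Manager Change and Organization Change, routed to Betty with the shared workflow's two review levels and left open because Ruby is high risk. Without the shared workflow (`run(shared=False)`), Ruby gets two separate tasks. Dave, whose attributes did not change, raises nothing, which is the point of an incremental load: only real changes generate review work.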

Let’s check out the Access Review insights.

Description of the illustration MultiEventInsights.png

You can approve or reject the access review tasks based on the recommendations. You can also report on event-based access reviews using the Event-Based Report capability of Oracle Access Governance. For further information, see Generate Event-Based Access Reviews Report.

In summary, when an identity's attributes change, event-based access reviews, alongside regular periodic reviews, ensure that access carried over from a previous role is reviewed promptly instead of accumulating unnoticed, which reduces the risk of misuse of access rights.

Acknowledgements

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.