Perform Access Review

Access reviews are carried out from the Oracle Access Governance Console by users holding the roles listed under each task type below. Role assignment is based on data attributes derived from the connected system.

Users can work on identity and policy review tasks. They can bulk approve low-risk items, check the AI/ML-equipped prescriptive analytic insights, review high-risk items, and make informed decisions based on the AI/ML-driven recommendations provided by Oracle Access Governance.

Identity Review Tasks

Identity review tasks are audits of user access rights carried out by campaigns that run periodically, on demand, or on the occurrence of certain identity events. These access review tasks help organizations evaluate user accounts, entitlements, and roles, make informed decisions based on the AI/ML-driven recommendations, and deter harm that could be caused by misuse of access rights.

Identity access review tasks can be carried out by users with the following roles:
  • User (review access assigned to me/self)
  • Manager (review access assigned to users in my team)
  • Owner (review access assigned to users over resources I own)
  • Custom Reviewer (review access tasks assigned to a user other than the end user, manager, or owner. The default value is Me)
To perform an identity access review:
  1. In the Oracle Access Governance Console, select Access Reviews, and then My Access Reviews from the navigation menu.
    You navigate to the My Access Reviews page. You can search for a specific access review task by identity name or policy name, or apply the given filters to narrow down the search results. You can also view the count of total identity and policy review tasks assigned to you as a reviewer. By default, you see the Identity review tasks tab. Select the Policy review tasks tab to view and take appropriate actions on the IAM policies.

On the Identity review tasks tab, you see all user and event-based review tasks assigned to you as a reviewer. The following information is displayed for each review item:

  • Identity name
  • Manager Name
  • Assignment name
  • Assignment type
  • Due days
  • Review source
  • Recommendation
  • Insights
  • Actions

The Insights column has a link for each review item which, when clicked, takes you to the Insights page. The insights are based on our in-house AI/ML-equipped, prescriptive analytic-based Identity Intelligence system. At a high level, the analysis of a permission is based on the following factors:

  • Comparison with peers reporting to the same manager
  • Comparison with peers with the same job code
  • Comparison with peers in the same organization
  • Recent changes in a user profile

On the Insights page, based on the analysis, you can view the recommendation for the access review task. On the left panel, you can view the access rights information for that identity. On the page, you can view the graphical insights based on the analysis factors, the series of access review tasks initiated for that identity since the specific permission was granted, and recent change events related to that identity.

To make a review decision:

  1. You can either revoke or accept a review item. This can be done either from the Insights page or by selecting the relevant option in the Actions column on the My Access Reviews page.
  2. To revoke a review item, select Revoke. In the confirmation dialog, add a Justification and select Submit. You are taken back to the My Access Reviews page and a confirmation that the decision has been saved is displayed.

    Note:

    • To approve an access privilege, all reviewers must approve the review item. To revoke an access privilege, the first revoke by a reviewer at any level is final.
    • If you revoke an Account task, all related entitlement tasks are automatically revoked.
    • If you accept an entitlement (Role or Permission) task, the related Account tasks are automatically accepted.
    • When you revoke a review item, the item is remediated automatically: a request is sent to the connected system to revoke the item in the back-end system. No manual steps are required.
  3. To accept a review item, select Accept. In the confirmation dialog, add a Justification and select Submit. You are taken back to the My Access Reviews page and a confirmation that the decision has been saved is displayed.
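The decision rules in the note above (approval needs every reviewer, a single revoke at any level is final, and decisions cascade between Account and entitlement tasks) can be made concrete with a small model. The following is an added example and is not Oracle Access Governance code; the item names, reviewer names and the Account/Entitlement link are constructed, and recording a cascaded decision under the same reviewer who triggered it is an assumption, not something the page states.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Added example (not Oracle's code): a model of the identity review decision
# rules. Item names, reviewers and the Account/Entitlement link are constructed;
# recording a cascaded decision under the triggering reviewer is an assumption.

ACCEPT, REVOKE = "Accept", "Revoke"


@dataclass
class ReviewItem:
    name: str
    kind: str                               # "Account" or "Entitlement"
    account: Optional[str] = None           # entitlements: the account they depend on
    decisions: Dict[str, str] = field(default_factory=dict)  # reviewer -> decision


def outcome(item: ReviewItem, reviewers: List[str]) -> str:
    """Combine reviewer decisions: any revoke is final; approval needs every reviewer."""
    if REVOKE in item.decisions.values():
        return "Revoked"
    if all(item.decisions.get(r) == ACCEPT for r in reviewers):
        return "Approved"
    return "Pending"


def record_decision(items: Dict[str, ReviewItem], name: str,
                    reviewer: str, decision: str) -> List[str]:
    """Record one decision, apply the cascade rules, and return the items touched."""
    if decision not in (ACCEPT, REVOKE):
        raise ValueError(f"unknown decision {decision!r}")
    item = items[name]
    item.decisions[reviewer] = decision
    touched = [name]
    if item.kind == "Account" and decision == REVOKE:
        # Revoking an account revokes every entitlement that depends on it.
        for other in items.values():
            if other.kind == "Entitlement" and other.account == name:
                other.decisions[reviewer] = REVOKE
                touched.append(other.name)
    elif item.kind == "Entitlement" and decision == ACCEPT and item.account in items:
        # Accepting an entitlement implies the account it needs is accepted too.
        items[item.account].decisions[reviewer] = ACCEPT
        touched.append(item.account)
    return touched


def sample_items() -> Dict[str, ReviewItem]:
    # Constructed sample: one account with two entitlements.
    return {
        "hr-db-account": ReviewItem("hr-db-account", "Account"),
        "hr-db-read": ReviewItem("hr-db-read", "Entitlement", account="hr-db-account"),
        "hr-db-admin": ReviewItem("hr-db-admin", "Entitlement", account="hr-db-account"),
    }


def scenario_accept_then_approve() -> Dict[str, str]:
    """Manager accepts the read entitlement; the owner then accepts the account."""
    items, reviewers = sample_items(), ["manager", "owner"]
    record_decision(items, "hr-db-read", "manager", ACCEPT)   # cascades to the account
    record_decision(items, "hr-db-account", "owner", ACCEPT)
    return {n: outcome(i, reviewers) for n, i in items.items()}


def scenario_owner_revokes_account() -> Dict[str, str]:
    """Manager accepted the admin entitlement, but the owner revokes the account."""
    items, reviewers = sample_items(), ["manager", "owner"]
    record_decision(items, "hr-db-admin", "manager", ACCEPT)
    record_decision(items, "hr-db-account", "owner", REVOKE)  # first revoke wins and cascades
    return {n: outcome(i, reviewers) for n, i in items.items()}


if __name__ == "__main__":
    print(scenario_accept_then_approve())
    print(scenario_owner_revokes_account())
```

In the first scenario only the account reaches Approved, because both reviewers have accepted it; the entitlements stay Pending until the owner also decides on them. In the second, the owner's single revoke overrides the manager's earlier accept and pulls both entitlements down with the account.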

Policy Review Tasks

Policy review tasks are audits of Identity and Access Management (IAM) policies initiated by policy access review campaigns that run periodically or on demand. These access review tasks help organizations evaluate access control of cloud resources down to the statement level, review high-risk policies, make informed decisions based on the AI/ML-driven recommendations, and deter harm that could be caused by misuse of policy permissions.

Policy access review tasks can be carried out by users with the following roles:
  • CloudAccessReviewer (review cloud resources such as OCI IAM Policies)
  • Administrator (modify, delete, monitor all access review campaigns)
To perform a policy access review task:
  1. In the Oracle Access Governance Console, select My Access Reviews from the navigation menu. You navigate to the My Access Reviews page.
    By default, you see the Identity review tasks tab. Select the Policy review tasks tab to view and take appropriate actions on the IAM policies. You can search for a specific access review task by policy name, or apply the given filters to narrow down the search results. You can also view the count of total identity and policy review tasks assigned to you as a reviewer.

On the Policy review tasks tab, you will see all policy access review tasks assigned to you as a reviewer. The following information is displayed for each review item:

  • Policy name
  • Connected system
  • Policy Provider
  • Due days
  • Review source
  • Recommendation
  • Insights

Note:

If you modified an IAM policy after the policy review tasks were generated, the updated policy is not considered in the current review. Either wait for the next periodic campaign to run, or create a fresh campaign after the incremental data load operation.

The Insights column has an Actions link for each policy review item which, when clicked, takes you to the Insights page. The insights are based on our in-house AI/ML-equipped, prescriptive analytic-based Identity Intelligence system.

On the Insights page, you can view our recommendation for the policy review task. On the left panel, you can view the policy information. On the right, you can view a complete list of actionable and non-actionable policy statements, view policy details to see who and what each policy statement grants access to, and make appropriate decisions on each statement.

You can also view the series of access review tasks initiated for that policy since it was granted. Non-actionable statements grant no access rights themselves, so no action can be taken on them. For example, a rule statement that defines a construct for reuse in other policy statements is non-actionable; only the statements that use it to grant access are reviewed.

To make a review decision, you can either revoke all or accept all actionable statements in the policy at once, or make a decision individually on each policy statement and then select Apply. By default, all actionable policy statements are selected with a tick icon. The final remediation decision is submitted per policy and then sent to the connected system for closed-loop access remediation.

  1. From the Insights page, to accept or to revoke policy statement(s):
    • To revoke all policy statements at once, select Revoke all.
    • To revoke an individual policy statement, select the cross icon to revoke access for that policy statement. Repeat this action on each policy statement that you want to revoke.
    • To accept all policy statements at once, select Accept all.
    • To accept an individual policy statement, select the tick or check mark icon to accept the policy statement. Repeat this action on each policy statement that you want to accept.

    Note:

    • To approve a policy, all reviewers must approve the review item. To revoke an access privilege, the first revoke by a reviewer at any level is final.
    • When you revoke a policy, the policy is remediated automatically: a request is sent to the connected system to revoke the item in the back-end system. No manual steps are required.
  2. After you have finalized the decision on all the policy statements, select Apply.

    The confirmation dialog is displayed, showing the count of policy statements you selected to accept and to revoke. Add your comments in the Justification field, and then select Submit. You are taken back to the My Access Reviews page and a confirmation that the decision has been saved is displayed.
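The per-statement decisions, the default-accept selection, the Revoke all / Accept all shortcuts and the single per-policy submission with its accept/revoke counts can be modelled end to end. The following is an added example, not Oracle Access Governance code: the policy text is a constructed sample in OCI IAM policy syntax with a placeholder OCID, and the rule that classifies a statement as actionable (it begins with an access-granting verb) or non-actionable (a `define` construct that only names something for reuse) is a simplified heuristic assumed for illustration, not the product's classification.

```python
from dataclasses import dataclass
from typing import Dict, List

# Added example (not Oracle's code): a model of the policy statement review.
# The sample policy is constructed, and classify() is an assumed heuristic:
# statements that grant access are actionable, 'define' constructs are not.

GRANTING_VERBS = ("allow", "endorse", "admit")   # assumption: treated as access-granting


@dataclass
class Statement:
    text: str
    actionable: bool
    decision: str = "Accept"   # every actionable statement starts pre-selected (tick icon)


def classify(text: str) -> bool:
    """Return True when the statement grants access and can therefore be acted on."""
    first = text.strip().split(" ", 1)[0].lower()
    return first in GRANTING_VERBS


class PolicyReview:
    def __init__(self, policy_name: str, policy_text: str):
        self.policy_name = policy_name
        self.statements: List[Statement] = [
            Statement(line.strip(), classify(line))
            for line in policy_text.splitlines() if line.strip()
        ]

    def actionable_indexes(self) -> List[int]:
        return [i for i, s in enumerate(self.statements) if s.actionable]

    def _actionable(self, idx: int) -> Statement:
        s = self.statements[idx]
        if not s.actionable:
            raise ValueError(f"statement {idx} grants no access and cannot be actioned")
        return s

    def revoke(self, idx: int) -> None:          # the cross icon
        self._actionable(idx).decision = "Revoke"

    def accept(self, idx: int) -> None:          # the tick icon
        self._actionable(idx).decision = "Accept"

    def revoke_all(self) -> None:                # Revoke all
        for s in self.statements:
            if s.actionable:
                s.decision = "Revoke"

    def accept_all(self) -> None:                # Accept all
        for s in self.statements:
            if s.actionable:
                s.decision = "Accept"

    def apply(self, justification: str) -> Dict[str, object]:
        """Build the single per-policy submission with the counts the dialog shows."""
        if not justification.strip():
            raise ValueError("a justification is required before submitting")
        accepted = [s.text for s in self.statements if s.actionable and s.decision == "Accept"]
        revoked = [s.text for s in self.statements if s.actionable and s.decision == "Revoke"]
        return {
            "policy": self.policy_name,
            "accept_count": len(accepted),
            "revoke_count": len(revoked),
            "revoke": revoked,
            "justification": justification,
        }


# Constructed sample policy; the OCID is a placeholder, not a real tenancy.
SAMPLE_POLICY = """
define tenancy PartnerTenancy as ocid1.tenancy.oc1..exampleplaceholder
allow group Analysts to read buckets in compartment Reporting
allow group Analysts to manage buckets in compartment Reporting
endorse group Analysts to read objects in tenancy PartnerTenancy
"""


def review_sample() -> Dict[str, object]:
    """Reviewer keeps the read grants and revokes the broader 'manage' grant."""
    review = PolicyReview("reporting-access", SAMPLE_POLICY)
    review.revoke(2)
    return review.apply("Analysts only require read access to reporting buckets")


if __name__ == "__main__":
    print(review_sample())
```

The `define` statement is parsed but excluded from the accept/revoke counts, and trying to action it raises an error, which mirrors the page's point that non-actionable statements carry no access rights of their own.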