Perform Access Review
Access reviews are carried out from the Oracle Access Governance Console by users holding one of the reviewer roles listed under each task type below. These roles are derived from data attributes of the connected system.
Reviewers work through identity review tasks and policy review tasks. They can bulk-approve low-risk items, consult the AI/ML-based prescriptive analytic insights, examine high-risk items, and base their decisions on the recommendations Oracle Access Governance provides.
Identity Review Tasks
Identity review tasks audit user access rights through campaigns that run periodically, on demand, or on the occurrence of identity events. These tasks let organizations evaluate a user's accounts, entitlements and roles, make informed decisions based on the AI/ML-driven recommendations, and reduce the harm that misuse of access rights could cause.
Identity review tasks are assigned to reviewers in one of the following roles:
- User (review access assigned to me/self)
- Manager (review access assigned to users in my team)
- Owner (review access assigned to users over resources I own)
- Custom Reviewer (review tasks assigned to a reviewer other than the end user, manager, or owner; the reviewer defaults to Me)
On the Identity review tasks tab, you see all user and event-based review tasks assigned to you as a reviewer. The following information is displayed for each review item:
- Identity name
- Manager name
- Assignment name
- Assignment type
- Due days
- Review source
- Recommendation
- Insights
- Actions
The Insights column contains a link for each review item that opens the Insights page. The insights come from Oracle Access Governance's AI/ML-based prescriptive analytics (Identity Intelligence). At a high level, a permission is analyzed on the following factors:
- Comparison with peers reporting to the same manager
- Comparison with peers with the same job code
- Comparison with peers in the same organization
- Recent changes in a user profile
On the Insights page you can view the recommendation for the access review task that results from this analysis. The left panel shows the access rights information for the identity. The main page shows graphical insights for each analysis factor, the series of access review tasks initiated for that identity since the specific permission was granted, and recent change events related to the identity.
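To make the four factors concrete, here is an added Python example (not Oracle Access Governance code; the directory, its field names and the 25% threshold are constructed for illustration) that computes, for one review item, what fraction of each peer group holds the entitlement, lists recent profile changes, and turns that into a certify/review recommendation:

```python
"""Peer-group analysis for one access review item.

Illustration of the four factors listed above (same manager, same job code,
same organization, recent profile changes). Not Oracle Access Governance code;
the directory, attribute names and decision threshold are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date


@dataclass
class Identity:
    name: str
    manager: str
    job_code: str
    org: str
    entitlements: set[str]
    # constructed: profile attributes and the date each last changed
    profile_changes: dict[str, date] = field(default_factory=dict)


# Constructed sample directory: four engineers under one manager plus one
# finance analyst, all in the same organization.
DIRECTORY = [
    Identity("alice", "mgr-eng", "ENG2", "Platform", {"git-read", "ci-deploy"}),
    Identity("bob",   "mgr-eng", "ENG2", "Platform", {"git-read", "ci-deploy"}),
    Identity("carol", "mgr-eng", "ENG2", "Platform",
             {"git-read", "ci-deploy", "prod-db-admin"},
             profile_changes={"job_code": date(2024, 5, 2)}),
    Identity("dave",  "mgr-eng", "ENG3", "Platform", {"git-read", "ci-deploy"}),
    Identity("erin",  "mgr-fin", "FIN1", "Platform", {"erp-read"}),
]
AS_OF = date(2024, 6, 1)  # constructed review date


def by_name(name: str, directory: list[Identity] = DIRECTORY) -> Identity:
    return next(i for i in directory if i.name == name)


def peer_coverage(subject: Identity, entitlement: str, peers: list[Identity]) -> float | None:
    """Fraction of peers (excluding the subject) that hold the entitlement; None if no peers."""
    others = [p for p in peers if p.name != subject.name]
    if not others:
        return None
    return sum(entitlement in p.entitlements for p in others) / len(others)


def insights(subject: Identity, entitlement: str, directory: list[Identity],
             as_of: date, recent_days: int = 90) -> dict:
    """Per-factor peer coverage plus a recommendation for one review item.

    Decision rule (constructed for the example): if fewer than 25% of peers in
    every measurable peer group hold the entitlement, the item is an outlier
    and is flagged for review; otherwise it is recommended for certification.
    """
    groups = {
        "same_manager": [p for p in directory if p.manager == subject.manager],
        "same_job_code": [p for p in directory if p.job_code == subject.job_code],
        "same_org": [p for p in directory if p.org == subject.org],
    }
    coverage = {g: peer_coverage(subject, entitlement, m) for g, m in groups.items()}
    recent = sorted(attr for attr, changed in subject.profile_changes.items()
                    if (as_of - changed).days <= recent_days)
    measurable = [c for c in coverage.values() if c is not None]
    outlier = bool(measurable) and all(c < 0.25 for c in measurable)
    return {
        "identity": subject.name,
        "entitlement": entitlement,
        "coverage": coverage,
        "recent_changes": recent,
        "recommendation": "review" if outlier else "certify",
    }


if __name__ == "__main__":
    for ent in ("ci-deploy", "prod-db-admin"):
        print(insights(by_name("carol"), ent, DIRECTORY, AS_OF))
```

In the constructed data, carol's `ci-deploy` is held by every peer under her manager and with her job code, so it is recommended for certification; `prod-db-admin` is held by nobody in any of her peer groups and is flagged, and her recent job-code change is surfaced alongside it, which is the signal a reviewer would want before deciding on a high-risk item.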
To make a review decision:
Policy Review Tasks
Policy review tasks audit Identity and Access Management (IAM) policies through policy access review campaigns that run periodically or on demand. These tasks let organizations evaluate access control over cloud resources down to the statement level, examine high-risk policies, make informed decisions based on the AI/ML-driven recommendations, and reduce the harm that misuse of policy permissions could cause.
Policy review tasks are assigned to users in one of the following roles:
- CloudAccessReviewer (review cloud resources such as OCI IAM policies)
- Administrator (modify, delete, and monitor all access review campaigns)
On the Policy review tasks tab, you will see all policy access review tasks assigned to you as a reviewer. The following information is displayed for each review item:
- Policy name
- Connected system
- Policy provider
- Due days
- Review source
- Recommendation
- Insights
Note:
If you modified an IAM policy after the policy review tasks were generated, the updated policy is not considered in the current review. Either wait for the next periodic campaign to run, or create a fresh campaign after the incremental data load operation has completed.
The Insights column contains a link for each policy review item that opens the Insights page. The insights come from Oracle Access Governance's AI/ML-based prescriptive analytics (Identity Intelligence).
On the Insights page you can view the recommendation for the policy review task. The left panel shows the policy information. On the right you can view the complete list of actionable and non-actionable policy statements, open the policy details to see who and what each statement grants access to, and decide on each statement.
You can also view the series of access review tasks initiated for that policy since it was created. Non-actionable statements grant no access rights, so no decision can be taken on them; an example is a statement that defines a construct which other policy statements then reference when granting access.
To make a review decision, either revoke all or accept all actionable statements in the policy at once, or decide on each policy statement individually and then select Apply. By default, every actionable policy statement is selected (marked with a tick icon). The remediation decision is submitted per policy and forwarded to the connected system for closed-loop access remediation.
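The following added Python example (not Oracle Access Governance code) illustrates the statement-level review described above: it splits a constructed OCI IAM policy into actionable grants and non-actionable constructs, applies a revoke-all, accept-all or per-statement decision, and refuses to submit when the policy has changed since the review task was generated (the situation the note above warns about). It assumes OCI IAM policy syntax, in which Allow, Endorse and Admit statements grant access and Define statements only create an alias for another tenancy, group or dynamic group; the group names and the OCID are placeholders.

```python
"""Statement-level classification and per-policy remediation of an OCI IAM policy.

Added illustration, not Oracle Access Governance code. Assumes OCI IAM syntax:
Allow/Endorse/Admit grant access (actionable); Define creates an alias that
other statements reference and grants nothing (non-actionable).
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass

GRANT_RE = re.compile(
    r"^(?P<verb>allow|endorse|admit)\s+(?P<subject>.+?)\s+to\s+(?P<grant>.+?)"
    r"(?:\s+where\s+(?P<condition>.+))?$",
    re.IGNORECASE,
)
DEFINE_RE = re.compile(
    r"^define\s+(?P<kind>tenancy|group|dynamic-group)\s+(?P<name>\S+)\s+as\s+(?P<ocid>\S+)$",
    re.IGNORECASE,
)

# Constructed sample policy: one cross-tenancy alias plus four grants. OCID is a placeholder.
SAMPLE_POLICY = [
    "Define tenancy PartnerTenancy as ocid1.tenancy.oc1..exampleuniqueid",
    "Allow group Developers to read buckets in compartment Dev",
    "Allow group Developers to manage instance-family in compartment Dev where request.region = 'us-ashburn-1'",
    "Endorse group Auditors to read objects in tenancy PartnerTenancy",
    "Allow group Contractors to manage all-resources in tenancy",
]


@dataclass(frozen=True)
class Statement:
    index: int
    text: str
    actionable: bool
    subject: str = ""    # who is granted access (empty for non-actionable)
    grant: str = ""      # what is granted, including its scope
    condition: str = ""  # optional 'where' clause


def classify(policy: list[str]) -> list[Statement]:
    """Split a policy into reviewable grants and non-actionable constructs."""
    out = []
    for i, raw in enumerate(policy):
        text = " ".join(raw.split())  # normalise whitespace before matching
        if DEFINE_RE.match(text):
            out.append(Statement(i, text, actionable=False))
            continue
        m = GRANT_RE.match(text)
        if not m:
            raise ValueError(f"statement {i} is not recognised OCI IAM syntax: {text!r}")
        out.append(Statement(i, text, True, m["subject"], m["grant"], m["condition"] or ""))
    return out


def fingerprint(policy: list[str]) -> str:
    """Hash of the statements as they were when the review task was generated."""
    norm = "\n".join(" ".join(s.split()) for s in policy)
    return hashlib.sha256(norm.encode()).hexdigest()


def remediate(statements: list[Statement], decision: str,
              per_statement: dict[int, str] | None = None) -> list[str]:
    """Return the statements that remain after a per-policy review decision.

    decision is 'revoke_all', 'accept_all' or 'individual'. For 'individual',
    per_statement maps statement index -> 'revoke' | 'accept' and must cover
    every actionable statement. Non-actionable statements are always kept and
    may not carry a decision.
    """
    per_statement = per_statement or {}
    kept = []
    for s in statements:
        if not s.actionable:
            if s.index in per_statement:
                raise ValueError(f"statement {s.index} grants no access; no decision applies")
            kept.append(s.text)
        elif decision == "accept_all":
            kept.append(s.text)
        elif decision == "revoke_all":
            pass
        elif decision == "individual":
            choice = per_statement.get(s.index)
            if choice not in ("revoke", "accept"):
                raise ValueError(f"no decision recorded for actionable statement {s.index}")
            if choice == "accept":
                kept.append(s.text)
        else:
            raise ValueError(f"unknown decision {decision!r}")
    return kept


def submit(task_fingerprint: str, current_policy: list[str], decision: str,
           per_statement: dict[int, str] | None = None) -> list[str]:
    """Apply the decision only if the policy is unchanged since the task was generated."""
    if fingerprint(current_policy) != task_fingerprint:
        raise RuntimeError("policy changed after task generation; wait for the next campaign")
    return remediate(classify(current_policy), decision, per_statement)


if __name__ == "__main__":
    for s in classify(SAMPLE_POLICY):
        print("actionable" if s.actionable else "non-actionable", "|", s.text)
    print(remediate(classify(SAMPLE_POLICY), "individual",
                    {1: "accept", 2: "accept", 3: "accept", 4: "revoke"}))
```

The `where` clause is kept with its statement rather than parsed further, because the decision granularity in the review is the whole statement. The fingerprint check is the practitioner's safeguard for the note above: a decision computed against the statements the task was generated from is not applied to a policy that has since been edited, so a revoke cannot silently land on a statement the reviewer never saw.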