Perform User Access Reviews with Oracle Access Governance
Introduction
Oracle Access Governance addresses the growing challenges security owners face in dealing with the increase in advanced security threats and regulations. This cloud-native solution helps meet governance and compliance requirements across many applications, workloads, infrastructures, and identity platforms. One of the key features of Oracle Access Governance is Access Review Campaigns.
Access review campaigns comprise a group of access reviews for members of your enterprise population where individual access to a specific source is checked and either certified or remediated.
As a user, manager, or owner of the organization, you can perform access reviews and take required actions in Oracle Access Governance. By leveraging the prescriptive analytics and risk factor embedded in access reviews, users and user managers can make informed decisions about access entitlements. Users can also bulk approve low-risk items based on AI/ML recommendations provided by Oracle Access Governance.
For more information on Oracle Access Governance, see:
- Oracle Access Governance Product Page
- Access Governance Service Guide
- Access Governance Product Documentation
- Access Governance APIs
- Oracle Access Governance FAQ
Objectives
In this tutorial, you will learn to:
- Evaluate Access Review tasks assigned to you as a User (Employee)
- View Direct Reports’ privileges as a Manager (Employee’s Manager)
- Evaluate Access Review tasks assigned to you as a Manager (Employee’s Manager)
Intended Audience
This tutorial is specifically for users with the following roles, which are based on data attributes derived from the connected system:
- User (review access assigned to me/self)
- Manager (review access assigned to users in my team)
- Owner (review access assigned to users over resources I own)
Prerequisites
You must have:
- Access Governance User rights as a user and as a user manager. For more information, see Understanding Application Roles.
- Oracle Access Governance service instance with user names and passwords.
Tutorial Scenario
A new division, called Software Engineering, is set up in your organization, and James Butt is the business owner of the Software Engineering division. He creates an access review campaign, Entire Org, for all users in his division to check, certify or remediate the access privileges. He wants all users and their line managers to review the access privileges. For example, Leota Dilliard reports directly to James. So, Leota will perform the first review of her own access privileges, and James as her line manager will perform the second-level review of her access privileges.
Actors
- User (Self-review) - Leota Dilliard as the First-Level Approver
- User Manager - James Butt as the Second-Level Approver
Assumption: In this tutorial, you will first log on as Leota (the user) to Oracle Access Governance and perform your own access review tasks. After that, log on as James Butt (the manager) to perform the second-level review of the tasks that Leota performed related to her access privileges.
Task 1: Sign in to Oracle Access Governance Console as a User
- From your browser, go to the Access Governance Console.
- In the Username field, enter your user name.
- In the Password field, enter the password and select Sign In.
You are taken to the home page of your Oracle Access Governance Console.
Task 2: Perform Access Review Tasks as a User (Employee User Review)
- Select the Identity review tasks tab to perform user access reviews. Here you will see a list of your access review tasks.
  Note: Access reviewers must select the Identity review tasks tab to perform user access reviews.
- For a review task, before taking any action, go through the following best practices:
  - Check review task information such as Assignment name, Manager name, Assignment type, and Due days.
  - Apply filters on the review tasks list by selecting Recommend Accept or Recommend Review. Oracle Access Governance uses Prescriptive Analytics for each review item and provides recommendations based on calculated risk scores and analytics.
  - To view analytic insights, click View in the Insights column to review a task.
  - You can accept the review item by clicking the tick icon of Accept in the Actions column.
- Click View in the Insights column for a review item whose recommendation status is Review. On the insights page, observe the following:
  - AI/ML-driven insights with alignment score. For example, notice the text "Most peers of this user don’t have the same permissions for their accounts.", which is the result of an ML peer group analysis conducted by Oracle Access Governance.
  - Description of review task.
  - Access review trail.
- Select Accept or Revoke. For this example, select Accept and provide a justification for your action.
  You will be navigated back to the My Access Reviews page.
- For the rest of the privilege accesses, you can bulk approve or revoke the review tasks. For this tutorial, apply the filter Recommend Accept. Select the check box corresponding to the Identity name header and then click the Accept button.
- Provide a justification for your action and then click Submit.
Task 3: Sign in to Oracle Access Governance Console as a User Manager
- From your browser, go to the Access Governance Console.
- In the Username field, enter the manager's user name to log on as a manager.
- In the Password field, enter the password and select Sign In.
Task 4: Perform Access Review Tasks as a Manager (User Manager)
In this tutorial, the user manager is the second-level approver or reviewer. As a user manager, you can see the access review items accepted by your users.
- Check your direct reports. On the Oracle Access Governance console home page, select Navigation Menu -> Who has Access to What -> My Directs’ Access.
  You will see a list of your direct reports. You can use this feature to get insights into the number of applications, permissions, and roles assigned to your direct reports.
- Click the username to view the permissions, applications and roles assigned to that user.
  You can modify the view to see the privileges grouped by application, cloud resources, or role.
- Now, navigate back to the home page.
- Click Select on the "I am busy, let’s just review the recommended for review" tile to review only the recommended items.
  You will see a list of your own access review tasks and, as a second-level approver, you will also see your direct reports’ access review tasks.
  Note: Access reviewers must select the Identity review tasks tab to perform user access reviews.
- For a review task, before taking any action, go through the following best practices:
  - Check review task information such as Assignment name, Manager name, Assignment type, and Due days.
  - Apply filters on the review tasks list by selecting Recommend Accept or Recommend Review. Oracle Access Governance uses Prescriptive Analytics for each review item and provides recommendations based on calculated risk scores and analytics.
  - To view analytic insights, click View in the Insights column to review a task.
  - Choose to accept the review item by clicking the tick icon of Accept in the Actions column.
- Click View in the Insights column for a review item whose recommendation status is Review. On the insights page, observe the following:
  - AI/ML-driven insights with alignment score. For example, notice the text "Most peers of this user don’t have the same permissions for their accounts.", which is the result of an ML peer group analysis conducted by Oracle Access Governance.
  - Description of review task
  - Access review trail
- Select Accept or Revoke. For this example, select Revoke for a high-risk task, provide a justification or reasoning to support your action, and then click Submit.
  The access to that privilege will be revoked. To approve an access privilege, all the reviewers must approve a review item. However, to revoke an access privilege, the first revoke by a reviewer at any level is considered final.
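The approval rule described above, as an added example that is not Oracle Access Governance code or its API: a small Python model in which every reviewer level must accept for access to be certified, the first revoke at any level is final, and bulk accept touches only items recommended for Accept. The class and function names, the strict ordering of reviewer levels, and the sample permissions are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum

class Decision(Enum):
    ACCEPT = "accept"
    REVOKE = "revoke"

class Outcome(Enum):
    PENDING = "pending"      # at least one reviewer level has not acted yet
    CERTIFIED = "certified"  # every level accepted
    REVOKED = "revoked"      # one level revoked; later levels never get a vote

@dataclass
class ReviewItem:
    permission: str
    recommendation: str      # "Accept" or "Review", mirroring the task-list filters
    levels: tuple            # ordered reviewers (assumed sequential), e.g. ("Leota", "James")
    trail: list = field(default_factory=list)  # (reviewer, Decision, justification)

    def outcome(self):
        if any(d is Decision.REVOKE for _, d, _ in self.trail):
            return Outcome.REVOKED
        return Outcome.CERTIFIED if len(self.trail) == len(self.levels) else Outcome.PENDING

    def decide(self, reviewer, decision, justification):
        if self.outcome() is not Outcome.PENDING:
            raise ValueError("review is already final")
        if reviewer != self.levels[len(self.trail)]:
            raise ValueError(f"it is not {reviewer}'s turn to review")
        if not justification.strip():
            raise ValueError("a justification is required")
        self.trail.append((reviewer, decision, justification))
        return self.outcome()

def bulk_accept(items, reviewer, justification):
    """Accept pending items recommended for Accept that are waiting on `reviewer`."""
    done = []
    for it in items:
        if (it.outcome() is Outcome.PENDING and it.recommendation == "Accept"
                and it.levels[len(it.trail)] == reviewer):
            it.decide(reviewer, Decision.ACCEPT, justification)
            done.append(it)
    return done

def demo():
    # Constructed sample items; the permission names are not from the tutorial.
    chain = ("Leota", "James")
    items = [ReviewItem("wiki-reader", "Accept", chain), ReviewItem("db-admin", "Review", chain)]
    bulk_accept(items, "Leota", "needed for daily work")
    items[1].decide("Leota", Decision.ACCEPT, "used for on-call")
    bulk_accept(items, "James", "matches role")
    items[1].decide("James", Decision.REVOKE, "peers do not hold this permission")
    return [it.outcome() for it in items]
```

The trail kept on each item plays the role of the access review trail shown on the insights page: it records who decided what and why, which is what an auditor needs when a certification is questioned later.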
In this tutorial, you have successfully performed an access review as a user and as a manager for your direct reports using the Oracle Access Governance console.
Acknowledgments
- Author - Komalreet Kaur, Edward Lu
- Contributors - Abhishek Juneja, Mike Howlett, Oracle IAM Product Management
F70244-06
August 2023
Copyright © 2023, Oracle and/or its affiliates.