Enable Event-based Access Reviews

Event-Based Access Reviews are access reviews initiated automatically by Oracle Access Governance when one or more predefined event types occur. Whenever an event such as a job-code change, location change, or application renewal occurs, an event-based access review is initiated, which reviewers use to check the permissions associated with the change and either accept or remediate them.

Oracle Access Governance supports three event types:
  • Change event: an event associated with joiner-mover-leaver actions.
    • Joiner refers to action taken by the system when an identity joins the company, such as assigning some birth-right access privileges.
    • Mover refers to action taken by the system when an identity moves within the same organization, for example, changes in access privileges when user changes location or job.
    • Leaver refers to action taken by the system when an identity leaves the company, such as revoking access over all corporate applications and systems.

    Let's understand this with a scenario. Ema, an employee at Acme corporation, has moved to a different project and will be reporting to a different manager within the same department. From an identity viewpoint, Ema no longer requires access privileges required by direct reports of her previous manager and project but now requires new access privileges.

    Note:

    In this scenario, we are assuming Manager is the core attribute in your data schema and Project Code is one of the custom attributes in your data schema.

    For this, you need to enable event-based access reviews for the core attribute Manager Change and the custom attribute Project Code. When the next data synchronization from the orchestrated system brings in these updates, Oracle Access Governance will automatically raise multiple event-based access reviews associated with this single identity.

  • Timeline event: an event which is raised for a particular date. This may refer to a specific event, for example:
    • An anniversary event such as an employee's organization start date, or a software application license renewal date.

    A review task is generated for the configured event on the configured date, to determine whether the permissions associated with the event are still appropriate. Alternatively, you can configure a number of days prior to the event date on which to generate the review task.

    Let's understand this with a scenario. Bill, an employee at Acme corporation, uses the CorporateLDAPdirectory application. Bill's access to this application needs to be reviewed on an annual basis, based on the ActiveStartDate attribute. When Bill is first granted access to CorporateLDAPdirectory the ActiveStartDate is recorded. If you enable a timeline event on this application/attribute combination, then on the anniversary of Bill's first grant of the application, an access review will be generated, which allows a reviewer to revoke Bill's access to the application, or accept and allow Bill access to the application for another 12 months.

  • Unmatched Accounts Event: an event triggered when an account is onboarded which does not match any identity within Oracle Access Governance.

As a user with the Administrator application role, you can enable event-based access reviews from the Oracle Access Governance Console. You can define the workflow for the review in terms of the number of review levels, duration, and who performs the review.

Note:

The Event-Based Setup menu option is not available when:
  • You have integrated only OCI IAM, as your orchestrated system in Oracle Access Governance.
  • You have not activated any identities containing data including organization, job code or location. To view this option, you must activate at least one identity from the Manage Identities page. See Select Included Identities for details on how to enable identities in Oracle Access Governance.

You can enable event-based access reviews for core attributes (for example, Job Code, Organization, Location, and so on) as well as custom attributes (for example, Cost Center, Project Code, and so on).

Event-based access reviews can be enabled and configured for the following event-types:

  • Identity Enabled
  • Identity Disabled
  • Department Change
  • Manager Change
  • Organization Change
  • Location Change
  • Job Code Change
  • Custom Attribute

    The display name of each custom attribute is shown in a list. You may see one or more custom attribute rows, depending on which attributes are configured to enable the event-based functionality.

    Note:

    If you don't see the option for selecting custom attributes, contact the Oracle Access Governance Administrator. You first need to enable it from the Administration settings within Oracle Access Governance Console. See View and Configure Identity Attributes.
  • Timeline Events
  • Multiple Event Changes
  • Unmatched Accounts

Setup Change Event Access Review

Configuring Change Events

To configure Change events, complete the following tasks:
  1. Log on to the Oracle Access Governance Console with a user assigned the Administrator application role.
  2. Select the Navigation Menu. Click Access Reviews and then Event-Based Setup. The Event-Based Setup landing page is displayed.
  3. On the Event-Based Setup page, select the Change tab.
  4. Each event type is displayed in a list of available change events. Each change event has a status of Enabled or Disabled and an Actions drop-down menu, providing the option to Edit or View details. Select Edit for the event-type you want to enable.
  5. On the Configure the event type screen:
    1. Use the radio button to Enable or Disable the event-type.
    2. If you want to auto-approve low-risk tasks for this event type, select Yes.
  6. Select which approval workflow you want to assign to this access review campaign. A list of the available workflows is visible. For details on how to create and manage approval workflows see Create Approval Workflow and Manage Approval Workflow. Once you have selected your workflow the View approval workflow link is displayed. Click on this to see a diagram of the selected workflow.
  7. Select the scope of justification required for access review decisions from the following values:
    • Required for all review decisions
    • Required only for revoke decisions
    • Optional for all review decisions
  8. Select Save to save your workflow definition or Cancel to discard your changes.
  9. You return to the Configure the event type screen. Select Save to keep the changes to your event-type configuration, or Cancel to abandon the changes.

Setup Timeline Event Access Review

Configuring Timeline Events

To configure Timeline events, complete the following tasks:

Note:

Currently, Oracle Access Governance supports timeline events only on an annual basis.
  1. Log on to the Oracle Access Governance Console with a user assigned the Administrator application role.
  2. Select the Navigation Menu. Click Access Reviews and then Event-Based Setup. The Event-Based Setup landing page is displayed.
  3. On the Event-Based Setup page, select the Timeline tab.
  4. Each event type is displayed in a list of available events. Each event has a status of Enabled or Disabled and an Actions drop-down menu, providing the option to Edit, View details, or Delete. When an Oracle Access Governance service instance is created, there are no timeline events configured. To create events, select the Create timeline event button.
  5. On the Add a new timeline event configuration screen:
    1. Select a date attribute from the Which date attribute should the event be triggered from? drop-down list. Date attributes are those attributes with a date type, that are enabled for event-based campaigns. For further details on defining attributes, review View and Configure Identity Attributes.
    2. Add a value for the number of days prior to the date when the event should be triggered, into the How many days prior to the date should the event be triggered? field.
    3. Provide a name for the event in the What do you want to name this event? field. The name for the event must be unique.
    4. Use the radio button to Enable or Disable the event-type.
    5. If you want to auto-approve low-risk tasks for this event type, select Yes.
  6. Select the applications you want to include in the timeline event change. By default all applications will be included in the review. To filter the list of applications reviewed:
    1. From the drop-down list, What type of access do you want to review?, select one of the following:
      1. All

        Note:

        If you select All, Oracle Access Governance will generate access reviews for all accesses that the identity has, and the scope cannot be further narrowed down.
      2. Systems managed by Access Governance
      3. Systems managed by Oracle Cloud Infrastructure
      4. Systems managed by Oracle Identity Governance
    2. Applications available for review are displayed as tiles. Select the tiles associated with the applications you want to review.
  7. Select which approval workflow you want to assign to this access review campaign. A list of the available workflows shows all approval workflows defined in your system. For details on how to create and manage approval workflows see Create Approval Workflow and Manage Approval Workflow. Once you have selected your workflow the View approval workflow link is displayed. Click on this to see a diagram of the selected workflow.
  8. Select the scope of justification required for access review decisions from the following values:
    • Required for all review decisions
    • Required only for revoke decisions
    • Optional for all review decisions
  9. Select Save to save your workflow definition or Cancel to discard your changes.
  10. You return to the Configure the event type screen. Select Save to keep the changes to your event-type configuration, or Cancel to abandon the changes.
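The annual timeline event from Bill's scenario, with the "How many days prior" setting, as an added worked example (not code from Oracle Access Governance): it computes the date on which the next review task is raised from the ActiveStartDate, and the 29 February fallback rule and the sample dates are assumptions.

```python
from datetime import date, timedelta
import calendar

# Constructed sample: Bill's ActiveStartDate on CorporateLDAPdirectory (not real data).
BILL_ACTIVE_START_DATE = date(2022, 3, 15)

def anniversary_in_year(start: date, year: int) -> date:
    """Anniversary of `start` in `year`. A 29 February start date falls back to
    28 February in non-leap years (an assumption; the page does not state the rule)."""
    last_day = calendar.monthrange(year, start.month)[1]
    return date(year, start.month, min(start.day, last_day))

def next_review_trigger(start: date, today: date, days_prior: int = 0) -> date:
    """Date on which the next annual timeline review task is raised: the first
    anniversary of `start` whose trigger date (anniversary minus `days_prior`)
    is on or after `today`. The grant date itself is not an anniversary."""
    if days_prior < 0:
        raise ValueError("days_prior must be zero or positive")
    year = max(today.year, start.year + 1)
    while True:
        trigger = anniversary_in_year(start, year) - timedelta(days=days_prior)
        if trigger >= today:
            return trigger
        year += 1

def build_review_task(identity: str, application: str, attribute: str,
                      start: date, today: date, days_prior: int) -> dict:
    """Review task as the reviewer sees it: accept keeps the access until the
    next anniversary, revoke removes it."""
    trigger = next_review_trigger(start, today, days_prior)
    return {"identity": identity, "application": application, "date_attribute": attribute,
            "trigger_on": trigger, "anniversary": trigger + timedelta(days=days_prior),
            "decisions": ("accept", "revoke")}

if __name__ == "__main__":
    print(build_review_task("bill", "CorporateLDAPdirectory", "ActiveStartDate",
                            BILL_ACTIVE_START_DATE, date.today(), 30))
```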

Setup Unmatched Accounts Access Review

Configuring Unmatched Accounts Events

To configure unmatched account events, complete the following tasks:
  1. Log on to the Oracle Access Governance Console with a user assigned the Administrator application role.
  2. Select the Navigation Menu. Click Access Reviews and then Event-Based Setup. The Event-Based Setup landing page is displayed.
  3. On the Event-Based Setup page, select the Unmatched accounts tab.
  4. To create an unmatched account event configuration, select the Create an unmatched accounts event button.
  5. You are directed to the Add a new unmatched account event configuration page. Enter the following details to configure your unmatched account event.
    1. In What do you want to name this event? add a meaningful name which describes the unmatched accounts event you are creating.
    2. For Enable or disable this event-based access reviews, select Enable.
    3. You have the option to remove all unmatched accounts reported by this event automatically. To do this, select Yes for the auto remove unmatched accounts option. All unmatched accounts will be removed from your environment including Oracle Access Governance and any Managed Systems from which the account was ingested.

      If you want unmatched accounts to be reviewed via an approval workflow, select No.

    4. All orchestrated systems will be added to the unmatched accounts event by default. If you want to restrict the event to a specific orchestrated system, or group of orchestrated systems, select the tiles representing the orchestrated systems you would like to include in the event.
    5. Choose the workflow for this event.
      • In Which approval workflow should be used? select one of the following:
        • Application owner:
        • Custom user:
      • In Is justification required on decisions? select one from the following:
        • Required for all review decisions
      • In Who is the default access review owner? select one from the following:
        • Me
  6. You return to the Configure the event type screen. Select Save to keep the changes to your event-type configuration, or Cancel to abandon the changes.

Configure Multi-Events

Multi-events occur when Oracle Access Governance receives changes for more than one event type associated with a single identity.

Users with the Administrator application role can configure a shared workflow which is applied when multi-events are identified. To configure the shared workflow:

  1. Log on to the Oracle Access Governance Console with a user assigned the Administrator application role.
  2. Select the Navigation Menu. Click Access Reviews and then Event-Based Setup. The Event-Based Setup landing page is displayed.
  3. On the Change tab, select Edit shared workflow.
  4. On the How do you want multi-event reviews to proceed? screen:
    1. Confirm whether you want to auto-approve low-risk tasks for this event type by selecting Yes or No.
    2. Select which approval workflow you want to assign to this access review campaign. A list of the available workflows is visible. For details on how to create and manage approval workflows see Create Approval Workflow and Manage Approval Workflow. Once you have selected your workflow the View approval workflow link is displayed. Click on this to see a diagram of the selected workflow.
    3. Select the scope of justification required for access review decisions from the following values:
      • Required for all review decisions
      • Required only for revoke decisions
      • Optional for all review decisions
    4. Enter a name for the default access review owner.
    5. Select Save to update the shared workflow configuration, or Cancel to discard the changes.
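The change-event logic from Ema's scenario and the multi-event shared workflow above, as an added worked example (not code from Oracle Access Governance): it diffs an identity's attributes across a data sync, drops event types that are Disabled on the Change tab, and routes to the shared workflow when more than one event fires. The attribute keys, the enabled set, the workflow names and the identity snapshots are assumptions.

```python
from __future__ import annotations

# Identity attribute -> change event type on the Change tab. "project_code" is
# the custom attribute from the Ema scenario; the attribute keys are assumed.
ATTRIBUTE_EVENTS = {
    "manager": "Manager Change",
    "location": "Location Change",
    "job_code": "Job Code Change",
    "organization": "Organization Change",
    "department": "Department Change",
    "project_code": "Custom Attribute (Project Code)",
}

# Constructed configuration: Department Change and Organization Change stay Disabled.
ENABLED = {"Identity Enabled", "Identity Disabled", "Manager Change",
           "Location Change", "Job Code Change", "Custom Attribute (Project Code)"}
EVENT_WORKFLOWS = {e: f"{e} workflow" for e in ENABLED}   # per-event workflows (assumed names)
SHARED_WORKFLOW = "multi-event shared workflow"

def detect_change_events(before: dict, after: dict, enabled: set[str]) -> list[str]:
    """Compare one identity's attributes before and after a data sync and
    return the enabled change event types that fire, in a stable order."""
    fired = []
    if before.get("status") != after.get("status"):
        # The direction of the status change decides which event it is.
        fired.append("Identity Enabled" if after.get("status") == "active" else "Identity Disabled")
    for attr, event_type in ATTRIBUTE_EVENTS.items():
        if before.get(attr) != after.get(attr):
            fired.append(event_type)
    # A changed attribute whose event type is Disabled raises no review.
    return [e for e in fired if e in enabled]

def raise_reviews(identity_id: str, events: list[str]) -> list[dict]:
    """One access review per fired event. When more than one event type fires
    for the same identity (a multi-event), every review uses the shared workflow."""
    multi = len(events) > 1
    return [{"identity": identity_id, "event": e, "multi_event": multi,
             "workflow": SHARED_WORKFLOW if multi else EVENT_WORKFLOWS[e]} for e in events]

# Constructed snapshots for the Ema scenario: new manager and new project code.
EMA_BEFORE = {"status": "active", "manager": "alice", "location": "London",
              "job_code": "ENG2", "department": "R&D", "project_code": "PRJ-100"}
EMA_AFTER = {**EMA_BEFORE, "manager": "bob", "project_code": "PRJ-200"}

if __name__ == "__main__":
    for review in raise_reviews("ema", detect_change_events(EMA_BEFORE, EMA_AFTER, ENABLED)):
        print(review)
```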

View Event-Types

As an Administrator you can view the details of each event-type in the Oracle Access Governance Console.

To view event-based settings:

  1. Select the Navigation Menu. Click Access Reviews and then Event-Based Setup. The Event-Based Setup landing page is displayed.
  2. Select View details from the Actions drop-down menu for the event-type you want to view.
  3. The Event - <event type name> screen is displayed, allowing you to view the following details:
    • Status of the event type (Disabled or Enabled), and the date when the status was last changed
    • Whether the low-risk tasks for this event-based access review will be auto-approved or not
    • Details of the approval workflow
    • Details of when justification is required
    • Details of the completion rule
    • Default owner of the access review