Who Has Access to What - Comprehensive Access Profile Visibility across Enterprises

Get comprehensive visibility into all the components, access information, and resources within an enterprise framework using the Oracle Access Governance Who has Access to What - Enterprise-wide Browser. With this, you can track and monitor who has access to different systems, data, and applications, at what permission level, and for what purpose, to make informed decisions and detect potential security issues for effective governance.

With Enterprise-wide Browser, you can view details of the access profiles of identities across the enterprise. As a manager, you can go to My Directs' Access to view access profiles of your team, enabling you to oversee the access privileges of team members. As an Oracle Access Governance user, you can view your own accesses from My Stuff, and then the My Access page. For more information on what access components you can view, refer to Enterprise-wide Access Profile Reference.

  • Applicable Roles for Enterprise-wide Browser: Enterprise-wide Access Administrator or Administrator
  • Applicable Roles for My Directs' Access and My Access: User

Why Enterprise-wide Access Visibility Matters

Enterprises today use multiple systems and go through various personnel changes in their ecosystem. With the extensive use of digital platforms, cloud services, physical assets, and interconnected systems, it is vital to safeguard information. Enterprises need to have a centralized view of all identity and access management information to identify vulnerabilities, detect risk, foresee potential gaps, and adjust policies to better protect the security posture of their organization.

Oracle Access Governance Who has Access to What - Enterprise-wide Browser gives enterprises access profile details across the enterprise infrastructure, providing a unified view of the security posture. You can get thorough insights into identities, resources, permissions, access bundles, accounts, policies, roles, group membership, organizations, and so on.

Use advanced filters to narrow down your search and locate specific infrastructure components within the enterprise. For example, you can locate information based on identity location, job code, department, or any other specific identity attribute. You can personalize the access insights dashboard by customizing (hiding/showing) the available information for a better user experience. By gaining deep visibility into enterprise security information, you can help enforce proper compliance and proactively validate that appropriate access has been granted throughout your enterprise.

Browsing Views: Selection Parameters to Explore Access Profile across Enterprise

You can view access information using various perspectives, such as Identities, Identity Collections, Roles, Permissions, Policies, Resources, and Organizations. Each one offers a different angle to view access information across the enterprise.

You can search or apply filters to refine your results. For easier navigation, you can use quick links to move back and forth between detail pages while exploring access insights. Quick links cover up to five (5) levels: the first is the Enterprise-wide Browser page, and the remaining four (4) are the four (4) most recently visited pages.

Refresh Timings

For entities local to Oracle Access Governance, you can immediately view them on the Enterprise-wide Browser page; the ingested access information is refreshed and visible as per the orchestrated system data load schedule. On the details page, reference counts are updated every hour to provide you with the latest counts. If you notice an entity listed before the count is updated, this is likely due to scheduled refresh timings followed by the service.

Here’s what each browsing component offers:

Identities

Get a comprehensive view of all the available Active identities in Oracle Access Governance. You can view identity details displaying identity attributes along with intelligent risk insights generated by Oracle Access Governance. For example, you can view the access profile information of an intern working in your enterprise to ensure they are not part of any strategic group or have access to any critical resource. Browse an individual identity to get access details for the selected identity.

You will see the same set of information when exploring your own accesses within Oracle Access Governance, or when managers view identity details for their team members. For more information on what components you can view, refer to Enterprise-wide Access Profile Reference.

Identity Collections

Get comprehensive access insights at a group level using Identity Collections as your perspective view. You can view identity collections created within Oracle Access Governance or groups in Oracle Cloud Infrastructure (OCI). It displays the basic details, such as status, number of members, or owner of the identity collection. This view is beneficial if you want to view access profiles for a group, rather than an individual. For example, you may want to ensure that only the identities that are part of the Finance department have access to critical accounting systems and data.

For OCI groups, the Owner is marked as AG System. Browse an individual identity collection to view access summary, reference count summary, its creation rule, intelligent insights, and member details. Additionally, you can run access reviews and download a PDF report presenting Identity collection details. For more information on what components you can view, refer to Enterprise-wide Access Profile Reference.

Organizations

Get a list of organizations created within Oracle Access Governance, displaying basic details, such as name, status, member count, and owner details. Browse an individual organization to view its membership rules and member details. These are beneficial for looking out for hierarchical access within an enterprise. You can easily set up rules based on your department when creating an Organization. For example, in a banking system, regional branch managers can get access profile information of all the employees across all the branches managed by them. For more information on what components you can view, refer to Enterprise-wide Access Profile Reference.

Permissions

Get a list of all the permission types, such as roles, privileges, groups, access bundles, and permissions for each resource ingested from an Orchestrated system. Browse an individual permission to see a reference count summary related to the selected permission along with the included resource access. For example, you may want to get a list of all the available permissions associated with a critical resource in a tenancy. Within the Permissions perspective, the viewable details for each permission vary based on Granted permission type and Access Governance type. For example, for Access Governance type Access Bundle, you can view associated identities, identity collections, roles, and policies, but for Access Governance type Roles, you can view identities.

For more information on what components you can view, refer to Enterprise-wide Access Profile Reference.

Policies

Get a list of all the Oracle Cloud Infrastructure (OCI) policies and Oracle Access Governance policies, displaying basic policy details. Browse an individual policy to see a reference count summary related to the selected policy along with policy details, such as policy statements or associated roles or access bundles. For example, you can view all the available OCI policies for a specific compartment. As another example, you can view what resources are assigned to an Identity Collection and its association for a specific Oracle Access Governance policy.

If you browse through an OCI policy, you will see OCI policy statements, Identities, Identity Collections (OCI groups), and Resources. If you browse through an Oracle Access Governance policy, you will see Identities, Identity Collections, Resources, Access Bundles, and Roles. For more information on what components you can view, refer to Enterprise-wide Access Profile Reference.

Resources

Get a list of enterprise resources and resource types across various systems or cloud tenancies integrated with Oracle Access Governance. You can also fetch which identities are currently assigned to that resource. For example, you may want to get access details related to a specific OCI bucket.

Manage a large set of resources by applying sorting techniques. Use the Sort by drop-down to sort resources by Resource Name or Resource Type and/or use the Sort Direction drop-down to arrange resources alphabetically either in ascending (A-Z) or descending (Z-A) order. Browse an individual resource to view access summary, identity details, or allocation insights based on Organization, Source Organization (Source Org), Job Code, or Location. For more information on what components you can view, refer to Enterprise-wide Access Profile Reference.

Roles

Get a list of the roles created in Oracle Access Governance. These roles are associated with identities via policies or self-service requests so that appropriate accesses can be assigned to identities to perform a task. For example, you can create a database administrator role in Oracle Access Governance to associate database applications and privileges to identities or identity collections. For more information on what components you can view, refer to Enterprise-wide Access Profile Reference Roles Reference.

Search Capabilities: Using Keywords, Suggested and Advanced Filters

You can use our search capabilities to get specific and relevant results. You can use a basic keyword search for anything that you want to locate within an Enterprise-wide Browser, scope your search using the suggested filters, or apply advanced filters to further specify your search criteria and improve results.

Basic Keyword Search

The basic search is a keyword search, where you enter terms directly related to your requirement. For example, typing “IND” in the search box returns all the available rows that contain this match. This search is not limited to the default view visible to you: it looks across all the available columns, including the columns hidden from the view.

Suggested Filters

You can scope the search and enhance the results by using the available suggested filters. These filters vary based on the browsing selection you chose. For example, for Identities, you can limit your search to view workforce identities only by applying the Access Governance subtype Workforce filter.

Advanced Filters

If you are looking for something specific, then use Advanced filters. The attributes and logical operators vary based on the perspective view selected. For example, to view specific policy details in a compartment, you can use advanced filters to choose the compartment name. As another example, if you want to view access information for the permissions assigned after a certain date, you would use the Created Date advanced filter to specify the date. Advanced filters help you run precise searches and get specific results quickly.

Let’s see how you can use all three search capabilities to get improved results. For example, you want to locate the Workforce identity containing the keyword Alison, belonging to either the India or the Chile location. To do this:
  • Type “Alison” in the search box for your basic search.
  • Apply the suggested filter Access Governance subtype Workforce.
  • Add an advanced filter on Location, selecting India or Chile.
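
The combined search above, modeled offline as an added example (not Oracle code or an Oracle API): the column names, the sample rows, and the case-insensitive substring matching are assumptions. It shows the three layers being ANDed, the Location values being ORed, and a row that appears in the results only because a hidden column matched the keyword.

```python
# Added illustration; attribute names and matching rules are assumptions,
# not the Oracle Access Governance schema or API.
VISIBLE = ("name", "subtype", "location")  # columns shown in the view

# Constructed sample rows; "manager" stands in for a hidden column.
IDENTITIES = [
    {"name": "Alison Rao", "subtype": "Workforce", "location": "India", "manager": "Tom Hale"},
    {"name": "Alison Vega", "subtype": "Consumer", "location": "Chile", "manager": "Tom Hale"},
    {"name": "Marco Diaz", "subtype": "Workforce", "location": "Chile", "manager": "Alison Rao"},
    {"name": "Alison Berg", "subtype": "Workforce", "location": "Norway", "manager": "Tom Hale"},
    {"name": "Priya Nair", "subtype": "Workforce", "location": "India", "manager": "Tom Hale"},
]


def keyword_columns(row, keyword):
    """Columns (visible or hidden) whose value contains the keyword."""
    needle = keyword.casefold()
    return [col for col, val in row.items() if needle in str(val).casefold()]


def search(rows, keyword, suggested=None, advanced=None):
    """AND the three layers; values inside one advanced filter are ORed.

    suggested: {attribute: required value}
    advanced:  {attribute: set of accepted values} (an Equals filter)
    """
    suggested, advanced = suggested or {}, advanced or {}
    results = []
    for row in rows:
        hits = keyword_columns(row, keyword)
        if not hits:
            continue  # basic keyword search found nothing in any column
        if any(row.get(a) != v for a, v in suggested.items()):
            continue  # excluded by the suggested filter
        if any(row.get(a) not in vals for a, vals in advanced.items()):
            continue  # excluded by the advanced filter
        hidden = [c for c in hits if c not in VISIBLE]
        # hidden_only flags rows a reviewer cannot explain from the visible view
        results.append({"name": row["name"], "matched": hits,
                        "hidden_only": hits == hidden})
    return results


def alison_query():
    """Keyword Alison, subtype Workforce, Location Equals India or Chile."""
    return search(IDENTITIES, "Alison",
                  suggested={"subtype": "Workforce"},
                  advanced={"location": {"India", "Chile"}})


if __name__ == "__main__":
    for result in alison_query():
        print(result)
```
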

Usage Examples: Monitoring Access Profile Details in an Enterprise

Let's look at a few scenarios to understand how you can use the Who has Access to What feature to its full potential.

Scenario 1: Monitoring Access Profile Insights for the High-Risk Interns

You want to review the access profile of interns, having job codes IN101 and IN102, to get comprehensive insights of accesses assigned to them.

To do this:
  1. Log on to Oracle Access Governance as an Enterprise-wide Access Administrator.
  2. Navigate to Who has Access to What, and then Enterprise-wide Browser.
  3. In Select what you want to browse list, select Identities.
  4. Apply the suggested filter on Insights High Risk.
  5. Add an advanced filter on Job code Equals IN101 or IN102.

    You will get a list of high-risk identities fulfilling the applied conditions.

  6. For an identity, click the View Details button to view its assigned permissions, roles, policies, organizations, identity collection, resources, and accounts.

    You can further generate user-created access reviews for such high-risk identities so that reviewers can approve or revoke accesses appropriately.

Note:

Alternatively, you can create an identity collection for Interns by applying the job code membership rule. You can browse this identity collection from the Enterprise-wide Browser page. You can generate access review campaigns or provision the identities using this identity collection.

Scenario 2: Exploring OCI Policies across an OCI tenancy

As a cloud administrator, you want to view all the available Oracle Cloud Infrastructure (OCI) policies across a specified tenancy (ewbgov) to get a clear overview of access controls, permissions and resources allocated.

To do this:
  1. Log on to Oracle Access Governance as an Enterprise-wide Access Administrator.
  2. Navigate to Who has Access to What, and then Enterprise-wide Browser.
  3. In the Select what you want to browse list, select Policies.
  4. Apply the suggested filter on Provider Oracle Cloud Infrastructure.
  5. Add an advanced filter on Cloud account name Equals ewbgov.

    The layout displays the count and list of all the OCI policies fulfilling the applied conditions.

  6. For a policy, click the View Details button to view policy statements, identities, identity collections (OCI groups), or resources associated with this policy.

Access Reviews in Enterprise-wide Browser

You can run access reviews for identities, identity collections, and policies. For an identity, you can create access reviews to verify roles, access bundles, accounts, or permissions from the Enterprise-wide Browser. You can directly initiate Identity access reviews or Access control reviews while exploring the access profile insights.

The scope of usage is a bit different from generating periodic or ad-hoc campaigns which are part of planned access review audits in an enterprise. Generally, you need user-created access reviews to generate spontaneous access reviews. For example, you may generate access reviews for an identity where you identify access anomalies while exploring access profile for that identity. The reviewer can then validate these access reviews from the My Access Reviews page following the process defined in Perform Access Reviews. On the My Access Reviews page, you can differentiate these access reviews from the ones generated by campaigns by viewing the Review Source column. The ones marked with User created are initiated from the Enterprise-wide Browser. You can generate the following user-created access reviews:
  • Identity Access Reviews: When you want to review accesses granted to an identity and verify that the assigned access rights are appropriate. For example, you can generate user-created access reviews to review accounts, permissions, and resources assigned to a high-risk identity.
    • If you select Actions, and then Create access review from the top banner of the details page, then all the possible review tasks for that identity including role, permission, and account will be generated for that identity.
    • If you select More Actions, and then Create access review, then an access review for that specific permission, role, or account will be created. Refer to the Access Review Creation Criteria section to see which permissions you can generate access reviews for.
  • Access Control Reviews: When you want to review the implementation of access controls, such as performing a review of an Identity Collection assigned to an identity, or reviewing or auditing accesses assigned through the Oracle Access Governance or Identity and Access Management (IAM) policy.

Access Review Creation Criteria

You can generate individual access reviews for a specific permission or role meeting the criteria given in the following table. For example, you cannot generate access reviews for permissions not managed or provisioned by Oracle Access Governance, other than Oracle Identity Governance (OIG) and Oracle Cloud Infrastructure (OCI). As another example, you cannot review permissions granted through a policy unless it is an Oracle Access Governance policy. Let's look at the criteria for generating user-created access reviews.

Table - Criteria to run Access Reviews from Enterprise-wide Browser

System: Oracle Identity Governance (OIG)
  Valid Entities to Review:
    • Accounts
    • Permissions
    • Identities
    • Roles
  Valid Conditions for Review:
    Grant Type for Entitlement
      • Request
      • Direct Provision
      • Reconciliation
      • Bulk Load
    Account Status
      • Provisioned
      • Enabled
    Grant Type for Role
      • Direct
      • Request

System: OCI
  Valid Entities to Review:
    • Roles
    • Identity Collections or OCI Groups
    • Identities
  Valid Conditions for Review:
    Grant Type for Role Membership
      • SERVICE_MANAGER_TO_USER
      • ADMINISTRATOR_TO_USER

System: Oracle Access Governance
  Valid Entities to Review:
    • Identities
    • Accounts
    • Policies
    • Identity Collections
    • Roles
    • Permissions (Access Bundles)
  Valid Conditions for Review:
    Grant Type
      • Request

User-Created Access Review Report

Generate a monthly report on access reviews created from Enterprise-wide Browser by selecting the View user created access review report button. You can generate a report based on the date range and access review type.
As with campaigns, you see a report displaying access review details and a breakdown of pending, approved, or revoked access review decisions for user role, user account, and permission.
  • For identity access reviews, you see the breakdown of the review decisions based on the top five organizations, source organizations, roles, and applications.
  • For access control reviews, you see a breakdown of pending, approved, revoked, or modified access review decisions along with grouping of top five created since date ranges for identity collections or policies.
In addition to viewing the report, you can also save the reports offline in PDF format or download the CSV data for record-keeping or further analysis or audit.