Note:
- This tutorial requires access to Oracle Cloud. To sign up for a free account, see Get started with Oracle Cloud Infrastructure Free Tier.
- It uses example values for Oracle Cloud Infrastructure credentials, tenancy, and compartments. When completing your lab, substitute these values with ones specific to your cloud environment.
Govern Orphan Accounts using Oracle Access Governance
Introduction
Oracle Access Governance is a cloud-native, modern identity governance and administration (IGA) solution that provides enterprise-wide visibility to manage access across all your cloud services and on-premises systems. It offers dynamic access control and a prescriptive, analytics-driven access review process that helps customers automate access provisioning, gain insight into access permissions, identify anomalies, and remediate security risks. By combining simplicity, automation, and robust security features, Oracle Access Governance ensures that the workforce and consumers in your enterprise have only the access they need to the right resources, for performing their jobs, when they need it.
Orphan accounts are accounts that lack a designated owner; they can originate from any connected system or application. By implementing the process in this tutorial in Oracle Access Governance, you establish a centralized governance process that gives you visibility and control over these otherwise ungoverned identities.
Micro-Certifications: Event Driven Access Reviews
Micro-certifications are access reviews that Oracle Access Governance launches automatically whenever it detects an event, such as a change event, a timeline event, or an unmatched account event. Oracle Access Governance continuously monitors identity profiles and, whenever a pre-defined event is detected, launches the access reviews related to that event.
Unmatched account events are triggered whenever Oracle Access Governance detects an orphan account, that is, an account that cannot be associated with any identity. You select the orchestrated system for which you want to configure this event type, and you can also configure the event to remove unmatched accounts automatically.
Audience
- Oracle Access Governance administrators and Oracle Cloud Infrastructure Identity and Access Management (OCI IAM) administrators.
Objectives
- Configure dynamic access reviews for orphan or unmatched accounts using Oracle Access Governance.
- Configure event-based access reviews for unmatched accounts for a database.
- Create users directly in a database using a client.
- Perform data synchronization in Oracle Access Governance.
- Validate automatically generated access review tasks.
- Review and assign ownership to unmatched accounts.
Prerequisites
- An Oracle Access Governance instance with administrative rights. For more information, see Set Up Service Instance and About Application Roles.
- A target application or service, such as a database or an Active Directory.
- The target application integrated with Oracle Access Governance. For more information, see Integrate with Database User Management (Oracle).
Note: Although this tutorial uses a database as the managed system, the same steps apply to any target managed by Oracle Access Governance.
Task 1: Validate Orchestrated System Configuration in Oracle Access Governance
In this task, we will verify that the orchestrated system is correctly configured and the data load process is running successfully.
- Open a browser and navigate to the Oracle Access Governance console.
- Enter the Username and Password of the Oracle Access Governance administrator and click Sign In.
- From the navigation menu, select Service Administration and then Orchestrated Systems.
- Locate your managed system, click the three-dots (⋮) icon on the right-hand side, and select View Activity Log.
- Confirm that the Full Data Load activity has been running successfully.
Task 2: Create Event-Based Access Review for Unmatched Accounts
In this task, we will configure an event-based access review for unmatched accounts originating from the database.
- From the navigation menu, select Access Reviews and then Event-Based Setup.
- Navigate to Unmatched accounts and click Create an unmatched account event.
- Enter a name for the event, such as Unmatched Accounts - Database, and select Enabled to enable the event.
- Select the database orchestrated system.
- On the Choose your workflow page, select Custom User, and then select an administrator user in the Which user? field.
Task 3: Create Users in the Database
In this task, we will manually create user accounts in the target database using a database client.
- Use a database client (for example, SQL Developer) to create several user accounts in the database. Ensure that the usernames are not already present in Oracle Access Governance.
Note: While this tutorial uses SQL Developer, you can use any preferred database client.
-- Create three accounts directly in the database, bypassing Oracle Access Governance,
-- so that they show up as unmatched accounts after the next data load.
CREATE USER demousr1 IDENTIFIED BY demopasswd;
CREATE USER demousr2 IDENTIFIED BY demopasswd;
CREATE USER demousr3 IDENTIFIED BY demopasswd;

-- Confirm that the accounts exist.
SELECT username, user_id, default_tablespace, temporary_tablespace, profile,
       external_name, password_versions, authentication_type
FROM   dba_users
WHERE  UPPER(username) LIKE '%DEMO%';
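As an added cross-check that is not part of the tutorial, the following query lists database accounts that do not appear in a roster of identities known to Oracle Access Governance, so a DBA can compare the result with the Unmatched accounts view after the data load in Task 4. The governed_identities CTE is a constructed stand-in for the identity list exported from Oracle Access Governance; the oracle_maintained and last_login columns of dba_users exist in Oracle Database 12c and later.

```sql
-- Added example: find database accounts with no matching governed identity.
-- governed_identities is a constructed stand-in for the identities exported from
-- Oracle Access Governance; in practice, load that export into a staging table.
WITH governed_identities (username) AS (
    SELECT 'APPUSER1' FROM dual UNION ALL
    SELECT 'APPUSER2' FROM dual
)
SELECT u.username,
       u.account_status,
       u.created,                       -- when the account appeared in the database
       u.last_login,                    -- NULL if the account has never logged in
       u.authentication_type,
       u.profile
FROM   dba_users u
WHERE  u.oracle_maintained = 'N'        -- ignore Oracle-supplied schemas
AND    NOT EXISTS (SELECT 1
                   FROM   governed_identities g
                   WHERE  g.username = UPPER(u.username))
ORDER  BY u.created DESC;               -- newest potential orphans first
```

With the tutorial's accounts in place, demousr1, demousr2, and demousr3 appear at the top of the result; any other row is an account that deserves the same ownership review.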
Task 4: Synchronize and Validate Newly Created Database Users in Oracle Access Governance
In this task, we will synchronize the database users with Oracle Access Governance by running a data load.
- Navigate to the managed system as described in Task 1. Click the three-dots (⋮) icon and select Manage Integration.
- Click Load data now in the upper-right corner and wait for the data load to complete.
- From the navigation menu, under Service Administration, click Unmatched accounts.
- Filter by System (select the database) and sort by Date Created to view the newly created accounts.
Task 5: Review Unmatched Accounts and Assign Ownership
In this task, we will review the unmatched accounts and assign them to appropriate owners.
- From the navigation menu, select Access Reviews and then click My Access Reviews.
- Navigate to Ownership. You should see the review tasks for the unmatched accounts. Click View to check the detailed insights for each account.
- To assign an owner, click Select an identity, select the appropriate owner, and then click Match and Apply.
In this tutorial, you learned how to configure event-based access reviews for orphan or unmatched accounts. You observed how Oracle Access Governance continuously monitors identity profiles, and whenever a predefined unmatched accounts event is detected, it automatically triggers access review tasks, routing them to designated reviewers according to the workflow configuration. You also saw how reviewers can access detailed insights and assign ownership to these orphan accounts.
Next Steps
After completing these tasks, you can manage the entire lifecycle of accounts that were directly created in downstream applications and services but cannot be matched by Oracle Access Governance. Oracle Access Governance allows you to define policies to automate user provisioning, as well as create manual requests with approval workflows. You can govern access across your environment, establish access review campaigns to regularly audit user access, and implement remediation actions when necessary.
Acknowledgments
- Author - Anuj Tripathi (NA Cloud & Tech Platform Security Specialist)
More Learning Resources
Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.
For product documentation, visit Oracle Help Center.
G15244-01
September 2024