Note:
- This tutorial requires access to Oracle Cloud. To sign up for a free account, see Get started with Oracle Cloud Infrastructure Free Tier.
- It uses example values for Oracle Cloud Infrastructure credentials, tenancy, and compartments. When completing your lab, substitute these values with ones specific to your cloud environment.
Delegate Group Membership Reviews with Access Reviews in Oracle Access Governance
Introduction
Oracle Access Governance is a cloud-native solution which helps meet governance and compliance requirements across many applications, workloads, infrastructures, and identity platforms. It provides organization-wide visibility and capabilities to identify anomalies and mitigate security risks across cloud and on-premises environments. It offers dynamic access control and a prescriptive, analytics-driven access review process that helps customers automate access provisioning, get insights into access permissions, identify anomalies, and remediate security risks.
Group Membership Reviews
Oracle Access Governance offers Oracle Cloud Infrastructure (OCI) group membership reviews. Using this feature, OCI administrators gain a simplified overview of OCI group memberships, their members, and the access privileges those memberships grant. This helps administrators identify, in a timely manner, OCI group memberships that are no longer needed.
Delegation
You might want to delegate approvals or access reviews to others for the following reasons:
- Unavailability because of vacation, sickness, or working on other tasks.
- Having the most qualified person make decisions.
- Developing someone’s ability to handle additional assignments.
In Oracle Access Governance, you can set up and manage preferences. Users can delegate tasks and activities using the Oracle Access Governance Console. You can use the My Preferences setting to assign tasks and activities to another user or Identity Collection. You can delegate who performs access reviews and who performs approvals on your behalf. A task can be delegated to an individual or an Identity Collection. The Identity Collection can have one or more members in it. Duration for delegation can be set to a time range or indefinitely.
Audience
- Oracle Access Governance administrators and OCI administrators.
Objectives
Delegate group membership reviews with Access Reviews in Oracle Access Governance. For this, you will need to:
- Create and perform group membership review campaigns for Oracle Cloud Infrastructure Identity and Access Management (OCI IAM) users.
- Delegate Access Review tasks to an Identity Collection.
Prerequisites
- Access to an OCI account with administrator rights, with an Oracle Access Governance service instance provisioned in OCI. For more information, see Set Up Service Instance.
- Your Oracle Access Governance user must have Oracle administrator rights. For more information, see About Application Roles.
- OCI groups and OCI IAM users assigned to them.
- Integrate OCI IAM with Oracle Access Governance. For more information, see Integrate with Oracle Cloud Infrastructure (OCI) Identity and Access Management (IAM).
- Create an Identity Collection. For more information, see Create Identity Collections.
- Create an approval workflow in Oracle Access Governance. For more information, see Create Approval Workflow.
Task 1: Create Group Membership Review Campaign
- Log in to the Oracle Access Governance Console as the administrative user. Click the navigation menu, then Access Reviews and Campaigns. Alternatively, you can select “Let’s create some work and define a new campaign”.
- In the Campaigns page, click Create a campaign.
- In the Selection criteria section, select Which tenancies? to see a list of available cloud tenancies.
- Select an appropriate cloud tenancy. In this tutorial, select your own cloud tenancy. A green tick is marked against your selection. Click Refine further. You can further refine your selection by choosing a specific compartment and a domain, to run domain-specific policy reviews.
- Enter the compartment (ag-compartment) and click Apply.
- Select Which identity collections? to choose the Identity Collections that you want to review. You will see a list of available Identity Collections in the domain that you selected.
- Select the following Identity Collections and click Apply my selections.
  - Auditors
  - NetworkAdmins
  - SecurityAdmins
- Click I’m good, go to workflows.
- In the Assign workflow section, enter the following information and click Next.
  - Which approval workflow should be used?: Select One-level-approval-workflow (select the approval workflow).
- In the Add details section, you can define the frequency (one-time or periodic) at which to run an access review campaign, give a meaningful name to your campaign, add a supporting description, and assign values to additional attributes, such as who owns it and when the campaign should start or end. Enter the following information and click Next.
  - How often do you want this to run?: Select One time.
  - What do you want to call this campaign?: Enter Group-Membership-Review-Campaign.
  - How do you want to describe this campaign?: Enter Group-Membership-Review-Campaign.
  - Who owns this campaign?: Select Me.
  - How would you like to schedule your campaign?: Select Run now (will start 10 minutes from creation).
- In the Review and submit section, review the information you have added and click Create to create the campaign.
Your campaign has been scheduled successfully and is displayed in the Campaigns page. It will run 10 minutes from creation.
Task 2: Configure the Delegation
In this task, we will configure the delegation for the group membership review tasks to an Identity Collection to take action during your absence.
- Go to the Oracle Access Governance Console and navigate to the homepage.
- Navigate to Access Controls and Identity Collection to view the Identity Collection to which you will assign the delegation.
- Click My Stuff and My Preferences.
- Click Add delegation.
- In the Add a delegation page, enter the following information and click Save.
  - Which tasks you want to delegate?: Select Access Reviews.
  - Who do you want to delegate to?: Select An identity collection.
  - Who?: Select IT-Team.
  - How long do you want the delegation to last?: Select During a time range.
Note: The delegation is now configured: you (the administrator) are delegating the campaigns to the IT-Team Identity Collection. The members of this Identity Collection can perform the access reviews during the defined period. Both the administrator and the delegates receive the notification emails for the campaigns requiring action.
Task 3: Perform Group Membership Review Tasks
In this task, we will review and certify group membership review tasks raised by the campaign created in Task 1.
- Go to the Oracle Access Governance Console and navigate to the homepage.
- Click Access Reviews and My Access Reviews.
- To view the review tasks created by your policy review campaign, click Access control. You will see all policy access review tasks assigned to you as a reviewer. Oracle Access Governance uses an in-house, analytics-based intelligence system to provide accept/review recommendations.
- For this tutorial, check the recommendations given by Oracle Access Governance.
  - Auditors is marked for Review.
  - NetworkAdmins is marked for Review.
  - SecurityAdmins is marked for Review.
- Click Actions one by one to make review decisions. You can either revoke all or accept all actionable statements in that policy at once, or make a decision individually on each policy statement.
- Use case 1: Accept all the named user identities for the Auditors group membership.
  - Click Accept all.
  - Click Apply.
  - Enter a justification for why you accept all the named user identities to have the group membership and click Submit. This triggers the auto-remediation process in the Oracle Access Governance system.
- Use case 2: Revoke 2 out of the 4 named identities for the NetworkAdmins group membership.
  - Revoke access for the identities David Brown and Jerry Poland. The remaining 2 users (John Smith and Mark Hernandez) remain accepted for the group membership. Click Apply.
  - Enter a justification and click Submit. The closed-loop access remediation takes place automatically.
- Use case 3: Revoke all the named identities that have the group membership for SecurityAdmins.
  - Click Revoke all and Apply.
  - Enter a justification and click Submit. The closed-loop access remediation takes place automatically.
- Log in to the OCI Console as the identity domain administrator, navigate to Identity & Security, Identity, click the identity domain (ag-domain) and Users. Verify that the group memberships of the users have been processed successfully.
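The two mechanisms this tutorial walks through in the console, a time-ranged delegation of Access Review tasks to an Identity Collection (Task 2) and closed-loop remediation of the three use-case decisions (Task 3), can be modelled in a few lines so the expected end state is explicit and checkable. The following is an added example written for this page; it is not Oracle Access Governance code and does not use its API. The Identity Collection name IT-Team, the group names, and the four NetworkAdmins users come from the tutorial; the delegate usernames, the other group members, the date window (October 2024) and the justification strings are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample data for the tutorial scenario; not Oracle Access Governance data.
IDENTITY_COLLECTIONS = {
    "IT-Team": {"ana.ops", "raj.ops"},          # assumed members of the delegate collection
}
# OCI group membership before any review decision is applied (constructed, except the
# four NetworkAdmins users named in the tutorial).
GROUP_MEMBERS = {
    "Auditors": {"Lisa Chen", "Omar Haddad"},
    "NetworkAdmins": {"David Brown", "Jerry Poland", "John Smith", "Mark Hernandez"},
    "SecurityAdmins": {"Priya Nair", "Tom Wells"},
}


@dataclass(frozen=True)
class Delegation:
    """One 'Add delegation' entry from My Preferences (modelled, not the console's schema)."""
    task_type: str              # "Access Reviews" or "Approvals"
    delegator: str              # the administrator whose tasks are delegated
    delegate_collection: str    # Identity Collection acting on the delegator's behalf
    start: date
    end: Optional[date]         # None models "indefinitely"

    def active_on(self, task_type: str, delegator: str, day: date) -> bool:
        return (self.task_type == task_type and self.delegator == delegator
                and self.start <= day and (self.end is None or day <= self.end))


def effective_reviewers(delegations, owner, task_type, day):
    """Who may act on `owner`'s tasks of `task_type` on `day`: the owner plus the members
    of every delegation active that day. The owner keeps the ability to act, as the
    tutorial notes (both administrator and delegates are notified)."""
    reviewers = {owner}
    for d in delegations:
        if d.active_on(task_type, owner, day):
            reviewers |= IDENTITY_COLLECTIONS[d.delegate_collection]
    return reviewers


@dataclass(frozen=True)
class Decision:
    group: str
    revoke: frozenset           # identities whose membership is revoked; all others are accepted
    reviewer: str
    justification: str          # the console requires one before Submit


def apply_decisions(groups, decisions, delegations, owner, day):
    """Closed-loop remediation: returns (membership after remediation, list of revoke actions).
    A decision is rejected if the reviewer is not an effective reviewer that day, if the
    justification is empty, or if it names an identity that is not a member of the group."""
    allowed = effective_reviewers(delegations, owner, "Access Reviews", day)
    after = {g: set(m) for g, m in groups.items()}
    actions = []
    for d in decisions:
        if d.reviewer not in allowed:
            raise PermissionError(f"{d.reviewer} may not review {owner}'s tasks on {day}")
        if not d.justification.strip():
            raise ValueError(f"justification required for {d.group}")
        unknown = d.revoke - groups[d.group]
        if unknown:
            raise ValueError(f"not members of {d.group}: {sorted(unknown)}")
        for user in sorted(d.revoke):
            after[d.group].discard(user)
            actions.append((d.group, user, "revoke"))
    return after, actions


def verify_remediation(before, after, decisions):
    """The final verification step: every revoked identity is gone from its group and
    every accepted identity is still present."""
    for d in decisions:
        if d.revoke & after[d.group]:
            return False
        if not (before[d.group] - d.revoke) <= after[d.group]:
            return False
    return True


# The tutorial's scenario: a time-ranged delegation and the three use-case decisions,
# made by an IT-Team member while the delegation is active.
SAMPLE_DELEGATIONS = [
    Delegation("Access Reviews", "admin", "IT-Team", date(2024, 10, 1), date(2024, 10, 31)),
]
SAMPLE_DECISIONS = [
    Decision("Auditors", frozenset(), "ana.ops", "Use case 1: all members still require audit access"),
    Decision("NetworkAdmins", frozenset({"David Brown", "Jerry Poland"}), "ana.ops",
             "Use case 2: two members moved off the network team"),
    Decision("SecurityAdmins", frozenset(GROUP_MEMBERS["SecurityAdmins"]), "ana.ops",
             "Use case 3: group retired, revoke all"),
]


def run_tutorial_scenario(day_iso: str = "2024-10-15"):
    """Apply the sample decisions on the given day; returns (after, actions, verified)."""
    day = date.fromisoformat(day_iso)
    after, actions = apply_decisions(GROUP_MEMBERS, SAMPLE_DECISIONS, SAMPLE_DELEGATIONS, "admin", day)
    return after, actions, verify_remediation(GROUP_MEMBERS, after, SAMPLE_DECISIONS)


if __name__ == "__main__":
    after, actions, ok = run_tutorial_scenario()
    for action in actions:
        print(action)
    print("remediation verified:", ok)
```

Running the scenario on a day inside the delegation window yields four revoke actions (two for NetworkAdmins, two for SecurityAdmins), no change to Auditors, and a successful verification; running it on a day outside the window raises PermissionError, because the IT-Team member is then no longer an effective reviewer for the administrator's tasks.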
Acknowledgments
- Author - Indiradarshni Balasundaram (Cloud Engineer)
More Learning Resources
Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.
For product documentation, visit Oracle Help Center.
G16580-01
October 2024