12.1 Identity Certification Overview
- 12.1.1 What Is Identity Certification?
Identity certification is the process of reviewing user entitlements and access-privileges within an enterprise to ensure that users have not acquired entitlements that they are not authorized to have. It also involves either approving (certifying) or rejecting (revoking) each access-privilege.
- User Certification
- Role Certification
- Application Instance Certification
- Entitlement Certification
- 12.1.2 Who Is Involved in Completing Identity Certifications?
- Certifier
- User manager
- Business reviewer
- Primary Reviewer
- Technical Reviewer
- Delegated Reviewer
- Final Reviewer
12.2 Certification UI
- Pending Certifications page
- Dashboard
12.3 Certification Name Formats
12.4 Searching and Viewing Certifications
- 12.4.1 Searching Certifications in the Dashboard
- Oracle Identity Self Service -> Compliance -> Identity Certification
- 12.4.2 Viewing Certifications From the Dashboard
- Oracle Identity Self Service -> Compliance -> click the Identity Certification box -> select Dashboard
12.5 Completing User Certifications in Offline Mode
- Download to Editable Excel
- Certify, Revoke, Abstain, or Certify Conditionally
12.6 Generating Certification Reports
- 12.6.1 Generating Certification Reports From the Dashboard
- Oracle Identity Self Service -> Compliance -> click the Identity Certification box -> Dashboard -> Reports
- 12.6.2 Generating Exported Certification Reports From the Certification Pages
- Oracle Identity Self Service -> Self Service -> Certifications ->
13.1 Certification Concepts
- 13.1.1 Line of Business and Line Item
- LOB is a category of industry or business function
- 13.1.2 Certification Task
- A certification task consists of a set of work to be done within a certification process. Each set of line items that is assigned to a particular reviewer initiates a Service-Oriented Architecture (SOA) task that contains that set of line items and is routed to the SOA Inbox of that reviewer.
- 13.1.3 Certification Object
- A certification object is a generated certification that is assigned to a particular certifier or primary reviewer. It contains:
- A unique certification ID
- A set of line-items, each of which contains a set of details
- 13.1.4 Certification Definition
- Certification definition is a named set of parameters that is used as input to a certification job to generate certification objects.
- user certification, role certification, application instance certification, or entitlement certification
- 13.1.5 Certification Jobs
- Certification jobs are used to create certifications as requested or as scheduled.
- Scheduled to run at regular intervals, such as weekly, monthly, or quarterly, as required
- Run immediately from the Scheduler section of Oracle Identity System Administration
- Triggered from an event-listener action
- 13.1.6 Closed-Loop Remediation
- Closed-loop remediation is a feature that utilizes the provisioning system of Oracle Identity Manager to automatically revoke accounts, roles, and entitlements based on the results of the Oracle Identity Manager certification process
- 13.1.7 Remediation Tracking
- You can use the request catalog to track the remediation status of revoked accounts, access within accounts, or roles. This records whether and when each revocation request is fulfilled.
- 13.1.8 Event Listener
- Event listener is a service that responds to changes in users. Event listeners are supported for all certification types.
- Each event listener for certification contains:
- The selection-criteria specified by an administrator
- The certification definition to use in response
- 13.1.9 Certification Authorization
- Oracle Identity Manager admin roles grant the assignee privileges required to administer the certification feature and monitor the progress of certification instances
- Certification Administrator
- Certification Viewer
13.2 Configuring Certifications
- 13.2.1 Prerequisites for Configuring Certifications
- 13.2.1.1 Marking a Catalog Item as Certifiable
- 13.2.1.2 Setting the Certifier in the Request Catalog
- 13.2.1.3 Setting User Manager and Organization Certifier
- Setting the user manager or organization certifier is required if you want to use the Reviewer option of User Manager or Organization Certifier. Otherwise, this is not required.
- The role organization certifier does not support the Hierarchy aware option. For the organization certifier, the role must be available in the organization; in other words, a specific organization must be specified for the role, otherwise the certification will not be generated. Make sure that the role and organization are linked and that the organization has a certifier user assigned.
- 13.2.1.4 Setting User Attributes for Certification Snapshot
- 13.2.1.5 Setting Risk Levels for Individual Entities
- Risk Aggregation scheduled job
- 13.2.1.6 Tagging Attributes
- Entitlement = true in Form Designer
- AccountName = true
- ITResource = true
- 13.2.1.7 Configuring the Availability of Identity Certification
- Identity Auditor Feature Set Availability = TRUE (SYS Property)
- 13.2.1.8 Configuring Reminders, Notifications, Escalations, and Expiry for Certifications (Optional)
- SOA Human Task (Reminders & Escalations)
- 13.2.2 Configuring Certification Options
- Properties Available
- Password required on sign-off
- Allow comments on certify operations
- Allow comments on all non-certify operations
- Verify employee access
- Prevent self certification
- User and Account Selections
- Allow advanced delegation
- Allow multi-phased review
- Allow reassignment
- Allow auto-claim
- Perform closed loop remediation
- Enable Interactive Excel
- Enable Certification Reports
- Composite Name
13.3 Managing Certification Definitions
- 13.3.1 Creating Certification Definitions
- 13.3.1.1 Creating a User Certification Definition
- 13.3.1.2 Creating a Role Certification Definition
- 13.3.1.3 Creating an Application Instance Certification Definition
- 13.3.1.4 Creating an Entitlement Certification Definition
- 13.3.2 Modifying Certification Definitions
- 13.3.3 Deleting Certification Definitions
13.4 Scheduling Certifications
- Scheduled as part of certification creation process
13.5 Understanding How Risk Summaries are Calculated
- You can directly assign high, medium, and low risk levels to roles, application instances, and entitlements, as well as to certain predefined risk factors. A risk-aggregation job calculates Risk Summaries for the remaining higher-order data objects that are required to support identity certification. These objects include every user, user-role assignment, account, and entitlement-assignment in Oracle Identity Manager.
- 13.5.1 Understanding Item Risk and Risk-Factor Mappings
- Item risk and the risk-factor mappings are settings that are under your direct control.
- 13.5.1.1 Setting Item Risk
- Item risk refers to the risk levels that you and other administrators can assign to specific roles, application instances, and entitlements.
- In the UI, three bars signify high risk, two bars signify medium risk, and one bar signifies low risk.
- 13.5.1.2 Understanding Risk-Level Mappings (Risk Factors)
- Risk-Factor Mappings are settings that map risk levels to certain predefined conditions. For example, you might configure "items with open audit violations" as high risk, whereas "items that are closed as risk-accepted" you might configure as medium risk.
- 13.5.2 Understanding Risk Aggregation and Risk Summaries
- The Risk Aggregation Task scheduled job processes Item-Risk levels and Risk-Factor levels, and calculates Risk Summaries for each higher-order object that supports identity certification.
- The Risk Aggregation Task is used to seed the predefined Risk Aggregation Job.
- 13.5.3 Understanding How Changing Risk Configuration Values Impacts the System
- There are three main actions or system events that can impact Risk Summary values. Depending on the action or system event, the impact can be minor, moderate, or major.
- Users and/or Oracle Identity Manager make changes to individual entitlements (Minor)
- An administrator makes item-risk changes to roles, resources, and entitlements (Moderate)
- An administrator makes configuration changes to the Risk-Level Mappings (Major)
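As an added illustration of how item risk and risk-factor mappings could roll up into risk summaries, here is example code written for these notes, not Oracle's implementation. The max-of-contributors rule, the condition keys, and the sample user are assumptions; the page does not state the product's exact formula.

```python
from dataclasses import dataclass, field

# Item-risk levels as rendered in the UI: one bar = low, two = medium, three = high.
LOW, MEDIUM, HIGH = 1, 2, 3

# Risk-factor mappings: predefined conditions mapped to a level. The levels are the
# page's own example (open audit violation = high, closed as risk-accepted = medium);
# the condition keys are constructed for this example.
RISK_FACTOR_MAPPINGS = {"open_audit_violation": HIGH, "closed_risk_accepted": MEDIUM}

@dataclass
class Item:
    """A role, account or entitlement with administrator-assigned item risk.
    An account carries its entitlement assignments as children."""
    name: str
    item_risk: int
    factors: list = field(default_factory=list)
    children: list = field(default_factory=list)

def risk_summary(item, mappings=RISK_FACTOR_MAPPINGS):
    """Risk summary of one assignment: the highest of its item risk, any risk
    factor that currently applies, and the summaries of its children.
    (Assumption: max-of-contributors aggregation.)"""
    levels = [item.item_risk]
    levels += [mappings.get(f, LOW) for f in item.factors]
    levels += [risk_summary(c, mappings) for c in item.children]
    return max(levels)

def user_risk_summary(assignments, mappings=RISK_FACTOR_MAPPINGS):
    """User-level summary over all of the user's role and account assignments."""
    return max((risk_summary(a, mappings) for a in assignments), default=LOW)

def sample_user():
    """Constructed sample: one low-risk role and one account whose medium-risk
    entitlement has an open audit violation against it."""
    return [
        Item("Employee", LOW),
        Item("AD-account", LOW, children=[
            Item("Domain Users", LOW),
            Item("Payroll Approver", MEDIUM, factors=["open_audit_violation"]),
        ]),
    ]

def impacted_by_mapping_change(users, old, new):
    """Count users whose summary changes when the Risk-Level Mappings are edited.
    One edit can shift summaries across the whole population, which is why the
    page classes a mapping change as a major event."""
    return sum(user_risk_summary(u, old) != user_risk_summary(u, new) for u in users)
```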
13.6 Understanding Closed-Loop Remediation and Remediation Tracking
- Closed-loop remediation is a feature that allows you to directly revoke roles, application accounts, and entitlements from the provisioning solution as a result of roles and entitlements revoked during the certification process.
- 13.6.1 Configuring Challenge Workflows
- 13.6.2 Disabling Accounts When Revoked
- When closed-loop remediation is enabled, the account is deleted from the target system when the certifier revokes it. Oracle Identity Manager supports changing this behavior so that the account is disabled instead of deleted.
13.7 Understanding Event Listeners
- The Event Listener mechanism detects specific business events and stores the event details for certification. The stored event details are called Certification Event Triggers, and these are processed into certifications by the Certification Event Trigger Task, running as a scheduled job. The business events currently detected by event listeners are modifications of Oracle Identity Manager users, either individually or in bulk.
13.8 Configuring Event Listeners and Certification Event Trigger Jobs
- 13.8.1 Creating an Event Listener
- 13.8.2 Modifying an Event Listener
- 13.8.3 Deleting an Event Listener
- 13.8.4 Configuring Certification Event Trigger Jobs
- 13.8.4.1 Setting the Event Listener Name List
- Certification Event Trigger Job
- Parameters
- Event Listener Name List (comma separated)
- 13.8.4.2 Adding More Trigger Jobs
13.9 Configuring Certification Reports
- RTF
- HTML
- Microsoft Excel
- CSV
13.10 Understanding Multi-Phased Review in User Certification
- 13.10.1 Multiple Phases of Review
- Business Review
- Technical Review
- Final Review
- 13.10.2 Delegation to Multiple Reviewers Within Each Phase
- 13.10.3 Stages of Certification in TPAD
- 13.10.3.1 Phase One With Verification
- 13.10.3.2 Phase Two With Verification
- 13.10.3.3 Final Review
13.11 Understanding Certification Oversight
- Certification oversight is the activity of reviewing, and possibly overriding, the decisions of the primary reviewer within the scope of a particular primary-review task.
- A person who has the opportunity to override the certification decisions of a primary reviewer within the scope of a particular primary-review task is called an overseer.
13.12 Troubleshooting Identity Certification
14.1 Identity Audit Concepts
- Detective mode
- Preventive mode
- 14.1.1 Identity Audit Rules
- An identity audit rule consists of a rule condition. Rules can be simple or complex, depending on the entities and user access privileges involved. You can define complex rules with nested conditions based on user information, catalog metadata associated with applications, entitlements, and roles, and organization metadata.
- 14.1.2 Rule Condition
- A rule has a single condition. A rule's condition is the IF portion of the rule and is evaluated to be either true or false against the input values passed to the rule at policy evaluation time.
- 14.1.3 Identity Audit Policies
- An identity audit policy is a collection of audit rules that together enforce SoD business policies. Identity audit policies consist of metadata, such as the identity audit policy name, description, severity, creation date, and update date. Identity audit policies have designated policy owners and policy remediators.
- 14.1.4 Scan Definitions
- An identity audit scan is the action of executing an identity audit policy along with its associated rules against a given population of entities (users).
- Detective scan
- Preventive scan
- 14.1.5 Scan Jobs
- An identity audit scan can be saved as a scheduled task (a scan job) in Oracle Identity System Administration. The scan job performs an audit scan using the selection criteria from its scan definition, is named with the prefix Identity Audit_ScanDefinitionName, and can be scheduled by an administrator for a given date and time or on a repeated basis.
- 14.1.6 Policy Violations
- An identity audit policy violation occurs if one or more rules associated with an identity audit policy are broken by a user account (including entitlements within the account), a user attribute, or a user role.
- 14.1.7 Remediators
- An identity audit policy must have one or more remediators. A remediator can be a role, a manager, or any user, with or without a particular role associated. Multiple users cannot be assigned directly as remediators; to have several users act as remediator, assign a role as the remediator. A remediator is responsible for fixing an identity audit policy violation or for reassigning the violation to another eligible remediator.
- 14.1.8 Policy Violation Remediation
- An IDA scan creates a Policy Violation when the scan detects a target entity (for example, a User) matching one or more rules specified in the policy set referenced by the scan definition.
- 14.1.8.1 Violation Causes
- Each violation cause includes the rule, condition, and attributes resulting in the violation.
- Request for Remediation (remediate)
- Close As Fixed
- Close As Risk Accepted
- Violation Cause States
- Active
- Risk Accepted
- Manually Fixed
- Remediation Requested
- Resolved
- 14.1.8.2 Policy Violation States
- Open
- Assigned
- Remediation in Progress
- Remediation Under Review
- Remediation Completed
- Closed
- 14.1.9 Policy Violation Reports
- Oracle Business Intelligence Publisher is used for IDA Policy Violation Reports. Reports are available in BI Publisher RTF template format. BI Publisher uses the SQL queries defined in its data model to query the Oracle Identity Manager database (specifically the IDA tables) for the violation data.
14.2 Enabling Identity Audit
- Identity Auditor Feature Set Availability = TRUE
14.3 Configuring Identity Audit
- 14.3.1 Setting Identity Audit Options
- Oracle Identity Self Service -> Compliance -> Identity Audit -> Configuration
- Prevent self remediation
- Scan Run Details Retention Period
- User Batch Size
- Threads per scan
- Composite Name
- Maximum Risk Acceptance period for Policy Violation Causes
- 14.3.2 Configuring Reminders, Notifications, Escalations, and Expiry for Identity Audit (Optional)
- IdentityAuditRemediationTask
- SoaComposer ->
- Out of the box (OOTB), 2 reminders are sent
14.4 Managing IDA Rules
- 14.4.1 Searching Rules
- 14.4.1.1 Performing Basic Search for Rules
- 14.4.1.2 Performing Advanced Search for Rules
- 14.4.2 Creating Rules
- 14.4.3 Understanding Rule Expressions
- 14.4.4 Modifying Rules
- 14.4.5 Duplicating Rules
- 14.4.6 Deleting Rules
14.5 Managing IDA Policies
- 14.5.1 Searching Policies
- 14.5.1.1 Performing Basic Search for Policies
- 14.5.1.2 Performing Advanced Search for Policies
- 14.5.2 Creating IDA Policies
- 14.5.3 Modifying IDA Policies
- 14.5.4 Duplicating IDA Policies
- 14.5.5 Deleting IDA Policies
- 14.5.6 Previewing the Results of IDA Policies
14.6 Managing Scan Definitions
- 14.6.1 Searching Scan Definitions
- 14.6.1.1 Performing Basic Search for Scan Definitions
- 14.6.1.2 Performing Advanced Search for Scan Definitions
- 14.6.2 Creating Scan Definitions
- 14.6.3 Modifying Scan Definitions
- 14.6.4 Running and Viewing Scans
14.7 Managing Policy Violations
- Pending Violations page: As a remediator of identity audit policy violations that are assigned to you, you can access the pending violations and take action on them by using the Pending Violations page.
- Policy Violations page: You can view and take action on identity audit policy violations for administrative purposes by using the Policy Violations page, which you can open from the Compliance tab of Oracle Identity Self Service.
- 14.7.1 Searching Policy Violations
- 14.7.1.1 Performing Basic Search for Policy Violations
- 14.7.1.2 Performing Advanced Search for Policy Violations
- 14.7.2 Opening Policy Violation Details
- 14.7.3 Completing Policy Violations
- 14.7.4 Closing Policy Violations
- 14.7.5 Remediating or Closing Policy Violations Causes
- Remediate
- Close as Fixed
- Close as Risk Accepted
- 14.7.6 Generating Identity Audit Policy Violation Reports
- Categories
- By Remediator
- By Scan Stop Date
- By Policy
- By Manager
- By User