Tutorial duplicate detective (6/21/2023)

Identity audit uses detective mode or preventive mode for detecting policy violations. You can use Identity Audit to detect SoD violations. The detection mechanism of Identity Audit monitors users' actual access to resources, and captures any violations on a continuous basis. This can be one of the following types:

Detective mode: In detective mode, the entire identity warehouse of users can be monitored for anomalies or toxic combinations of user access rights.

Preventive mode: In preventive mode, any access that is requested via the access catalog in real time can be automatically detected as an Identity Audit policy violation, and preventive action can be taken.

There may be multiple audit policies defined. A single audit policy detects a specific violation on users. An audit policy is composed of one or more audit rules, and each rule detects a cause of the violation. User profiles, as well as their associated roles, accounts, entitlements, and organizations, are then scanned for identity audit policy violations. User accounts (including entitlements), user attributes, and roles/access policies that violate an identity audit policy are flagged and tracked until the violation is resolved. The solution also maintains a comprehensive history of audit scans.

An identity audit rule consists of a rule condition. A rule is specified by entering an IF condition and the values to return when the condition matches. These rules can be simple or complex based on the entities and user access privileges. You can define complex rules with nested conditions on the basis of user information, catalog metadata associated with applications, entitlements, roles, and organization metadata.

An identity audit rule can be associated with multiple policies. When a rule condition is modified, all policies associated with this rule are impacted. If the modified rule is the cause of any existing open violations in the system, then the cause and the associated violation are impacted by the change in condition. When entities associated with an impacted violation are scanned against the policies associated with the rule, Oracle Identity Manager takes the following actions on the violation: it checks whether the modified condition still causes an exception. If the rule condition still results in an exception, then Oracle Identity Manager sets the violation cause status to Active. Otherwise, the violation cause status is set to Inactive.

Identity audit rules must be owned by a user. Any user can be a rule owner irrespective of the admin role privileges of the user. See Managing Administration Roles for information about admin roles and admin role capabilities. The following admin role capabilities related to identity audit policies cannot be used from Identity Self Service, but can be used through APIs:

For information about using APIs, see Using APIs in Developing and Customizing Applications for Oracle Identity Governance and the Java API Reference for Oracle Identity Governance.
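The policy/rule/violation lifecycle described above (detective scans over the identity warehouse, preventive checks on a catalog request, and the Active/Inactive flip of a violation cause when a rule condition is modified), as an added toy model. It is not Oracle Identity Governance code or its Java API; the class names, the rule format, the "Resolved" status and the sample users and entitlements are all constructed for this illustration.

```python
# Added illustration of the rule/policy/violation lifecycle described above. It is a toy model,
# not Oracle Identity Governance code or its Java API; every name and all sample data are constructed.
from dataclasses import dataclass, field

@dataclass
class Rule:        # an IF condition over a user record; True means the rule matches
    name: str
    condition: callable
@dataclass
class Policy:      # one or more rules; each matching rule is one cause of the policy's violation
    name: str
    rules: list
@dataclass
class Violation:   # tracked per (policy, user); "Resolved" here stands for "no cause still Active"
    policy: str
    user: str
    causes: dict = field(default_factory=dict)   # rule name -> "Active" | "Inactive"
    status: str = "Open"
def detective_scan(users, policies, open_violations=None):
    """Detective mode: scan all users; new matches open violations, existing causes are re-evaluated."""
    violations = dict(open_violations or {})
    for user in users:
        for policy in policies:
            key = (policy.name, user["id"])
            fired = {r.name for r in policy.rules if r.condition(user)}
            if fired and key not in violations:
                violations[key] = Violation(policy.name, user["id"])
            if key in violations:
                v = violations[key]
                for r in policy.rules:           # a modified rule flips its cause Active/Inactive
                    if r.name in fired:
                        v.causes[r.name] = "Active"
                    elif r.name in v.causes:
                        v.causes[r.name] = "Inactive"
                v.status = "Open" if "Active" in v.causes.values() else "Resolved"
    return violations

def preventive_check(user, requested, policies):
    """Preventive mode: evaluate a catalog request as if granted; return the policies it would violate."""
    prospective = {**user, "entitlements": set(user["entitlements"]) | {requested}}
    return [p.name for p in policies if any(r.condition(prospective) for r in p.rules)]
# Constructed sample identity warehouse and a toxic-combination (SoD) rule nesting an attribute test
USERS = [
    {"id": "u1", "dept": "Finance", "entitlements": {"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"}},
    {"id": "u2", "dept": "Finance", "entitlements": {"AP_CREATE_VENDOR"}},
    {"id": "u3", "dept": "IT", "entitlements": {"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"}}]
TOXIC = {"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"}
SOD_POLICY = Policy("AP_SoD", [Rule("finance_vendor_and_payment",
                    lambda u: u["dept"] == "Finance" and TOXIC <= u["entitlements"])])
```

Re-running detective_scan with a rewritten rule of the same name against the previous result shows the cause going Inactive and the violation dropping out of the open set without being deleted, which is the tracking behaviour the text describes.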