21.6 Specifying Reviewers

When defining a review, you assign users and roles to perform the review. Depending on the type of review, you can specify any of the following options:

| Reviewing User Access | Reviewing Unmapped Accounts | Reviewing Accounts | Reviewing Business Role Membership |
| --- | --- | --- | --- |
| Supervisor of the individual being reviewed | Owner of the application being reviewed | Supervisor of the individual being reviewed | Supervisor of the individual being reviewed |
| Owners of the applications being reviewed | Selected users or groups | Owner of the application being reviewed | Business role owner |
| Owners of the permissions being reviewed (not available for roles reviews) | Account custodian | Owner of the account being reviewed | Selected users or groups |
| Holder of the permission being reviewed, called self review | Business role | Selected users or groups | Business role |
| Selected users or groups | | Account custodian | |
| Coverage map | | Coverage map | |
| Business role | | Business role | |

For more information about owners of applications and permissions, see Understanding Identity, Application, and Permission Management. For more information about coverage maps, see Using Coverage Maps.

If you specify more than one reviewer stage, the reviewers must complete the review in the assigned order. For example, you might want the permission holders to verify that they continue to need the assigned permission, then the individual’s supervisor can approve that ongoing need. As a final step, the permission owners can review the assigned permission. In this case, you would specify Self review, Supervisor, then Permission owners as the reviewers. Each stage shows as a separate group of review items to the review owner. When you select Self Review, users can review their own access for that stage only, unless the Review Options are set to Allow self review in all stages.

If you specify more than one reviewer (such as a set of users or groups), the reviewers share the responsibility for submitting a decision within a single reviewer stage. For example, you might want the permission holders to verify that they continue to need the assigned permission, then you want a group of users called Super group to approve the ongoing need. In this case, you would specify Self review, then Review by Selected Users: Super group, as the reviewers.

At any point during a review run, Identity Governance might not be able to resolve a reviewer. For example, if you specify Permission owners as one of the reviewers and no permission owner is actually specified in the catalog, Identity Governance cannot resolve the reviewer to an identity. When this happens, the review item is escalated to the Escalation Reviewer, if one exists, or to the Review Owner, and this reviewer must complete the remaining review tasks for the item. In this situation, the review owner sees an Exceptions stage with these review items in that stage.

To ensure a timely review process, you can also specify an Escalation Reviewer. This individual resolves all review tasks that are not completed on time. If you do not specify an Escalation Reviewer, the owner of the review must perform these tasks. Escalated review items also appear in the Exceptions stage. If Identity Governance detects any escalations at the start of a review, all of the review items appear in the Exceptions stage.
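The staged resolution and escalation behavior described above can be modeled to preview which review items would land in the Exceptions stage before a review starts. This is an added example, not Identity Governance code or its API. The catalog data, the user names, and the functions resolve, plan_review, and exceptions are constructed assumptions.

```python
# Constructed sample catalog data (hypothetical; not exported from Identity Governance).
SUPERVISOR = {"alice": "carol", "bob": "carol", "carol": None}
PERMISSION_OWNER = {"vpn-access": "dave", "db-admin": None}  # db-admin has no owner
ITEMS = [("alice", "vpn-access"), ("bob", "db-admin"), ("carol", "vpn-access")]


def resolve(stage, user, permission):
    """Return the reviewer for one stage, or None when it cannot be resolved."""
    if stage == "Self review":
        return user
    if stage == "Supervisor":
        return SUPERVISOR.get(user)
    if stage == "Permission owners":
        return PERMISSION_OWNER.get(permission)
    raise ValueError(f"unknown reviewer stage: {stage}")


def plan_review(items, stages, review_owner, escalation_reviewer=None):
    """Walk the stages in order; an unresolved stage sends the item to Exceptions."""
    fallback = escalation_reviewer or review_owner
    plan = []
    for user, permission in items:
        for stage in stages:
            reviewer = resolve(stage, user, permission)
            if reviewer is None:
                # The fallback reviewer completes the remaining tasks for this item.
                plan.append((user, permission, "Exceptions", fallback))
                break
            plan.append((user, permission, stage, reviewer))
    return plan


def exceptions(plan):
    """Items a review owner would see in the Exceptions stage."""
    return [(u, p, who) for u, p, stage, who in plan if stage == "Exceptions"]


if __name__ == "__main__":
    stages = ["Self review", "Supervisor", "Permission owners"]
    for row in plan_review(ITEMS, stages, review_owner="erin"):
        print(row)
```

A long exceptions list before launch points to missing supervisors or owners in the catalog, which would otherwise concentrate approval decisions on one fallback reviewer.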

For more information about review authorizations, see Runtime Authorizations.