21.4 Creating a Review Definition

The review definition contains all of the information required to run a review. You can also modify the definition for subsequent review runs without the need to create additional review definitions. To create a review definition, the catalog must contain published data.

  1. Log in as a Review Administrator.

  2. Select Definitions.

  3. Select + to create a new review definition.

  4. Select the review type based on the object or objects you want to review. For more information, see Selecting a Review Type.

  5. Name and describe the review.

  6. (Optional) For Review Instructions, enter information that explains to reviewers what they need to do. For example, "Please review these items or reassign them to someone else if necessary."

  7. Specify review items.

    NOTE: The options for specifying review items differ based on the review type. If you select User Access Review, go to Step 8. If you select Unmapped Accounts, go to Step 9. If you select Account Review, go to Step 10. If you select Business Role Membership Review, go to Step 11.

  8. (Conditional) For User Access Review items, specify the permissions, authorizations, accounts, applications, users, or a combination of these that you want to review for user access reviews.

    Use the following options:

    All permissions

    Specifies that you want to review the selected users regardless of assigned permissions.

    Select permissions

    Indicates that you want to enter the permissions criteria for reviewing users.

    All roles

    Specifies that you want to review the selected users only if their permissions are included in a role in Identity Governance.

    Select roles

    Indicates that you want to enter the roles criteria for reviewing users.

    All applications

    Specifies that you want to review the selected users for any application. When you select this option, you then select whether to review the users based on permissions or accounts.

    Select applications

    Indicates that you want to enter the application criteria for reviewing users.

    All users

    Specifies that you want to review every user in the catalog.

    Select users

    Specifies that you want to enter the criteria for users to review. You can enter specific user names, browse for users, as well as define criteria such as users in a particular group.

    Group

    Applies only when you select Select users.

    Specifies the names of the user groups that you want to include in the review.

    Managed by

    Applies only when you select Select users.

    Indicates that you want to review all users who directly report to the specified manager.

    Reporting up to

    Applies only when you select Select users.

    Indicates that you want to review all users within the reporting structure of the specified manager. For example, you might want to review a large department that includes several managers with direct reports. To do so, specify the individual to whom the managers report.

    Risk

    Applies only when you select Select users.

    Indicates that you want to review all users whose risk score is greater than, less than, or equal to the risk threshold you specify. For example, you might want to review only users with a risk score greater than or equal to 50%.

    Additional Criteria from the catalog

    Applies only when you select Select users.

    In the attribute definition editor of the catalog, you can specify whether an attribute (for example, Title, Department, or Job Code) can be used as review criteria. Identity Governance adds these attributes to the select criteria menu.

    HINT: When you specify a boolean attribute in your review criteria and the database contains null values for that attribute (column), the records with null values are ignored, so those users silently fall outside the review scope. If you intend to use the attribute as review criteria, either ensure that there are no null values, add transformation code that converts a null to true or false, or use the bulk data update settings to change the null values to true or false. For more information, see Editing Attribute Values in Bulk.

    NOTE: When you narrow the review items by specifying criteria rather than selecting all users, permissions, or other types of review items, you have the following options for selecting them:

    • Start typing the name and select the item you want

    • Select the magnifying glass icon to browse the items

    • Select + to add selection criteria

  9. (Conditional) For Unmapped Account Review items, specify the accounts and applications you want to review.

    Use the following options:

    All unmapped accounts

    Specifies to review all unmapped accounts from all applications.

    Select unmapped accounts

    Specifies that you want to enter the criteria for unmapped accounts to review. You can enter specific account names as well as define criteria such as last login, last unmapped account review, or number of logins.

    All applications

    Specifies to review all applications for unmapped accounts. When you select this option, you have an additional option to specify all or selected unmapped accounts.

    Select applications

    Specifies that you want to enter the application criteria for reviewing unmapped accounts.

  10. (Conditional) For Account Review items, specify the accounts, identities, and applications you want to review.

    Use the following options:

    Accounts

    Specifies the combination of mapped and unmapped accounts to review.

    Identities

    Specifies to review all users or select users.

    Applications

    Specifies to review all applications or select applications.

  11. (Conditional) For Business Role Membership Review, specify the business roles you want to review.

    Use the following options:

    All business roles

    Specifies to review all business roles.

    Select business roles

    Specifies that you want to enter the criteria for business roles to review. You can enter specific business role names as well as define criteria such as owners or risk.

  12. (Optional) Further expand or restrict User Access Review items and Account Review items by selecting related check boxes. For more information, see Expanding and Restricting Review Items.

  13. (Optional) Select Estimate Impact to view the number of users, permissions, roles, accounts, and review items affected by the review.

    Because the information is a snapshot of the current state of the catalog, Identity Governance reports approximate numbers. Depending on when you run the review, the catalog might have changed.

    Based on the number of items to be reviewed, you might need to revise the Review period. For example, a review with 15 items might be completed within days, but one with hundreds of items could require weeks to accomplish.

  14. (Optional) For Review Options, select any additional options that apply to this review. For example, you can require comments for certain actions and allow review owners to override decisions.

  15. (Optional) Specify the reviewers you want to participate in the review.

    For more information about types of reviewers, see Specifying Reviewers.

  16. (Optional) To create a serial, multistage review, select Add Reviewer.

    This allows you to specify multiple individuals who review the identity’s permissions in the order listed in the definition. For more information, see Specifying Reviewers.

  17. (Optional) For Monitor Reviews, specify the review owner and auditor.

    If you do not specify the review owner, the person who created the review definition becomes the review owner by default. If you do not specify an auditor, the review will not go through the audit acceptance phase.

    (Conditional) If materialized view is enabled, select Cache review item names to cache user, account, permission, and role names to improve performance in large scale reviews.

    WARNING: If you enable caching, periodically select Refresh cache review items to synchronize the review with changes to the catalog. For more information, see Improving Performance in Large Scale Reviews.

  18. (Optional) For Escalation, specify the following options:

    1. Specify the Escalation Reviewer. If you do not specify a value, Identity Governance escalates tasks to the Review Owner.

    2. For escalation timeout, specify the amount of time allowed for the Reviewers to complete their tasks. You must use whole numbers for the value.

  19. (Optional) For Duration, set or change any of the following options:

    1. For Review period, specify the length of time allowed for the review run.

    2. For Expiration policy, specify what happens when a review expires without being completed.

    3. For Partial approval policy, specify whether partial approvals are allowed and, if so, whether they occur automatically.

    4. For Validity period, specify the length of time that the reviewed data will be valid. For example, if you intend to run the review twice a year, specify 6 months.

  20. (Optional) For Notifications, customize the default review notifications, add or remove recipients, or remove notifications. Click Email source preview to preview the HTML source of an email, or specify a recipient and click Send to send the rendered version of the email. Click Add notification and specify its options to add more notifications based on different criteria.

    NOTE: You can specify only one recipient in the To field and multiple recipients in the CC field. The read-only Review terminated notice goes to reviewers, review owners, escalation reviewers, and auditors when a review ends. You cannot change its recipients.

  21. (Optional) For Schedule, if you want the review runs to begin automatically and repeat automatically, select Active and select the appropriate schedule. Select Start scheduled review in Preview mode requiring manual go live to start a review in preview mode.

    NOTE: The Identity Governance server needs a 30-minute gap between runs of the same review. If you schedule a review to run at frequent intervals, allow at least 30 minutes to elapse between the runs. Otherwise, the subsequent runs might fail to start, and Identity Governance does not notify you of the failure.

  22. (Optional) For Default Reviewer Display Preferences, specify the default grouping and default sort for the reviewer display. Specify default reviewer columns by using display columns previously customized for each review type using the Administration > Review Display Customization menu, or set default columns for the current review definition.

    NOTE: If needed, the reviewer can change the default grouping for the current review instance by using the Show All drop-down list, change the sort order by clicking a column heading (the arrow indicates ascending or descending order), and change the column display by using the display options settings menu.

  23. Save the review.
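As an added illustration (not code from Identity Governance or from this guide), the following Python models the step 8 user-selection criteria, Managed by, Reporting up to, Risk, and a boolean catalog attribute, and shows how the null-value behavior described in the step 8 HINT silently drops a record from the review scope. The user records, the privileged attribute, and the risk scores are constructed for the example.

```python
"""Model of the step 8 user-selection criteria (added illustration, not
Identity Governance code). Records, attribute names and risk scores are
constructed; in the product they come from the catalog."""
import operator

# Constructed catalog extract: manager chain, risk %, and a boolean attribute that is null for one record.
USERS = {
    "alice": {"manager": None,    "risk": 80, "privileged": True},
    "bob":   {"manager": "alice", "risk": 30, "privileged": False},
    "carol": {"manager": "alice", "risk": 55, "privileged": True},
    "dave":  {"manager": "bob",   "risk": 50, "privileged": None},
    "erin":  {"manager": "carol", "risk": 10, "privileged": True},
}
OPS = {">": operator.gt, "<": operator.lt, "=": operator.eq, ">=": operator.ge}

def managed_by(users, manager):
    """'Managed by': users who directly report to the manager."""
    return {u for u, a in users.items() if a["manager"] == manager}

def reporting_up_to(users, manager):
    """'Reporting up to': every user in the manager's reporting tree."""
    found, frontier = set(), managed_by(users, manager)
    while frontier:
        found |= frontier
        frontier = {u for m in frontier for u in managed_by(users, m)} - found
    return found

def risk(users, op, threshold):
    """'Risk': compare each user's risk score (%) with the threshold."""
    return {u for u, a in users.items() if OPS[op](a["risk"], threshold)}

def boolean_attr(users, attr, wanted, null_as=None):
    """Boolean catalog attribute as criteria. A null value is ignored, as the
    HINT in step 8 warns, unless null_as supplies the transformed value."""
    out = set()
    for u, a in users.items():
        value = a[attr] if a[attr] is not None else null_as
        if value is not None and value == wanted:
            out.add(u)
    return out

def department_scope(users, manager, min_risk, null_as=None):
    """Combined criteria: non-privileged users under a manager, at or above
    min_risk %. Compare null_as=None with null_as=False to see the gap."""
    return (reporting_up_to(users, manager) & risk(users, ">=", min_risk)
            & boolean_attr(users, "privileged", False, null_as))

if __name__ == "__main__":
    print(sorted(department_scope(USERS, "alice", 50)))              # []
    print(sorted(department_scope(USERS, "alice", 50, null_as=False)))  # ['dave']
```

Without a null-to-false transformation, dave never appears in the review even though he matches every other criterion; this is the coverage gap the HINT warns about.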

21.4.1 Expanding and Restricting Review Items

In addition to specifying review items using different combinations of user, permission, account, and role selections, administrators can further expand or restrict the items being reviewed in a User Access Review and an Account Review. For example, selecting Additionally review accounts for the selected users and permissions for User Access Review items enables you to review the accounts that grant the specified permissions to the selected set of users and make a decision on each account. Without this option, the account name appears in the detail information, but you cannot make a decision about it. You can also select options related to roles, such as showing and reviewing permissions that are part of a technical role, or limiting review items based on whether the items were authorized or not authorized by a business role.

NOTE: For an account to be authorized by a business role, the application to which the account belongs must be added as an authorized resource for the business role. For more information, see Adding Authorizations to a Business Role.