After you edit and publish the data, you can review particular sets of applications, groups, accounts, roles, or users and permissions. You can focus reviews on selected permissions for all or selected users or accounts, or on the ongoing presence of unmapped accounts, which are accounts in an application without an assigned user.
In addition, Identity Governance allows you to review business role policies and memberships. Business roles organize people by their business function and user-based attributes to answer the question of what users should have access to, because of who they are or what they need, or might have an option to request without additional approval. For more information, see Section 25.0, Creating and Managing Business Roles.
To run the same review at regular intervals, you create a review definition with an optional schedule that automatically starts the review at the intervals you define. Users with the Review Administrator authorization can create review definitions. For more information, see Section 21.0, Creating and Modifying Review Definitions.
For each review, you assign users to specific Identity Governance roles, such as:
Owner of the review who previews, initiates, and completes the review
Users who review the sets of data
(Optional) User who reviews escalated items
(Optional) User who audits the review
When a reviewer or fulfiller marks an item complete, Identity Governance automatically removes the item from the task list.
After you have a review definition, the Review Owner can preview and initiate a review run, or the run starts automatically if you set the schedule. The review run generates tasks for reviewers, requesting that they review a set of users and decide whether the current user access should be maintained or revoked. When the Review Owner initiates a review run, Identity Governance automatically generates tasks for assigned Reviewers and notifies them as specified in the review definition. To help Review Owners ensure that the review process proceeds in a timely manner, you can specify the length of the review period, such as three weeks. In addition, you can set the schedule to run in preview mode so that the Review Owner can preview the review definition and items, and change review options, review monitors, duration, and reviewers. You can also instruct Identity Governance to escalate the process and move the tasks to Escalation Reviewers, if specified in the review definition, or to the Review Owner if the Reviewer does not complete all tasks. For more information, see Escalating Review Items. For more information about the review process, including preview mode, see Section 22.0, Running a Review Instance.
The review process results in a list of changes, or changeset, that is then implemented. Identity Governance refers to the implementation process as fulfillment. You can fulfill the changeset in the following ways:
Use a manual process to modify and remove permissions. For more information about manual fulfillment, see Fulfilling the Changeset for a Review Instance.
Use Identity Manager to automatically remove permissions. You can use this option if the permissions were collected from an Identity Manager system.
Use a workflow defined in Identity Manager identity applications to remove permissions.
Identity Governance includes connectors to various service desk products to enable fulfillment integration with your incident management applications. When you connect to an application for fulfillment, you must configure the connector to map the data fields in the change item to the input fields of the application. For more information, see Configuring Service Desk Fulfillment.
For more information, see Configuring Fulfillment.
Review Owners can complete, terminate, review, or partially approve the decisions at any time during a review run. If they want to change the review, all access change requests are sent to fulfillment, which is the step where approved changes are implemented. After approval, a review can be optionally routed to a Review Auditor for legal acceptance.
The review and validation process that begins with data collection and publishing concludes with change request reconciliation. Identity Governance can track the status of change requests fulfilled manually or through automatic or workflow-based provisioning.
For more information, see Section 22.0, Running a Review Instance.