21.2 Understanding the Review Process

Reviews provide a way to monitor access to your business systems. Many users take part in the overall review process:

  • Review administrators create review definitions, preview review definitions, and manage reviews.

  • Review owners preview, monitor, complete, and terminate reviews.

  • Reviewers, such as supervisors and application owners, act on review items.

  • Fulfillers manage change requests.

  • Auditors accept or reject completed reviews.

NOTE: The Identity Governance server requires a 30-minute gap between runs of the same review. For example, if you terminate a scheduled review that is in progress and want to schedule it to run again, allow at least 30 minutes to elapse after the termination. Otherwise, the second run fails to start, and Identity Governance does not notify you of the failure.

For multistage reviews, if an exception occurs at any stage (for example, a reviewer cannot be determined for an item), Identity Governance moves the affected items to the exception queue when the review starts. The escalation reviewer, if one is defined, handles the exception queue; otherwise the review owner does.

21.2.1 Creating a Review Definition

You can run a review once or multiple times, either by starting the review manually or by scheduling it to start at a specified time or interval. Each review is based on a review definition that defines all parameters for that particular review process. Review Administrators or Global Administrators create review definitions that focus on specific types of access or on access to specific systems. Review definitions assign reviewers based on their relationship to the review items; administrators commonly use them to split the responsibility for reviewing items and so avoid bottlenecks and overloaded reviewers. Review definitions can also be referenced in certification policies to give a comprehensive view of your organization's compliance with specific certification controls, such as the Sarbanes-Oxley Act (SOX) or the Health Insurance Portability and Accountability Act (HIPAA).

HINT: For information about certification policies, see Section 28.0, Creating and Managing Certification Policies. Once a review definition is referenced in an active certification policy, it cannot be deleted.

21.2.2 Previewing a Review

Administrators can start a review run, or review instance, in preview mode or in live mode. In preview mode, administrators can:

  • Preview review definition version, assigned reviewers, review items, and notification emails

  • Change review properties such as review owner, auditor, review options, or duration properties

  • If needed, change reviewers per review item or in bulk

  • Preview recipients of notifications

  • Export review items to CSV

  • Track details of review assignment changes

  • Go live

NOTE: Review property and reviewer changes made in preview mode apply only to the current review instance. Only changes made to the definition itself, under Reviews > Definitions, carry over to future review runs.

21.2.3 Reviewing Items

When a review run, or review instance, is live, the server generates review items based on the criteria in the review definition. Assigned reviewers decide what action to take on each review item and submit their decisions. If the review definition allows it, reviewers can reassign items to a different reviewer instead of making a decision.

In a multistage review, reviewers must act on review items in the order that the stages are defined in the review definition.

In a review with multiple reviewers for each review item, Identity Governance records a decision as soon as any one of the reviewers submits it. Once a reviewer has submitted a decision for a review item, the other reviewers cannot take any action on that item unless they are authorized as an administrator. Review items with no submitted decision remain in every reviewer's list until someone submits an action for them.

NOTE: When Identity Governance cannot determine the identity associated with an account or with a functional assignment such as supervisor, and therefore cannot assign a review item to a specific person, the review owner becomes the assignee for that review item. All review items assigned in this way appear in an exceptions section of the reviewer list in the review owner view.

For multistage reviews, if an exception occurs at any stage, Identity Governance moves the affected items, when the review starts, to the exception queue of the escalation reviewer if one is defined, or otherwise to the exception queue of the review owner.

21.2.4 Setting Up Review Notifications

Email notifications let reviewers, escalation reviewers, owners, and others know when a review run reaches its various stages. The Notifications area of a review definition allows you to set up several standard notifications that go to whomever you specify during the course of a review. You can click an email name to view who will receive the email, why they will receive it, and when they will receive it. You can either accept the defaults or customize them. You can also view the name of the email source, preview the email, and send the notification to a specified email address. In addition, you can remove a default notification and add new notifications by selecting an email template provided by Identity Governance. For information about customizing the templates, see Customizing the Email Notification Templates. For information about disabling email notifications, such as the notification sent when a running review is terminated or when permissions are revoked, see Disabling Review Email Notifications.

21.2.5 Escalating Review Items

Identity Governance provides escalation options to help Review Owners and Administrators ensure that the review process proceeds in a timely manner. You can set one or more escalation reviewers and a timeout value to instruct Identity Governance to escalate the process and move pending review items to escalation reviewer queues. If a review definition does not set escalation reviewers, the review owner becomes the default escalation reviewer.

NOTE: If a review definition specifies a group as the reviewers and a member of that group is the person being reviewed, Identity Governance sends the review item to the escalation reviewer instead of to the members of the group. To prevent this, enable Allow self review in all stages; Identity Governance then sends the review item to the members of the group instead of to the escalation reviewer.

21.2.6 Setting Review Expiration Policy

Review definitions contain an expiration policy. Review administrators and owners specify the actions that Identity Governance takes when a review expires without being completed:

  • complete the review with any final decisions that have been made and send these to fulfillment and the auditor, if these are defined, and leave all other items with no decision

  • complete the review with any final decisions that have been made and send these to fulfillment and the auditor, if these are defined, and keep all other items with assigned accounts, permissions, or roles

  • complete the review with any final decisions that have been made, assign a Remove decision to all other items, and send all of them to fulfillment and the auditor, if these are defined

  • extend the review for a grace period that will continue to renew each time the review expires without being completed or terminated

  • terminate the review and discard all decisions

For Identity Governance 2.0 and later, review definitions have the default expiration policy set to complete the review. For review definitions migrated from earlier versions of Identity Governance, review definitions have the default expiration policy set to terminate the review and discard any decisions.

21.2.7 Completing or Terminating a Review

Aside from letting the expiration policy complete the review run, a review run concludes in one of several ways:

  • All specified reviewers submit actions for their review items, and the Review Owner approves or terminates the review run.

  • Reviewers do not submit actions for all their review items, and the Review Owner completes the review run.

  • Reviewers do not submit actions for all their review items, and the Review Owner terminates the review run.

After reviewers have made decisions and submitted all review items, the Review Owner approves or terminates the review run and Identity Governance moves the review run details to a list of completed reviews.

A Review Owner has the option to complete an in-progress review even if reviewers have not submitted decisions for all review items. When a Review Owner completes a review, Identity Governance takes the following actions:

  • Forwards any final decisions that reviewers have made to fulfillment (a review item has a final decision only when the reviewers at every stage of a multistage review have submitted their decisions)

  • Marks the remaining review items Keep, Remove, or as no decision made based on the review definition expiration policy

  • Shows the review status as a percentage of completion in review history

A Review Owner also has the option to terminate an in-progress review. When a Review Owner terminates a review, Identity Governance takes the following actions:

  • Does not forward anything to fulfillment

  • Marks the review run as terminated
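The rules in 21.2.3, 21.2.6 and 21.2.7 interact: stage order, the first-decision lock, what counts as a final decision, and what reaches fulfillment when a run is completed, terminated or expires. The following is an added example that models those rules so the outcomes can be checked side by side. It is not Identity Governance code and calls no product API; every class, field and function name is an assumption made for the illustration, the sample review items are constructed inline, and how conflicting stage decisions are combined (last stage wins here) is likewise an assumption, since the page does not say.

```python
"""Model of review-run outcome rules (added example, not product code).
All names here are assumptions made for illustration."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Decision(Enum):
    KEEP = "Keep"
    REMOVE = "Remove"
    NONE = "No decision"


class ExpirationPolicy(Enum):
    # The five policies of 21.2.6, in the order the page lists them.
    COMPLETE_LEAVE = "complete; leave undecided items with no decision"
    COMPLETE_KEEP = "complete; keep undecided items"
    COMPLETE_REMOVE = "complete; mark undecided items Remove and send all"
    EXTEND_GRACE = "extend for a grace period that renews on each expiry"
    TERMINATE = "terminate and discard all decisions"


@dataclass
class ReviewItem:
    item_id: str
    stages: int = 1
    # One slot per stage; None means that stage's reviewer has not submitted.
    decisions: List[Optional[Decision]] = field(init=False)

    def __post_init__(self):
        self.decisions = [None] * self.stages

    def submit(self, stage: int, decision: Decision, is_admin: bool = False) -> bool:
        """Record a decision for one (0-based) stage. Returns False if refused."""
        if any(d is None for d in self.decisions[:stage]):
            return False          # 21.2.3: stages act in definition order
        if self.decisions[stage] is not None and not is_admin:
            return False          # 21.2.3: first submitted decision locks the item
        self.decisions[stage] = decision
        return True

    def is_final(self) -> bool:
        # 21.2.7: final only once every stage reviewer has submitted.
        return all(d is not None for d in self.decisions)

    def final_decision(self) -> Optional[Decision]:
        # Assumption: the last stage's decision is the one forwarded.
        return self.decisions[-1] if self.is_final() else None


@dataclass
class RunOutcome:
    status: str                        # "completed", "terminated" or "extended"
    changeset: Dict[str, Decision]     # what is forwarded to fulfillment
    remaining: Dict[str, Decision]     # marks given to items with no final decision
    percent_complete: float            # share of items with a final decision (assumed definition)
    grace_renewals: int = 0


def _percent(items: List[ReviewItem]) -> float:
    return 100.0 * sum(1 for i in items if i.is_final()) / len(items) if items else 100.0


def complete_review(items: List[ReviewItem], policy: ExpirationPolicy) -> RunOutcome:
    """Owner completes the run (21.2.7) or a 'complete' expiration policy fires."""
    changeset = {i.item_id: i.final_decision() for i in items if i.is_final()}
    undecided = [i.item_id for i in items if not i.is_final()]
    if policy is ExpirationPolicy.COMPLETE_REMOVE:
        remaining = {i: Decision.REMOVE for i in undecided}
        changeset.update(remaining)          # "send all to fulfillment"
    elif policy is ExpirationPolicy.COMPLETE_KEEP:
        remaining = {i: Decision.KEEP for i in undecided}   # kept as-is, nothing to fulfil
    else:
        # COMPLETE_LEAVE. Also assumed for EXTEND_GRACE / TERMINATE definitions
        # when the owner completes manually; the page does not specify that case.
        remaining = {i: Decision.NONE for i in undecided}
    return RunOutcome("completed", changeset, remaining, _percent(items))


def terminate_review(items: List[ReviewItem]) -> RunOutcome:
    """Owner terminates (21.2.7): nothing is forwarded, decisions are discarded."""
    return RunOutcome("terminated", {}, {}, _percent(items))


def on_expiration(items: List[ReviewItem], policy: ExpirationPolicy, grace_renewals: int = 0) -> RunOutcome:
    """Apply the definition's expiration policy to a run that expired uncompleted."""
    if policy is ExpirationPolicy.EXTEND_GRACE:
        return RunOutcome("extended", {}, {}, _percent(items), grace_renewals + 1)
    if policy is ExpirationPolicy.TERMINATE:
        return terminate_review(items)
    return complete_review(items, policy)


def sample_items() -> List[ReviewItem]:
    """Constructed sample: one decided item, one two-stage item decided only at
    stage 1 (so not final), and one item nobody acted on."""
    decided = ReviewItem("acct-1")
    decided.submit(0, Decision.REMOVE)
    partial = ReviewItem("perm-2", stages=2)
    partial.submit(0, Decision.KEEP)
    return [decided, partial, ReviewItem("role-3")]


if __name__ == "__main__":
    for policy in ExpirationPolicy:
        print(policy.name, on_expiration(sample_items(), policy))
```

The point worth noticing when running it is that a half-finished multistage item is treated exactly like an untouched one: under the Remove policy it is revoked, under the Keep policy it is silently retained, and under Terminate even the stage-1 decision is lost. Pick the expiration policy with that in mind rather than leaving the default.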

21.2.8 Fulfilling Changes and Audit Acceptance

The fulfillment process begins when a review run completes or when a review owner approves review items individually. For more information about fulfillment, see Fulfilling the Changeset for a Review Instance.

The Review Auditor, if specified, accepts or rejects the review run after the review owner approves it. Although the audit decision serves as the formal sign-off on the review, accepting a review has no effect on the fulfillment of the requested changes; fulfillment proceeds independently of the audit outcome.