This section provides the steps required for you to run and complete a review. As the owner of an active review, you can:
Start in preview mode and go live, or start the review in live mode, and monitor the review progress
View review status in Reviews
View Quick Info details about a catalog item
Reassign Reviewers within the review, including bulk actions
Send a reminder email to a Reviewer using the Nudge option
Override a Reviewer’s decisions
Change the Review Owner or add more Review Owners
Change the Escalation Reviewer or Auditor
Resolve access policy violations in the review
Complete a partial review
Terminate the review before completion
Approve Reviewer decisions
Run reports against the review
If you assign a new owner to a review, both the previous and new owners can access the review. The previous owner continues to see instances of a review run before the ownership change. The new owner sees only the instances run after the ownership change.
If you assign a new review owner while a review run is in progress, the review definition does not change, and the new review owner is in effect for only that review run. The next review run that starts from the same review definition assigns the review owner specified in the review definition.
For example, a review definition specifies Mary Smith as the review owner. During an instance of the review, or a review run, the global administrator realizes that Mary is on vacation. To keep the review moving, the administrator changes the review owner to Sam Butler, who approves that review run when reviewers have submitted all their final decisions. Both Mary and Sam can see the details of this review run. The next time a review run starts from this review definition, Mary is assigned as the review owner.
For more information, see the following sections:
For more information about running reports, see Running Identity Governance Reports.
Checklist Items |
|
---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
In Identity Governance, you can see all review definitions assigned to you, including the date that the Review Administrator specified the review should be run.
In Identity Governance, select Definitions.
In the Actions column, select Start Review on the row of the definition that you want to run.
Select Start and Go Live.
You can view the status of the review runs in progress, send reminder emails, change the assignments for reviewers and the auditor, override reviewer decisions, complete, approve, or terminate the review run, and approve the completed review.
In Identity Governance, select Reviews.
Identity Governance displays an overview of runs in progress, which indicates progress of completed tasks.
To manage the run, select the review.
To see a status of each of the review items, select Review Items.
Act on individual review items either individually or using the bulk selection options. Actions you can take depend on settings in the review definition and may include:
View activity to see review item details
(Conditional) Override a Reviewer’s decision to make a decision final and remove it from all reviewer queues
Change reviewer to transfer the review item to another reviewer
Approve to move the decision to fulfillment while allowing the review to continue
View fulfillment status to view status of review requests such as removing permission, or assigning new user.
To complete the review as-is, accepting all final decisions and leaving items without final decisions as No decision, select Complete in the review completion overview at the top of the review.
To move all final decisions to fulfillment while allowing the review to continue, select Approve in the review completion overview at the top of the review.
To cancel the review, select Terminate in the review completion overview at the top of the review.
As the owner of the software application being reviewed, you might disagree with a Reviewer’s decision that grants a user access to the application. Alternatively, you might see the need for a user to have access where the Reviewer did not. For example, you know that a manager in Human Resources requires administrative permissions to the application.
As the owner of a review, you might want to implement decisions that have been made without waiting for all reviewers to complete their tasks. Approving individual review items or the overall review sends final decisions to fulfillment while keeping the review running. Completing an in-progress review accepts final decisions, ends the review, marks items without decisions as No decision, and sends items with decisions to fulfillment.
As the Review Owner, you can edit the review timeframe and escalation timeout; change the Escalation Reviewer, the assigned Auditor, and the Review Owner; and add multiple Review Owners. Depending on your entitlements, you might also be able to modify the full review definition. However, this section explains how to perform the simple modifications.
In Identity Governance, select Reviews > Reviews.
Select the active review run that you want to modify.
To determine whether the number of review tasks can be performed in the specified timeframe, complete the following steps:
Under the review name, select more, and then select the edit icon.
Observe the number of review items that still must be completed.
Compare the estimated number of review items with the date in Review end.
Change the end date for the review if needed.
Change or add review owners if needed.
Modify the appropriate settings, then select Save.
When Review Administrators create a review, they can estimate the number of users, permissions, accounts, and review items affected by the review. Then they set the timeframe of the review. However, that estimation is based on a snapshot of the catalog at the time that they created the review definitions. Depending on when you run the review, the number of accounts might have increased or decreased considerably. The timeframe might no longer match the current state of the catalog.
In general, the Review Owner is the owner of the software application with user accounts that the review run affects. However, your authorization in the organization might have changed. You can assign ownership of the review run to an individual more suited to the task. You might also want to assign multiple Review Owners.
If the assigned Auditor is not available to perform the tasks for the review run, you can assign a different individual to the authorization.
To ensure that the review run stays on schedule, you can view the progress of each Reviewer. You can also reassign tasks to a different Reviewer and override a Reviewer’s action for a review item. Reviewers can change the reviewer for any items.
Select the active review that you want to manage.
Under Reviewers, select the name of the Reviewer that you want to manage.
Observe the actions taken by the Reviewer.
You can view the items that have not been completed or all review items. You can send reminder emails, using the Nudge option, for items not yet reviewed. You can also change the sort of the items in various ways based on the selectable column headers.
(Optional) To expand a window that allows you to compose an email, click Nudge to send a reminder email to the reviewer.
(Optional) To assign a review item to a different Reviewer, select Change Reviewer.
You can also reassign items in a batch.
(Optional) To review a Reviewer’s decision, select View Activity for the task.
If the Reviewer is not able to perform one or more tasks for the review run, you can assign a different individual to the authorization. For example, the Reviewer might be sick or on vacation. Also, some Reviewers might complete tasks faster than others. You might want to reassign items from the slower Reviewers. For more information, see Reviewing Access and Permissions.
If the reviewer is listed as Multiple Reviewers, then more than one reviewer shares the responsibility making a decision on the review item. You can see who are members of the shared queue and send a reminder emails all of the members or delegates, if mapping exists. When changing reviewer out of a Multiple Reviewers queue, the item is no longer under shared responsibility.
The approval process allows the Review Owner to confirm the actions taken by all Reviewers.
Select the active review that you want to manage.
Observe the actions taken by the Reviewers.
(Optional) Override actions as needed.
To approve the decisions made in the review run, select Approve.
(Optional) Add a comment.
(Conditional) If the review run included changes to user accounts, ensure that the affected data sources are collected and published.
After the administrator collects and publishes the data sources, Identity Governance updates the status of the fulfillment items.
The source of the identities and permissions under review drives how requested changes are fulfilled. The changes can be fulfilled manually, by a help desk service, or sent to Identity Manager, which automatically makes the changes or initiates external workflows. In a manual fulfillment process, the applications catalog specifies the individuals responsible for making the requested changes. For example, your Help Desk group might be assigned to fulfill the changeset.
As the Review Owner, you can View fulfillment status for each review item which was fulfilled manually.
For more information about the fulfillment process, see the following sections:
Some review definitions require an Auditor to certify the results of the review run. Auditors can see the details and history of the review items. When rejecting a review run, the Auditor must add a comment about the rejection.
Identity Governance tracks all the reviews, and maintains a history of previews and review runs associated with a review definition. The run history is searchable and sortable, and displays the start and end date of the run, status including certification percentage, review owner, and list of review items and associated actions including change reviewer and modify actions, and remove comments if any. The run history also displays fulfillment status of review items.
To view run history:
Select Reviews > Definitions.
Search for the review definition and click the review name, or directly click the review name.
Select View run history.
NOTE:Except for terminated previews, all other previews and reviews will be listed in the run history.