35.3 Managing a Review in Live Mode

This section provides the steps required for you to run and complete a review. As the owner of an active review, you can:

  • Start in preview mode and go live, or start the review in live mode, and monitor the review progress

  • View review status in Reviews

  • View Quick Info details about a catalog item

  • Reassign Reviewers within the review, including bulk actions

  • Send a reminder email to a Reviewer using the Nudge option

  • Override a Reviewer’s decisions

  • Change the Review Owner or add more Review Owners

  • Change the Escalation Reviewer or Auditor

  • Resolve access policy violations in the review

  • Complete a partial review

  • Terminate the review before completion

  • Approve Reviewer decisions

  • Run reports against the review

If you assign a new owner to a review, both the previous and new owners can access the review. The previous owner continues to see instances of a review run before the ownership change. The new owner sees only the instances run after the ownership change.

If you assign a new review owner while a review run is in progress, the review definition does not change, and the new review owner is in effect for only that review run. The next review run that starts from the same review definition assigns the review owner specified in the review definition.

For example, a review definition specifies Mary Smith as the review owner. During an instance of the review, or a review run, the global administrator realizes that Mary is on vacation. To keep the review moving, the administrator changes the review owner to Sam Butler, who approves that review run when reviewers have submitted all their final decisions. Both Mary and Sam can see the details of this review run. The next time a review run starts from this review definition, Mary is assigned as the review owner.

For more information, see the following sections:

For more information about running reports, see Running Identity Governance Reports.

35.3.1 Checklist for Managing a Review in Live Mode

Checklist Items

  1. Ensure that you understand the review process. For more information, see Understanding the Review Process for Review Owners.

  1. Start the review run.

    For more information, see Starting a Review Run.

  1. (Optional) Modify the timeframe for the review.

    For more information, see Modifying the Settings of a Review Run.

  1. Check the progress of each Reviewer.

    For more information, see Managing the Progress of Reviewers.

  1. Approve the actions taken by the Reviewers.

    For more information, see Approving the Review.

  1. (Conditional) Check the status of manual fulfillment activities. If the process is automated or uses external workflows, Identity Governance sends the changeset to Identity Manager for processing.

    For more information, see Viewing Fulfillment Status.

  1. (Conditional) Confirm the completion of all fulfillment tasks, if any occurred.

  1. (Conditional) If a review run generated a changeset, collect and publish all identities and the application sources related to the review run.

    You might not have an authorization in Identity Governance that allows you to collect and publish. Someone with the Global Administrator or Data Administrator authorization can perform this action.

  1. (Conditional) Check the status of the review audit.

    For more information, see Managing the Audit Process.

 

  1. (Optional) View run history.

    For more information, see Viewing Run History

35.3.2 Starting a Review Run

In Identity Governance, you can see all review definitions assigned to you, including the date that the Review Administrator specified the review should be run.

  1. In Identity Governance, select Definitions.

  2. In the Actions column, select Start Review on the row of the definition that you want to run.

  3. Select Start and Go Live.

35.3.3 Managing a Review Run

You can view the status of the review runs in progress, send reminder emails, change the assignments for reviewers and the auditor, override reviewer decisions, complete, approve, or terminate the review run, and approve the completed review.

  1. In Identity Governance, select Reviews.

    Identity Governance displays an overview of runs in progress, which indicates progress of completed tasks.

  2. To manage the run, select the review.

  3. To see a status of each of the review items, select Review Items.

  4. Act on individual review items either individually or using the bulk selection options. Actions you can take depend on settings in the review definition and may include:

    • View activity to see review item details

    • (Conditional) Override a Reviewer’s decision to make a decision final and remove it from all reviewer queues

    • Change reviewer to transfer the review item to another reviewer

    • Approve to move the decision to fulfillment while allowing the review to continue

    • View fulfillment status to view status of review requests such as removing permission, or assigning new user.

  5. To complete the review as-is, accepting all final decisions and leaving items without final decisions as No decision, select Complete in the review completion overview at the top of the review.

  6. To move all final decisions to fulfillment while allowing the review to continue, select Approve in the review completion overview at the top of the review.

  7. To cancel the review, select Terminate in the review completion overview at the top of the review.

Why would I override a Reviewer’s action?

As the owner of the software application being reviewed, you might disagree with a Reviewer’s decision that grants a user access to the application. Alternatively, you might see the need for a user to have access where the Reviewer did not. For example, you know that a manager in Human Resources requires administrative permissions to the application.

Why would I complete or approve an in-progress review?

As the owner of a review, you might want to implement decisions that have been made without waiting for all reviewers to complete their tasks. Approving individual review items or the overall review sends final decisions to fulfillment while keeping the review running. Completing an in-progress review accepts final decisions, ends the review, marks items without decisions as No decision, and sends items with decisions to fulfillment.

35.3.4 Modifying the Settings of a Review Run

As the Review Owner, you can edit the review timeframe and escalation timeout; change the Escalation Reviewer, the assigned Auditor, and the Review Owner; and add multiple Review Owners. Depending on your entitlements, you might also be able to modify the full review definition. However, this section explains how to perform the simple modifications.

  1. In Identity Governance, select Reviews > Reviews.

  2. Select the active review run that you want to modify.

  3. To determine whether the number of review tasks can be performed in the specified timeframe, complete the following steps:

    1. Under the review name, select more, and then select the edit icon.

    2. Observe the number of review items that still must be completed.

    3. Compare the estimated number of review items with the date in Review end.

    4. Change the end date for the review if needed.

  4. Change or add review owners if needed.

  5. Modify the appropriate settings, then select Save.

Why would I modify the review’s timeframe?

When Review Administrators create a review, they can estimate the number of users, permissions, accounts, and review items affected by the review. Then they set the timeframe of the review. However, that estimation is based on a snapshot of the catalog at the time that they created the review definitions. Depending on when you run the review, the number of accounts might have increased or decreased considerably. The timeframe might no longer match the current state of the catalog.

Why would I change the Review Owner?

In general, the Review Owner is the owner of the software application with user accounts that the review run affects. However, your authorization in the organization might have changed. You can assign ownership of the review run to an individual more suited to the task. You might also want to assign multiple Review Owners.

Why would I change the Auditor?

If the assigned Auditor is not available to perform the tasks for the review run, you can assign a different individual to the authorization.

35.3.5 Managing the Progress of Reviewers

To ensure that the review run stays on schedule, you can view the progress of each Reviewer. You can also reassign tasks to a different Reviewer and override a Reviewer’s action for a review item. Reviewers can change the reviewer for any items.

  1. Select the active review that you want to manage.

  2. Under Reviewers, select the name of the Reviewer that you want to manage.

  3. Observe the actions taken by the Reviewer.

    You can view the items that have not been completed or all review items. You can send reminder emails, using the Nudge option, for items not yet reviewed. You can also change the sort of the items in various ways based on the selectable column headers.

  4. (Optional) To expand a window that allows you to compose an email, click Nudge to send a reminder email to the reviewer.

  5. (Optional) To assign a review item to a different Reviewer, select Change Reviewer.

    You can also reassign items in a batch.

  6. (Optional) To review a Reviewer’s decision, select View Activity for the task.

Why would I reassign a review item?

If the Reviewer is not able to perform one or more tasks for the review run, you can assign a different individual to the authorization. For example, the Reviewer might be sick or on vacation. Also, some Reviewers might complete tasks faster than others. You might want to reassign items from the slower Reviewers. For more information, see Reviewing Access and Permissions.

What if I have multiple reviewers?

If the reviewer is listed as Multiple Reviewers, then more than one reviewer shares the responsibility making a decision on the review item. You can see who are members of the shared queue and send a reminder emails all of the members or delegates, if mapping exists. When changing reviewer out of a Multiple Reviewers queue, the item is no longer under shared responsibility.

35.3.6 Approving the Review

The approval process allows the Review Owner to confirm the actions taken by all Reviewers.

  1. Select the active review that you want to manage.

  2. Observe the actions taken by the Reviewers.

  3. (Optional) Override actions as needed.

  4. To approve the decisions made in the review run, select Approve.

  5. (Optional) Add a comment.

  6. (Conditional) If the review run included changes to user accounts, ensure that the affected data sources are collected and published.

    After the administrator collects and publishes the data sources, Identity Governance updates the status of the fulfillment items.

35.3.7 Viewing Fulfillment Status

The source of the identities and permissions under review drives how requested changes are fulfilled. The changes can be fulfilled manually, by a help desk service, or sent to Identity Manager, which automatically makes the changes or initiates external workflows. In a manual fulfillment process, the applications catalog specifies the individuals responsible for making the requested changes. For example, your Help Desk group might be assigned to fulfill the changeset.

As the Review Owner, you can View fulfillment status for each review item which was fulfilled manually.

For more information about the fulfillment process, see the following sections:

35.3.8 Managing the Audit Process

Some review definitions require an Auditor to certify the results of the review run. Auditors can see the details and history of the review items. When rejecting a review run, the Auditor must add a comment about the rejection.

35.3.9 Viewing Run History

Identity Governance tracks all the reviews, and maintains a history of previews and review runs associated with a review definition. The run history is searchable and sortable, and displays the start and end date of the run, status including certification percentage, review owner, and list of review items and associated actions including change reviewer and modify actions, and remove comments if any. The run history also displays fulfillment status of review items.

To view run history:

  1. Select Reviews > Definitions.

  2. Search for the review definition and click the review name, or directly click the review name.

  3. Select View run history.

    NOTE:Except for terminated previews, all other previews and reviews will be listed in the run history.