34.1 Understanding Reviews

Identity Governance collects information from a variety of identity and application data sources in your environment. This allows your organization to periodically review and verify that users have only the level of access that they need to do their jobs.

34.1.1 Understanding the Steps in a Review Run

In Identity Governance, Review Administrators create review definitions for a particular set of users or accounts that need review. A single instance of a review definition is a review run or review campaign, which has a Review Owner. The Review Owners can see only the review runs that they own.

Reviews can be started either in a preview or a live mode. Review Administrators can set up a review to automatically start in preview mode or they can set up a regular schedule in a review definition so that the review runs start automatically in live mode, according to the schedule.

Understanding the Steps in a Preview Review Run

When the owner initiates a review run in preview mode, or when a review run starts automatically in preview mode, the following activities occur:

  1. Identity Governance generates lists of Reviewers, Review items, and Notifications.

  2. The Review Owner previews the review definition for the current run and, optionally, changes the Review Owner or Auditor and modifies the review options and schedule.

  3. The Review Owner reviews all the review items and their assigned reviewers, or searches for specific review items, to decide whether any items should be reassigned to another reviewer.

  4. The Review Owner also verifies that the appropriate notifications are sent to the correct recipients and, if required, emails the notification template for preview.

    NOTE: The changes made by the Review Owner are applied to the current run only. If permanent changes need to be made to the review definition, or reviewers need to be changed for all subsequent runs, then the changes must be made by editing the review definition itself.

  5. Optionally, the Review Owner downloads all or selected review items as a CSV file to review them manually.

Understanding the Steps in a Live Review Run

When the owner initiates a review run in live mode, or when a review run starts according to its schedule, the following activities occur:

  1. Identity Governance generates tasks for the assigned Reviewers and notifies them as specified in the review definition.

  2. Reviewers review their assigned set of review items and decide whether the items should be kept, modified, or removed. If a review item is assigned to multiple reviewers, the first reviewer who acts on that item becomes the decision-maker, and the item continues to the next phase of the review. For more information, see Performing a Review.

  3. (Conditional) If the review definition specifies that a permission requires multiple stages of approval, Identity Governance forwards the affected review items to the next assigned reviewer.

    For example, the application owner, permission owner, or Review Owner might be required to review the permissions and confirm decisions before action is taken to remove any permissions. Reviewers must complete the review in the assigned order.

  4. (Conditional) If a Reviewer does not complete tasks in the specified timeframe and the review definition specifies an escalation process, Identity Governance forwards the tasks to the assigned Escalation Reviewer or the Review Owner.

    With multiple serial reviewers, escalation forwards the task to the next reviewer in the sequence before it finally lands in the Escalation Reviewer's or Review Owner's queue.

  5. The Review Owner approves the changes.

    NOTE: Review Owners can override reviewer decisions, if the review definition specifies it as allowed, at any point during a review run. When a Review Owner overrides a decision, the review item is removed from the reviewer’s task list.

  6. Identity Governance initiates the fulfillment process to enable the requested changes.

  7. (Conditional) In a manual fulfillment process, Identity Governance generates tasks that the assigned Fulfillers must complete and notifies them by email.

  8. (Optional) An Auditor might be required to certify the results of the review run.

    For more information, see Understanding the Review Process.
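The decision rules in steps 2 through 6 (the first of several parallel reviewers to act decides, serial stages are completed in order, overdue tasks are forwarded to the next stage and finally to the Escalation Reviewer, and an allowed Review Owner override takes the item off every reviewer's task list) are easier to reason about as a small state machine. The following Python model is an added example written for this page; it is not Identity Governance code and does not use the product's API. All names in it (`ReviewRun`, `ReviewItem`, the reviewers `alice`, `bob`, `carol`, `perm-owner`, `esc`, `owner`) are constructed for illustration.

```python
"""Toy model of a live review run: parallel reviewers, serial stages,
escalation of overdue tasks and Review Owner override.
Added example; not Identity Governance code."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Decision(Enum):
    KEEP = "keep"
    MODIFY = "modify"
    REMOVE = "remove"


@dataclass
class ReviewItem:
    item_id: str
    # Serial stages; each stage lists the reviewers assigned in parallel.
    stages: List[List[str]]
    stage: int = 0
    # (stage index, actor, decision) in the order they were recorded.
    history: List[Tuple[int, str, Decision]] = field(default_factory=list)
    final: Optional[Decision] = None  # set once the item is ready for fulfillment


class ReviewRun:
    def __init__(self, items, escalation_reviewer, review_owner, allow_override=False):
        self.items: Dict[str, ReviewItem] = {i.item_id: i for i in items}
        self.escalation_reviewer = escalation_reviewer
        self.review_owner = review_owner
        self.allow_override = allow_override  # set by the review definition

    def tasks_for(self, reviewer: str) -> List[str]:
        """Open tasks for a reviewer: undecided items whose current stage names them."""
        return sorted(i.item_id for i in self.items.values()
                      if i.final is None and reviewer in i.stages[i.stage])

    def decide(self, item_id: str, reviewer: str, decision: Decision) -> bool:
        """Record a decision. Returns False if the reviewer no longer holds the task,
        which is what happens to the second of two parallel reviewers."""
        item = self.items[item_id]
        if item.final is not None or reviewer not in item.stages[item.stage]:
            return False
        item.history.append((item.stage, reviewer, decision))
        self._advance(item, decision)
        return True

    def _advance(self, item: ReviewItem, decision: Decision) -> None:
        if item.stage + 1 < len(item.stages):
            item.stage += 1          # forward to the next serial stage
        else:
            item.final = decision    # last stage done: hand to fulfillment

    def escalate_overdue(self, item_id: str) -> None:
        """Overdue task: forward to the next serial stage if there is one,
        otherwise to the Escalation Reviewer (appended as a final stage)."""
        item = self.items[item_id]
        if item.final is not None or item.stages[item.stage] == [self.escalation_reviewer]:
            return
        if item.stage + 1 == len(item.stages):
            item.stages.append([self.escalation_reviewer])
        item.stage += 1

    def owner_override(self, item_id: str, decision: Decision) -> bool:
        """Review Owner override, if the definition allows it; the item leaves
        every reviewer's task list because it is now final."""
        item = self.items[item_id]
        if not self.allow_override or item.final is not None:
            return False
        item.history.append((item.stage, self.review_owner, decision))
        item.final = decision
        return True

    def fulfillment_queue(self) -> Dict[str, str]:
        """Items ready for step 6 (fulfillment), with their final decision."""
        return {i.item_id: i.final.value for i in self.items.values() if i.final}


def demo() -> Dict[str, str]:
    # Constructed sample run. Item A: two parallel reviewers, then a
    # permission-owner confirmation stage. Item B: a single reviewer.
    run = ReviewRun(
        items=[ReviewItem("A", [["alice", "bob"], ["perm-owner"]]),
               ReviewItem("B", [["carol"]])],
        escalation_reviewer="esc", review_owner="owner", allow_override=True)
    run.decide("A", "alice", Decision.REMOVE)   # alice acts first and decides
    run.decide("A", "bob", Decision.KEEP)       # ignored: bob no longer holds A
    run.decide("A", "perm-owner", Decision.REMOVE)  # stage 2 confirms
    run.escalate_overdue("B")                   # carol missed the deadline
    run.owner_override("B", Decision.KEEP)      # owner closes it out
    return run.fulfillment_queue()


if __name__ == "__main__":
    print(demo())
```

The model keeps the two rules that matter operationally separate: `decide` enforces "first reviewer to act wins" purely through task ownership (a reviewer who no longer holds the task cannot record a decision), and `escalate_overdue` walks the serial stages before appending the Escalation Reviewer, so a skipped stage is visible in `history`.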

34.1.2 Understanding the Reviewer’s Authorization

Reviewers represent individuals who have the information and authority to determine whether account permissions are correct. You might be assigned to review items in multiple active review runs. Depending on how the review is defined, Identity Governance might send you emails to remind you of incomplete tasks and approaching deadlines.

As a Reviewer, you can:

  • Filter the list to show only incomplete review items

  • Sort the review items by many different characteristics, such as by user, permission, account, type, attribute, application, roles (technical and business), or action

  • Process review items individually or in a batch

  • Add a comment to a review item with your decision to keep or remove, individually or in a batch

  • View the details of the review item

  • View guidance on how the permission was assigned, such as through a direct assignment or authorized by a role

  • Choose to keep, modify, or remove the items

  • View activity for a review item

  • Change the Reviewer of a review item, individually or in a batch, if you do not have the information you need to confirm the assigned permissions

  • Submit decisions for your tasks in the allotted timeframe

If you are an Escalation Reviewer, you must resolve all review items that are not completed on time.

Secondary reviewers in a multi-stage review can confirm the previous decision or they can override the decision.

For more information, see Performing a Review.