The review definition contains all of the information required to run a review. You can also modify the definition for subsequent review runs without the need to create additional review definitions. To create a review definition, the catalog must contain published data.
Log in as a Review Administrator.
Select Definitions.
Select + to create a new review definition.
Select the review type based on the object or objects you want to review. For more information, see Selecting a Review Type.
Name and describe the review.
(Optional) For Review Instructions, provide information that explains to reviewers what they need to do. For example, please review these items or reassign to someone else if necessary.
Specify review items using the steps listed below; the options for specifying review items differ based on the review type. After specifying review items for your review type, skip to Step 14.
(Conditional) For User Access Review items, specify the permissions, authorizations, accounts, applications, users, or a combination of these that you want to review for user access reviews.
Use the following options:
Specifies that you want to review the selected users regardless of assigned permissions.
Indicates that you want to specify the permissions criteria for reviewing users.
Specifies that you want to review the selected users only if their permissions are included in a role in Identity Governance.
Indicates that you want to specify the roles criteria for reviewing users.
Specifies that you want to review the selected users for any application. When you select this option, you then select whether to review the users based on permissions or accounts.
Indicates that you want to specify the application criteria for reviewing users.
Specifies that you want to review every user in the catalog.
Specifies that you want to enter the criteria for users to review. You can specify user names, browse for users, or define criteria such as users in a particular group.
Applies only when you select Select users.
Specifies the names of the user groups that you want to include in the review.
Applies only when you select Select users.
Indicates that you want to review all users who directly report to the specified manager.
Applies only when you select Select users.
Indicates that you want to review all users within the reporting structure of the specified manager. For example, you might want to review a large department that includes several managers with direct reports. To do so, specify the individual to whom the managers report.
Applies only when you select Select users.
Indicates that you want to review all users with a greater than, less than, or equal to your risk threshold. For example, you might want to review only users with greater than or equal to 50% risk.
Applies only when you select Select users.
In the attribute definition editor of the catalog, you can specify whether an attribute can be used as review criteria. For example, Title, Department, and Job Code. Identity Governance adds these items to the select criteria menu.
HINT: When you specify a boolean attribute in your review criteria and the database contains null values for that attribute or column, those records are ignored. If you intend to use the attribute as review criteria, either ensure that there are no null values, add transformation code that converts a null to true or false, or use the bulk data update settings to change the null values to true or false. For more information, see Editing Attribute Values in Bulk.
NOTE: When you narrow the review items by specifying criteria rather than selecting all users, permissions, or other types of review items, you have the following options for selecting them:
Start typing the name and select the item you want
Select the magnifying glass icon to browse the items
Select + to add selection criteria
(Conditional) For Unmapped Account Review items, specify the accounts and applications you want to review.
Use the following options:
Specifies that you want to review all unmapped accounts from all applications.
Specifies that you want to enter the criteria for unmapped accounts to review. You can specify specific account names as well as define criteria such as last login, last unmapped account review, or number of logins.
Specifies that you want to review all applications for unmapped accounts. When you select this option, you have an additional option to specify all or selected unmapped accounts.
Specifies that you want to enter the application criteria for reviewing unmapped accounts.
(Conditional) For Account Review items, specify the accounts, identities, and applications you want to review and optionally add permission filter.
Use the following options:
Specifies the combination of mapped and unmapped accounts to review. Selection criteria include account attributes such as account custodian, account category, last account review date, and so forth.
Specifies whether you want to review accounts regardless of the users or custodians assigned to them, or only accounts that have the specified users or account custodians.
Specifies that you want to review accounts for all applications or select applications.
Specifies that you want to review accounts that hold select permissions or all permissions.
NOTE: Specifying identities or applications first enables Identity Governance to determine whether users mapped to accounts or custodians of accounts will be reviewed. In addition, selecting specific users instead of all users enables you to indicate whether the users to be reviewed are users mapped to an account, custodians of an account, or either. For more information, see Section 10.5.1, Expanding and Restricting Review Items.
(Conditional) For Business Role Membership Review, specify the business roles you want to review.
Use the following options:
Specifies that you want to review all business roles.
Specifies that you want to enter the criteria for business roles to review. You can specify specific business role names as well as define criteria such as owners or risk.
(Conditional) For User Profile Review, specify attributes you want to review for all users or selected users.
Use the following options:
Specifies that you want to review attributes for every user in the catalog.
Specifies that you want to enter the criteria for users whose attributes you want to review. You can specify user names, browse for users, or define criteria such as users in a particular group.
Applies only when you select Select users.
Specifies the names of the user groups that you want to include in the review.
Applies only when you select Select users.
Indicates that you want to review all users with a greater than, less than, or equal to your risk threshold. For example, you might want to review only users with greater than or equal to 50% risk.
Applies only when you select Select users.
In the attribute definition editor of the catalog, you can specify whether an attribute can be used as review criteria. For example, Title, Department, and Job Code. Identity Governance adds these items to the select criteria menu.
HINT: When you specify a boolean attribute in your review criteria and the database contains null values for that attribute or column, those records are ignored. If you intend to use the attribute as review criteria, either ensure that there are no null values, add transformation code that converts a null to true or false, or use the bulk data update settings to change the null values to true or false. For more information, see Editing Attribute Values in Bulk.
NOTE: When you narrow the review items by specifying criteria rather than selecting all users, permissions, or other types of review items, you have the following options for selecting them:
Start typing the name and select the item you want
Select the magnifying glass icon to browse the items
Select + to add selection criteria
Specifies which attributes of the user you want to review. For example, Email, Employee Status, and Department.
NOTE: An attribute is available here only if Allow to be reviewed is selected under Listable Options on the Data Administration > Identity Attributes page.
(Conditional) For Direct Reports Review, specify the direct reports or supervisors whose reporting relationship you want to review.
Specifies that you want to review all direct reports or all supervisors in the catalog.
Specifies that you want to enter the criteria for users whose reporting relationship you want to review. You can specify user names, browse for users, or define criteria such as users in a particular group.
Applies only when you select Select users.
Specifies the names of the user groups that you want to include in the review.
Applies only when you select Select users.
Indicates that you want to review all users with a greater than, less than, or equal to your risk threshold. For example, you might want to review only users with greater than or equal to 50% risk.
Applies only when you select Select users.
In the attribute definition editor of the catalog, you can specify whether an attribute can be used as review criteria. For example, Title, Department, and Job Code. Identity Governance adds these items to the select criteria menu.
HINT: When you specify a boolean attribute in your review criteria and the database contains null values for that attribute or column, those records are ignored. If you intend to use the attribute as review criteria, either ensure that there are no null values, add transformation code that converts a null to true or false, or use the bulk data update settings to change the null values to true or false. For more information, see Editing Attribute Values in Bulk.
NOTE: When you narrow the review items by specifying criteria rather than selecting all users, permissions, or other types of review items, you have the following options for selecting them:
Start typing the name and select the item you want
Select the magnifying glass icon to browse the items
Select + to add selection criteria
(Optional) Further expand or restrict User Access Review items and Account Review items by selecting additional options. For more information, see Expanding and Restricting Review Items.
(Optional) Select Estimate Impact to view the number of users, permissions, roles, accounts, and review items affected by the review.
NOTE: Identity Governance calculates the approximate number of review targets. Business role authorizations are not included in this calculation. Results in a running review will also vary based on the review options and the most recent state of the catalog. To see all review items, start the review in preview mode, where authorizations are also calculated.
Based on the number of review targets, you might need to revise the Review period. For example, a review with 15 items might be completed within days, but one with hundreds of items could require weeks to accomplish.
(Optional) For Review Options, select any additional options that apply to this review. For example, you can require comments for certain actions and allow review owners to override decisions.
(Optional) Specify the reviewers you want to participate in the review.
For more information about types of reviewers, see Section 10.9, Specifying Reviewers.
(Optional) To create a serial, multistage review, select Add Reviewer.
This allows you to specify multiple individuals who review the identity’s permissions in the order listed in the definition. For more information, see Section 10.9, Specifying Reviewers.
(Optional) For Monitor Reviews, specify the review owner and auditor.
If you do not specify the review owner, the person who created the review definition becomes the review owner by default. If you do not specify an auditor, the review will not go through the audit acceptance phase.
(Conditional) If the materialized view is enabled, select Cache review item names to cache user, account, permission, and role names to improve performance in large scale reviews.
WARNING: If you enable caching, periodically select Refresh cache review items to synchronize the review with changes to the catalog. For more information, see Improving Performance in Large Scale Reviews.
(Optional) For Escalation, specify the following options:
Specify the Escalation Reviewer by entering user names or by using the search and selecting identities, groups, or business roles. If you do not specify a value, Identity Governance escalates tasks to the Review Owner.
For Escalation timeout, specify the amount of time allowed for the Reviewers to complete their tasks. You must use whole numbers for the value.
(Optional) For Duration, set or change any of the following options:
For Review period, specify the length of time allowed for the review run.
For Expiration policy, specify what happens when a review expires without being completed.
For Partial approval policy, specify whether partial approvals are allowed and if so, whether or not partial approvals will occur automatically.
For Validity period, specify the length of time that the reviewed data will be valid. For example, if you intend to run the review twice a year, specify 6 months.
(Optional) For Notifications, customize the default review notifications, add or remove recipients, or remove notifications. Click Email source preview to preview the email HTML source; to send the rendered version of the email, specify a recipient and click Send. Click Add notification and specify options to add more notifications based on different criteria.
NOTE: You can specify only one recipient in the To field and multiple recipients in the CC field. The read-only Review terminated notice goes to reviewers, review owners, escalation reviewers, and auditors when a review ends. You cannot change its recipients.
(Optional) For Schedule, if you want the review runs to begin and repeat automatically, select Active and select the appropriate schedule. Make sure there is at least a 30-minute gap between runs. Select Start scheduled review in Preview mode requiring manual go live to start each review in preview mode. For additional information about scheduling reviews and the 30-minute gap requirement between runs, see Scheduling a Review.
(Optional) For Default Reviewer Display Preferences, specify the default grouping and default sort for the reviewer display. Specify default reviewer columns by using display columns previously customized for each review type using the Configuration > Review Display Customization menu, or set default columns for the current review definition.
NOTE: If needed, the reviewer can change the default grouping for the current review instance by using the Show All drop-down list, change the sort order by clicking a column heading (ascending or descending arrow), and change the column display by using the display options settings menu.
Save the review.
After specifying review items using different selections of users, permissions, accounts, and roles, administrators can further expand or restrict the items being reviewed in a User Access Review and an Account Review by selecting additional options. The additional options depend on your initial criteria for review items. The following table provides a few examples of the available options and any special conditions.
| When... | If you want to... | Select |
|---|---|---|
| Creating a user access review definition | Enable reviewers to make decisions on accounts that grant specified permissions for the selected set of users | Additionally review accounts for the selected users and permissions |
| Creating an account review definition | Enable reviewers to review both users mapped to the accounts and users who are account custodians when reviewing mapped accounts | Selected users are either mapped users or account custodians. NOTE: This option is available when you initially specify select users and then specify accounts. |
| Account Review | Restrict review items to only users mapped to the accounts or to users who are account custodians when reviewing mapped accounts, or include account custodians as review items when reviewing unmapped accounts | Selected users are mapped users to the accounts, or Selected users are account custodians of the accounts. NOTE: These options are available when you initially specify users or applications and then specify accounts. |
| User Access Review and Account Review | Restrict review items to items that were not authorized by a business role | Review only items that have not been authorized by a business role |
NOTE: For an account to be authorized by a business role, the application to which the account belongs must be added as an authorized resource for the business role. Estimate impact calculations display the approximate number of review targets and do not include additional options such as business role authorizations in the review target calculations. Start the review in preview mode to get an accurate preview of review items based on all review item selection criteria.
Identity Governance calculates the schedule based on the specified start time, time interval, and time zone. The time interval can be daily, weekly, monthly, or yearly. For all schedules, the end date of the time period is adjusted automatically by the Java Calendar add method. For monthly and yearly schedules, the next review always starts one month or one year later regardless of the number of days in the month or year. The following table provides a few examples of a monthly schedule.
| Start time | Next monthly scheduled start time |
|---|---|
| Tue Jan 01 00:00:00 EST 2019 | Fri Feb 01 00:00:00 EST 2019 |
| Wed Jan 30 00:00:00 EST 2019 | Thu Feb 28 00:00:00 EST 2019 |
| Sun Mar 31 00:00:00 EDT 2019 | Tue Apr 30 00:00:00 EDT 2019 |
NOTE: The Identity Governance server needs a 30-minute gap between runs of the same review. For example, if you schedule a review to run at frequent intervals, allow at least 30 minutes to elapse between the runs. Otherwise, the subsequent runs might fail to start, and Identity Governance does not notify you of the failure.
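The following added example (not part of the product documentation or its code) reproduces the month-clamping behaviour of the Java Calendar add method that the schedule table illustrates, and checks a list of planned run times against the 30-minute gap requirement. It uses naive local wall-clock times (the EST/EDT offsets in the table are not modelled), and it assumes that each scheduled run is derived from the previous one, which the page does not state.

```python
import calendar
from datetime import datetime, timedelta

# Constructed sample: the monthly rows from the schedule table above.
SAMPLE_MONTHLY = [
    (datetime(2019, 1, 1), datetime(2019, 2, 1)),
    (datetime(2019, 1, 30), datetime(2019, 2, 28)),
    (datetime(2019, 3, 31), datetime(2019, 4, 30)),
]

MIN_GAP = timedelta(minutes=30)  # required gap between runs of the same review


def add_months(start: datetime, months: int) -> datetime:
    """Emulate java.util.Calendar.add(Calendar.MONTH, n): advance the month and
    clamp the day to the last day of the target month (Jan 30 -> Feb 28)."""
    index = start.month - 1 + months
    year, month = start.year + index // 12, index % 12 + 1
    day = min(start.day, calendar.monthrange(year, month)[1])
    return start.replace(year=year, month=month, day=day)


def next_start(start: datetime, interval: str) -> datetime:
    """Next scheduled start for the four intervals the scheduler supports."""
    if interval == "daily":
        return start + timedelta(days=1)
    if interval == "weekly":
        return start + timedelta(weeks=1)
    if interval == "monthly":
        return add_months(start, 1)
    if interval == "yearly":
        return add_months(start, 12)
    raise ValueError(f"unknown interval: {interval}")


def schedule(start: datetime, interval: str, runs: int) -> list:
    """First `runs` start times; assumption: each run derives from the previous one,
    so a Jan 31 monthly schedule drifts to the 28th after February."""
    out = [start]
    while len(out) < runs:
        out.append(next_start(out[-1], interval))
    return out


def gap_violations(starts: list, min_gap: timedelta = MIN_GAP) -> list:
    """Consecutive runs closer than min_gap: the second run may silently fail
    to start, so flag these before activating the schedule."""
    ordered = sorted(starts)
    return [(a, b) for a, b in zip(ordered, ordered[1:]) if b - a < min_gap]


if __name__ == "__main__":
    for start, expected in SAMPLE_MONTHLY:
        assert next_start(start, "monthly") == expected
    print(schedule(datetime(2019, 1, 31), "monthly", 4))
```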