21.4 Creating a Review Definition

The review definition enables you to define and schedule various types of reviews. It contains all of the information required to run a review. You can also modify the definition for subsequent review runs without the need to create additional review definitions. To create a review definition, the catalog must contain published data.

  1. Log in as a Review Administrator.

  2. Select Definitions.

  3. Click + to create a new review definition.

  4. Select the type of objects you want to review, or search by review type and then select the type of objects.

  5. Name the review and add a description.

  6. (Optional) Add instructions that explain to reviewers what they need to do. For example: "Please review these items, or reassign them to someone else if necessary."

  7. Accept the default review item selection criteria and skip to Step 8, or refine the selection criteria to focus the review on your security and compliance needs. For example, you can review accounts based on account custodian or last account review date. Alternatively, you can review users, business roles, or accounts based on risk.

    The selection criteria available for an entity or business role are the attributes that have previously been enabled as selection criteria. When you choose the Select option to specify entities or business roles, click + to add conditions to your selection.

    NOTE:In addition to the default selection criteria for review items, such as risk, you can ask your Data Administrator to add other selection criteria, including custom criteria, for the various reviews.

    The following table lists, for each review object, the review type that it creates and the criteria by which you can specify the review items.

    For Review Object: Permissions assigned to accounts
    For Review type: Account Access Review
    Specify review items by:
    • Accounts
    • Permissions
    • Users
    • Applications
    NOTE:Specifying identities or applications first enables Identity Governance to determine whether users mapped to accounts or custodians of accounts will be reviewed. For more information, see Section 21.4.1, Expanding and Restricting Review Items.

    For Review Object:
    • Accounts
    • Accounts and their permissions
      NOTE:Permissions are grouped by accounts in this type of review.
    • Accounts, unmapped only
    For Review type: Account Review
    Specify review items by:
    • Accounts
    • Permissions
    • Users
    • Applications
    NOTE:Specifying identities or applications first enables Identity Governance to determine whether users mapped to accounts or custodians of accounts will be reviewed. For more information, see Section 21.4.1, Expanding and Restricting Review Items.

    For Review Object: Business role definitions
    For Review type: Business Role Definition Review
    Specify review items by:
    • Business roles
      You can choose to review membership and authorizations for the specified business roles.
    • Business role attributes
      An administrator with Data Administration authorization must have selected Allow to be reviewed for an attribute on the Data Administration > Business Role Attributes page for that attribute to be available as an option on the review definition page.

    For Review Object: User direct reports
    For Review type: Direct Reports Review
    Specify review items by:
    • Users

    For Review Object: Business roles assigned to users
    For Review type: Business Role Membership Review
    Specify review items by:
    • Business roles

    For Review Object:
    • Permissions and accounts assigned to users
    • Permissions assigned to users
    • Technical roles assigned to users
    • Technical roles detected on users
    • Users' permissions, accounts and assigned roles
    • Users' permissions, accounts and detected roles
    For Review type: User Access Review
    Specify review items by:
    • Accounts
    • Permissions
    • Users
    • Applications
    • Roles (Technical roles)
    NOTE:Optionally, you can further expand or restrict your review items to include items that have been authorized by a business role. For more information, see Section 21.4.1, Expanding and Restricting Review Items.

    For Review Object: User profiles
    For Review type: User Profile Review
    Specify review items by:
    • Users
    • User attributes
      Attribute selection is required for this review type. You can select only attributes such as title, department, and job code that have previously been marked Allow to be reviewed in Data Administration > Identity Attributes by an administrator with Data or Global Administrator authorization.

  8. (Optional) Select Estimate Impact to view the approximate number of review items and depending on the selected review type, the approximate number of users, permissions, roles, accounts, or business roles.

    NOTE:Identity Governance calculates the approximate number of review targets. Business role authorizations are not included in this calculation. Results in a running review will also vary based on the review options and the most recent state of the catalog. To see all review items, including those that depend on authorizations, start the review in preview mode, where authorizations are also calculated.

    Based on the number of review targets, you might need to revise the Review period. For example, a review with 15 items might be completed within days, but one with hundreds of items could require weeks to accomplish.

  9. (Optional) For Review Options, select any additional options that apply to this review. For example, you can require comments for certain actions and allow review owners to override decisions. You can also allow or prevent reviewers from changing the reviewer, and configure the self-review policy. For more information about the self-review policy, see Section 21.4.2, Specifying Self-Review Policy.

  10. (Optional) Specify the reviewers you want to participate in the review.

    For more information about types of reviewers, see Section 21.8, Specifying Reviewers.

  11. (Optional) To create a serial, multistage review, select Add Reviewer.

    This allows you to specify multiple individuals who review the review items in the order listed in the definition. For more information, see Section 21.8.1, Understanding Multistage Reviews.

  12. (Optional) For Monitor Reviews, specify the review owner and auditor.

    If you do not specify the review owner, the person who created the review definition becomes the review owner by default. If you do not specify an auditor, the review will not go through the audit acceptance phase.

    (Conditional) If the materialized view is enabled, select Cache review item names to cache user, account, permission, and role names, which improves performance in large-scale reviews.

    WARNING:If you enable caching, periodically select Refresh cache review items to synchronize the review with changes to the catalog; until you do, reviewers see the cached names rather than the current catalog. For more information, see Improving Performance in Large Scale Reviews.

  13. (Optional) For Task Due Date and Escalation, select one of the following options:

    • When review is scheduled to end

      Select this option if you want review items to be due when the review ends, based on the Duration settings.

      NOTE:Review administrators or owners can change review end date to a specific date and time when they start the review run.

    • Specify maximum queue time

      Select this option if you want reviewers to have a due date for their items. The due date can trigger notifications, and review items that are past their due date are shown as overdue. Even in a multistage review, items do not leave the current reviewer's queue when they reach their due date.

      For Maximum time in queue, specify the number of days, weeks, months, or years allowed for reviewers to complete their tasks. You must use whole numbers for the value. The due date that is displayed is calculated as if the review started at the time the review definition was created. Due dates for secondary reviewers are calculated from the time the item enters that reviewer's queue.

    • Specify maximum queue time and escalation reviewer

      Select this option when you want review items to escalate if they are not completed by the due date. In a multistage review, overdue items escalate to the next reviewer. When the item is already in the final reviewer's queue, or in a single-stage review, overdue items escalate to the specified Escalation Reviewer.

      Specify Maximum time in queue and the Escalation Reviewer. The Escalation Reviewer is the final reviewer in the escalation chain: when tasks are past due and no further review stage is defined, all open tasks move to this reviewer's queue. The Escalation Reviewer can be the Review Owner or one or more users that you specify by searching for and selecting identities, groups, or business roles.

  14. (Optional) For Duration, set or change any of the following options:

    1. For Review period, specify the length of time allowed for the review run.

    2. For Expiration policy, specify what happens when a review expires without being completed.

    3. For Partial approval policy, specify whether partial approvals are allowed and if so, whether or not partial approvals will occur automatically.

    4. For Validity period, specify the period of time before the certified items need to be reviewed again. For example, specify 6 months if you intend to run the review again after six months from the current review schedule.

      NOTE:After a review completes, the review renewal date value might display a different time unit than the validity period specified in the review definition, because the remaining time is recalculated as the review approaches its next cycle. For example, a validity period of 2 weeks might display a renewal date of 14 days or less to indicate the number of days before the review starts its next cycle.

  15. (Optional) For Notifications, add notifications based on provided email source templates, view notification description and settings, or remove default review notifications. Customize default notification schedule including recurrence schedule, and add email recipients.

    NOTE:Typically, you can specify only one recipient in the To field and multiple recipients in the CC field. You specify CC recipients by selecting a relationship and an identity attribute for that relationship. However, the read-only Review terminated notice, which is based on the Certification Terminated email source template, goes to reviewers, review owners, escalation reviewers, and auditors when a review ends; you cannot change its recipients.

    Click Email source preview to preview email HTML source and to specify a recipient for the rendered version of the email. For more information, see Section 21.2.3, Setting Review Notifications.

  16. (Optional) For Schedule, if you want review runs to begin and repeat automatically, select Active and select the appropriate schedule. Make sure there is at least a 30-minute gap between runs. To start each scheduled run in preview mode, select Start scheduled review in Preview mode requiring manual go live. For more information about scheduling reviews and the 30-minute gap requirement between runs, see Scheduling a Review.

  17. Save the review.

  18. (Optional) After saving the review definition, set the default columns for this review definition by editing the definition and specifying Default Reviewer Display Preferences. Otherwise, the default grouping and default sort for the reviewer display use the Configuration > Review Display Customization settings that you set for each review type.

    NOTE:If needed, the reviewer can change the default grouping for their review instance by using the Show All drop-down list, change the sort order by clicking on headings with descending or ascending arrow, and change the column display by using the display options settings menu.

21.4.1 Expanding and Restricting Review Items

In addition to preselected options for specifying review items and additional options based on your review type, you can modify the preselected options and expand or restrict items being reviewed in a User Access Review, an Account Review, or an Account Access Review. The following table provides a few examples of available options and special conditions if any.

If you want to: Restrict review items to users as account custodians or mapped accounts
Select: Users first, then the type of accounts, and then specify whether the selected users are mapped users or account custodians.
NOTE:The option to indicate whether the selected users are mapped users or account custodians is available only if you select users first and then accounts.

If you want to: Restrict review items to items that were not authorized by a business role, or to items that were authorized by a business role
Select: Review only items that have not been authorized by a business role, or Review only items that have been authorized by a business role.
NOTE:For an account to be authorized by a business role, the application to which the account belongs must be added as an authorized resource for the business role. Estimate impact calculations display an approximate number of review targets and do not include additional options such as business role authorizations. Start the review in preview mode to get an accurate preview of review items based on all review item selection criteria.

21.4.2 Specifying Self-Review Policy

Identity Governance enables administrators to specify a self-review policy when creating a review definition for the following review types:

  • User Access Review

  • User Profile Review

  • Account Review

  • Business Role Membership Review

When specifying the self-review policy, you can choose to:

  • Allow self review in all stages regardless of the specified reviewers

  • Send all items that will result in a self review to the exception queue

  • Prevent self review, but allow other reviewers to complete review actions when a review item is assigned to multiple reviewers in a specific review stage

21.4.3 Scheduling a Review

Identity Governance calculates the schedule from the specified start time, time interval, and time zone. The time interval can be daily, weekly, monthly, or yearly. For all schedules, the end date of each run is adjusted automatically using the Java Calendar add method (java.util.Calendar.add). For monthly and yearly schedules, the next run always starts one month or one year later regardless of the number of days in the month or year: if the target month has fewer days than the day of the month on which the schedule starts, the run starts on the last day of that month. The following table provides a few examples of a monthly schedule.

Start time                        Next monthly scheduled start time
Tue Jan 01 00:00:00 EST 2019      Fri Feb 01 00:00:00 EST 2019
Wed Jan 30 00:00:00 EST 2019      Thu Feb 28 00:00:00 EST 2019
Sun Mar 31 00:00:00 EDT 2019      Tue Apr 30 00:00:00 EDT 2019

NOTE:The Identity Governance server needs a 30-minute gap between runs of the same review. For example, if you schedule a review to run at frequent intervals, allow at least 30 minutes to elapse between runs. Otherwise, subsequent runs might fail to start, and Identity Governance does not notify you of the failure.
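The following Python is an added example, not Identity Governance code, that works through the calendar arithmetic described in this section and in the Maximum time in queue option of Step 13: whole-number intervals, month and year steps that clamp to the last valid day of the target month the way java.util.Calendar.add does, wall-clock times that stay at 00:00 local across the EST/EDT change, and the 30-minute minimum gap between runs. Two things in it are assumptions rather than documented behavior: that queue time in months or years uses the same clamping as the schedule, and that scheduled runs are computed from the original start time rather than from the previous (possibly clamped) run; the `run_times` function shows both so you can compare against your own instance's run history.

```python
"""Schedule and due-date arithmetic as described for Identity Governance:
whole calendar units, month/year steps clamped to the last valid day
(java.util.Calendar.add semantics), and a 30-minute minimum gap between
runs of the same review. Illustrative code, not the product's own."""
import calendar
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

NY = ZoneInfo("America/New_York")   # time zone used in the table above
MIN_GAP = timedelta(minutes=30)     # gap the server needs between runs


def add_calendar(start: datetime, *, days: int = 0, weeks: int = 0,
                 months: int = 0, years: int = 0) -> datetime:
    """Add whole calendar units to a wall-clock time.

    Months and years keep the day-of-month when it exists in the target
    month and otherwise clamp to that month's last day (Jan 30 + 1 month
    = Feb 28), which is what java.util.Calendar.add does. Days and weeks
    are wall-clock day arithmetic, so 00:00 local stays 00:00 local
    across a DST change.
    """
    for v in (days, weeks, months, years):
        if isinstance(v, bool) or not isinstance(v, int) or v < 0:
            raise ValueError("intervals must be whole, non-negative numbers")
    total = start.month - 1 + months + 12 * years
    year, month = start.year + total // 12, total % 12 + 1
    day = min(start.day, calendar.monthrange(year, month)[1])
    stepped = start.replace(year=year, month=month, day=day)
    # aware datetime + timedelta is wall-clock arithmetic in Python
    return stepped + timedelta(days=days + 7 * weeks)


def next_scheduled_start(start: datetime, interval: str, n: int = 1) -> datetime:
    """n-th run after `start` for a daily/weekly/monthly/yearly schedule,
    computed from the original start so clamping never accumulates."""
    units = {"daily": "days", "weekly": "weeks", "monthly": "months", "yearly": "years"}
    if interval not in units:
        raise ValueError(f"unknown interval {interval!r}")
    return add_calendar(start, **{units[interval]: n})


def run_times(start: datetime, interval: str, count: int, stepwise: bool = False) -> list:
    """Run times after `start`. stepwise=True advances from the previous
    (possibly clamped) run instead, which drifts: Jan 30 -> Feb 28 -> Mar 28.
    Which of the two Identity Governance uses is an assumption to verify
    against your own run history."""
    runs, prev = [], start
    for i in range(1, count + 1):
        nxt = (next_scheduled_start(prev, interval) if stepwise
               else next_scheduled_start(start, interval, i))
        runs.append(nxt)
        prev = nxt
    return runs


def queue_due_date(entered_queue: datetime, amount: int, unit: str) -> datetime:
    """Due date for 'Specify maximum queue time': `amount` whole days, weeks,
    months or years from the moment the item entered this reviewer's queue.
    (Assumption: months/years clamp like the schedule does.)"""
    if unit not in ("days", "weeks", "months", "years"):
        raise ValueError(f"unknown unit {unit!r}")
    return add_calendar(entered_queue, **{unit: amount})


def gap_ok(runs: list, min_gap: timedelta = MIN_GAP) -> bool:
    """True if every pair of consecutive runs is at least `min_gap` apart in
    real (UTC) time. Subtracting two aware datetimes that share a tzinfo
    ignores UTC offsets, so convert first to be correct across DST changes."""
    utc = [r.astimezone(timezone.utc) for r in sorted(runs)]
    return all(b - a >= min_gap for a, b in zip(utc, utc[1:]))


if __name__ == "__main__":
    fmt = "%a %b %d %H:%M:%S %Z %Y"
    for s in (datetime(2019, 1, 1, tzinfo=NY), datetime(2019, 1, 30, tzinfo=NY),
              datetime(2019, 3, 31, tzinfo=NY)):
        print(s.strftime(fmt), "->", next_scheduled_start(s, "monthly").strftime(fmt))
    jan30 = datetime(2019, 1, 30, tzinfo=NY)
    print("anchored:", [r.date().isoformat() for r in run_times(jan30, "monthly", 3)])
    print("stepwise:", [r.date().isoformat() for r in run_times(jan30, "monthly", 3, stepwise=True)])
    print("1 month in queue from Jan 31:", queue_due_date(jan30.replace(day=31), 1, "months").date())
    print("20-minute gap ok?", gap_ok([jan30, jan30 + timedelta(minutes=20)]))
```

Running the block reproduces the three rows of the table above, including the EST to EDT change between the last start time and its next run. The `gap_ok` check is the one to wire into whatever generates schedules for you: a run that lands inside the 30-minute window fails silently on the server, so catch it before the definition is saved.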