21.2 Understanding the Review Process

You can run a review once or multiple times either by starting the review manually or by scheduling it to start at the specified time or interval. Each review is based on a review definition that is based on a specific type of review object and defines all parameters for that particular review. Review Administrators or Global Administrators create review definitions using the provided default review definitions with preselected criteria. These definitions enable you to select what you want to review. For example, you can select review objects such as User profiles, Technical role assigned to users, Accounts and their permissions, or Business roles assigned to users. These review objects are specific to a review type (review template). Each review type provides selection criteria that help review administrators to focus their reviews based on varying combinations of identity, application, account, permission, permission assignment, or business role attributes. For example, you can focus the User profiles review by specifying that reviewers should review users with risk greater than 80. Identity Governance provides a default list of attributes for selection when creating review definitions. Review administrators can request Global or Data administrators to add other attributes as selection criteria. Items that do not meet the specified criteria in a review definition are filtered out of the review.

Review definitions also assign reviewers based on their relationship to the review items. Often, administrators use review definitions to split up responsibility for reviewing items to prevent bottlenecks and overloading reviewers. Review definitions can also be referenced in certification policies to enable a comprehensive view of your organization's compliance with specific certification controls such as Sarbanes-Oxley Act (SOX) or Health Insurance Portability and Accountability Act (HIPAA).

In addition to the default selection criteria, Identity Governance provides the ability to enable other attributes including custom attributes as selection criteria. In the attribute definition editor of the catalog, an administrator with Data or Global Administrator authorization can specify whether an attribute can be used as a review criteria by selecting an attribute in the Data Administration > Attributes pages and specifying Display in review item selection criteria. For example, in the Identity Attributes page, a Data Administrator can enable Job Code as selection criteria and then a Review administrator can create a review of users based on Job Code value. In the Permission Assignments page, a Data Administrator can enable Assignment Type and then a Review administrator can create a review of permissions based on assignment type.

Email notifications let reviewers, escalation reviewers, owners, and others know when a review is at various stages of a review run. The Notifications area of a review definition allows you to set up several standard notifications to go to whomever you specify during the various phases of a review. Standard notifications include Reviewer start, Review end, Reviewer task past due and so forth. Review the details of the email notification and update it as needed.

You can click an email name to view who will receive the email, why they will receive it, when they will receive it, and how often they will receive it. You can either accept the default settings or change the settings and add other recipients based on relationships. You can view the name of the email source, preview the email, and email the notification to a specified email address. If you change the default settings, we recommend that you also change the description of the notification. For example, if you change who receives the notification, change the recipient name in the description.

Regarding notifications received by escalation reviewers, when a review item is escalated, Identity Governance sends the reminder notification to the escalation reviewer as it would to any other next reviewer. By default, the escalation reviewer will not receive the Reviewer task past due notifications as these are typically emailed to the reviewer and reviewer’s supervisor when overdue tasks remain in the reviewer queue. However, you can add an escalation reviewer as a recipient in the CC field if needed.

In addition to changing the settings when defining a review, you can also remove a default notification, customize the template of a default notification, and add new notifications by selecting an email template provided by Identity Governance. For information about customizing the templates, see Section 3.1, Customizing the Email Notification Templates. For information about disabling email notifications such as notification when a running review is terminated or notification when permissions are revoked, see Disabling Review Email Notifications.

Review definitions contain an expiration policy. Review administrators and owners specify the actions that Identity Governance takes when a review expires without being completed:

For Identity Governance 2.0 and later, review definitions have the default expiration policy set to complete the review. For review definitions migrated from earlier versions of Identity Governance, review definitions have the default expiration policy set to terminate the review and discard any decisions.

Administrators can start a review run, or review instance, in preview mode or live mode. In preview mode, administrators can:

When a review run or review instance is live, the server generates review items based on the criteria. Assigned reviewers decide what action to take on each review item and submit their decisions. If allowed, by the review definition, reviewers might reassign items to a different reviewer instead of making a decision.

In a review with multiple reviewers for each review item, Identity Governance shows decisions made when the first reviewer submits actions for any of the review items. When any reviewer has submitted a decision for a review item, the other reviewers cannot take any action on that item unless the reviewer has authorization as an administrator. Review items with no actions remain in each reviewer’s list until someone submits actions for them.

In a review with multiple stages, reviewers must act on review items in the order that the stages are defined in the review definition. For more information about multistage reviews, see Section 21.8.1, Understanding Multistage Reviews.

Identity Governance enables you to download all or a filtered list of review items assigned to you as reviewers. In addition, review administrators and owners can download list of all reviewers, a list of review items in a specific reviewer’s queue, and a list of all review items. You can download these lists as a CSV file for manual review and comparison.

The list of reviewers includes rows for each reviewer by queue type. For example, if a reviewer is a supervisor and also an exception reviewer, you will see two rows for the user in the downloaded file. When review items are assigned to multiple reviewers, for example when a reviewer is a group, you will see a row for each reviewer with the same number of review items. In all the scenarios, each row will include columns of all the user attributes that were enabled to display in the quick info view in the Data Administration > User menu including custom attributes.

The list of review items you download from the Review Items tab will always include all review items. Except for User Profile Review, all other review item lists will include final decisions made on the review items. User Profile Review will include only the original values of the selected attributes.

The list of review items you download from the Your Review Items tab includes rows for review items assigned to the reviewer with columns that you, as an administrator, included in the Configuration > Review Display Customization menu. You can filter the review items and download only the items you want to review manually.

All downloaded files will be saved to a download folder. You can then click the Download icon on the application title bar to access the saved file and download the file to your local machine.

Identity Governance provides escalation options to help Review Owners and Administrators ensure that the review process proceeds in a timely manner. You can set one or more escalation reviewers, and a timeout value to instruct Identity Governance to escalate the process and move pending review items to escalation reviewer queues. If a review definition does not set escalation reviewers, the review owner is the default escalation reviewer and in a multistage review, review items will be escalated to the next reviewer in the queue.

Aside from letting the expiration policy complete the review run, a review run concludes in one of several ways:

After reviewers have made decisions and submitted all review items, the Review Owner approves or terminates the review run and Identity Governance moves the review run details to a list of completed reviews.

A Review Owner has the option to complete an in-progress review even if reviewers have not submitted decisions for all review items. When a Review Owner completes a review, Identity Governance takes the following actions:

A Review Owner also has the option to terminate an in-progress review. When a Review Owner terminates a review, Identity Governance takes the following actions:

The fulfillment process begins when a review run completes or when a review owner approves review items individually. For more information about fulfillment, see Section 14.6, Fulfilling the Changeset for a Review Instance.

The Review Auditor, if specified, accepts or rejects the review run after the review owner approves it. Although a review audit is a legal stamp, accepting a review has no impact on the fulfillment of the requested changes.

A global, review, or data administrator creates certification policies and sets remediation action for violations. Identity Governance calculates violations and after initial setup automatically triggers remediation action. Remediation actions include email notifications, change requests, or micro certification.

For more information about micro certification and certification policies, see Section 21.3, Understanding Micro Certification and Section 23.0, Creating and Managing Certification Policies.