27.1 Understanding Reviews

Identity Governance collects information from a variety of identity and application data sources in your environment and allows your organization to periodically review and verify not only users’ level of access, and permissions assigned to accounts, but also other items such as business role memberships, business role attribute values, identity attribute values, and supervisor assignments.

27.1.1 Understanding the Steps in a Review Run

In Identity Governance, Review Administrators create review definitions for a particular set of users, accounts, or roles that need review. A single instance of a review definition is a review run or review campaign, which has a Review Owner. The Review Owners can see only the review runs that they own.

Reviews can be started either in a preview mode or a live mode. Review Administrators can set up a review to automatically start in preview mode or they can set up a regular schedule in a review definition so that the review runs start automatically in live mode based on the schedule. Also, live review runs can start automatically when certification or data policy violation remediation is set to micro certification.

Understanding the Steps in the Preview Review Run

When the review owner initiates a review run in preview mode, or when a review run starts automatically in preview mode, the following activities occur:

  1. Identity Governance generates lists of Reviewers, Review items, and Notifications.

  2. The Review Owner previews the review definition for the current run and optionally, changes the review end date, review owner or auditor, and modifies review options and schedule.

  3. The Review Owner reviews all the review items and assigned reviewers, or searches for specific review items, to decide whether the items should be assigned to another reviewer.

  4. The Review Owner also previews the email notification templates and verifies that the appropriate notifications are sent to the correct recipients.

    NOTE: Any changes made by the Review Owner are applied only to the current run. If permanent changes need to be made to the review definition, or reviewers need to be changed for all subsequent runs, the changes must be made by editing the review definition itself.

  5. Optionally, the Review Owner can download all or selected review items as a CSV file to review them manually.

Understanding the Steps in the Live Review Run

When the Review Owner initiates a review run in live mode, when a scheduled review run starts automatically, or when a micro certification review starts automatically, the following activities occur:

  1. Identity Governance generates tasks for the assigned Reviewers and notifies them as specified in the review definition.

  2. Reviewers review their assigned set of review items and decide whether the items should be kept, modified, or removed. If a review item is assigned to multiple reviewers, the first reviewer who acts on that item becomes the decision maker, and the item continues to the next phase of the review. For more information, see Section 27.2, Performing a Review.

  3. (Conditional) If the review definition specifies that a permission requires multiple stages of approval, Identity Governance forwards the affected review items to the next assigned reviewer.

    For example, the application owner, permission owner, or Review Owner might be required to review the permissions and confirm decisions before action is taken to remove any permissions. Reviewers must complete the review in the assigned order.

  4. (Conditional) If a Reviewer does not complete tasks in the specified time frame and the review definition specifies an escalation process, Identity Governance forwards the tasks to the assigned Escalation Reviewer. The Review Owner is the default Escalation Reviewer when an administrator does not specify the Escalation Reviewer in the review definition.

    If there are multiple reviewers, Identity Governance forwards the tasks to the next reviewer before it finally moves them to the Escalation Reviewer or Review Owner queue.

  5. The Review Owner approves the changes.

    NOTE: If specified in the review definition, Review Owners can override reviewer decisions at any point during a review run. When a Review Owner overrides a decision, the review item is locked and can no longer be modified by the reviewer.

  6. Identity Governance initiates the fulfillment process to enable the requested changes.

  7. (Conditional) In a manual fulfillment process, Identity Governance generates tasks that the assigned Fulfillers must complete and notifies them by email.

  8. (Optional) An Auditor might be required to certify the results of the review run.
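The live-run steps above describe a small state machine: sequential review stages, the first eligible reviewer to act becoming the decision maker, overdue tasks routed to the Escalation Reviewer (the Review Owner by default), and a Review Owner override that locks the item. The following Python model is an added example written for this section; it is not Identity Governance code and does not use its API. The class and field names (`ReviewRun`, `ReviewItem`, `Decision`, the per-stage reviewer lists, integer day counters for deadlines) are assumptions chosen for illustration, and the escalation rule is simplified to "overdue items go straight to the Escalation Reviewer for the current stage".

```python
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    KEEP = "keep"
    MODIFY = "modify"
    REMOVE = "remove"


@dataclass
class ReviewItem:
    """One permission or assignment under review (hypothetical structure)."""
    item_id: str
    # One list of eligible reviewers per stage; stages are processed in order.
    stages: list
    stage: int = 0
    decisions: list = field(default_factory=list)  # (reviewer, Decision) per stage
    escalated: bool = False   # routed to the Escalation Reviewer after the deadline
    locked: bool = False      # Review Owner override: reviewers can no longer act

    @property
    def completed(self) -> bool:
        return self.locked or self.stage >= len(self.stages)

    @property
    def final_decision(self):
        return self.decisions[-1][1] if self.completed and self.decisions else None


class ReviewRun:
    """Toy live review run: sequential stages, first actor wins, escalation, override."""

    def __init__(self, owner: str, escalation_reviewer: str = None, allow_override: bool = False):
        self.owner = owner
        # The Review Owner is the default Escalation Reviewer when none is configured.
        self.escalation_reviewer = escalation_reviewer or owner
        self.allow_override = allow_override
        self.items: dict = {}

    def add_item(self, item_id: str, stages) -> ReviewItem:
        item = ReviewItem(item_id, [list(s) for s in stages])
        self.items[item_id] = item
        return item

    def current_reviewers(self, item_id: str) -> list:
        item = self.items[item_id]
        if item.completed:
            return []
        return [self.escalation_reviewer] if item.escalated else item.stages[item.stage]

    def decide(self, item_id: str, reviewer: str, decision: Decision) -> bool:
        """Record a reviewer decision for the current stage; returns True when the item completes."""
        item = self.items[item_id]
        if item.locked:
            raise PermissionError(f"{item_id}: locked by Review Owner override")
        if item.completed:
            raise ValueError(f"{item_id}: all stages already decided")
        if reviewer not in self.current_reviewers(item_id):
            raise PermissionError(f"{reviewer} is not an eligible reviewer for {item_id} at this stage")
        # First eligible reviewer to act becomes the decision maker for this stage;
        # the item then moves to the next stage (or completes).
        item.decisions.append((reviewer, decision))
        item.stage += 1
        item.escalated = False  # escalation applied only to the stage that was overdue
        return item.completed

    def override(self, item_id: str, decision: Decision) -> None:
        """Review Owner override: records the decision and locks the item."""
        if not self.allow_override:
            raise PermissionError("review definition does not allow owner override")
        item = self.items[item_id]
        item.decisions.append((self.owner, decision))
        item.locked = True

    def escalate_overdue(self, now: int, deadline: int) -> list:
        """Route every incomplete item past the deadline to the Escalation Reviewer."""
        escalated = []
        if now <= deadline:
            return escalated
        for item in self.items.values():
            if not item.completed and not item.escalated:
                item.escalated = True
                escalated.append(item.item_id)
        return escalated

    def fulfillment_tasks(self) -> dict:
        """Completed items whose decision requires a change feed the fulfillment process."""
        return {i.item_id: i.final_decision.value for i in self.items.values()
                if i.completed and i.final_decision in (Decision.MODIFY, Decision.REMOVE)}


def demo() -> dict:
    """Constructed walk-through of one run; reviewer names are made up."""
    run = ReviewRun(owner="review.owner", allow_override=True)
    # perm-1: either supervisor may act at stage 1, the application owner confirms at stage 2.
    run.add_item("perm-1", stages=[["sup.a", "sup.b"], ["app.owner"]])
    run.add_item("perm-2", stages=[["sup.c"]])
    run.add_item("perm-3", stages=[["sup.d"]])
    run.decide("perm-1", "sup.b", Decision.REMOVE)      # sup.b acted first: decision maker
    run.decide("perm-1", "app.owner", Decision.REMOVE)  # stage 2 confirms
    run.escalate_overdue(now=31, deadline=30)           # perm-2 and perm-3 are overdue
    run.decide("perm-2", "review.owner", Decision.KEEP) # default Escalation Reviewer acts
    run.override("perm-3", Decision.MODIFY)             # owner override locks perm-3
    return run.fulfillment_tasks()                      # {'perm-1': 'remove', 'perm-3': 'modify'}
```

`demo()` ends with only the items that changed something in the fulfillment queue; `perm-2` was kept and produces no task. The checks in `decide` are the part worth copying into any review tooling of your own: a second supervisor cannot act after the first has decided, and nobody can act on a locked item.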

27.1.2 Understanding the Reviewer Authorization

Reviewers represent individuals who have the information and authority to determine whether assignments such as assigned permissions, reporting relationships, business role memberships, and user attribute values are correct. You might be assigned to review items in multiple active review runs. Depending on how the review is defined, Identity Governance might send you email notifications to remind you of incomplete tasks and approaching deadlines.

As a Reviewer, based on the review definition, you can perform any or all of the following tasks:

  • Add, remove, or rearrange columns in reviews and review item displays

  • Download all or a filtered set of your review items as a CSV file

  • Filter the list to show only incomplete review items

  • Sort the review items by characteristics such as user, permission, account, account type, attribute, application, roles (technical and business), supervisor, or action

  • Process review items individually

  • Group review items, use the search filter to narrow the list, or select multiple items to process review items in batches

  • Add a comment to a review item with your decision to keep or remove, individually or in a batch

  • View the details of the review item

  • View guidance on how the permission was assigned, such as through a direct assignment or authorized by a role

  • Choose to keep, modify, or remove review items

  • View activity for a review item

  • Change the Reviewer of review items, individually or in a batch, if you do not have the information you need to make a decision

  • Change the supervisor and also change other identity attributes of a user

  • Change values of business role attributes and also request changes to memberships and authorizations of a business role

  • Submit decisions for your tasks in the allotted time frame

If you are an Escalation Reviewer, you must resolve all review items that are not completed on time.

Secondary reviewers in a multi-stage review can confirm the previous decision or they can override the decision.

For more information, see Section 27.2, Performing a Review.