About Identity Governance
Identity Cloud add-on capability
Contact your ForgeRock representative if you are interested in adding ForgeRock® Identity Governance to your Identity Cloud subscription. Refer to Add-on capabilities.
Identity Governance allows you to centrally administer and manage user access to applications and data across your organization to support regulatory compliance. Identity Governance works with onboarded target applications when reviewing user data. This allows you to review user data for onboarded applications, making Identity Cloud the authoritative source of truth for user data in your organization. In turn, this gives Identity Cloud the ability and authority to decide what access to applications users should have through a certification process.
|Identity Governance only supports the use of the Alpha realm. Even though the use of the Bravo realm appears possible, it will not work.|
With Identity Governance, you can review the access in applications and decide if the access should be kept (certified) or removed (revoked). This is called an access certification.
To review data and approve or deny access you:
Create templates: Create templates to define the data to review, who is responsible for the review, and when the data needs to be reviewed (on a periodic or ad hoc basis). Often, organizations need to review the same data multiple times a year to ensure access is accurate. Templates make this process easier by providing saved templates.
Run campaigns: Campaigns are a process that runs when a template is run. When a campaign runs, it uses an existing template and the configurations of the template.
Certify access: When a campaign runs, tasks are assigned to one or more end users or certifiers. The template defines the tasks the certifier is responsible for. As an end user, review and complete the tasks assigned to you.
|For a user to access Identity Governance administrative-related functions Identity Cloud, they must be a tenant administrator. For more information, refer to Tenant administrator settings.|
When you purchase Identity Governance, new menu item(s) display in the left navigation pane of the Identity Cloud admin UI.
Access certification example
As an example of an access certification process, let’s say you want to know what applications a specific user, Barbara Jenson, has access to. You may want to do this for several reasons; increasing your organization’s security landscape by ensuring users have accurate, appropriate access, or to comply with organizational, industry, or governmental policies. Barbara Jensen has an account and access to an application, called App A.
With Identity Governance, an administrator can perform the following actions:
Configure and assign individuals in your organization to review Barbara’s access to App A. In the system, these individuals are considered certifiers.
Start the process for reviewing of the data through campaigns. Campaigns are the active process that detail items that need reviewing. In this case, it is Barbara’s data. Certifiers are assigned to review the data in a campaign.
Certifiers review Barbara’s data and either certify (allow) or revoke (remove) the access to App A.