Identity Cloud

Manage policies

Identity Governance enables centralized management of end-user access to resources throughout your organization, ensuring regulatory compliance.

Identity Governance implements a principle, known as segregation of duties (SoD), which prevents the granting of privileges to a single individual in situations where conflict of interest could arise. For example, users responsible for requesting or approving financial transactions, like expenditures, should be distinct from those handling the reconciliation or recording of these transactions to prevent fraud.

To oversee compliance, Identity Governance provides a policies feature, consisting of policy rules that outline conditions and permissions for authorizing user access to resources. You can schedule policy scans periodically to identify any breaches of policy and note any exceptions flagged by certifiers. When Identity Governance detects non-compliant access requests, whether due to error or fraudulent activity, it marks them as a violation and displays them on the Violations page. In certain cases, you can temporarily set exemptions on certain violations; Identity Governance displays these on the Exceptions page.

View policies

  • In the Identity Cloud admin UI, click Governance > Compliance. The Policies page appears with a list of policies. If no policies are present, the page displays a New Policy button.

    governance compliance dashboard
    • 1 Click the Compliance link in the left navigation bar.

    • 2 Click the Policies tab to view the list of all policies.

    • 3 Click the Policy Rules tab to view the list of all policy rules.

    • 4 Click the Violations tab to view the list of all policy violations.

    • 5 Click the Exceptions tab to view the list of all policy exceptions.

    • 6 Click the New Policy button to add a new policy.

    • 7 Search policies by name, status, or description. The search is case insensitive.

    • 8 Name: Name of the policy. This is a required field.

    • 9 Status: Current status of the policy, either Inactive or Active. You can sort the list in ascending or descending order by clicking the up or down triangles.

    • 10 Ellipsis (). Click to duplicate, edit, or delete the policy.

View policy details

Identity Governance provides another important policies page displaying the policy details, where you can add or edit the policy rules, schedule policy scans, review or forward policy violations, and review any policy exceptions.

  1. In the Identity Cloud admin UI, click Governance > Compliance.

  2. On the Policies page, click the ellipsis () for a policy, and then click Edit. The policy details page appears.

    governance compliance details
    • 1 Click Details to view or edit a policy’s configuration.

    • 2 Click Rules to view or edit the policy rules assigned to the policy.

    • 3 Click Scans to schedule a scan for the policy.

    • 4 Click Violations to view or forward any violations found in the scans.

    • 5 Status: Current status of the policy, either Inactive or Active. Click Activate to make the policy active, or click Deactivate to make the policy inactive.

    • 6 Name: Name of the policy.

    • 7 Description: Optional. Enter a description for the policy.

    • 8 Policy Owner: Select the policy owner(s) for the policy.

Add policy rules

  1. In the Identity Cloud admin UI, click Governance > Compliance.

  2. Click the Policy Rules tab, and then click New Rule.

  3. On the New Policy Rule page, enter the policy rule details, and then click Next:

    Field Description

    Name

    Enter a name for your policy rule. Follow any naming convention established by your company.

    Description

    Optional. Enter a general description for the new policy rule.

    Owner

    Select a policy owner for this new policy rule.

    Risk Score

    Assign a risk score for this rule. Range is 0–100. For example, a high risk score could be 80–100 for a rule.

    Mitigating Control

    Optional. Enter instructions on what to do if a violation is unavoidable.

    Control URL

    Optional. Enter a URL link to a reference site, such as an internal corporate policy.

    Correction Advice

    Optional. Enter instructions on how to correct the violations.

  4. On the Violation Condition page, do the following:

    1. Use the filter to set your initial violation conditions:

      Field Description

      Select entitlements if Any or All conditions are met.

      Select either Any or All.

      Select a property

      Values could include the following, depending on your glossary items:

      • Description

      • Display Name

      • Entitlement Owner

      • Requestable

      Connector

      Values include:

      • contains

      • is

      • starts with

      • ends with

      Attribute Value

      Enter the attribute value to compare against.

    2. Click , and then click Add Rule or Add Group.

    3. Next, enter the condition whose entitlements must not be held together with those matched by the previous condition:

      Field Description

      Select entitlements if Any or All conditions are met.

      Select either Any or All.

      Select a property

      Values include:

      • Description

      • Display Name

      • Entitlement Owner

      • Requestable

      Connector

      Values include:

      • contains

      • is

      • starts with

      • ends with

      Attribute Value

      Enter the attribute value to compare against.

    4. Click , and then click Add Rule or Add Group.

    5. Click Next.

  5. On the Applies To page, select the users to whom this policy rule applies. Values include:

    Field Description

    Applies to

    Options are:

    • All users

    • A single user

    • Users matching a filter. Create a filtered condition to match users.

    1. Click Next.

  6. On the Settings page, select the policy rule settings:

    Field Description

    Violation Owner

    Confirm the violation owner of the policy rule. Select an alternate owner if necessary.

    Decision Options

    Select the options for allowing a user to keep violating access or for granting a temporary exception:

    • Click Enable Allow to allow a user to retain their violating access permanently.

    • Click Enable Exception to allow a user to be granted a temporary exception to retain access.

    Scan Types

    At least one value must be checked. Values include:

    • Click Preventative to enforce the rule during access requests and provisioning.

    • Click Detective to enforce the rule during compliance scans.

    Violation Lifecycle

    Select the settings for the violation life cycle:

    • When a violation is found: Select the action to take when a violation is found. Click Do nothing or Launch Violation Workflow. If you click Launch Violation Workflow, select the workflow to launch when a rule violation is triggered.

    • Violations Expire: Click Never or After a specified time. If you select After a specified time, enter the number of day(s) after which the violations expire.

    • When violation expires: Click Close violation, Create a new violation, or Do nothing.

    1. Click Save.
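The segregation-of-duties principle described at the top of this page, and the rule built in the steps above, can be modelled in a few dozen lines. The following is an added, illustrative example written for this page; it is not ForgeRock's code or API. The property names (Display Name, Entitlement Owner), the operators (contains, is, starts with, ends with), the Any/All grouping, the Applies To filter and the Preventative/Detective scan types are taken from the UI labels above; the class and function names, the finance entitlements and the three sample users are constructed for the example.

```python
"""Illustrative model of a segregation-of-duties (SoD) policy rule.

Added example, not ForgeRock code. It shows how a rule with two
violation condition groups (joined by Any/All), an Applies To filter
and a scan type can be evaluated against a user's entitlements, both
as a Detective scan and as a Preventative check on an access request.
All entitlement and user data below is constructed.
"""
from dataclasses import dataclass, field

# Operators offered in the Connector drop-down; comparisons are case insensitive.
OPERATORS = {
    "contains":    lambda actual, expected: expected.lower() in actual.lower(),
    "is":          lambda actual, expected: actual.lower() == expected.lower(),
    "starts with": lambda actual, expected: actual.lower().startswith(expected.lower()),
    "ends with":   lambda actual, expected: actual.lower().endswith(expected.lower()),
}

@dataclass(frozen=True)
class Condition:
    prop: str    # glossary property, e.g. "Display Name" or "Entitlement Owner"
    op: str      # one of OPERATORS
    value: str   # the attribute value entered in the rule

    def matches(self, entitlement: dict) -> bool:
        return OPERATORS[self.op](entitlement.get(self.prop, ""), self.value)

@dataclass
class ConditionGroup:
    match: str          # "Any" or "All"
    conditions: list

    def matching(self, entitlements):
        """Return the entitlements this group selects."""
        combine = any if self.match == "Any" else all
        return [e for e in entitlements if combine(c.matches(e) for c in self.conditions)]

@dataclass
class PolicyRule:
    name: str
    risk_score: int
    group_a: ConditionGroup                  # first violation condition
    group_b: ConditionGroup                  # conflicting condition
    applies_to: callable = lambda user: True  # "All users" unless a filter is given
    scan_types: set = field(default_factory=lambda: {"Detective"})

def find_violation(rule, user):
    """Detective check: the user violates the rule when they hold at least one
    entitlement from each of the two conflicting groups."""
    if not rule.applies_to(user):
        return None
    a = rule.group_a.matching(user["entitlements"])
    b = rule.group_b.matching(user["entitlements"])
    if a and b:
        return {"user": user["userName"], "rule": rule.name, "risk": rule.risk_score,
                "conflicts": sorted({e["Display Name"] for e in a + b})}
    return None

def would_violate(rule, user, requested):
    """Preventative check at access-request time: evaluate the rule as if the
    requested entitlement had already been granted. Only rules with the
    Preventative scan type take part."""
    if "Preventative" not in rule.scan_types:
        return None
    hypothetical = dict(user, entitlements=user["entitlements"] + [requested])
    return find_violation(rule, hypothetical)

def scan(rule, users):
    """Run the rule over every user and collect the violations found."""
    return [v for v in (find_violation(rule, u) for u in users) if v]

# Constructed rule: entering AP invoices must not be combined with approving payment runs.
RULE = PolicyRule(
    name="Create vs. approve payments",
    risk_score=90,
    group_a=ConditionGroup("Any", [Condition("Display Name", "starts with", "AP Invoice Entry")]),
    group_b=ConditionGroup("All", [Condition("Display Name", "contains", "Approve"),
                                   Condition("Entitlement Owner", "is", "finance-controller")]),
    applies_to=lambda user: user["department"] == "Finance",   # "Users matching a filter"
    scan_types={"Preventative", "Detective"},
)

# Constructed users and entitlements.
USERS = [
    {"userName": "alice", "department": "Finance", "entitlements": [
        {"Display Name": "AP Invoice Entry - EMEA", "Entitlement Owner": "ap-lead"},
        {"Display Name": "Approve Payment Run", "Entitlement Owner": "finance-controller"}]},
    {"userName": "bob", "department": "Finance", "entitlements": [
        {"Display Name": "AP Invoice Entry - EMEA", "Entitlement Owner": "ap-lead"}]},
    {"userName": "carol", "department": "IT", "entitlements": [   # outside the Applies To filter
        {"Display Name": "AP Invoice Entry - EMEA", "Entitlement Owner": "ap-lead"},
        {"Display Name": "Approve Payment Run", "Entitlement Owner": "finance-controller"}]},
]

if __name__ == "__main__":
    for violation in scan(RULE, USERS):
        print(violation)
```

Running the module reports a single violation for alice; bob holds only one side of the conflict and carol is excluded by the Applies To filter. The preventative path is what an access-request check would call: asking whether bob may receive "Approve Payment Run" owned by finance-controller returns a violation, while the same entitlement under a different owner passes, because the second group requires All of its conditions.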

Edit policy rules

  1. In the Identity Cloud admin UI, click Governance > Compliance.

  2. On the Policies page, click the ellipsis () for a policy, and then click Edit.

  3. Click the Rules tab. Make any of the following changes:

    1. Click Add Rules to add a rule to the policy.

    2. Click the ellipsis (), and then click Edit to change any aspect of a policy rule. Click Save to keep your changes.

    3. Click Remove to remove the rule from the policy.

Add policies

  1. In the Identity Cloud admin UI, click Governance > Compliance.

  2. On the Policies page, click New Policy.

  3. On the New Policy modal, enter the following, and then click Next.

    Field Description

    Name

    Enter a name for your policy. Follow any naming convention established by your company.

    Description

    Optional. Enter a general description for the new policy.

    Policy Owner

    Select a policy owner for this new policy.

  4. On the New Policy modal, select one or more rules to add to this policy.

  5. Click Save. The new policy appears on the Policies page in an Active status.

Edit policies

The Policies tab provides options to duplicate, edit, or delete a policy.

  1. In the Identity Cloud admin UI, click Governance > Compliance.

  2. On the Policies page, click the ellipsis () for a policy, and then click Edit.

  3. Make any changes, and then click Save.

    Field Description

    Status

    Options are:

    • If the status is Active, click Deactivate to disable the policy if needed.

    • If the status is Inactive, click Activate to enable the policy.

    Name

    Change the policy name.

    Description

    Optional. Add or change the description for the policy.

    Policy Owner

    Change the policy owner if necessary.

Schedule policy scans

Administrators schedule scans so that Identity Governance checks the policies for any possible violations.

  1. In the Identity Cloud admin UI, click Governance > Compliance.

  2. On the Policies page, click the ellipsis () for a policy, and then click Edit.

  3. Click the Scans tab. Set the scan schedule, and then click Save.

    Field Description

    Edit Schedule

    Options are:

    • Enter a number and a time unit: hour(s), day(s), week(s), or month(s).

    • Click Set a Start Time, and click the date and time to start a scan.

    Repeat

    Options are:

    • Enter the number of times to run a scan.

    • Click Until specific date, and click the end date and time for the scans.

    • Click Indefinitely.

  4. Click Simulate Scan to run a simulation. This feature helps to check if your policy rules are correctly configured.

  5. Click Run Scan to run a scan. The scan reports any violations to the policy.

View violations

The Identity Governance Violations page displays the compliance violations found during policy scans. You can filter the search by owner, rule, and date range, as well as forward a violation to another user for further investigation.

  1. In the Identity Cloud admin UI, click Governance > Compliance.

  2. Click the Violations tab to view all violations found during the scans.

governance compliance violations
  • 1 Click Status to view the violation status: In-progress or Completed.

  • 2 Click the filter list icon (filter_list) to search violations by owner, rule, or date range.

  • 3 Displays the violations by user.

  • 4 Displays the violated rule.

  • 5 Displays the date the violation was created.

  • 6 Click Allow or Revoke.

  • 7 Click the ellipsis () to forward the violation to another user or to view its details.

View violation details

  1. In the Identity Cloud admin UI, click Governance > Compliance.

  2. Click Violations.

  3. On the Violations page, click a violation to view its details.

  4. On the page for that violation, do one of the following:

  • Review the Details page.

    Field Description

    User

    Displays the user associated with the violation.

    Rule Name

    Displays the rule name associated with the violation.

    Rule Description

    Displays the description for the rule.

    Rule Owner

    Displays the rule owner.

    Status

    Displays the status of the violation.

    Conflicts

    Click View Conflicts to view the conflicting entitlements causing the violation.

    Risk Level

    Displays the associated risk level of the violation.

    Mitigating Control

    Review instructions for mitigating the conflict.

    Control URL

    Displays the URL for corporate compliance policies.

    Correction Advice

    Displays any advice to correct the conflicts.

  • Click Activity to view a history of the violation.

  • Click Comments to view any comments related to the violation.

View exceptions

The Identity Governance Exceptions page displays the compliance exceptions granted for violations. You can filter the search by user and rule.

  1. In the Identity Cloud admin UI, click Governance > Compliance.

  2. Click the Exceptions tab to view all exceptions.

  3. Click an exception on the list to view the associated violation details.

governance compliance exceptions
  • 1 Click the filter list icon (filter_list) to search exceptions by rule and user.

  • 2 Click the view column icon (view_column) to customize the columns displayed on the page.

  • 3 Displays the violations by user.

  • 4 Displays the violated rule.

  • 5 Displays the date of the initial violation.

  • 6 Displays the date of the latest violation.

  • 7 Displays the expiration date of the violation exception.

Copyright © 2010-2024 ForgeRock, all rights reserved.