Common interfaces
The following sections detail functionality common throughout the Identity Governance Administrative Screens.
Navigation Sidebar
The navigation sidebar is the main way for users and administrators to navigate Identity Governance. The page is split into four separate sections: one for the end user functionality (My Review Tasks, My Requests, My Approvals) and one section each for the different administrator roles and capabilities: Review Administration, Request Administration, and Configuration.
All administrative screens are available from this location, and only those accessible to a given user based on their administrator privileges will be shown.
Access Review Administration
This section will be available to any user assigned the governance-administrator internal role and includes the following options:
- Dashboard. Administrative dashboard
- User Certifications. Manage and create user certification campaigns
- Object Certifications. Manage and create object certification campaigns
- Policies. Manage and create policies, scans, and violations
- User Summary. View an individual user's certification history and tasks
- Notifications. Manage Access Review notification templates
Access Request Administration
This section will be available to any user assigned the access-request-admin internal role and includes the following options:
- View All Requests. Manage requests for access
- Bundle Editor. Create and manage request bundles
- Request Fields. Create and manage custom form fields for requests
Configuration
This section will be available to any user that is assigned any of the three Identity Governance internal roles and includes the following options:
- Glossary Editor. Create and manage glossary entries
- System Settings. Configuration options (available to governance-administrators and access-request-admins)
Tables
Throughout the admin controls, information is often stored in tables with a common set of properties, including the following options:
- Section Tabs. Navigate through the different tabs that the current table view allows
- Action Buttons. Lists the available actions that can be taken on the table rows. Note that some actions require one or more rows to be selected via the row checkboxes and remain grayed out while disabled.
- Search Filter. Allows the user to enter a value to search against the different columns of the table. Note that not all columns in a given table are searchable; refer to the individual sections of the documentation for more information.
- Sortable Column Names. Clicking the column name sorts the data by that column. Clicking again reverses the sort order.
- Row Checkboxes. If a table has row checkboxes available, these can be used to select one or more rows as the target of the available actions.
- Table Pagination Controls. Rows per page allows you to select the number of results visible at one time within the table. Values may include 10, 25, or 50. Also included are navigation arrows for moving forward and backward between pages.
Comments
Comments appear throughout review screens for certifications, violations, and exceptions, identifying actions taken against these objects. Once one or more actions have occurred, the following information details the history of events leading up to the current state of an object:
- Date. Time the action was taken
- Comment. The message entered by the user when performing the action or submitting a general comment
- By. Display name of the user who submitted the comment
Metadata
Metadata, in the form of glossary entries, can be created for various object and attribute values. Each metadata entry can contain any number of extended attributes, defined independently from other entries. In some cases, this metadata may even substitute the value that is displayed to the certifier. Pictured above is a sample metadata screen that appears when clicking on a certification entitlement. Additional information is detailed in the Identity Glossary section.
Scheduling Events
Events can be scheduled for generating certifications or running policy scans. To determine the duration between actions, the following options are available:
- Daily. Allows the administrator to generate a certification every specified number of days, starting on a specified day of the month.
- Weekly. Allows the administrator to generate a certification on specified days of the week.
- Monthly. Allows the administrator to generate a certification every specified number of months, starting on a specified month. The day of the month for the certification generation can also be specified, with ‘Last day of the month’ as an option.
Remediation Tasks
Remediation Tasks complete revocations resulting from certifications or violations via workflows defined in IDM. Identity Governance includes a single remediation workflow that handles basic remediation for both violations and certifications; however, it is recommended that this workflow be modified or replaced to adhere to custom policy:
- None. Skips automatic remediation to allow manual intervention from an administrator
- Remove Entitlements. Takes the following actions depending on the type of task being remediated:
  - Certifications. For any revoked entitlement, either removes or alters the attribute depending on the type of attribute as defined in the object schema:
    - Relationship. The relationship between target and entitlement is deleted
    - Array. The item is removed from the array
    - Other. The attribute is altered to a generic state to reflect remediation (e.g. appending “-REMEDIATED” to a string or setting a boolean to false)
  - Violation. For every target attribute defined within the given policy’s expression, the same actions listed above for certifications are taken on the target object.
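The per-attribute-type behaviour of the Remove Entitlements action, as an added example that is not Identity Governance's own remediation workflow: the schema map, the `_ref` relationship shape and the sample user are constructed for illustration.

```javascript
// Assumed: attribute type per property, as the object schema would define it.
const schema = {
  roles: "relationship",
  groups: "array",
  title: "string",
  isAdmin: "boolean",
};

// Apply the "Remove Entitlements" action for one revoked entitlement.
// Returns a modified copy so the original can be compared for auditing.
function removeEntitlement(target, attribute, entitlement) {
  const result = JSON.parse(JSON.stringify(target));
  switch (schema[attribute]) {
    case "relationship":
      // Relationship: the link between target and entitlement is deleted.
      result[attribute] = result[attribute].filter((r) => r._ref !== entitlement._ref);
      break;
    case "array":
      // Array: only the revoked item is removed from the array.
      result[attribute] = result[attribute].filter((v) => v !== entitlement);
      break;
    case "string":
      // Other: altered to a generic state that reflects the remediation.
      result[attribute] = `${result[attribute]}-REMEDIATED`;
      break;
    case "boolean":
      result[attribute] = false;
      break;
    default:
      throw new Error(`unknown attribute type for ${attribute}`);
  }
  return result;
}

// Violation remediation: every target attribute named by the policy's
// expression gets the same treatment on the target object.
function remediateViolation(target, policyTargets) {
  return policyTargets.reduce(
    (obj, { attribute, entitlement }) => removeEntitlement(obj, attribute, entitlement),
    target
  );
}

// Constructed sample target; the _ref values are illustrative only.
const sampleUser = {
  roles: [{ _ref: "managed/role/admin" }, { _ref: "managed/role/viewer" }],
  groups: ["finance-rw", "finance-ro"],
  title: "Manager",
  isAdmin: true,
};
```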
Expression Builder
Expression Builder identifies criteria for filters in certification definitions and policy rules. The criteria identify attribute constraints for target users. Depending on the exact expression builder being used (e.g. user target filter, user event based expression, policy expression) the options in the builder may differ. This section covers the basic format and use of a generic expression builder, refer to section Expression Builder for more specific details.
To build an expression, select one of the following options. Each option presents either another tier for additional criteria or identifies an attribute/managed object to serve as a base for the trigger.
- Every [user/role/etc]. Selects every object of the given object type. Does not require any further nested expressions.
- The [user/role/etc] property. Allows the administrator to specify an attribute and evaluate its value. Depending on the attribute chosen, the administrator can specify whether to evaluate a direct equals comparison or a contains comparison. In the instance of event based certifications, users can choose is, was, or changed to compare current values, previous values, or detect any change at all.
- Any of. Allows the administrator to specify multiple expressions concatenated by ‘OR’ conditions. If any of the contained expressions are true, the entire expression evaluates to true. Selecting ‘+’ appends additional expressions while selecting ‘-’ removes expressions from the end.
- All of. Allows the administrator to specify multiple expressions concatenated by ‘AND’ conditions. If all of the contained expressions are true, the entire expression evaluates to true. Selecting ‘+’ appends additional expressions while selecting ‘-’ removes expressions from the end.
- None of. Allows the administrator to specify an expression and negate its value. If the contained expression is false, the expression evaluates to true.
- The user has application. In user target filters for certifications, you can filter users by whether or not they have a link to an externally connected system.
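How the nested options above combine, as an added example that is not Identity Governance's own expression engine: the JSON node shape (`kind`, `attribute`, `match`, `operator`, `linkedSystems`) is assumed for illustration, since the product's stored format is not shown on this page, and the sample filter and users are constructed.

```javascript
// Evaluate one expression node against a user. `previous` carries the prior
// values for event based certifications (operators is / was / changed).
function evaluate(node, user, previous) {
  switch (node.kind) {
    case "every":            // Every [user]: matches with no further criteria
      return true;
    case "property": {
      const current = user[node.attribute];
      const prior = previous ? previous[node.attribute] : undefined;
      if (node.operator === "was") return compare(prior, node.value, node.match);
      if (node.operator === "changed")
        return JSON.stringify(prior) !== JSON.stringify(current);
      return compare(current, node.value, node.match);   // "is" / plain property
    }
    case "anyOf":            // OR over the contained expressions
      return node.expressions.some((e) => evaluate(e, user, previous));
    case "allOf":            // AND over the contained expressions
      return node.expressions.every((e) => evaluate(e, user, previous));
    case "noneOf":           // negation of a single contained expression
      return !evaluate(node.expression, user, previous);
    case "hasApplication":   // link to an externally connected system (assumed field)
      return (user.linkedSystems || []).includes(node.application);
    default:
      throw new Error(`unknown expression kind ${node.kind}`);
  }
}

// match is "equals" (direct comparison) or "contains" (substring or array member).
function compare(actual, expected, match) {
  if (match === "contains") {
    if (Array.isArray(actual)) return actual.includes(expected);
    return typeof actual === "string" && actual.includes(expected);
  }
  return actual === expected;
}

// Constructed user target filter: Finance users who are managers or hold an
// account in an assumed "ldap" system, excluding contractors.
const financeFilter = {
  kind: "allOf",
  expressions: [
    { kind: "property", attribute: "department", match: "equals", value: "Finance" },
    { kind: "anyOf", expressions: [
        { kind: "property", attribute: "title", match: "contains", value: "Manager" },
        { kind: "hasApplication", application: "ldap" } ] },
    { kind: "noneOf", expression:
        { kind: "property", attribute: "employeeType", match: "equals", value: "Contractor" } },
  ],
};
```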