IGA 7.1.1

System settings

Users who are assigned to either the governance-administrator or access-request-admin internal authorization role will see the System Settings tab under the Configuration subsection on the side taskbar. Navigating to this screen will allow the user to adjust any of the configuration options within the system.

Network

Server Hostname: This field is used to define the alias for the IDM environment that is running the Identity Governance application. This setting is used in email notifications, for example to link users directly to a request or an approval task.

Display

User Display Format: This field is used to define the custom display format for a user within the Identity Governance module. The value set in this field is used to dynamically display user names, so any field that leverages this property will automatically update to show the defined format once saved.

To define a display format, simply enter the desired string into the input, using double curly braces to define a user attribute on the managed user object that you want to display. A few examples are defined below:

{{userName}}                          -  jsmith
{{givenName}} {{sn}} ({{userName}})   -  John Smith (jsmith)
{{givenName}} {{sn}} - {{jobCode}}    -  John Smith - AB123
{{sn}}, {{givenName}}                 -  Smith, John
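The substitution behind the formats listed above, as an added example rather than ForgeRock's own implementation. It assumes an attribute missing from the managed user object renders as an empty string, and includes a helper an administrator could use to spot tokens that are not in the managed user schema before saving the setting:

```javascript
// Added example (not ForgeRock code): render an IGA display-format string by
// substituting each {{attribute}} token with the value from a managed user object.
// Assumption: a token whose attribute is absent from the user renders as "".
function renderDisplayFormat(format, user) {
  return format.replace(/\{\{\s*([A-Za-z0-9_]+)\s*\}\}/g, function (match, attr) {
    var value = user[attr];
    return value === undefined || value === null ? "" : String(value);
  });
}

// List the tokens in a format that do not exist in the managed user schema.
// Such tokens would silently render blank, so check them before saving.
function unknownAttributes(format, schemaAttributes) {
  var unknown = [];
  var re = /\{\{\s*([A-Za-z0-9_]+)\s*\}\}/g;
  var m;
  while ((m = re.exec(format)) !== null) {
    if (schemaAttributes.indexOf(m[1]) === -1 && unknown.indexOf(m[1]) === -1) {
      unknown.push(m[1]);
    }
  }
  return unknown;
}

// Constructed sample managed user (not real data).
var sampleUser = { userName: "jsmith", givenName: "John", sn: "Smith", jobCode: "AB123" };

// The formats from the documentation above, paired with their expected output.
var documentedFormats = [
  ["{{userName}}", "jsmith"],
  ["{{givenName}} {{sn}} ({{userName}})", "John Smith (jsmith)"],
  ["{{givenName}} {{sn}} - {{jobCode}}", "John Smith - AB123"],
  ["{{sn}}, {{givenName}}", "Smith, John"]
];

// True when every documented format renders to its documented output.
function checkDocumentedFormats() {
  return documentedFormats.every(function (pair) {
    return renderDisplayFormat(pair[0], sampleUser) === pair[1];
  });
}
```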

Delegation

Identity Governance allows administrators to enable a property within IDM that will be used to delegate all of a user’s tasks for certifications, violations, and approvals. If delegation is enabled and the user has a relationship to another managed user through the defined property, then delegation will occur for that user when a task is set to be assigned to them. If the defined property is not a relationship property, is a relationship to something other than a managed user, or is not defined for a given user, then delegation will be ignored and the user will be assigned tasks as they normally would be. When delegation does occur, the task is assigned directly to the delegate during task creation and will not be visible to the originally intended recipient.

  • Allow User Delegation: If enabled, the system will attempt to leverage the defined User Delegation property to assign tasks.

  • User Delegation Property: Select any property from the managed user schema that should be used to determine a user’s delegate.
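The delegation decision described above, written out as an added example over plain objects (not ForgeRock code). It assumes a relationship property holds an object with a `_ref` of the form `managed/user/<id>`, which is how IDM stores relationships, and that a reference to a user that does not exist falls back to the original assignee:

```javascript
// Added example (not ForgeRock code): decide who receives a task when
// User Delegation is enabled, following the rules in the documentation above.
var delegationSettings = { allowUserDelegation: true, userDelegationProperty: "delegate" };

// Constructed sample managed users keyed by id (not real data).
var managedUsers = {
  alice: { userName: "alice", delegate: { _ref: "managed/user/bob" } },     // valid delegate
  bob:   { userName: "bob" },                                               // property not defined
  carol: { userName: "carol", delegate: "bob" },                            // not a relationship property
  dave:  { userName: "dave", delegate: { _ref: "managed/role/approvers" } } // relationship, but not to a managed user
};

// A relationship value is an object whose _ref points into managed/user/.
function isManagedUserRef(value) {
  return value !== null && typeof value === "object" &&
    typeof value._ref === "string" && value._ref.indexOf("managed/user/") === 0;
}

// Return the id of the user who should receive a task intended for intendedId.
// Delegation is applied once at task creation and is not chained.
function resolveAssignee(intendedId, settings, users) {
  var user = users[intendedId];
  if (!settings.allowUserDelegation || !user) return intendedId;
  var value = user[settings.userDelegationProperty];
  if (!isManagedUserRef(value)) return intendedId; // undefined, scalar, or non-user relationship: ignore delegation
  var delegateId = value._ref.slice("managed/user/".length);
  return users[delegateId] ? delegateId : intendedId; // dangling reference: keep original assignee (assumption)
}
```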

Custom Attribute Mapping

In order to display user information throughout the user interface, ForgeRock Access Review relies on the values stored in the out-of-the-box IDM attributes username, givenName, sn, and email. However, to accommodate those implementations that use alternative custom attributes to store this basic information, an administrator can choose to map those attributes to the values available in this setting.

Autonomous Identity Integration

For those implementations that are running ForgeRock Identity Governance in parallel with ForgeRock Autonomous Identity, these settings will be used to allow the application to communicate with AutoID and enable some of the advanced recommendations that it provides.

  • AutoID Enabled: Whether to enable the AutoID integration

  • AutoID URL: Hostname of the AutoID server

  • AutoID User: Username of the user admin or service account to make API calls with

  • AutoID Password: Password of the above user/account

Menu Management

Menu Management allows an administrator to add or remove links in the top-right user dropdown menu for easier navigation to other applications that would be beneficial to the end user.

  1. To add links to the menu, select ‘Add’. A new blank row will appear for you to fill in.

  2. Enter the name of the link in the name field and the URL next to it.

  3. You can add multiple links at once by continuing to click the add button to show more blank rows.

  4. To reset the links back to their saved value, click the reset button.

  5. Once the settings have been saved, users will be able to see the navigation links in the dropdown menu at the top of the page.

Review

  • Allow Bulk Certify: If set to True, certifiers are able to certify all users at once for a specific campaign. If set to False, certifiers will need to certify each user individually.

It is best practice to set the Allow Bulk Certify option to False, as it prevents ‘rubber stamping’.

Risk Level Management

Risk Level Management allows an administrator to adjust the levels of risk defined as Low, Medium and High.

Drag tabs to adjust the levels of risk. As tabs move, the adjustment is reflected in the table below the bar. The leftmost tab will set the delimiter between Low risk and Medium risk, where the tab value is the inclusive upper boundary of the Low level of risk. Similarly, the rightmost tab will set the delimiter between Medium and High risk, where the tab value is the inclusive upper boundary of the Medium level of risk.

Request

General

Check Requests Against Policies: Enables the application to leverage policies defined in Access Review when a user attempts to submit a request. If set to true, and a user attempts to submit a request that would violate an existing policy, they will be presented an error message in the Review section of their request explaining what policy is being violated. This will block the user from submitting the request unless it is altered to meet policy conditions.

Max Filename Length: Sets the max allowable size of a submitted filename, in characters. Access Request saves submitted files to the IDM repository within the files table of the database. In order to increase this setting, the size of the column for filename within that table must first be increased to store longer strings of text. The default value of 25 allows Access Request to save files properly using the default value for that column as installed.

Approval Options

Require Comment on Reject: Requires an approver to add a comment to their approval task submission for any item that they choose to reject.

Require Comment on Approval: Requires an approver to add a comment to their approval task submission for any item that they choose to approve.

Enable Approver Reassign: Allows approvers the ability to reassign their own tasks to another user or group.

Enable Auto Approval: If set to true, any time an approver for a task is calculated to be the same user as the one who submitted the request (e.g. a manager submits a request for their requestee and the item requires manager approval), that task will be auto-approved and will not require manual approval by the requester. The item will automatically advance to the next approver within its approval chain.

Enable Auto Approval for Group: If set to true, functions the same as the above setting, but applies to any approval tasks that are assigned to a group that the requester belongs to. As an example, there is a requestable item requiring approval from a manager and an admin group, and a member of that admin group submits a request for the item. The approval will go to the manager, and if approved, will then be auto-approved by the admin group that the requester belongs to.

Days to Complete Approval Task: The number of days allowed for an approval user or group to act on an approval request before the task “expires.” Note that task expiration does not mean that the request is removed or the approval is rejected. In the event that a task is not completed by the ‘Due Date’, it will be automatically reassigned to the group defined below it with the Default Group for Approval setting. That team will then be responsible for determining which user should be given the task for completion, or alternatively cancel it.

Default Group for Approval: The group that will be assigned to handle approval tasks in the following situations:

  • When an approver key is set on a requestable item but the approver can not be found during task creation (e.g. manager is not set on the user, or entitlementOwner is not set on the object)

  • When a task reaches its expiration date

Default Approvers: This list is applied as the de facto approval chain for any item that is set as requestable but does not have an approvers key defined. It functions the same as the list would if it were defined the exact same way on the requestable item itself.

The options for enabling auto-approval and default approvers do not automatically apply to any requestable item using a custom workflow, as such workflows follow their own logic and approval process. However, they can be leveraged within those flows, if desired, by using the API to read the setting values.
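How the approval options above combine when a request's approval chain is built, as an added example (not ForgeRock's workflow code). It assumes an approvers entry is either `{userKey: "<attribute on the user the request is for>"}`, `{itemKey: "<attribute on the requestable item>"}` or `{group: "<group name>"}`, and that groups are plain member lists; it covers the requester-is-approver case, the requester-in-group case, a missing approver key routed to the Default Group for Approval, and an item with no approvers key using Default Approvers:

```javascript
// Added example (not ForgeRock code): build the approval tasks for a request
// from the Request settings described above. Statuses are computed at creation
// time here; in the product the chain still advances one task at a time.
var requestSettings = {
  enableAutoApproval: true,
  enableAutoApprovalForGroup: true,
  defaultGroupForApproval: "iga-admins",
  defaultApprovers: [{ userKey: "manager" }]
};

// Constructed sample groups and users (not real data).
var approvalGroups = { "app-admins": ["erin", "frank"], "iga-admins": ["grace"] };
var hank = { userName: "hank", manager: "erin" };
var erin = { userName: "erin" };
var ivan = { userName: "ivan" };                         // manager attribute not set

// Resolve one approvers entry to {assignee, isGroup}, or null when it cannot be found.
function resolveApprover(entry, targetUser, item) {
  if (entry.group) return approvalGroups[entry.group] ? { assignee: entry.group, isGroup: true } : null;
  var target = entry.userKey ? targetUser[entry.userKey] : item[entry.itemKey];
  return target ? { assignee: target, isGroup: false } : null;
}

// requester submits `item` on behalf of targetUser (possibly themselves).
// Returns the ordered approval tasks with their initial status.
function buildApprovalChain(requester, targetUser, item, settings) {
  var chain = item.approvers || settings.defaultApprovers; // no approvers key: Default Approvers
  return chain.map(function (entry) {
    var approver = resolveApprover(entry, targetUser, item);
    if (!approver) {
      // Approver key set on the item but not found: route to the Default Group for Approval.
      return { assignee: settings.defaultGroupForApproval, isGroup: true, status: "pending" };
    }
    var selfApproval = !approver.isGroup && settings.enableAutoApproval &&
      approver.assignee === requester.userName;
    var groupSelfApproval = approver.isGroup && settings.enableAutoApprovalForGroup &&
      approvalGroups[approver.assignee].indexOf(requester.userName) !== -1;
    return { assignee: approver.assignee, isGroup: approver.isGroup,
             status: (selfApproval || groupSelfApproval) ? "auto-approved" : "pending" };
  });
}
```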

Display

Displayable User Properties: The properties on the managed user schema that will be displayed within the popup page in requests and approval tasks when the user hovers over a user’s userName.

Displayable Item Properties: The keys on the requestable item glossary entry that will be displayed within the popup page in requests and approval tasks when the user hovers over the item’s info icon.

User Search Properties: The properties on the managed user schema that will be used to search against when a user queries for users during request creation or reassignment.

Requestable Item Search Properties: The keys on the requestable item glossary entry that will be used to search against when a user queries for items to add to a request.

Requestable Item Display Format: Format used to display requestable items within the user interface. See the user display format in section Managing Policy Violations above for information on syntax.

Requestable Item Bundle Display Format: Format used to display requestable item bundles within the user interface. See the user display format in section Managing Policy Violations above for information on syntax.

About

The about tab of the System Settings allows the user to see some basic information about the current version of the product that is installed. This information can be useful in debugging or diagnosing any issues or bugs through ForgeRock support.

Copyright © 2010-2023 ForgeRock, all rights reserved.