Professional Documents
Culture Documents
Student Guide
Authors Steve Friedberg David Goldsmith Technical Contributors and Reviewers Neil Gandhi David Goldsmith Stephan Hausmann Stephen Man Lee Harsh Patwardhan Editors Vijayalakshmi Narasimhan PJ Schemenaur Graphic Designer Satish Bettegowda Publishers Syed Ali Sumesh Koshy
Copyright 2010, Oracle and/or its affiliates. All rights reserved. Disclaimer This document contains proprietary information and is protected by copyright and other intellectual property laws. You may copy and print this document solely for your own use in an Oracle training course. The document may not be modified or altered in any way. Except where your use constitutes "fair use" under copyright law, you may not use, share, download, upload, copy, print, display, perform, reproduce, publish, license, post, transmit, or distribute this document in whole or in part without the express authorization of Oracle. The information contained in this document is subject to change without notice. If you find any problems in the document, please report them in writing to: Oracle University, 500 Oracle Parkway, Redwood Shores, California 94065 USA. This document is not warranted to be error-free. Restricted Rights Notice If this documentation is delivered to the United States Government or anyone using the documentation on behalf of the United States Government, the following notice is applicable: U.S. GOVERNMENT RIGHTS The U.S. Governments rights to use, modify, reproduce, release, perform, display, or disclose these training materials are restricted by the terms of the applicable Oracle license agreement and/or the applicable U.S. Government contract. Trademark Notice Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.
Contents
Introducing Oracle Identity Analytics 11gR1 Objectives 1-2 Organizational Pressures 1-3 Controlling System Access 1-4 Achieving Compliance 1-6 Manual Processing 1-7 Problems with This Approach 1-8 Roles 1-9 Role Benefits 1-10 Enterprise Roles 1-12 Enterprise Role Management 1-14 Enterprise Role Management Categories 1-15 Oracle Identity Analytics 1-17 Oracle Identity Analytics Features 1-18 Architecture 1-20 Sample Deployment 1-21 Integration with Provisioning Systems 1-23 Functionality Matrix 1-24 Implementation Methodology 1-26 Oracle Identity Management 1-27 Available Documentation 1-29 Summary 1-30 Practice 1 Overview: Installing the Software 1-31 Building the Identity Warehouse Objectives 2-2 Terms Used in Oracle Identity Analytics 2-3 Identity Warehouse 2-5 Identity Warehouse Contents 2-7 Business Structures 2-8 Users 2-9 Roles 2-11 Role Hierarchy 2-13 Audit Policies 2-14 Segregation of Duties (SoD) 2-15 SoD Matrix 2-16
iii
Applications 2-17 Resources 2-18 Attributes 2-19 Populating the Identity Warehouse 2-20 Populating Data Manually 2-21 Adding Additional Data Elements 2-22 Importing Data (Bulk Load of Data) 2-23 Configuring a Provisioning Server 2-24 Provisioning Server Parameters 2-25 Importing from File Processing 2-27 Importing from File: Rules 2-29 Debugging Import Errors 2-30 Debugging Import Errors Exception 2-31 Job Scheduling 2-32 Job Scheduling Through the GUI 2-33 Job Scheduling Through Direct Edit 2-34 Database Entries for Job Scheduling 2-37 Summary 2-39 Practice 2 Overview: Importing and Setting Up Identity Warehousing 2-40 3 Configuring Security Objectives 3-2 Oracle Identity Analytics Users (OIA Users) 3-3 Oracle Identity Analytics Roles (OIA Roles) 3-5 OIA Role Creation 3-7 OIA Role Visibility 3-8 OIA Users/Roles Database Tables 3-9 Proxy Assignments 3-10 Alternate Credential Store 3-11 Summary 3-12 Practice 3 Overview: Configuring Security 3-13 Configuring Identity Certification Objectives 4-2 Security Challenges 4-3 Identity Certification 4-4 Automated Certification: Benefits 4-5 Certification Environment 4-6 Certification Process 4-8 Phase 1: Preparation 4-9 Phase 2: Pilot 4-13
iv
Phase 3: Validation 4-14 Phase 4: Certification 4-15 Phase 5: Remediation 4-17 Certification Dashboard 4-19 Closed-Loop Remediation 4-21 Best Practices 4-22 Metrics 4-24 Return on Investment 4-25 Summary 4-26 Practice 4 Overview: Configuring Identity Certification 4-27 5 Configuring Auditing Objectives 5-2 Identity Auditing 5-3 Product Capabilities 5-4 Audit Rules 5-5 Audit Policy 5-6 Actors 5-7 Policy Violations 5-8 Audit Scans 5-10 Dashboard: Overview 5-11 Dashboard 5-12 Policy Violation States 5-13 Audit Policy Actions 5-14 Job Scheduling 5-15 Event Listeners 5-16 Summary 5-17 Practice 5 Overview: Configuring Auditing 5-18 Performing Role Mining Objectives 6-2 Role Management 6-3 Role Mining (Role Discovery) 6-4 Approaches to Role Mining 6-5 The Wave Methodology 6-7 The Wave Methodology (Step 1 of 7) The Wave Methodology (Step 2 of 7) The Wave Methodology (Step 3 of 7) The Wave Methodology (Step 4 of 7) The Wave Methodology (Step 5 of 7) The Wave Methodology (Step 6 of 7)
The Wave Methodology (Step 7 of 7) 6-19 Accessing Role Mining 6-21 Performing Role Mining 6-22 Role Mining: Minable Attributes 6-23 Role Mining: General Information 6-25 Role Mining: User Selection 6-26 Role Mining: Basic Parameters 6-27 Role Mining: Advanced Parameters 6-28 Role Mining: Preview 6-30 Role Mining: Execution 6-31 Role Mining: Users In Roles 6-32 Role Mining: Classification Rules 6-33 Role Mining: Mining Statistics 6-34 Role Mining: Roles 6-35 Role Mining: Role Mining Reports 6-37 Entitlements Discovery 6-38 Accessing Entitlements Discovery 6-39 Performing Entitlements Discovery 6-40 Entitlements Discovery: Strategy 6-41 Entitlements Discovery: Role/Users 6-42 Entitlements Discovery: Entitlements 6-43 Entitlements Discovery: Verification 6-45 Best Practices 6-46 Summary 6-47 Practice 6 Overview: Role Engineering 6-48 7 Performing Role Lifecycle Management Objectives 7-2 Role Management Activities 7-3 Role Lifecycle Management 7-4 Role Engineering (Definition) 7-5 Role Maintenance (Refinement) 7-6 Examples of Change Events 7-7 Role Certification (Verification) 7-8 Workflows 7-9 Default Workflows 7-10 Editing Workflows 7-11 Custom Role Modification Workflow 7-13 Processing Role Changes 7-14 Role Modification 7-15 Workflow Status 7-16
vi
Pending Requests 7-17 Modification Details 7-18 Role Versions 7-19 Role History 7-20 Best Practices 7-21 Summary 7-22 Practice 7 Overview: Performing Lifecycle Management 7-23 8 Generating Reports Objectives 8-2 Reports 8-3 Reporting Categories 8-4 Accessing Reports 8-5 Report Dashboard 8-6 Business Structure Reports 8-7 Business Structure Roles Report 8-8 Creating Custom Reports 8-9 Executing Custom Reports 8-11 Summary 8-12 Practice 8 Overview: Generating Reports 8-13
vii
Objectives
After completing this lesson, you should be able to: Identify the business drivers for role management Describe methods for meeting compliance Describe how a role management solution streamlines the process Describe the features and components of Oracle Identity Analytics Describe an Oracle Identity Analytics implementation
Objectives
Discussion: The following questions are relevant to understanding the topics covered in this lesson: How are regulatory compliance mandates affecting companies today? How are companies dealing with compliance? What is a role and how can role-based access control solutions help achieve compliance? What is the difference between a role management solution and a user provisioning solution?
Organizational Pressures
Companies are faced with: A growing number of applications A constantly changing user population The need to prevent or detect inside threats The need to meet regulatory compliance
Security: Minimize Risk
Reduce Costs
Sarbanes -Oxley
GrammLeachBliley Act
The Enterprise
How can you achieve an acceptable balance between functionality, risk, and cost?
Copyright 2010, Oracle and/or its affiliates. All rights reserved.
Organizational Pressures
Companies face multiple, multifaceted business challenges in which the management of employees and partners access to enterprise resources is vital. Foremost among these is the challenge of complying with an ever-growing number of regulations that govern the integrity and privacy of enterprise data. With the need to protect data comes the need to closely manage access to it. This involves knowing at all times who has access to corporate resources and whether their access is appropriate. Companies then need to provide documentation of this information in the event of an audit. Compliance is not the only challenge in todays enterprise. Even more critical is the need to operate an agile business that can respond quickly and competitively to business opportunities and competitive threats. Operating such a business while remaining compliant is a tall order. A major concern is how to achieve a balance between implementing new functionality while managing risk and still keep costs under control. Companies are looking to spend just enough to pass an audit and lower their risk. Companies want to reduce existing costs associated with audits while still making the process more efficient, accurate, and repeatable, thereby balancing their efforts.
Regulatory pressures
The Sarbanes-Oxley Act of 2002 The Graham-Leach-Bliley Act The Health Insurance Portability and Accountability Act The Payment Card Industry Data Security Standard
In addition to insider threats, companies are forced to comply with one or more regulations that require a review of access and access control processes. In essence, companies are being forced into compliance. Regardless of whether a company must adhere to SOX/Cobit, PCI, HIPAA, GLBA, or Basel II, it needs to understand the current access held by individuals inside and outside the company, and the current access control process. It also needs to be able to rapidly generate the evidence and related artifacts to determine user access and pass an audit.
Achieving Compliance
A common theme behind compliance involves identification and management of user access rights.
What resources does a user have an account on? Does the user require an account on that system? What are the users capabilities on that resource? Who authorized or created the users account? Does the users presence violate any business or security policies?
Achieving Compliance
A common theme behind a companys ability to achieve compliance involves its ability to ascertain all the systems that a user has access to, what capabilities or access rights the user has on those systems, and who authorized or created the account on that system. Additionally, a company needs to determine whether the user actually requires access to those systems to perform his or her job and whether his or her presence on one or more of those systems violates any business or security policies. So how do companies determine this information today? The next few pages show one such solution.
Manual Processing
Use spreadsheets to store roles and entitlements. Interview managers and business owners. Dump the systems (accounts and entitlements). Manually correlate accounts. Compare accounts and entitlements to standards. Identify violations. Periodically review role definitions.
Manual Processing
Historically, companies have implemented manual processes for achieving compliance. These companies share several traits, as shown in this slide.
Continuous monitoring of exceptions impossible Difficult to manage user access rights Performing defined versus actual analysis impossible
Roles
Abstraction layer: Provides access rights grouping mechanism Contains systems and privileges Makes assignments based on job function Provides mechanism for detecting violations
Branch Manager Bank Teller
Role 1
Role 2
Roles
A role is a grouping of entitlements across a set of resources. This grouping mechanism enables you to associate access rights to computing resources based on a users job function. In a financial institution, for example, roles might correspond to job functions such as bank teller, loan officer, branch manager, clerk, accountant, or administrative assistant. Persons in these job functions require access to a specific set of resources to perform their jobs, and their privileges on these resources might differ based on their job function as well. Roles can be shared among users as necessary. In this slide, the Branch Manager has access to the systems defined within two different roles (Role 1 and Role 2). The Bank Teller, however, has access only to the systems defined in Role 2. Assignment of multiple roles to a user is acceptable as long as that assignment does not violate any corporate business or security policies.
Role Benefits
Provide an understandable model for access Provide an efficient definition of processes and policies Reduce auditing efforts Provide a common language between business and information technology Provide consistent, known controls for defining access Facilitate access requests more easily
Role Benefits
A role-based access control (RBAC) model provides a structure that can be used to address compliance. By coupling access requirements to users based on organizational information (such as job title, employee code, or business unit), roles enable business managers to provide users with the access they need without violating business or security policies. Roles provide the following benefits. Roles: Define the model for access. Access requirements are often difficult to understand. Managers simply do not know which groups within Active Directory their employees need to perform their duties, and employees do not know what level of access to request. Define the structure for access. A role can encapsulate access requirements for a particular job function (Business Role), an application function such as create vendor (IT Role), or a temporary project membership (Auxiliary Role). In all cases, when the role content is agreed upon by the business, the business owners can also define the friendly description, the owner, and even the population who can have or request the role. All these items make it easier to understand access. Are efficient. Defined roles can be utilized throughout a companys identity and access management program. Roles make all operations easier to develop, maintain, and understand.
Enterprise Roles
IT Ops & Security Business Managers Audit & Compliance
Managing access control across the enterprise Enforcing and proving compliance
Mapping control objectives into security and access policies Lacking IT knowledge to automate critical access controls
Enterprise Roles
Utilization of roles across the enterprise provides benefits across multiple lines of business. Information Technology (IT) The IT department can use roles during the provisioning process to ensure that users have access to the correct resources. During provisioning, an automated or manual process can assign access based on roles. This makes access assignment logic easier to develop and maintain, and makes self service requests for access by employees easy to understand. Additionally, IT departments can control access to systems based on role definitions. During policy evaluations for real-time access management, being able to define policies based on roles is more efficient than policies based on fine-grained attributes. Finally, roles reduce the risk associated with access control. IT is often responsible for the risk associated with access control. With well-defined roles, access control increases, and risk decreases.
HP
IBM
Identity Compliance
Access Certification Dashboard/Analytics Policy Enforcement Activity Monitoring
Identity Warehouse BU Model | App Metadata | Glossary Users, Entitlements, Roles, Policies Identity & Access Mgmt Integration Extract, Transform, & Load (ETL)
IAM Systems
Application Infrastructure
Architecture
Architecture
Oracle Identity Analytics is a Java 2 Platform, Enterprise Edition (J2EE platform) Web application. As such, it is deployed to the Web container of an existing application server. Access to the Oracle Identity Analytics user interface is made through a standard Web browser that uses the HTTP protocol over a particular port (in this case, port 80). Oracle Identity Analytics data (business structures, users, roles, policies, applications, and resources) is contained in its Identity Warehouse. The Identity Warehouse is an RDBMS that is not included with the Oracle Identity Analytics product. Oracle Identity Analytics does not provide any database services such as replication, backups, and so on. Instead, the database administrator uses the native database tools for this purpose. The Oracle Identity Analytics software enables you to interface with some resources (such as databases, flat files, and directory servers) through an adapter. Adapters are written in the Java programming language and implement protocols such as Java Database Connectivity (JDBC) and Lightweight Directory Access Protocol (LDAP). Additionally, Oracle Identity Analytics can interface directly with flat files by using Java Naming and Directory Interface (JNDI), and can communicate with user provisioning systems through the Service Provisioning Markup Language (SPML).
Sample Deployment
Application Server
Web Interfaces
Connected Systems
Nonconnected Systems
Managed Resources
Identity Whse
Identity Mgr Instances
Sample Deployment
This slide demonstrates a sample Oracle Identity Analytics deployment that includes both connected and nonconnected resources. Connected resources include those systems that Oracle Identity Analytics can communicate with directly, which includes relational databases and directory servers. Nonconnected resources are those systems that Oracle Identity Analytics cannot communicate with directly and require that data dumps be taken on a periodic basis and consumed by Oracle Identity Analytics. This example also demonstrates integration with a user provisioning solution such as Sun Identity Manager. In the context of Oracle Identity Analytics, this is called a Provisioning Server. The Provisioning Server can be used as an authoritative source of user identities when populating the Identity Warehouse with users. Oracle Identity Analytics can also instruct the Provisioning Server to disable or delete user accounts that are found to be in violation of corporate or security policies through a process called closed-loop remediation. In this example, there are two instances of Oracle Identity Analytics in a highly available configuration. These instances can be clustered, or you can place a load balancer or network failover device in front of the instances as necessary.
Oracle Identity Analytics Role Life Cycle Mgmt Detective Identity Compliance
Oracle Identity Manager Identity Life Cycle Mgmt Preventative Identity Compliance
Functionality Matrix
Role Life Cycle Mgmt User Life Cycle Mgmt End User Self Service Identity Compliance
Reporting
* *
*
* *
Functionality Matrix
The Oracle Identity Manager and Oracle Identity Analytics products provide an integrated solution for establishing roles and managing access across the enterprise. Oracle Identity Analytics is primarily a tool for achieving compliance. It is the authoritative source for role definitions and role-to-user relationships, and provides out-of-the-box features for managing the overall role life cycle. This includes features such as notifications, approvals, and versioning when a role change occurs. The Oracle Identity Analytics software provides audit scans to identify violations against existing policies. As such, Oracle Identity Analytics is primarily a reactive tool that reacts to policy violations and takes an appropriate action. One such action might be to simply notify an owner who must then mitigate the violation manually. Alternately, Oracle Identity Analytics can interface with the Provisioning Server and request that the users account should be deleted or disabled in order to conform to corporate policies, and therefore, close the violation automatically.
Implementation Methodology
The Wave Methodology for Role Definition
Analyze & Prioritize. Prioritize divisions. Prioritize applications. Build Entitlement Warehouse. Import data. Collect and correlate entitlements to identities. Form business units. Finalize Candidate Roles. Incorporate suggested changes. Submit roles to role owners for approval. Perform Role Discovery. Define role membership. Define role entitlements. Analyze/Review Role Exceptions. Handle exceptions via auxiliary roles or ad hoc access requests.
Review Candidate Roles. Review and approve roles. Review and approve entitlements.
Finalize Role Exceptions and Certify Roles. Incorporate any remaining changes. Finalize role definitions.
Implementation Methodology
Managing access based on users roles is an efficient, effective alternative to attempting to do the same on a user-by-user basis, which can be virtually impossible when dealing with large numbers of dynamic users. To assist organizations in creating a role-based model for access control, Oracle has developed a wave methodology that breaks users into manageable chunks, or waves, for the purpose of defining roles. The Sun wave methodology breaks large numbers of users into more manageable chunks, or waves, for the purpose of defining roles. This is accomplished by first dividing users into business units, which are groupings of people based on their managers, departments, divisions, or other commonalities. These business units are then grouped into different waves (usually four to six business units per wave) that can be prioritized based on the needs of the business. Each wave requires a seven-step process for role definition as shown in the slide. Note: You can obtain more information about Wave Methodology in the lesson titled Performing Role Mining. The Wave Methodology white paper can be found at http://www.sun.com/offers/details/wave_methodology.xml.
Directory Services
Identity Manager
Available Documentation
All Audiences
Oracle Identity Analytics 11gR1 Release Notes
Business Users
Business Administrators Guide Users Guide
System Integrators
System Integrators Guide API Guide
Available Documentation
Oracle provides extensive documentation on the Oracle Identity Analytics product that is applicable to different audiences. This slide provides an overview of the documents that are available on the Oracle Identity Analytics 11gR1 Documentation Home (Wiki) at http://wikis.sun.com/display/OIA11gDocs/Home.
Summary
In this lesson, you should have learned to: Identify the business drivers for role management Describe methods for meeting compliance Describe how a role management solution streamlines the process Describe the features and components of Oracle Identity Analytics Describe an Oracle Identity Analytics implementation
Objectives
After completing this lesson, you should be able to describe the following: Oracle Identity Analytics terminology Identity Warehouse Methods for importing data Job scheduling
Objectives
Discussion: The following questions are relevant to understanding the topics covered in this lesson: What type of information does Oracle Identity Analytics store and where is this information maintained? How can you import data (users, roles, business units, and so on) from existing sources? What functionality does Oracle Identity Analytics provide for job scheduling?
Identity Warehouse
Is a data-rich repository of Business Structures, Users, Roles, Policies, Applications, and Resources Is a relational database Provides a logical view of the company for management Enables implicit grouping of people for role mining purposes Contains all entitlement data:
Consists of data imported from organizational resources Is updated on a regular or scheduled basis
Identity Warehouse
Oracle Identity Analytics utilizes a data-rich repository called the Identity Warehouse that contains all important entitlement data for your organization (Business Structures, Users, Roles, Policies, Applications, and Resources). The Identity Warehouse is a relational database (MySQL, SQL Server, Oracle, or DB2) that stores identity information (profiles and entitlements) for all users across the enterprise. This includes the access rights held across all systems and applications. The Extract-TransformLoad (ETL) functionality in Oracle Identity Analytics and the direct interfaces to most provisioning systems (Sun, IBM, Oracle, CA, BMC, and so on) allow for the import of user identity and account information quickly and securely. The hierarchical nature of the warehouse means that organizations can capture detailed granular data from all applications. The scheduler built within Oracle Identity Analytics ensures repeatability of the import process at a predetermined time. Oracle Identity Analytics also captures the glossary description of each entitlement, which can be sent as a separate feed to the repository.
Consists of the following objects: Business Structures Users Roles Policies Applications Resources
Business Structures
Are hierarchical structures composed of Business Units Provide scope to Oracle Identity Analytics operations Can contain Business Units of any organizational grouping Impose no limitations on the number of Business Units
Example Corporation
Operations
Marketing
Client Services
Human Resources
Information Technology
Product Mgmt
Professiona l Services
Business Structures
Oracle Identity Analytics performs operations such as role certifications and policy violation scans within organizational groupings called business structures. A business structure provides the scope of these operations and can consist of multiple business units to create a hierarchical model of the organization. A business unit can represent entities such as departments, teams, geographic locations, or any other type of organizational unit. Organizations can be segregated into as many business structures with as many levels of hierarchy as are required to represent teams and subteams within the organization. There is no limit to the number of users who can be assigned to a business structure.
Users
A persons identity in Oracle Identity Analytics Comprehensive representation of the person:
Necessary for correlation Necessary for attestation First Name, Last Name, Address, Phone, Email, Title, Description, Employee ID, Manager, Location, and so on
Users
A user is a global identity to which various accounts are associated. A user can have multiple accounts, but all the accounts are associated with a single global identity in Oracle Identity Analytics. This global identity is defined under the Users View, which shows the entire list of users who belong to the organization. A user is a discrete, identifiable entity that has a business need to access or modify enterprise information assets. Typically a user is an individual, but a user can also be a program, a process, or a piece of computer hardware. Users are associated with business structures in various ways. A user can be assigned to several business structures based on access level and other details within an organization. A business user has a manager or an application approver who is tasked with carrying out various user-management and role-management functions on the user. A naming convention for all users needs to be established. A common naming convention is a combination of a users name in lowercase letters and a set of numbers. For example, John Smiths username might be josmit01. Usernames must be unique.
Users (continued)
The user store is the central platform, database, or directory where user records are stored. Oracle Identity Analytics uses the user to populate identities within the Identity Warehouse. Commonly used user stores include Active Directory, Exchange, ORACLE, SAP, UNIX, and RDBMS Tables. Initially, an organization in Oracle Identity Analytics is populated with users by using a feed from an HR system. The HR system is used to create all the global identities in Oracle Identity Analytics. Alternatively, the global identities can be created from a provisioning system such as Oracle Waveset (formerly Sun Identity Manager). Note: Oracle Identity Analytics is a data-heavy model and consists of several data elements associated with a user. This is in contrast to Oracle Waveset, which maintains only enough data to accurately identify and correlate users (a data-sparse model). Oracle Identity Analytics can consist of hundreds of data elements, whereas Oracle Waveset consists of less than 10, by default.
Roles
Oracle Identity Analytics supports a role-based access control model.
Roles consists of applications and entitlements. Access to assets is provided through role assignment.
Roles change based on organizational needs. Role definitions can be created based on:
A top-down approach A bottom-up approach A combination of both
Similar roles can be consolidated as appropriate. Roles can include other roles (role hierarchy).
Roles
Oracle Identity Analytics administers role-based access controls. Roles make it easier to assign access levels to users and to audit those assignments on an ongoing basis. Rather than assigning access levels to users directly, access levels are assigned to a role, the role is assigned to individual users, and a users access level is determined by the roles assigned to that user. Management of individual user rights becomes a simple matter of assigning one or more roles to the user. Role-based administration typically grows and expands as new situations occur. The main advantage of using this approach is ease of implementation. Role-based administration can be established in a centralized fashion, distributed throughout your network, or can consist of a combination of both. Oracle Identity Analytics can be configured to match the unique structure and needs of your organization. Roles can be defined in a hierarchical format, and segregation of duties (SoD) can be administered through a role. Roles typically represent a job function and can contain policies that describe the access that individuals have within the organization. For example, a person can function as a manager, a developer, and a trainer. In this case, three roles represent each job function because each requires different privileges and access to different resources.
Roles (continued)
Roles provide the flexibility and power to enforce enterprise standards so that you can accomplish the following: Manage users who perform the same tasks the same way no matter where they are located in the enterprise Perform less work when managing users because you do not have to manually specify privileges every time a change is made to a persons job function A role can be nested within another role. Role hierarchy can be defined for any level required in an organization. Roles have a life of their own and change as the organization changes. The role management features within Oracle Identity Analytics enable organizations to maintain the life cycle of a role. This includes comprehensive workflows for adding, modifying, and decommissioning of roles, and provides the following features: Role consolidation allows for the comparison of roles based on underlying entitlements or similarity in users. Role versioning ensures that all historical data is maintained for each role. Role certification ensures that the owner of the role can validate the content of each role. Role versus Actual analysis ensures that all access that the user has beyond that provided by the role is monitored. Note: Refer to the lesson titled Performing Role Lifecycle Management for more information about role lifecycle management.
Role Hierarchy
Consists of the following types of roles:
Enterprise roles (highest level) Functional roles (based on job function) Auxiliary roles (can have a time limit)
Role Hierarchy
Similar to a business unit hierarchy, roles can exist in an n-level hierarchy, where top-level roles assign more global entitlements and lower-level (child) roles assign more specific entitlements. The highest level in the hierarchy consists of enterprise roles that define the resources and entitlements that all users in a specific category obtain simply because they are who they are. These might include an email account, access to the local area network (LAN), or a nondigital asset such as an employee phone. Enterprise roles are typically assigned automatically based on programmatic logic (rules). Functional roles are more granular and provide entitlements based on the users job function within the organization. For example, a manager can access the HR application to manage employee data, or a project manager can have an account on the project server. Functional roles can be assigned programmatically, or you can provide a process for users to request access to such roles. Approximately 80 percent of all users can be associated with the appropriate roles through enterprise and functional roles. The remaining 20 percent of access is associated through an auxiliary role. Auxiliary roles are more focused and are typically associated with a specific resource or set of resources. Users request access to auxiliary roles and are typically granted access for a limited duration. Oracle Identity Analytics can associate an expiration date on auxiliary roles. After the roles end date has been reached, a users access to the entitlements associated with the role causes a violation.
Audit Policies
Are rules that specify segregation of duty violations
A user with responsibility for accounts payable cannot also be responsible for accounts receivable.
Can span multiple resources Can be associated with multiple roles Can be evaluated to determine if any violations currently exist Can cause a remediator to take action when the violation is found
Audit Policies
An audit policy is a collection of audit rules that together enforce business policies that are associated with segregation of duties. Suppose that you are responsible for both accounts payable and accounts receivable and must implement procedures to prevent a potentially risky aggregation of responsibilities in employees working in the accounting department. You might create an audit policy that ensures that personnel with responsibility for accounts payable are not responsible for accounts receivable. Audit policies contain the following: A set of rules in which each rule specifies a condition that constitutes a policy violation A workflow that launches remediation tasks A group of designated administrators, or remediators, with permission to view and respond to policy violations created by the preceding rules Oracle Identity Analytics scans resources searching for policy violations. After a policy violation is detected (in this scenario, users with too much authority), the associated workflow can launch specific remediation-related tasks, including automatically notifying select remediators.
SoD Matrix
SoD Matrix
This slide demonstrates an SoD matrix of the roles that can be associated with a user and those that cannot be combined. Imagine having to maintain matrixes like this and attempting to find violations manually for the entire enterprise. Oracle Identity Analytics does this for you out-of-the-box.
Applications
Include a group of entitlements for reporting purposes Use business-level verbiage Can span multiple resources
Communications
Directory Server
Email Server
Calendar Server
Applications
Applications provide a method of grouping entitlements across one or more resources for auditing purposes. Applications can consist of any combination of resources, entitlements, group memberships, and so on. This enables application owners to use language that is more attuned to business during the certification process instead of using more cryptic, technical language. The example in this slide demonstrates how three different resources (Directory Server, Email Server, and Calendar Server) are combined under a single Communications application. The owner of the Communications application can certify users associated with that application more easily than attempting to certify each resource or entitlement individually.
Resources
Resources are systems and enterprise information assets. Each is an instance of a resource type. Each is an authoritative source for user entitlements. Each has an owner who certifies user entitlements.
Resource Types
Directories
Databases
Mainframes
Operating Systems
Custom Application s
Non-digital Assets
Resources
Resources are the systems and enterprise information assets that users require in order to perform their jobs. In Oracle Identity Analytics, a resource is an instance of a resource type, which is a grouping of similar resources. For example, multiple Oracle database instances may compose a resource type named Oracle, where each individual database instance is a resource. Common resource types include platforms (Windows 2000, UNIX, or an RACF mainframe) or business applications (such as billing and accounts payable applications). User entitlements are collected from resources and stored in the Identity Warehouse. Resource owners run reports against their resources and certify that the appropriate users have the proper entitlements. Note: In the previous releases of Sun Role Manager, the term endpoint was used to denote a resource, whereas the term namespace was used to denote a resource type.
Attributes
Resources contain attributes.
User-based (uid, gid, cn, sn) Policy-based (groups)
Attributes
Resources consist of data elements that pertain to user and policy information. For example, a user account on a UNIX system would include attributes such as uid, gid, gecos, and shell. A user object in a directory server would include attributes such as cn (common name), sn (surname or last name), and quite possibly the groups that the user belongs to. Oracle Identity Analytics evaluates this information to determine if the users presence on the resource or his or her capabilities on the resource violates any business policies. You can group similar types of attributes to form an attribute category that can be used for data mining purposes. When defining resources, you can create attribute categories and specify the attributes within those categories. You can also specify other characteristics such as whether the attribute is used in the role mining process (Minable) or the certification process (Certifiable). Note: Before you start a role mining job, you must specify the attributes that are minable. Attempting to run role mining without any attributes set as minable will result in an error. See the lesson titled Performing Role Mining for more information.
However, this is not an efficient process when processing large amounts of data.
Before performing a bulk load of data, you must configure a provisioning server.
The contents of the schema files are not case-sensitive. Contents of data files are case-sensitive.
Review files in the drop locations error directory. Review the rbacx.log file.
Description
File: businessstructure.csv, line no.1, doesn't match businessstructure.rbx schema, found [Schema File,Data File,Database Table] File: businessstructure.csv, line no.2, doesn't match businessstructure.rbx schema, found [businessstructure.rbx,businessstr ucture.csv,businessUnits] File: businessstructure.csv, line no.3, doesn't match businessstructure.rbx schema, found [,,] Aborting BusinessUnit import, file: businessstructure.csv Unsuccessful business structure import, file: businessstructure.csv
12/01/2009 12:00:01
ERROR
12/01/2009 12:00:01
ERROR
ERROR ERROR
Job Scheduling
Oracle Identity Analytics includes a scheduler application (Quartz Scheduler). Data imports and exports can be scheduled to run on a periodic basis. A preconfigured set of jobs is included. Methods for scheduling jobs include:
Graphical user interface Direct edit of configuration files
Job Scheduling
Oracle Identity Analytics provides a scheduler that enables you to set a specific time for imports and exports. You can schedule import and export jobs by using the scheduler in the graphical user interface, or you can schedule jobs by manually editing configuration files. The following jobs are included with Oracle Identity Analytics: Accounts Maintenance Glossary Import Roles Import Policies Import Rule Based Role Assignment Note: Before you can import data into Oracle Identity Analytics, you need to configure a Provisioning Server.
<!--ref bean="usersImportJob"/--> <!--ref bean="accountsImportJob"/--> <!--ref bean="rolesImportJob"/--> <!--ref bean="glossaryImportJob"/--> <!--ref bean="policiesImportJob"/--> <!--ref bean="certificationReminderJob"/--> <!--ref bean="reportReminderJob"/--> <!--ref bean="stableFolderCleanUpJob"/--> <!--ref bean="accountsMaintenanceJob"/--> <!--ref bean="roleMembershipRuleJob"/--> <ref bean="fullTextIndexMaintenancedJob"/> <ref bean="workflowStepSLAJob"/> <ref bean="roleMembershipJob"/> </list> </property> For example, if you want to import users on a periodic basis, you can replace the line containing usersImportJob <!--ref bean="usersImportJob"/--> with the following: <ref bean="usersImportJob"/> 2. Locate usersImportJob and usersImportTrigger in the jobs.xml file and configure the schedule as follows: <bean id="usersImportTrigger" class="org.springframework.scheduling.quartz.CronTriggerBean"> <property name="jobDetail"> <ref bean="usersImportJob"/> </property> <property name="cronExpression"> <value>0 0/5 * * * ?</value> </property> </bean> <bean id="usersImportJob" class="org.springframework.scheduling.quartz.JobDetailBean"> <property name="name"> <value>Users Import</value> </property> <property name="description"> <value>Users import Job</value> </property> <property name="jobClass">
These tables are updated when jobs are configured from either the GUI or edited manually. Jobs can be disabled but there is no interface in Oracle Identity Analytics to delete them.
After you have configured a job, you can disable it, but there is no direct interface for deleting it. If you want to remove a particular event from these tables, you must directly edit the database tables.
Summary
In this lesson, you should have learned to describe the following: Oracle Identity Analytics terminology Identity Warehouse Methods for importing data Job scheduling
Configuring Security
Objectives
After completing this lesson, you should be able to: Describe the Oracle Identity Analytics authorization model Manage Oracle Identity Analytics Users (OIA Users) Manage Oracle Identity Analytics Roles (OIA Roles) Describe proxy assignments Configure Oracle Identity Analytics to authenticate against alternate credential stores
Objectives
Discussion: The following questions are relevant to understanding the topics covered in this lesson: How can you create a delegated administrative environment within Oracle Identity Analytics? Can you assign different rights to different administrators in Oracle Identity Analytics? How can you configure Oracle Identity Analytics to authenticate administrators against a directory server?
OIA Roles consist of one or more system privileges. System privileges specify:
What an OIA User can see (visibility) What an OIA User can do (capability)
Any OIA Role with business privileges becomes a Business Role. Administrators can create and edit OIA Roles.
The OIA Users interface depends on the OIA Role. Dashboard Tabs Privileges
Copyright 2010, Oracle and/or its affiliates. All rights reserved.
Proxy Assignments
OIA Users can delegate certification-related duties. Proxy assignment can be made to another OIA User. Delegations cannot be set for more than 30 days.
Proxy Assignments
If an OIA User is on leave or vacation, critical tasks such as Certifications or Role Approvals will be placed on hold and may have an impact on the overall business. In such instances, an OIA User can delegate his or her tasks to another OIA User to act on his or her behalf. This is called proxy assignment. OIA Users can set proxy assignment for a maximum of 30 days. Attempting to go beyond that time frame will result in an error in the user interface.
The username attribute for the OIA User must exist in the target system.
rbx_user Username Target System NetBIOSDomain\sAMAccountName
(where username = sAMAccountName) Users should be correlated based on the email attribute.
Summary
In this lesson, you should have learned to: Describe the Oracle Identity Analytics authorization model Manage Oracle Identity Analytics Users (OIA Users) Manage Oracle Identity Analytics Roles (OIA Roles) Describe proxy assignments Configure Oracle Identity Analytics to authenticate against alternate credential stores
Objectives
After completing this lesson, you should be able to: Describe security challenges faced by organizations Describe the benefits of an automated certification process Establish a certification environment Configure the Oracle Identity Analytics Glossary Describe the identity certification process Perform an identity certification
Objectives
Discussion: The following questions are relevant to understanding the topics covered in this lesson: How can an identity certification process address security challenges? What are the steps involved in identity certification? How can certification be automated and how can it be managed? How can the Oracle Identity Analytics Glossary provide context to identity certification?
Security Challenges
Outside threats:
Identity theft Breaches Lost or stolen data
Inside threats:
Complex organizational structure Expanding geographical footprint Multiple areas of business
Security Challenges
The explosive global growth within organizations across verticals has created unprecedented security challenges. Even as companies battle security threats from the outside, complex organizational structures, an expanding geographical footprint, and multiple areas of business are paving the way for ever-increasing threats from the inside. Compliance laws such as Sarbanes-Oxley, HIPAA, and Model Audit Rule (MAR) are forcing companies to streamline their access-control review processes. Organizations need to strike a balance: tighten information security without jeopardizing the business agility of the enterprise and achieve the nirvana state of least privilege for employees.
Identity Certification
Is the process of reviewing employees entitlements to access applications and/or data Is performed by managers who are responsible for authorizing or revoking access Can be scheduled on a regular basis to meet compliance requirements Ensures that access is aligned with need Is a necessary step in meeting compliance Should be automated
Identity Certification
To address security challenges, companies must control access to system resources and thus prevent unauthorized personnel from accessing or compromising these systems. This involves a proactive approach during the account creation process, but also involves verification or a reactive approach. To ensure that users have appropriate access rights across the organization, companies must consistently monitor mission-critical systems and certify any accounts found. Certification (or attestation) is the process of evaluating user entitlements across system applications or data to ensure that users have access to only those systems required to perform their jobs. A well-followed certification process addresses the security challenges faced by todays organizations and provides the tools necessary to meet regulatory compliance. Managing and auditing enterprisewide attestations is a major challenge, however, for companies with a large number of employees. Because individual users can have access to a multitude of platforms, systems, and applications, organizations need an easy-to-use tool that managers can use to review user entitlements on a regular basis. Moreover, federal requirements require time-based certifications, granular entitlements, and so on. To meet these challenges, companies are moving away from cumbersome, manual access control processes and embracing an automated mechanism that effectively monitors the fundamental security challenge: who has access to what, and who has approved the access.
Certification Environment
Establish a certification environment before attempting to perform certifications. A certification environment consists of the following:
Select participants (actors). Select applications, resources, and attributes. Create labels. Configure email templates.
Certification Environment
There are several things to consider before performing an identity certification. Certification Participants (Actors) First, you need to understand who will participate in the certification process. These participants are called actors. The following table describes the types of actors that are typically involved in the identity certification process and a brief description of each actor. Actor Name Certifier User Manager Access Reviewer Application Owner Role Owner Description A generic term that signifies a person who is responsible for reviewing and completing any kind of certification A manager with direct reports. Users report to a user manager. Designated personnel responsible for reviewing user access Designated personnel responsible for reviewing user access on a particular target system Designated personnel responsible for reviewing a role and its content
Certification Administrator
Applications, Resources, and Attributes Second, you need to select the applications, resources, and attributes that will be considered during the certification process. It is best to focus on those systems that are considered critical and limit the process only to those applications. This will reduce the time required to perform the certification and provide a quick win. Certification Labels (Glossary) Business managers are expected to certify that a user has the correct entitlements on the appropriate systems, but when reviewing reports, they see references that are cryptic and have no apparent meaning. The third thing that you need to do is to define the certification labels that associate cryptic access permissions into business-friendly terms. This information is contained in the Oracle Identity Analytics Glossary and can be defined on a per-resource basis. Email Templates Notifications are sent to certifiers, indicating that they need to take action on a particular certification. The last thing that you need to do is to create the templates for those emails.
Certification Process
Certification involves five distinct phases: 1. Preparation 2. Pilot 3. Validation 4. Certification 5. Remediation
Certification Process
This slide provides an overview of the phases involved in an identity certification deployment.
Phase 1: Preparation
In the preparation phase, you perform the following activities: 1. Create a certification governance team. 2. Build the Identity Warehouse. 3. Select the correct certification. 4. Determine the certification process cycle.
Phase 1: Preparation
During the preparation phase, you perform the following steps: 1. Create a certification governance team. 2. Build the Identity Warehouse. 3. Select the correct certification. 4. Determine the certification process cycle. Create a Certification Governance Team One of the first steps in identity certification deployment is to create a certification management or certification governance team. This team is responsible for managing the certification process and communicating information to key stakeholders and users affected by the changes. The team must do the following: Understand the certification management tool. Manage the life cycle of certifications. Steer the communication strategy.
Determine the Certification Process Cycle Before you start your certification process, you should determine the frequency of the certifications. Use the incremental certification feature, a setting that allows user managers to certify only the changes that have taken place since the last-created certification. Enable this setting to avoid repetition of access evaluation for previously certified users.
Phase 2: Pilot
In the pilot phase, you perform the following activities: 1. Form a user acceptance testing team. 2. Create pilot certifications. 3. Configure remediation settings.
Phase 2: Pilot
Before performing any certifications, you should test the configuration. This is a critical step to ensuring success. A pilot phase gives you the opportunity to detect any outstanding issues and address them before performing the actual certification. In the pilot phase, you will perform the following activities: 1. Form a user acceptance testing (UAT) team and include team members in the process. This team should participate in two different roles: testing the administrative functions and serving as end users or requestors. The team will gain greater understanding of how to manage its own access and support end users who may require assistance. 2. Create pilot certifications. Launch a pilot certification for a predetermined set of users. Include a mix of systemsavvy and non-IT users in the pilot to ensure a complete system run. Monitor the pilot certification process and progress. Refine your certification configuration based on the results of the pilot run. 3. Configure remediation settings (include managed and nonmanaged applications). Oracle Identity Analytics enables you to automatically remediate accounts that have been revoked during the certification process. The actions taken during remediation can be as simple as sending an email to the appropriate owner or as extensive as automatically removing the users entitlements from the system where a violation has occurred. You should configure the remediation settings because this will expedite the post-revocation activity.
Phase 3: Validation
Ensure the following before launching certifications: Certification meets organizational requirements. Issues found during the pilot have been addressed. Email templates are relevant. High-profile users are excluded from the certification. Administrators are blind copied on all notifications. The system can handle increased traffic.
Phase 3: Validation
Before launching any certifications, you should recheck your settings to ensure the following: All the identity certification configurations are in line with your organizations requirements. Issues encountered during the pilot process have been addressed. Email templates have been created and contain relevant content. The escalation workflow has been developed and dates are set for reminders to managers. A list of high-profile users (senior vice presidents and above) has been created. This groups daily administrative activities are performed by their respective executive assistants or designated proxies. You should turn off the escalation emails for this set of users. Administrators have been blind copied (bcc) on all certification notifications. Configuration changes on the server have been made to accommodate increased traffic to the tool.
Phase 4: Certification
Best practices for launching certifications are as follows: Launch the certification in batches. Stay within predefined time lines. Handle certifications for high-profile users.
Phase 4: Certification
After you have validated the certification settings, you are now ready to launch an identity certification. The success or failure of the certification depends on the previous phases. Best practices for launching an identity certification include the following: Launch the certification in batches. To facilitate the success of the certification process, you should launch certifications in increments of 50. This is a manageable number and enables you to address any issues that arise during the certification process without impacting the organization as a whole. Stay within predefined time lines. A certification campaign is an enterprisewide activity and involves various business units and a broad range of participants. This includes business line managers, application owners, and data owners. As such, an identity certification can drag on for weeks (if not months) if not managed properly. The certification process should not take more than four weeks in total, and managers must complete their certifications within two weeks. Managers should be onboard if you have effectively executed the communication plan created in Phase 1. If not, Oracle Identity Analytics provides notifications, escalations, and monitoring by administrative personnel to aid in this process.
After the certification has been launched, there are two distinct participants that become part of the certification cycle: certifiers and certification administrators. Certifiers are responsible for completing their certifications on time. This includes verifying the following information as part of the process: All users (employees, contractors, and so on) who report to them are included in the certification. All applications pertinent to their business unit are included in the certification. A users presence or entitlement on a particular application does not create a violation. Certifiers review each user and must attest the users access rights. After the certification is completed, the certifier should print the certification report for reference and distribute it to interested parties. If any users or applications were omitted during the certification process, the certifier must have the appropriate administrator add them for the next certification. Certification administrators ensure that certification deadlines are being met within the fourweek cycle. To do this, they must monitor the number of certifications that have been completed and are currently in progress. Additionally, certification administrators must monitor notifications to ensure that they are being addressed in a timely manner. In cases where a notification is not being addressed, the certification administrator can escalate or reassign the certification to a proxy user. Certification administrators monitor obsolete or revoked users on a regular basis and coordinate with management as to how to clean up these types of users.
Phase 5: Remediation
In the remediation phase, you perform the following activities: 1. Review certification reports. 2. Address violations found on:
Managed resources Unmanaged resources
Phase 5: Remediation
Remediation is the last phase in the certification process and involves taking action on any violations that may have been found. To accomplish this, certification administrators need to review reports generated during the certification process. The following table provides a description of some of the types of reports that are available during this phase. Certification Reports Report: Description: Action: Report: Description: Action: Consolidated certified access report Compiles evidence of certifiers responses Should be stored in a noneditable format Consolidated revoked access certification report Includes all revoked accounts, roles, and entitlements across the organization Must be shared with application owners and the user administration team for remediation action
Note: Refer to the Oracle Identity Analytics 11gR1 Users Guide (http://wikis.sun.com/display/OIA11gDocs/User%27s+Guide) for a complete list of reports. The information contained in these reports can be used to communicate the status of the certification and to determine the steps for addressing any violations found. The next steps performed depend on whether the violation was found on a managed or nonmanaged resource. For managed resources, if Oracle Identity Analytics is integrated with Oracle Waveset, the software directly revokes the account in the provisioning solution and updates information in the Identity Warehouse. For nonmanaged resources, the certification administrator must work with the application owners to ensure that the revoked accounts are deprovisioned. Certification administrators can achieve continuous monitoring by generating remediation reports on a regular basis.
Certification Dashboard
Summarizes status information for certifications in progress:
Certifications by Status Summary User Accounts Certification Status Notifications Issued in Last Week Statistics User Roles Certification Status
Certification Dashboard
The identity certification dashboard summarizes status information for certifications in progress. The information presented is customized based on your user access. For example, if you are logged in as an administrator with global access, the dashboard presents certification data for the entire organization. If you are logged in as a manager, however, the dashboard presents information that is relevant only to your particular business units. The identity certification dashboard presents the information found in the following table. Dashboard Panel Certifications by Status Description This bar graph compares certification statuses (new, in progress, complete, and expired) for each of the four certification types (user, role, resource, and data owner). Summary provides the total number of users, accounts, resource types, and resources that are defined in Oracle Identity Analytics for your organization. This pie chart shows how many user accounts are marked as certified, revoked, and incomplete.
Summary
Statistics
To open the identity certification dashboard, select Identity Certification > Dashboard from the main menu.
Closed-Loop Remediation
The certification process is tightly coupled with the provisioning process. Roles and entitlements are revoked in the provisioning solution as a result of them being revoked in the certification process. This feature is available to implementations that utilized Oracle Identity Manager as the provisioning solution.
Closed-Loop Remediation
Closed-loop remediation is a feature that enables you to directly revoke roles and entitlements from the provisioning solution as a result of roles and entitlements that were revoked during the certification process. This feature is applicable only if the provisioning solution is Oracle Waveset and only pertains to those applications being managed by the Oracle Waveset software. For nonmanaged applications, you can manually revoke roles and entitlements by using the information stored in the remediation configuration module. It is the responsibility of the certification administrator to work with individual application or data owners to ensure that this task has been completed.
Best Practices
Do not rush through precertification or prelaunch. Limit the number of applications. Use a four-week certification cycle as a foundation. Communicate, communicate, communicate. Provide training to certifiers. Take immediate action on revocation reports.
Best Practices
When deploying an identity certification solution, follow these best practices to provide the best foundation for success. Do not rush through the precertification or prelaunch phases. Plan to communicate, pilot, remediate changes from the pilot, communicate again, and then launch your first batch of certifications. Overlooking this process creates the risk that governance, training, and communication have not occurred to the proper degree to ensure sustainable success. Limit the number of applications considered during the certification process. Selecting too many applications that may not be critical to your business increases risk. The secret to saving time and minimizing business risk lies in the choice of applications. Organizations often make the mistake of either selecting too many applications, which do not pose a potential security threat, or not including all data-sensitive applications in the review process. Therefore, a team comprising a business analyst and a technical expert must be consulted before short-listing target applications. Also, include your internal audit team in this discussion because it is best able to differentiate between applications that are compliance-critical and those that can be included in the certification process.
Metrics
Reduction in the number of dormant or terminated accounts Reduction in the number of sensitive or high-privilege accounts and entitlements Number of accounts and entitlements remediated Remediation count of incorrect user-to-manager reporting relationships
Metrics
This slide provides an overview of some of the key metrics that will interest your management team, as well as internal and external auditors. Following these best practices will make the certification process more successful. You can leverage this success by communicating these metrics throughout the organization.
Return on Investment
Reduction in time Minimization of errors Reduction in manpower costs Enhanced user experience
Return on Investment
Additionally, you can calculate return on investment (ROI) on the criteria shown in this slide. Whereas many of these items have a direct impact on the bottom line, others are more objective. Reduction in time: There is significant reduction in turnaround time versus manual certification and in comparing a complete certification versus incremental certifications. Minimization of errors: With monitoring ease, an automated certification module eliminates manual errors. Reduction in manpower costs: Fewer people are involved in the process. Enhanced user experience: Certifiers now do not loathe the process.
Summary
In this lesson, you should have learned to: Describe security challenges faced by organizations Describe the benefits of an automated certification process Establish a certification environment Configure the Oracle Identity Analytics Glossary Describe the identity certification process Perform an identity certification
Configuring Auditing
Objectives
After completing this lesson, you should be able to: Describe identity auditing Configure audit rules and audit policies Perform audit scans and detect policy violations Schedule audit scan jobs Configure event listeners
Objectives
Discussion: The following questions are relevant to understanding the topics covered in this lesson: What is an identity audit and how does it compare to identity certification? How does Oracle Identity Analytics detect separation of duties violations? Who are the key actors in an identity audit process and what are their responsibilities? How can the identity audit process be automated?
Identity Auditing
Identity auditing is the process of scanning for access violations. Violations are flagged against audit policies. Audit policies consist of audit rules.
Audit Rule Violation Audit Rule Audit Policy
Identity Auditing
Identity auditing is the process of scanning resources for access violations. In Oracle Identity Analytics, audit rules define violations. The intent of an audit rule is to determine if any user has been granted access that he or she should not have based on business or security policies, and includes detection of segregation of duties violations. Note: A segregation of duties (SoD) violation is a violation in which a user account, a user attribute, or a role has been assigned two entitlements that should not be held in combination. Audit rules are combined to create an audit policy. User accounts and business units are then scanned for audit policy violations. User accounts, user attributes, and roles that violate an audit policy are flagged and tracked until the violation is resolved.
Product Capabilities
Monitors users actual access to resources Detects segregation of duties (SoD) violations Creates and tracks audit rules, audit policies, and audit policy violations throughout the audit life cycle Captures violations on a continuous basis and maintains a history of audit scans
Product Capabilities
Oracle Identity Analytics has a detection mechanism that monitors users actual access to resources and captures any violations on a continuous basis. Note: This is different than the identity certification capabilities described in the lesson titled Configuring Identity Certification. Identity certification enables managers to certify or revoke access of users on a periodic basis (when certifications are performed) and might lead to the creation, deletion, or modification of audit policies. Identity auditing monitors for violations against policies on a continual basis and provides notifications in real time. The software can be programmed to conform to audit policies and report exceptions when they are found. An identity audit provides a summary of all exceptions, which can help security analysts, executives, or auditors to determine if they want to accept the exception or mitigate it. Note: Violations can be applicable during the identity certification process. If a user has any open violations, the certifier sees a link on the certification page where he or she can obtain additional details about the violation. The certifier can then elect to certify the user or not. Oracle Identity Analytics provides mechanisms for creating and tracking audit rules, audit policies, and audit policy violations throughout the life cycle of an audit. The software also maintains a history of all audit scans and the actions taken by various participants in the process.
Audit Rules
Identity Audit Rule Definitions
Rule condition Metadata such as name, description, create and update dates
Three states
Active Inactive Decommissioned
Audit Rules
An identity audit rule consists of a rule condition and some metadata associated with the rule (name, description, create/update dates). Following is an example of an identity audit rule: Rule Condition : ( Resource Type::Windows Active Directory.adGroups contains 'CN=BankSoft_User,OU=Applications,OU=Corporate,DC=identric, DC=com' AND Business Structure.Business Structure Name equals 'Services' ) This rule defines a violation for users in the Services business unit who also have the BankSoft_User application group in Active Directory. An audit rule currently can exist in three states: Active, Inactive, and Decommissioned. Note: You cannot delete audit rules from Oracle Identity Analytics. This would introduce gaps in the audit history and impact an auditors ability to review information from previous violations. This could impact a companys ability to meet regulatory compliance.
Audit Policy
A collection of rules that together enforce a business policy in the enterprise environment Audit Policy Definition
Name, description Severity Create date, update data, owner Default remediator* information (* The person responsible for addressing policy violations)
Audit Policy
An audit policy consists of one or more audit rules that together enforce a business policy in the enterprise environment. The policy consists of other metadata such as name, description, severity, create and update dates, owner, and the default remediator information. The remediator is the person responsible for addressing any violations found against the audit policy. The severity of the policy (high, medium, or low) associates a level of criticality to any violations against this policy.
Actors
Audit policies have designated remediators who are responsible for taking action when violations are discovered. The following actors can be remediators: Oracle Identity Analytics administrator Policy owner Remediator (defined in the audit policy)
Actors
Audit policies have designated remediators who are responsible for taking action when violations are discovered. The following actors can be remediators: Oracle Identity Analytics administrator (by default, rbacxadmin) Policy owner Remediator (designated person assigned during policy creation)
Remediators of audit policies receive automated emails from Oracle Identity Analytics informing them of audit violations. Remediators can then log in and perform remediation actions.
Policy Violations
Users and business units are scanned against existing audit policies. Audit scans detect SoD violations associated with:
User HR attributes Role assignments Business structure memberships
The remediator is responsible for addressing the violation. Policy violations can be assigned only to other OIA Users. Oracle Identity Analytics tracks the violation until it is resolved.
Policy Violations
An audit policy violation enables an enterprise to track SoD violations and pursue their resolution. Policy violations occur when one or more rules associated with a policy are broken by a user account, a user attribute, or a user role. Oracle Identity Analytics maintains comprehensive details for each violation: Cause of the violation Policy being violated Severity Create date Update date Number of reminders sent Date of the last reminder Number of times this violation was detected
Audit Scans
Are performed on a set of users Search for violations to existing identity audit policies Consist of two types:
Scan Creates or updates violations; sends email Scan Preview Performs a scan but takes no action
Audit Scans
An audit scan is the process of checking if a particular set of users is violating one or more audit policies. Scans are run as jobs in the background, and the status or results are displayed in the graphical user interface. There are two types of scans: Scan: When a typical audit scan is run, it creates new violations or updates existing violations and sends email notifications to the remediator of the identity audit policy. Scan Preview: The typical scan is performed, but no action is taken to resolve the violations or email notifications. It provides a preview of what the result of an actual scan looks like.
Dashboard: Overview
Audit policy violation information is summarized. It provides a graphical depiction of:
Policy Violations Policy Violations By State Violation By Priority Policy Violations By Updated Date
Dashboard: Overview
The audit dashboard summarizes audit policy violation status information. It displays graphs that enumerate the number of violations, and lists violations by state, priority, and date-of-lastupdate. The following graphs are displayed: Identity Audit Policy Violations Identity Audit Policy Violations By State Identity Audit Violation By Priority Identity Audit Policy Violations By Updated Date To open the audit dashboard, select Identity Audit > Dashboard from the main menu.
Dashboard
Dashboard
This slide demonstrates the graphical dashboard for Identity Audit. You can select the type of graph that you would like to see at the lower-right corner of each graph. This enables you to see alternate views of the data. You can change the time period that the dashboard displays by selecting from the Period dropdown list at the bottom-right of the screen. The dashboard contains information pertaining to violations against audit policies as follows: Open violations: Displays all violations that are not yet fixed by the remediator. You can view the open violations by clicking them. Closed violations: Displays all violations that have been addressed by a remediator and closed
Created
Policy Owner
Assigned
Policy Owner or Assignee
Closed Fixed
Policy Owner, Assignee, or System
Closed
Update Violations
Authorized users or system Reassign Remediate (that is, if taken to close state)
Closed
By authorized user or system scan All causes associated with violation resolved
Job Scheduling
Jobs can (and should) be scheduled to run on a periodic basis. Reminder & Escalation Job:
Reviews each unresolved violation Sends out an escalation or reminder email as appropriate
Job Scheduling
Identity audit jobs can be scheduled to run on a periodic basis. Oracle Identity Analytics contains two default jobs that pertain to identity auditing: Reminder & Escalation Job This job reviews each unresolved violation and sends out an escalation or reminder email as appropriate. Administrators of Oracle Identity Analytics should monitor for violations that have been open for too long and escalate as appropriate. The Reminder & Escalation Job is identified by the identityAuditViolationReminderJob bean in the jobs.xml configuration file. You should consider scheduling this job on a frequent basis (such as every 30 minutes) in order to resolve open violations. Continuous SoD Scan Job This job performs scans on all active users in the Identity Warehouse and searches for violations of any audit policies. Any previously closed violations are reopened if the violation is still in effect. The Continuous SoD Scan Job is identified by the identityAuditContinuousViolationScanTrigger bean in the jobs.xml configuration file. You should consider scheduling this job to run on a daily basis in order to detect violations in a near real-time manner.
Event Listeners
Monitor for system events (such as user changes) Take action when an event is detected Consist of:
Event definition Action to take
Event Listeners
The Event Listener mechanism enables an administrator to create listeners to business events that are occurring in the system and take action when those events are detected. An example of a business event is a user update, which occurs when one or more of the users attributes are updated. A listener, when created, defines the events to examine based on a condition, and also defines the actions that are to be executed by the system in response to those events.
Summary
In this lesson, you should have learned to: Describe identity auditing Configure audit rules and audit policies Perform audit scans and detect policy violations Schedule audit scan jobs Configure event listeners
Objectives
After completing this lesson, you should be able to: Describe the best practices for role definition Perform role mining for a business unit Review and analyze the role mining results Perform role entitlement discovery
Objectives
Discussion: The following questions are relevant to understanding the topics covered in this lesson: What are the approaches to defining roles within an organization? Can the role creation process be automated and if so, how? What is the best approach for performing role mining and how can I implement a role mining methodology in my organization? How can existing roles be updated after they have been created?
Role Management
Role management is a process that involves:
Defining roles that are appropriate for an organization Assigning those roles to individuals according to their needs Managing users access according to the roles
Role management is an efficient and effective way to manage the large and constantly changing universe of users. Creation and management of roles is the most challenging aspect of role management.
Role Management
Role management is the process of defining and assigning roles to individuals who require access to organizational resources, and then managing their access according to those roles. Creating roles based on usage and enterprise policies enables greater visibility into access and makes access more manageable. This enables you to provide access control based on a limited number of roles rather than on an infinite number of individuals. Role management is therefore an efficient and effective way to address the challenges of access control for a large and constantly changing universe of users. Even though using roles as the basis for access control can make the process more efficient, there remains the challenge of defining roles for this purpose. In organizations that have a considerable numbers of users with access spread across multiple applications, role definition can be a monumental task.
Bottom-Up Approach
Oracle Identity Analytics creates roles by analyzing users account permissions.
Hybrid Approach
The Top-Down and Bottom-Up approaches are combined.
No matter which method is used for role discovery, there is consensus that the traditional method of using spreadsheets for defining roles is ineffective, time consuming, and very expensive. Oracle Identity Analytics provides automation for all three approaches and offers an end-to-end solution to discover and define roles based on existing user entitlements. Roles can be generated using the softwares role mining module, which uses sophisticated algorithms to create new roles based on user entitlements. Role mining reduces the role definition time by about 50 percent. Multiple rules and a combination of attributes (such as job codes, department, and location) can be used to assign role-based access to new and existing users.
Review Candidate Roles Review and approve roles. Review and approve entitlements.
Finalize Role Exceptions and Certify Roles. Incorporate any remaining changes. Finalize role definitions.
Prioritize the project based on divisions. Prioritize the project based on applications.
Target subset of user population. Consider only mission-critical applications. Include remaining applications. Finalize the set of entitlements.
Role Management consists of the following objects: Role Mining Rule Discovery Role Consolidation Rules Entitlements Discovery
Copyright 2010, Oracle and/or its affiliates. All rights reserved.
It is important to specify attributes that are critical in terms of defining access to a particular application or target system and set them as minable before initiating the role-mining process. This gives the role engineer the flexibility to include only relevant applications and relevant attributes for best data-mining results and ensures that the appropriate applications and input data are accounted for while the role-mining algorithm is running. Irrelevant attributes can thus be discarded from the role-mining exercise. Performing role mining without any attributes set as minable will result in an error. Note: Including attributes that are not important will affect the accuracy of the role-mining effort.
Description: The best threshold value is 300%. Parameter: Min. standard deviation
Description: This is used by the role-mining algorithm to size the amount of user detail to capture. Use values between -2, -1, 0, 1, and 2. Larger numbers (positive or negative) return more outliers.
Description: Displays the specific resource within the resource type Column: Attribute name
Description: Displays the name of the minable attribute associated with the resource Column: Attribute Value
Description: Displays the percentage of users that have access to the selected attribute Column: No. of Users
Description: Displays the number of users that correlate to the attribute listed in the role You can use the cutoff slider to select the desired risk percentage. All attributes above the cutoff percentage will be set to a primary or parent role policy, and all those below the cutoff percentage will be set to a secondary policy for child roles.
Entitlements Discovery
Analyzes existing legacy roles Allows you to modify the entitlements within these roles as follows:
Define new roles. Re-evaluate existing roles. Refine existing roles.
Entitlements Discovery
After roles are defined for critical applications, you might not want to add new roles or change the makeup of an existing role. Instead, you might want to introduce a larger domain of application entitlements into these roles. You can accomplish this by increasing the relevant minable attributes for applications and running entitlements discovery on existing roles. The entitlements discovery process analyzes legacy roles to define, reevaluate, and refine the content of these roles. Entitlements discovery can also be used for role consolidation if you need to include more applications in the role entitlement mix.
Consists of the following objects: Role Mining Role Consolidation Entitlements Discovery
Best Practices
Get executive sponsorship for the project. Do not try to become completely role based. Utilize a knowledgeable implementation partner. Use a phased approach to the implementation. Define measurable milestones. Implement an identity management program and not just a provisioning project.
Best Practices
Avoid pitfalls by obtaining executive sponsorship for the project. Implementing a role based access solution requires inclusion of all business units across the enterprise. Do not try to become completely role based. Implementing a role solution that covers 80 percent of the user population will provide true return on investment. Utilize a knowledgeable implementation partner who is both experienced with the process as well as the tool. This can be critical to the overall success of your project. Use a phased approach to the implementation. Prioritize applications and business units and implement in several waves. Associate measurable milestones with each wave, and evaluate success at the end of each phase. Determine the amount of time saved and the costs that have been reduced by implementing the program, and evangelize the success to the organization. Implement role management as an overall identity management program along with provisioning. Role definition must be run in parallel with an identity management solution so that the roles can be used in a proactive manner during the provisioning process.
Summary
In this lesson, you should have learned to: Describe the best practices for role definition Perform role mining for a business unit Review and analyze the role-mining results Perform role entitlement discovery
Objectives
After completing this lesson, you should be able to: Describe the phases of a roles life cycle Configure role workflows and approvals Perform role versioning Describe the best practices for managing roles
Objectives
Discussion: The following questions are relevant to understanding the topics covered in this lesson: How are roles maintained over time? What are the phases of role lifecycle management? What types of activities do you perform in each phase of role lifecycle management? How can you maintain control over role versions?
On-request activities:
VERIFY
Impact analysis to change events Role consolidation Role decommission Entitlements discovery
Workflows
Include a specific sequence of actions or tasks related to a business process Are used during role and policy creation and modification Involve various actors:
Initiate the workflow. Receive notifications. Perform approvals or rejections.
Workflows
A workflow is a specific sequence of actions or tasks related to a business process. In Oracle Identity Analytics, workflows enumerate each step involved in the various processes, such as role and policy creation, role and policy modification, and so on. A workflow lists all the actors, who play a pivotal role in the management of roles and policies, and their function. Oracle Identity Analytics has a robust and easy-to-configure workflow engine. Workflows can be configured to any environment because they are based on the open-source Open Symphony workflow engine. Each workflow can be customized to support diverse requirements such as role approval paths, policy approval paths, and email integration, and to expose Web services to communicate with third-party applications, and so on. You can make the following changes to a workflow: Add a step Delete a step Edit workflow action details
Default Workflows
Default Workflows
There are nine default workflows in Oracle Identity Analytics as described in the following table: Workflow Role creation Role modification Role membership Role membership activation Description Runs when a role is created Runs when a role is modified (for example, when a policy is added) Runs when users are added or removed from the role Runs to activate memberships that are pending activation. This workflow is automatically triggered by Oracle Identity Analytics. Runs when many roles are created or modified Runs when a policy is created Runs when a policy is modified Runs when a role provisioning rule is created Runs when a role provisioning rule is modified
Mass modification Policy creation Policy modification Role membership rule creation Role membership rule modification
You can edit an existing workflow by selecting the link for that workflow as shown in this slide.
Editing Workflows
Editing Workflows
The Edit Workflow page displays the name, description, and various steps involved in the completion of the task in Oracle Identity Analytics. A diagrammatic representation of the workflow is displayed to the right of the page. The following data is displayed to the left of the page: Name: Displays the name of the workflow Description: Displays the workflow description Steps: Displays a table explaining each step. See the following table for details. The following table provides an overview of the data contained in the Steps section.
Assignee Operation
Yes
No
Role Owner works with the Business and IS Team to refine the role. No
Yes Review proposed roles to ensure consistency with company guidelines. Approves the Roles Yes Email notification
Email notification
Role Modification
Role Modification
The Identity Warehouse maintains information about any changes made to a role. You can see this by accessing Identity Warehouse > Roles from the graphical user interface. The top-left section of the page contains all roles that are currently configured in the Identity Warehouse. The bottom-left section of the page contains any outstanding versions of a particular role. This slide shows that version 2 of the Customer Service Representative role was created on 11/29/2009 and is currently pending. Select the outstanding version by clicking it. Information pertaining to that version of the role, including the role history, versions, and the status of any workflows pertaining to that role, can be seen on the right side of the page. Clicking the General tab shows the details of the role, including the version status. This slide shows that the Customer Service Representative role is currently in a status of Composing (it has not yet been submitted for approval). If you click the Workflow tab at this point, you can see that the Role Modification workflow has not been initiated. Click Send for Approval to initiate the workflow process.
Workflow Status
Workflow Status
Oracle Identity Analytics includes a default workflow named Role Modification. This workflow has the following steps: 1. Start Workflow: This step is performed after a role is created or modified, or when a member is added or removed. 2. Policy Owner Approval: If a policy owner approves the request, the workflow proceeds to the next step. Otherwise, the role is rejected. 3. Role Owner Approval: If a role owner approves the request, the workflow proceeds to the next step. Otherwise, the role is rejected. 4. Finish: The role is created or modified. This slide shows that the first two steps have been performed and that the workflow is halted, pending action in Step 3.
Pending Requests
Pending Requests
Approvers specified in the Role Modification workflow receive an email notification that they have an approval pending. The body of the email requests that they log in to the Oracle Identity Analytics interface to respond to the outstanding request. This slide shows the pending request for the Customer Service Representative role modification. This page provides information about who initiated the request, the date of the request, the request being made, and the type of object that the action is being applied to. Approvers select the option button next to the pending request and click either Approve or Reject to act on the request. Additionally, they can click View to obtain more information about the request.
Modification Details
Modification Details
Clicking View on the previous screen provides more details about the changes being requested. This slide shows the information provided on the Policy Modifications tab. Click either Approve or Reject to act on the request.
Role Versions
Role Versions
After a role is acted upon (approved or rejected), you can return to the Roles section of the Identity Warehouse (Identity Warehouse > Roles) to see that the new version is no longer pending. This slide demonstrates both versions of the Customer Service Representative role. Version 2 of the role was approved by rbacxadmin on 11/30/2009 and is currently active. You can compare the differences between roles by selecting the check box for those versions and clicking Compare Versions. Additionally, you can select a particular version and revert back to that version by clicking Revert to Version.
Role History
Role History
The History tab provides a detailed view of the changes made to a role over time. This slide demonstrates the policy changes made to the Customer Service Representative role between the previous version (Version 1) and the current version (Version 2).
Best Practices
Use Oracle Identity Analytics as the authoritative source for roles, policies, role owners, and policy owners. Role owners and policy owners are validated on a periodic basis. Role history and versioning are critical. Use two levels of approvalsrole owner and application owners. Impact analysis should be performed before role creation or modification for various conflicts, for example SoD. Role consolidation should be performed before role creation or modification.
Best Practices
This slide shows the best practices to use when performing role management.
Summary
In this lesson, you should have learned to: Describe the phases of a roles lifecycle Configure role workflows and approvals Perform role versioning Describe the best practices for managing roles
Generating Reports
Objectives
After completing this lesson, you should be able to create: Default reports Custom reports
Objectives
Discussion: The following questions are relevant to understanding the topics covered in this lesson: What types of reports are available and how can I use them to achieve compliance? How can I create my own custom reports?
Reports
Reports are critical components toward achieving compliance. Oracle Identity Analytics provides the following report functionality:
Default (out-of-the-box) reports Customizable reports
Reports can be run manually or scheduled. Reports can be viewed online or can be downloaded directly to PDF or CSV. Reports viewed online can be exported to other formats or printed.
Reports
Reports are valuable tools for evaluating, analyzing, and achieving overall compliance within an organization. Reports are used extensively when performing role discovery, entitlements discovery, certifications, or simply trying to review access rights. As such, reports are critical components and Oracle Identity Analytics provides extensive default reporting capabilities. If default reports do not meet your needs, Oracle Identity Analytics provides capabilities to extend reporting by enabling you to add your own custom reports. Reports can be viewed online or downloaded to the desktop as PDF or CSV files. If you review a report online, you have the option of exporting it to various formats (PDF, XLS, CSV, HTML, XML) or printing the report.
Reporting Categories
Business Structure Reports System Reports
User reports Role reports Policy reports Exception reports Forecast reports
Reporting Categories
Oracle Identity Analytics provides reporting capabilities by default with several predefined reports. This information can be classified into four broad categories: Business Structure Reports, System Reports, Identity Audit Reports, and Custom Reports. Business Structure Reports are run against selected business structures and provide information pertinent to those business structures. This includes reports such as the Business Structure Users Report, which provides the user identifier, first and last names, and email addresses of all users associated with a particular business structure. Note: All child business structures are included in reports when its parent business structure is selected. System Reports can further be broken down into user reports, role reports, policy reports, exception reports, and forecast reports. Information contained in these reports is global to the entire system and provides granularity based on the type of system report being run. Audit Reports provide audit-related exceptions and include information pertaining to segregation of duties, assigned versus actual rights violations, and terminated user reports. If one of the default reports does not meet your needs, you can create your own custom reports by using the open-source Jasper product. Details on how to accomplish this are provided later in this lesson. Note: Oracle Identity Analytics also has reports that are specific to the certification process. These are called Certification Reports and are accessible during Certification processing. See the lesson titled Configuring Identity Certification for more information.
Accessing Reports
OIA Users access reports from the Reports tab.
Dashboard Sign off Reports Ad Hoc Reports Schedule Reports Custom Reports
Accessing Reports
The Reports tab in the graphical user interface provides access to the following reporting features: Dashboard: The dashboard page provides a graphical overview of executed Business Structure Reports and pending Certification Reports. Sign off Reports: The Sign off reports page provides access to pending reports and completed reports. The user is able to act on pending reports and view completed reports. Ad Hoc Reports: The Ad Hoc Reports page provides access to Business Structure Reports, System Reports, Identity Audit Reports, and Custom Reports. Schedule Reports: The Schedule Reports page provides access to any previously scheduled report jobs and enables you to schedule a new report job as desired. Whether the OIA User sees the tab or sees all these features depends on the system privileges assigned in their OIA Role.
Report Dashboard
Constraints by date:
Report Dashboard
Selecting the Dashboard option on the Reports tab takes you to the Reports Dashboard page. The Reports Dashboard page summarizes status information for reports and contains the following graphs: Reports by Business Structure Reports that are pending, accepted, or rejected by the managers
Can be imported through the user interface Reports > Custom Reports > New Custom Report Appear as Ad Hoc Reports Reports > Ad Hoc Reports > Custom Reports
Custom reports will appear as Ad Hoc reports under the Custom Reports option. 3. Run or schedule the report as needed. Note: JasperForge (http://www.jasperforge.org) is the open-source development site for iReport and JasperReports. From this site, you can download the iReport software from JasperForge, learn how to create Jasper Report XML files, and interact with the JasperForge community.
Summary
In this lesson, you should have learned to create: Default reports Custom reports