Defining a compliance job can be a complex process. The mechanics of defining a job are covered in the Configuring Compliance Guide; this section concentrates on the decisions and feature configurations the job definition entails. The image below depicts a job of type System, which evaluates all users, accounts and entitlements of a given system. The figure shows the part of the job creation UI that covers the Resource Type and CoT Selection; the individual sections are explained in detail below. The recertification-specific settings of a job are explained in the certification section.
The table below outlines all of the functionality built into a Fischer compliance job:
(Job) Type
This combo box allows Compliance Administrators to define the type of job to be executed.
Watch your computing resource consumption. Compliance assessments can be rather large. You will also have the option to set the Maximum Parallel Process property, which maps directly to the number of database connections the compliance job will have available for processing. Assessments can consume a significant amount of system resources given the processing that takes place, which is why it is important to execute smaller, more frequent compliance assessments against smaller user populations rather than a semi-annual or annual assessment where the processing load would be heavy. The value set in the Maximum Parallel Process property is one-to-one: if the value is 10, the compliance assessment process will consume 10 database connections. The maximum that can be set is 100, so size this value against the connection pool that the rest of the platform still needs while the job runs.
Resource Type
The following resource types are available in the combo box:
User Access
As you build a compliance job, the step after selecting the type of job is to select the objects to be assessed. We use the term objects because the object differs depending on the job type selected: if a Policy job is selected, clicking "Add" displays a list of policies to select for the assessment (job); if a Resource (or Group) job is selected, it displays a list of resources (or groups); the same holds true for a System job, as shown above. What exactly am I selecting?
It is important to note that you are selecting the objects that will actually be assessed and/or certified. The list of objects to select from is within the context of the Resource Type defined. The key point is that job types are mutually exclusive at assessment time: you cannot select multiple object types to be assessed within the same job. Consequently, in order to assess every configuration employed, and ultimately every method by which access can be obtained, you must define a separate job for each. This is an important concept to understand, because an assessment that covers only one grant path leaves the others unreviewed. For example, if a Policy job is defined and all related access is assessed in the context of Fischer's policy engine, the job will exclude any access that was obtained via self-service through an access request; that access must be covered by a Resource, Group or System job.
CoT Selection
The next option available for configuration is the defined Chain of Trust (if applicable). Remember that a CoT is mandatory only if the job type is "Assessment and Re-Certification", because the re-certification campaign requires a defined chain of trust to present exceptions to, so that access and any flagged exceptions can be certified by the defined certifiers and remediated. An Unassigned CoT selection is only available for System type jobs and should be used only when certifying HPAM or unassigned accounts and entitlements, i.e. access that has no owning identity to route a certification to. If an Unassigned CoT is selected, a checkbox lets the user perform certification for entitlements only; in that case the accounts holding those entitlements need not be certified.
Assessment Options
This selection gives compliance administrators the ability to perform a more granular assessment that goes beyond the access itself, by also assessing data elements that may be relevant. When one or both of the available options are selected, the attributes listed below are assessed as well. While Fischer does provide governance over relevant business information during a compliance job, these attributes are not presented to certifiers. The goal of an attribute-level assessment is to provide oversight into how the technical definition of a resource (which most business personnel would not understand) is bridged for business users. A detailed assessment should be considered as part of any assessment, or a specific assessment should be created to review these values. The technical team should always keep in mind that those reviewing access requests via self-service, and those requesting the access, should be given a functional description of what access is provided. This information is often skipped for the sake of expediency, or simply because most personnel deploying an IGA solution do not consider the business user. Fischer provides these fields to help organizations build a relevant and transparent resource (i.e. account and entitlement) catalog that is understood by both technical and non-technical identities. The information assessed in a detailed assessment helps organizations ensure that technical processes exposed to business users properly bridge the communication gap; Fischer therefore highly recommends performing a detailed assessment to make sure both parties are aligned.
Assessed Attributes
The following attributes are assessed during the execution of a compliance job:
You will notice that the "Add" and "Remove" buttons for the "Account Attribute List" and the "Entitlement Attribute List" are initially disabled. These options become available only once a compliance administrator elects to build a detailed assessment job. Once one or both of the detailed options are selected, the buttons are enabled and compliance administrators can then select which of the above attributes they want to assess in more detail.