24.1 Creating a Review Definition

The review definition enables you to define and schedule various types of reviews. It contains all of the information required to run a review. You can also modify the definition for subsequent review runs without the need to create additional review definitions. To create a review definition, the catalog must contain published data.

To create a review definition:

  1. Log in as a Review Administrator.

  2. Select Definitions.

  3. Click + to create a new review definition.

  4. Select the type of objects you want to review, or search by review type and then select the type of objects.

  5. Name the review and add a description.

  6. (Optional) Add instructions that explain to reviewers what they need to do. For example, "Please review these items or reassign to someone else if necessary."

  7. Accept the default review item selection criteria or refine the selection criteria to focus the review based on your security and compliance needs. For example, you can review accounts based on account custodian or last account review date. Alternatively, you can review users, business roles, or accounts based on risk.

    Selection criteria for your entities or business roles include the respective attributes that have been previously enabled as selection criteria. When you choose the Select option to specify entities or business roles, click + to add conditions for your selection.

    NOTE: In addition to default selection criteria for review items such as risk, you can ask your Data Administrator to add other selection criteria, including custom criteria, for various reviews.

  8. (Optional) Select Estimate Impact to view the approximate number of review items and, depending on the selected review type, the approximate number of users, permissions, roles, accounts, or business roles, or click the Download review targets as CSV link to download the review items and review them offline.

    NOTE: Identity Governance calculates the approximate number of review targets. Business role authorizations are not included in this calculation. Results in a running review will also vary based on review options and the most recent state of the catalog. To see all review items, start the review in preview mode, when authorizations are also calculated.

    Based on the number of review targets, you might need to revise the Review period. For example, a review with 15 items might be completed within days, but one with hundreds of items could require weeks to accomplish.

  9. (Optional) For Review Options, select any additional options that apply to this review. For example, you can require comments for certain actions. When you select this option, a Reviewer or a Review Owner must enter a comment to complete the keep, remove, override or change reviewer actions. You can also allow or prevent reviewers from changing reviewers and configure the self-review policy. For more information about the self-review policy, see Section 25.1.6, Specifying Self-Review Policy.

  10. (Optional) Specify the reviewers you want to participate in the review.

    For more information about types of reviewers, see Section 25.1.7, Specifying Reviewers.

  11. (Optional) To create a serial, multistage review, select Add Reviewer.

    This allows you to specify multiple individuals who review the review items in the order listed in the definition. For more information, see Section 25.1.17, Understanding Multistage Reviews.

  12. (Optional) For Monitor Reviews, specify the review owner and auditor.

    If you do not specify the review owner, the person who created the review definition becomes the review owner by default. If you do not specify an auditor, the review will not go through the audit acceptance phase.

    (Conditional) If the materialized view is enabled, select Cache review item names to cache user, account, permission, and role names to improve performance in large scale reviews.

    WARNING: If you enable caching, periodically Refresh cache review items to synchronize the review with changes to the catalog. For more information, see Section 25.3, Improving Performance in Large Scale Reviews.

  13. (Optional) For Task Due Date and Escalation, select one of the following options:

    • When review is scheduled to end

      Select this option when you want the reviews to end based on Duration settings.

      NOTE: Review Administrators or Owners can change the review end date to a specific date and time when they start the review run.

    • Specify maximum queue time

      Select this option if you want reviewers to have a due date for their items. This due date can trigger notifications and, when review items are past their due date, show that the items are overdue. Even if this is a multistage review, review items will not leave the current reviewer's queue when items reach their due date.

      For Maximum time in queue, specify the number of days, weeks, months, or years allowed for the reviewers to complete their tasks. You must use whole numbers for the value. If the review started at the time when the review definition was created, this would be the due date. Secondary reviewer due dates are calculated based on the time the item enters the reviewer's queue.

    • Specify maximum queue time and escalation reviewer

      Select this option when you want review items to escalate if not completed by the due date. In the case of multistage reviews, items will escalate to the next reviewer. In the case of multistage reviews where the review item is in the final reviewer's queue or in the case of single-stage reviews, the review items will escalate to the specified Escalation Reviewer if not completed by the due date.

      Specify Maximum time in queue and the Escalation Reviewer. The Escalation Reviewer is the final reviewer in the escalation process. When tasks are past due and no further review stages are defined, all open tasks will move to this reviewer’s queue. The Escalation Reviewer can either be the Review Owner or selected users specified by searching and selecting identities, groups, or business roles.

  14. (Optional) For Duration, set or change any of the following options:

    1. For Review period, specify the length of time allowed for the review run.

    2. For Expiration policy, specify what happens when a review expires without being completed.

    3. For Partial approval policy, specify whether partial approvals are allowed and if so, whether or not partial approvals will occur automatically.

      NOTE: You cannot partially approve a policy for Business Role Authorization review, because for this review type multiple authorizations are aggregated into one change request and sent for fulfillment.

    4. For Validity period, specify the period of time before the certified items need to be reviewed again. For example, specify 6 months if you intend to run the review again after six months from the current review schedule.

      NOTE: After completing a review, the review renewal data value might display a different time unit than the validity time period specified in the review definition, because the time period changes as the review approaches its next cycle. For example, a validity period of 2 weeks might display a renewal date of 14 days or less to indicate the number of days before the review starts its next cycle.

  15. (Optional) For Notifications, add notifications based on provided email source templates, view notification description and settings, or remove default review notifications. Customize the default notification schedule, including the recurrence schedule, and add email recipients.

    NOTE: Typically, you can specify only one recipient in the To field and multiple recipients in the CC field. You can specify CC recipients by specifying a relationship and an identity attribute for the selected relationship. However, the read-only Review terminated notice, which is based on the Certification Terminated email source template, goes to reviewers, review owners, escalation reviewers, and auditors when a review ends. You cannot change the recipients.

    Click Email source preview to preview the email HTML source and to specify a recipient for the rendered version of the email. For more information, see Section 25.1.9, Setting Review Notifications.

  16. (Optional) For Schedule, if you want the review runs to begin and repeat automatically, select Active and select the appropriate schedule. Make sure there will be at least a 30-minute gap between runs. Select Start scheduled review in Preview mode requiring manual go live to start a review in preview mode. For additional information about scheduling reviews and the 30-minute gap requirement between runs, see Section 25.1.10, Scheduling a Review.

  17. Save the review.

  18. (Optional) After saving the review definition, set the default columns for the current review definition by editing the review definition and specifying Default Reviewer Display Preferences. Otherwise, the default grouping and default sort for the reviewer display will use the Configuration > Review Display Customization settings you had set for each review type as the default display preference.

    NOTE: If needed, reviewers can change the default grouping for their review instance by using the Show All drop-down list, change the sort order by clicking headings that show a descending or ascending arrow, and change the column display by using the display options settings menu.
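
The due date and escalation options in step 13 can be modeled to see whose queue an untouched review item sits in on a given date, and whether it would reach the Escalation Reviewer before the Review period ends. This is an added example, not Identity Governance code: the function names, reviewer names, and dates are constructed, and it assumes every queue's due date is its entry time plus Maximum time in queue and that no further due date applies once the item is with the Escalation Reviewer.

```python
from datetime import datetime, timedelta


def queue_timeline(start, stages, max_queue, escalation_reviewer=None):
    """Worst case (nobody acts): return [(reviewer, entered, due)] per queue.

    Assumption: each due date is entry time + Maximum time in queue.
    """
    chain = list(stages)
    if escalation_reviewer is None:
        # "Specify maximum queue time": overdue items stay with the current reviewer.
        chain = chain[:1]
    timeline, entered = [], start
    for reviewer in chain:
        timeline.append((reviewer, entered, entered + max_queue))
        entered += max_queue  # item escalates to the next stage at its due date
    if escalation_reviewer is not None:
        # Final reviewer in the escalation process; no further due date modeled.
        timeline.append((escalation_reviewer, entered, None))
    return timeline


def holder_at(timeline, now):
    """Return (reviewer, overdue) for the queue that holds the item at `now`."""
    for reviewer, entered, due in reversed(timeline):
        if now >= entered:
            return reviewer, due is not None and now > due
    raise ValueError("now is before the review run started")


def reaches_last_queue_in_time(timeline, start, review_period):
    """True if an untouched item enters the last queue before the Review period ends."""
    return timeline[-1][1] < start + review_period


if __name__ == "__main__":
    start = datetime(2024, 1, 1, 9, 0)   # constructed start of the review run
    stages = ["manager", "app_owner"]    # hypothetical two-stage review
    plan = queue_timeline(start, stages, timedelta(weeks=2), "review_owner")
    for reviewer, entered, due in plan:
        print(f"{reviewer:13} entered {entered:%Y-%m-%d} due {due}")
    # A 4-week Review period ends just as the item would reach the Escalation Reviewer.
    print(reaches_last_queue_in_time(plan, start, timedelta(weeks=4)))
```

In this model, a Review period shorter than the number of stages multiplied by Maximum time in queue means the Expiration policy, not the Escalation Reviewer, decides what happens to untouched items.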