11.1 Understanding Data Policies

Administrators with the Customer, Global, or Data administrator authorization can use data policies to make informed governance decisions. They can use the default data policies, or specify their own criteria to create additional data policies that report on collection and publication data or monitor identity life cycle events. Data policies enable administrators to:

  • Detect data that meets specific conditions, such as permission assignments whose end date is today or accounts with privileged account status

  • Monitor identity life cycle events, such as employees who join or leave the company, move to a different department or location, or change job title or supervisor

  • Detect anomalies or inconsistencies in the published data, such as users without supervisors or permissions with a risk score greater than 100

  • Generate statistics, such as the number of groups in the collected data or the number of permissions without owners

  • Monitor changes to specific attribute values, such as cost or risk

  • Monitor whether any attribute was changed

  • Monitor changes to entities, such as a 25% increase in the number of accounts or the number of users added to the catalog since the last collection or publication

  • Initiate remediation actions for anomalies or inconsistencies, such as an email alert, a micro certification, a change request, or a workflow process

  • Compare collection and publication details from the same data source at two different full collection or publication times

Scenario 1: To discover accounts that are not actively used, an administrator can create an account data policy that detects any account whose last login date is earlier than a chosen cutoff, and specify that an immediate micro certification review should be started for these accounts.

Scenario 2: To detect permissions that are inherited in applications, an administrator can create a permission assignment data policy that detects application permissions, and add a condition that the permission assignment type is inherited. To narrow the results, they can add other conditions such as the permission name, the permission's unique application ID, or the permission risk. Administrators can also trigger change requests for these inherited permissions if needed.

Scenario 3: To detect any change to user, permission, or account attributes, an administrator can create a publication data policy with a condition that detects whether a user, permission, or account attribute was changed in any way.

Scenario 4: To detect users who have joined the company, left the company, or changed departments, and call a workflow process to remediate the data policy violation, an administrator can use one of the following default data policies, then select an existing Workflow as the Remediation/Action Type to address the detected life cycle event as needed:

  • Deactivated identities in last 24 hours

  • Identities Created in last 24 hours

  • Identities Started in last 24 hours

  • Title, Department, Location, Supervisor changes

NOTE: Only one workflow process runs for each detection. You can view the workflow process in the Detected Items column for the specific data policy on the Publication Data Policies tab.
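The following is an added example, not code from the product or its documentation, that models what the detections in Scenarios 1, 3 and 4 (plus the supervisor and entity-growth checks from the list above) compute when two publications of the same data source are compared. The `Identity` and `Account` records, the two publication snapshots, the 90-day idle cutoff and the 25% growth threshold are all constructed for illustration and are not the product's data model or defaults. Note how an account with no login date at all is treated as dormant rather than silently skipped, which is the edge case a dormancy policy most often gets wrong.

```python
from dataclasses import dataclass, asdict
from datetime import date, timedelta
from typing import Optional

# Constructed sample data: two publications of the same data source
# (assumed shapes for illustration, not the product's own model).
@dataclass(frozen=True)
class Identity:
    title: str
    department: str
    location: str
    supervisor: Optional[str]      # None models a user without a supervisor
    terminated: bool = False


@dataclass(frozen=True)
class Account:
    user_id: Optional[str]
    last_login: Optional[date]     # None models an account that has never logged in
    privileged: bool = False


PREVIOUS_PUB = {
    "identities": {
        "u1": Identity("Engineer", "Engineering", "NYC", "u9"),
        "u2": Identity("Analyst", "Finance", "LON", "u9"),
        "u3": Identity("Manager", "Engineering", "NYC", None),
    },
    "accounts": {
        "a1": Account("u1", date(2024, 6, 28)),
        "a2": Account("u2", date(2024, 1, 15)),
        "a3": Account("u3", None),
        "a4": Account(None, date(2024, 5, 1), privileged=True),
    },
}
CURRENT_PUB = {
    "identities": {
        "u1": Identity("Senior Engineer", "Engineering", "NYC", "u9"),      # title change
        "u2": Identity("Analyst", "Finance", "LON", "u9", terminated=True),  # leaver
        "u3": Identity("Manager", "Engineering", "NYC", None),
        "u4": Identity("Engineer", "Engineering", "SFO", "u3"),             # joiner
    },
    "accounts": {**PREVIOUS_PUB["accounts"], "a5": Account("u4", date(2024, 6, 29))},
}
LIFECYCLE_ATTRS = ("title", "department", "location", "supervisor")


def dormant_accounts(accounts, as_of, max_idle_days):
    """Scenario 1: accounts whose last login is older than the cutoff.
    An account that never logged in is reported as dormant, not skipped."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(aid for aid, acct in accounts.items()
                  if acct.last_login is None or acct.last_login < cutoff)


def changed_attributes(previous, current):
    """Scenario 3: attribute-level diff of entities present in both publications."""
    changes = {}
    for key in previous.keys() & current.keys():
        old, new = asdict(previous[key]), asdict(current[key])
        diff = {attr: (old[attr], new[attr]) for attr in old if old[attr] != new[attr]}
        if diff:
            changes[key] = diff
    return changes


def lifecycle_events(previous, current):
    """Scenario 4: joiners, leavers, and title/department/location/supervisor changes."""
    events = [(uid, "Identities Created") for uid in current.keys() - previous.keys()]
    for uid, diff in changed_attributes(previous, current).items():
        if diff.get("terminated") == (False, True):
            events.append((uid, "Deactivated identities"))
        for attr in LIFECYCLE_ATTRS:
            if attr in diff:
                events.append((uid, f"{attr.capitalize()} change"))
    return sorted(events)


def users_without_supervisor(identities):
    """Inconsistency check over published data: identities with no supervisor."""
    return sorted(uid for uid, ident in identities.items() if ident.supervisor is None)


def entity_growth_pct(previous, current):
    """Percentage change in entity count between two publications."""
    if not previous:
        return float("inf") if current else 0.0
    return (len(current) - len(previous)) * 100.0 / len(previous)


def evaluate_policies(previous, current, as_of, max_idle_days=90, growth_threshold=25.0):
    """Run every policy and return the detected items keyed by policy name."""
    growth = entity_growth_pct(previous["accounts"], current["accounts"])
    return {
        "dormant_accounts": dormant_accounts(current["accounts"], as_of, max_idle_days),
        "attribute_changes": changed_attributes(previous["identities"], current["identities"]),
        "lifecycle_events": lifecycle_events(previous["identities"], current["identities"]),
        "users_without_supervisor": users_without_supervisor(current["identities"]),
        "account_growth_alert": growth >= growth_threshold,
    }


if __name__ == "__main__":
    for policy, detected in evaluate_policies(PREVIOUS_PUB, CURRENT_PUB, date(2024, 6, 30)).items():
        print(f"{policy}: {detected}")
```

Each detection list is what a remediation action (email alert, micro certification, change request, or workflow) would be fed; the product runs one workflow per detection, so the grouping of results per policy above mirrors the one-to-one relationship between a detected item and its remediation.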