11.2 Understanding Data Policy Detections

Detections of policies and controls can be triggered by manually running detections, by predefining a schedule, or by specifying events. Authorized administrators can specify collection, publication, and user curation as the events that trigger detections.

Based on the data policy, administrators can define remediations for violations. The number of detections will vary depending on event types and factors such as:

  • Frequency of the events

    For example, when you select user curation, each user curation triggers a data policy detection. If two curations occur with very little interval between them, two detections are started sequentially. The second detection might report zero or fewer violations, because the first detection might have already identified the same items as violations and saved those records to the database.

  • Remediation status

    The Last Detected Items and Open Items columns on the Data Policy Collection or Publication tabs might not present the latest counts when remediation runs automatically after detection, because remediation takes time to process and update the counts. For example, if 10 items were detected and remediated automatically after detection, the counts will be 10 last detected items and 0 open items after the remediation run. If remediation was not configured, the counts will be 10 last detected items and 10 open items. If 2 of the detected items were resolved manually, the counts will be 10 last detected items and 8 open items.

  • Processing time of Identity Governance calculations

    For example, when you manually run a technical-role-changes data policy after adding or removing entity types such as owners or permissions from a technical role, the number of detections might be inaccurate if the technical role calculations have not completed. However, when you configure the data policy to be triggered automatically by the technical role detection event, the number of data policy detections will be accurate and remediation will run correctly.
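As an added illustration (a constructed model, not Identity Governance code), the following Python replays the counting behaviour described above: a detection counts only violations not already saved by an earlier run, automatic remediation closes what the run found, and manual resolution lowers only the open count. The class and function names and the 10-item sample are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class DataPolicyCounters:
    """Constructed model (not Identity Governance code) of how the Last Detected
    Items and Open Items counts evolve across detection and remediation runs."""
    open_items: set = field(default_factory=set)  # violations saved to the database
    last_detected: int = 0

    def detect(self, violating_items, auto_remediate=False):
        """Run one detection; returns the number of violations this run reported.
        Items already saved by an earlier run are not counted again, which is why
        a second back-to-back detection reports fewer (or zero) violations."""
        new_items = [i for i in violating_items if i not in self.open_items]
        self.open_items.update(new_items)
        self.last_detected = len(new_items)
        if auto_remediate:
            # Remediation after detection closes everything this run found.
            self.open_items.difference_update(new_items)
        return self.last_detected

    def resolve_manually(self, items):
        """Manual resolution lowers the open count, not the last-detected count."""
        self.open_items.difference_update(items)

    def counts(self):
        return self.last_detected, len(self.open_items)

def run_scenarios():
    """Replay the three remediation cases and the back-to-back curation case."""
    items = [f"item-{n}" for n in range(10)]  # constructed sample: 10 violating items
    results = {}

    auto = DataPolicyCounters()
    auto.detect(items, auto_remediate=True)
    results["auto_remediation"] = auto.counts()            # (10, 0)

    manual = DataPolicyCounters()
    manual.detect(items)
    results["no_remediation"] = manual.counts()            # (10, 10)
    manual.resolve_manually(items[:2])
    results["two_resolved_manually"] = manual.counts()     # (10, 8)

    rapid = DataPolicyCounters()
    rapid.detect(items)                                    # first curation
    results["second_curation_new"] = rapid.detect(items)   # 0: already saved
    return results
```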

Authorized administrators can delay data policy detections and remediation runs that are automatically triggered after User, Permission, or Account curation using the com.netiq.iac.datapolicy.detection.trigger.delay.minutes and com.netiq.iac.remediation.run.delay.minutes configuration properties. The values of these properties are specified in minutes. To configure these properties, contact your SaaS Operations Administrator. These properties do not compensate for variations in the number of detections caused by calculations still in progress, such as technical role calculations; you must wait for those calculations to complete before triggering detections.

We recommend that you periodically refresh your page for more accurate counts of the last detected items and open items on the Data Policy page. You can view all previous detections by editing a policy and clicking Show All Detections. You can also view the most accurate count of all open and resolved items by clicking the data policy name, then clicking Show open and resolved items.