Working with Policy Violations
The users responsible for reviewing and mitigating policy violations use the Policy Violations page to see any violations awaiting their review and action.
Accessing the Policy Violations Page
The Policy Violations page can be accessed from the menu bar using My Work > Policy Violations. Depending on how your system is configured, you can also access the Policy Violations page from the QuickLinks menu > My Tasks > Policy Violations or from a Home page QuickLink card.
Most users will see the same list of policy violations from the menus and the QuickLinks card. Users with System Administrator or Policy Administrator capabilities will see different results based on how they access the page:
- The QuickLinks menu and card show System Administrators and Policy Administrators only the violations for which they themselves are responsible.
- The My Work > Policy Violations menu shows System Administrators and Policy Administrators all policy violations in the system, not just the ones they are responsible for.
Overview of the Policy Violations Page
The Policy Violations page lists policy violations that are marked as active and violations owned by you or one of the workgroups to which you belong. When a policy is defined, an owner for a policy violation can be defined. The policy violation owner is a chosen identity, the manager of the person who violated the policy, or an identity created by running a rule. You cannot take action on your own violations.
Based on how your system is configured, the Policy Violations page can have these tabs and actions. The number on the tab indicates the number of items listed on the associated tab page.
- Open Tab – from this tab you can:
  - Allow or Revoke a violation
  - Make Bulk Decisions on multiple violations
  - View Details about a violation from the menu icon for the violation
  - Launch a certification of items, using the Certify option (in the Bulk Decisions menu)
- Complete Tab – from this tab you can:
  - Launch a certification of items, using the Certify button
  - Edit Decision from the 3-line menu icon for the violation
  - View Decision for a revoked violation from the 3-line menu icon
  - View Details about a violation from the 3-line menu icon for the violation
Display Options
Use the Filter button to limit what is displayed on the Policy Violations page. You can filter violations by user name (including first name and last name), policy type, status, and policy violation ID, using any combination of filters and values. To apply your filter criteria, click Apply.
When filtering is applied, the Filter button on the Policy Violations page turns green to alert you that you are seeing a filtered subset of all your items. To clear filtering, click Filter again, then click Clear.
You can sort the information in the table in ascending or descending order by clicking on any of the column headings.
Policy Violations Open Tab
The Open tab lists policy violations awaiting your attention. The Open tab includes:
Column | Description |
---|---|
Identity | First and last name of the user who is in violation of the policy. |
Policy Name | Name of policy that is violated. |
Rule | Specific rule in the policy that is in violation. |
Owner | The person responsible for acting on the violation. If the creation of work items is enabled in the policy configuration, this is also the person who receives the work item triggered by the violation. |
Description | Description of the violation from the Policy Configuration page. |
Decisions | The available decisions you can make on this violation. |
Details | Click the 3-line menu icon for the option to view details about the item. |
Bulk Decisions | Depending on how the policy was configured, you may have the option to select multiple items and process them in bulk. The Bulk Decisions menu is also where the option to Certify the item is located. |
Violation Decisions and Actions
Note
You cannot take action on your own violations.
Depending on how your system is configured, the following decision options can be available:
Decision | Description |
---|---|
Allow | Select the Allow icon to open the Allow Violations dialog. When you allow, or mitigate, a violation you are setting a time period in which the identity is allowed to work in violation of the policy without affecting compliance or risk. The date field shows the end date of this period, when the violation will reappear in this list and in certifications. Whether or not you can edit the date field depends on how your system administrator has configured your system's Compliance Manager settings. Add any comments necessary to explain this mitigation decision. |
Revoke | Select the Revoke icon to display the detailed view of the violation and make a revocation decision based on the items displayed. You must revoke one complete set of offending roles or the violation remains. Revocations can be done automatically, if your provisioning provider is configured for automatic revocation; by generating a help ticket, if your implementation is configured to work with a help desk solution; or manually, using a work request assigned to an IdentityIQ user. You cannot perform bulk violation revocations, and only Separation of Duties violations can be corrected. |
Delegate | This option is available only when the Enable Line Item Delegation option is enabled in your system's Compliance Manager global settings. Select Delegate Violation to display the delegate violation panel. Use the fields to associate a work item with the selected policy violations and assign it to the appropriate user for corrective action. The owner of a policy, or a compliance officer who is tracking violations, may not be the same person who can make the decision as to how to correct the violation. On the delegate violation panel, enter the full name of the person to whom you are assigning this work item. Entering the first few letters of a name displays a pop-up menu of IdentityIQ users with names containing that letter string. You can also select a recipient from the Manually Select Recipient dropdown list. Enter a description and comments as needed to assist the recipient. |
Bulk Decisions | Select multiple violations and use this option to take bulk actions, such as Allow and Certify. |
Certify | The Certify option is under the Bulk Decisions menu. Select items in your list, then click Certify to open the Schedule Certification page, to set up a certification. From this page you can schedule full certifications for the identities appearing on the policy violations list. You can use this option to provide another way to monitor identities that might be at risk within your enterprise. |
Comments | If this option is enabled, you can add comments. In some instances, you may be required to add comments. |
Details | Select this option to view detailed information. |
These are the available options for specific policy types:
Policy Type | Available Policy Violation Options |
---|---|
Account | Allow, Certify |
Advanced Entitlement Policy | Allow, Certify, Revoke |
Advanced Policy | Allow, Certify |
Entitlement Policy | Allow, Certify, Revoke |
Activity Policy | Allow, Certify |
Risk Policy | Allow, Certify |
SOD Policy | Allow, Certify, Revoke |
After you have made your decisions, click Save.
Policy Violations Complete Tab
The Complete tab lists the items you have made a decision on and saved. The Complete tab contains information about the Identity, Policy Name, Rule, Owner, Description, and Decisions for each policy violation in the list.
Based on how your system is configured, the Complete tab can include these options:
Options | Description |
---|---|
Certify | You can select items in your list and click Certify to open the Schedule Certification page and set up a certification. From this page you can schedule full certifications for the identities appearing on the policy violations list. You can use this option to provide another way to monitor identities that might be at risk within your enterprise. |
Edit Decision | Click Edit to make changes to the decision. |
Details | Select this option to view detailed information. |