The Governance Risk Dashboard gives administrators better insight into currently open violations and
lets them remediate those violations with quick actions from an interactive dashboard.
Overview
The Governance Risk Dashboard provides administrators with interactive tools to view the counts of
all violations, risky users, and risky applications. It also lets administrators perform quick
remediation actions with a single click, directly from the dashboard.
The dashboard uses graphics (donut charts, bar graphs) for quick visualization of the violations and
risks in the system, categorized as High, Medium, and Low risk. Each graphic has a legend that
explains its contents. The graphics are scalable and can be zoomed in or out for better visibility.
For some violations, the graphic has a Recommended action section that administrators can use to
perform the remediation actions specific to that violation.
As an administrator, you can see more detailed information about the violations by clicking the
View more link. You are directed to a policy list page that displays all violated policies with
their risk score and number of violations. You can filter the list by risk score, and the search
option lets you find a specific policy.
When you click a policy name, the violation list page is displayed. It shows the user, account,
application, entitlement, and risk score for each violation, along with the risk severity. The
violation list has its own donut chart. As with the policy list, you can filter the violation list
and use the search option.
For risky applications, clicking the View more link takes you to the top risky applications page,
which shows the risky applications along with their violation details. Violations are updated to
reflect changes made in the policy editor.
Using the dashboard
Table 1. Governance Risk Dashboard: violations, their causes, and remediation actions

Violation: Account is orphan
Cause of violation:
- After service reconciliation, the account is not adopted.
- In Manage users → Manage account, the account is marked as Orphan.
Remediation actions for violation:
Mitigation options in the dashboard:
- Delete account
- Suspend account
Other remediation actions:
- Go to Delete person and clear the Delete account check box
- Delete the account
- Delete the service
- Delete the person
- Assign the account to a person
- Go to Adoption Policy and create a user recon service

Violation: Person is suspended, but has one or more active accounts
Cause of violation:
- In Manage users → Suspend person, the Delete accounts check box is cleared.
- The person is already suspended, but in Accounts, the Restore accounts check box is selected.
- The user is suspended and the account is inactive, but only the account is restored.
- In the HR feed person service, Use workflow is not selected, and the existing person is modified
  and suspended.
Remediation actions for violation:
- Make the account inactive
- Delete the person
- Delete the account
- Delete the service
- Restore the person
- Make the account an orphan (manually)
- Change the owner of the active account from the inactive user to an active user in the system
- Change the endpoint and run a recon

Violation: Recertification was approved by self
Cause of violation:
- Campaign recertification for a user entitlement was approved by the user themselves for
  role-based access.
- Campaign recertification for a user entitlement was approved by the user themselves for
  group-based access.
- Campaign recertification for a user entitlement was approved by the user themselves for
  parent-child access.
- Campaign recertification for a user entitlement was approved by the user themselves for custom
  parent-child access.
- The user manager is the reviewer, and the recertification request for the user manager was
  approved by that same user manager.
Remediation actions for violation:
- Delete the service
- Delete access
- Remove access
- Delete account
- Initiate a campaign and have the user manager approve the same accesses
- Delete user
- Remove role membership for the user

Violation: Recertification was approved by someone that no longer exists
Cause of violation: the recertification was approved by a user that no longer exists in the system.
- Campaign recertification for a user entitlement was approved by an approver who was later deleted,
  for role-based access.
- Campaign recertification for a user entitlement was approved by an approver who was later deleted,
  for group-based access.
- Campaign recertification for a user entitlement was approved by an approver who was later deleted,
  for parent-child access.
- Campaign recertification for a user entitlement was approved by an approver who was later deleted,
  for custom parent-child access.
- The user manager is the reviewer, the recertification request for the user was approved by the
  user manager, and the user manager was then deleted or no longer exists.
Remediation actions for violation:
- Remove role membership
- Remove access from account
- Another user approves the recertification request
- Delete account
- Delete user
- Delete service

Violation: Account is non-compliant
Cause of violation:
- The provisioning policy is set to automatic.
- The person is modified.
- The policy is modified.
- The account is modified.
Remediation actions for violation:
Mitigation options in the dashboard:
- Delete account
- Suspend account
Other remediation actions:
- Take corrective action on the account to make it compliant (for example, add the mandatory
  accesses)
- Delete service
- Delete account
- Make the required changes on the endpoint and run a recon
- Modify the policy to remove the mandatory access

Violation: Recertification is overdue
Cause of violation: the access has not been certified for 3 months. This applies to campaigns with a
duration of 3 months or more.
Remediation actions for violation:
- Another campaign runs for the same service and the accesses are recertified
- Delete account
- Delete service
- Delete person
- Remove role
- Remove access

Violation: Account is dormant
Cause of violation:
- The user has not logged in to the endpoint for more than 90 days using a service-based account.
- The user has not logged in to the console/ISC for more than 90 days using the ITIM account.
Remediation actions for violation:
Mitigation options in the dashboard:
- Delete account
- Suspend account
Other remediation actions:
- Log in as the user to the endpoint
- Log in as the user to the console or ISC
- Change the lastaccessdate value in LDAP
- Delete account
- Delete service
- Delete user
Note that the first three actions clear the dormant flag by refreshing the last-access time; they do
not change the access that the account holds.

Violation: Account has sensitive access
Cause of violation:
- The account has one sensitive access (one violation is flagged).
- The account has multiple sensitive accesses (two violations are flagged).
- A user with sensitive access is added to the risky users.
- Entitlements are added to the risky entitlements.
- An orphan account with sensitive access is adopted by a person and is then flagged as sensitive.
- Risky applications are flagged as risky violations.
Remediation actions for violation:
- Remove the sensitive access from the account in ISC
- Remove the account from the sensitive access in the console
- Assign mitigation. When you click the Assign mitigation link, the already assigned mitigation is
  deselected. You can assign multiple mitigations from the Risky user pop-up window.
- Delete user
- Delete account
- Delete service

Violation: Separation of Duty
Cause of violation: the access violates SoD constraints.
Remediation actions for violation:
- Remove access from account
- Assign mitigation. When you click the Assign mitigation link, the already assigned mitigation is
  deselected. You can assign multiple mitigations from the Risky user pop-up window.
- Delete user
- Delete account
- Delete service