[MUSIC PLAYING] Previously, in previous videos, we created a new business role. We made it requestable. And now we want to have a procedure that actually attests that we can check that the members who have access to the role or who are members of the role actually should be the ones that have it now.
To do this, we will create what we call an attestation policy. On the web UI right now, I'm logged in as one of the superusers. So I will go to Governance Administration. Now I'm going to create a new attestation policy. So I click on Attestation Policy Setting, and then I click on the button New Attestation Policy.
We give this policy a name. Now, the procedure decides what kind of relationship are we going to attest or certify. So I have to click on the assign. And as you can see, you can choose from many things here, but what we are interested in right now are role memberships. And as you remember, the user acceptance tester, there was a business role, so we're going to select Business role membership attestation.
The next thing is that we need to decide what kind of policy that applies to it. So, really, who is going to be the attester. And the available one for this specific use case is attestation by business role membership by role manager. So the manager is going to be the one who decides if the current members are the ones who should have access to the role.
The third option you have to select is how often should this attestation run. And typically, these things runs on every half year, every quarter, or perhaps yearly. And we can select anything here. So I'm going to say yearly. And the final thing we need to select here is what roles are we interested in. So I click on the plus sign down there. And the condition we're going to select is, we can obviously do this for all the roles in the system or for specific employees or roles.
There's a lot of options to choose from, but we're going to select the specific roles because we are just going to attest this new role that we created. So I select specific roles, I drill down into Job Roles, and I select the role user acceptance tester. And down in the right-hand corner, you can see if there are any matching objects because it's very easy to create attestation policy with no matching objects.
And this one, if you click on the link here, you can see that these are the members today that exist right now for this user acceptance tester role. So this makes perfect sense. Now, click on the Create button. As you can see, I now have a new attestation policy called role attestation and it's going to run on a yearly basis.
Now, whenever this campaign or attestation policy run actually starts, the person who is responsible for this, they will actually see that, in this case, this user is the attester of the role because he is the role owner. He can now see in his web UI that he has five pending attestations. And as you remember, there were five members of the role, and these are now listed here.
And you can see more information. You can just select one here and you see on the right-hand side this is the actual identity or the person and this is the business role. And you can take decisions here. You can say that this one should have it, this one should not have this. Perhaps something like this. And in the next screen you will save your decisions and you can also enter some reasons.
Now, I have selected attestation cases to be denied. And it means that you will probably lose more than just a role membership because there are entitlements inside a role. So the user interface will actually give you some more information. And if I click on this link here, I will see that not only do you lose the role itself, you will see that the user actually use some system role access as well because it was part of the business role itself.
So this is very informative for the attester. OK? I said no to something and the user will actually lose even more because it was part of that role. And now the attester saves the decision. And in the background the users will lose their role membership for the ones that I selected denial.
Now we're going to take a look at segregation of duty rules. This is typically something you configure to detect and prevent someone to have toxic combination of something, right? Now, previously, we created a business role call user acceptance tester, but we also have other roles configured already inside the solution.
So we take a look in the Manager tool on our business roles, and we can see that we have the user acceptance tester role, and there are four people are a member of this role. We also have another role which is called software developer with a total of five people who have membership in this role.
What we're going to do now is to configure a segregation of duty rule that detects and also ultimately being able to prevent people to have these two role memberships just as an example. So this is also something we configured from the Manager tool. And that is found under the Identity Audit menu here. And then we just simply click on Rules.
Now, there are a couple of rules already configured here, but we're going to create new rules for this purpose. We give the rule a name. We say testers should not be developers. Now, so when we create a rule, we can allow for exception approval. And we are going to do this for this role. And obviously, we need to select who should be able to approve an exception of the role violation, and that's also the role actually. So I select the standard one there.
Now it's time to define the actual logic. So this is a rule. We are looking at all the identities, all the employees in the solution. And what we're going to look at is that Employees has least one role or organization assignment of the type. As you remember, we are going to detect violations for two business roles. So we are going to say, organizational assignment with business role. And we're going to select the full name for the business role.
Now, I have that copied here. And now I can immediately see if there are any employees-- there are four employees who have this role. And secondly, I'm going to add the condition saying pretty much the same thing. I have a role or organizational assignment of the type business role and the full name of that business role.
And I'm just going to see if there are any members on that one. There are five members of that role. And now, on this line here, on the condition, I can actually click on this little information icon. I can see that actually there are three employees who are violating this rule right now, which makes perfect sense. So I'm happy right now. So I'm going to say Save.
It doesn't really enable the rule. I've just now created a new rule, but I need to enable a working copy. So I just simply select that on the tasks here and it says, do you want to activate this rule? Yes. And now I have a new rule being activated. So now I have enabled the working copy of that rule.
Now, the reason why we have working copies is that rules are segregation due to rules. They are automatically version managed. And I can also see now that I have three rule violations. These are the three identities who actually have these toxic combination. They violate the segregation due to rule.
If you are a security officer, for instance, you will receive an email saying that you have conflicts. And if you log onto the web portal, you will see that you have pending rule violations. So this individual just clicks on the pending rule violation. He will see exactly the individuals who are now violating this segregation of duty rule. Testers should not be developers. If I click on the Rule tab over here, I can see exactly which rule is being violated, so testers should not be developers.
And I can do actually three things. I can, as an exception approver, I can say it's OK that this person violates this rule. But I can also say it's not OK, that this person violates this rule, which means that violation will still be flagged as a violation. But what I also can do, I can click on the Resolve button here to actually take away the membership or the entitlement or whatever is causing the segregation of duty rule violation. So if I click on the Resolve button here, it will actually show me that these are the two business roles that causes the violation. And typically, it's enough to take away one of them.
So I'm just going to say remove the user acceptance tester role for this person. The direct assignment will be deleted. And it will also show me that the person will not only lose that role, it also used the system role application role one, which was part of that business role. And I say OK, and I say my decisions. Now, as a security officer, I've done my job, you could say. We have the rule violations under control.
[MUSIC PLAYING]
11:06