Configuration
Here, you can learn about an alternative SoD process setup, the configurable customer settings, and the customizations that an organization may implement.
Configuration of the object
The process can be adapted through the configuration object named SoD process configuration, which is validated against the SoDConfigurationML schema.
You can configure the Evaluate Identity Violations process in several ways: changing the assignees of each activity, copying the process and adding another step, choosing which columns are shown in the grid, and choosing whether to evaluate on the level of individual assignments or of assigned roles. All of this is done by editing the SoD process configuration object.
Configure the assignees
It is possible to configure the assignees for each activity in the process template. An activity can be assigned to users starting from the Identity object. The default assignee is the Effective manager for the Evaluate activity and the group Security Officers for the Approve violations activity.
You can use an assignee expression that is a reference path, virtual reference property, or a user group. The reference path and a virtual reference property must begin with the Identity object.
The startObjectType can only be Identity or Constraint, as defined in the SoD XSD:
<xs:simpleType name="startObjectType">
  <xs:restriction base="xs:string">
    <xs:enumeration value="Identity" />
    <xs:enumeration value="Constraint" />
  </xs:restriction>
</xs:simpleType>
Examples:
- Virtual reference property: /$EffectiveManager
- ReferencePath: /OURREF/C_SODEVALUATOR
- Group: Group: Security Officers
Add constraint owners as evaluators or approvers
It is possible to assign the steps of the Evaluate identity violations process to Constraint owners as either evaluators or approvers. It is possible to add one or multiple users or user groups as Constraint owners. To modify the process so that one or both steps of the process are sent to a Constraint owner, you need to modify the following in the SoD process configuration:
  startObject="Constraint"
  expression="/CONSTRAINTOWNER"
In a situation where no owner is assigned to a constraint, the process behaves as it did before when the assignee expression could not be resolved:
- If the assignee of the 1st activity is set to Constraint owner, the first task/activity (Evaluate identity violations) for this specific constraint is instead assigned to the manager of the identity whose violations are evaluated (or to a system administrator if the identity has no manager).
- If the assignee of the 2nd activity is set to Constraint owner, the second task/activity (Review evaluation of violations) is instead assigned to the system administrator.
Add another step to a process
1. Go to the Process templates view and create a copy of the Evaluate Identity Violation process.
2. Open the newly created copy, right-click on the screen (while pressing the Ctrl key) and select the Form data uid.
3. Click Designer and repeat step 2 for all actions and steps of the process, to find and save the Form data uid of each.
4. Go to Setup > Administration > Configuration objects and open the SoD process configuration object.
5. Save the original XML in a separate file, for backup purposes.
6. Paste the saved Form data uids into the XML in all required places (activities and actions).
7. Go back to Process templates, open the copy you created and click Designer.
8. Add a new Activity and insert it between the existing activities, with transitions.
9. Open the activity and collect its Form data uid.
10. Go back to the Configuration objects view and, in the XML of the SoD process configuration object, insert the new activity between the existing activities, with its own Form data uid. Make sure you change the AssigneeExpression to a new group.
11. Click OK to save.
Audit Trail Report actor role
Each decision in each activity is saved in Audit Trail Reports. The value that identifies the actor of a decision in the audit trail report is set by the actorRole attribute, for example actorRole="SecurityOfficer".
By default, a Manager role is set for the first activity and a Security officer role is set for the second.
If both activities are executed by the same user and the actorRole is the same for both activities, only one decision is recorded in the report. If two different users are assigned to the activities, each task can be decided by only one user.
Configure the grid
The configuration contains all columns possible to show in the assigned resources grid in the evaluation process. The columns are displayed in the same order in which they are listed in the configuration file. The resource will always be present in the grid.
To remove a column, you should comment the line out instead of removing it.
Skip compensating control
This setting allows the organization to choose whether to require a compensating control when allowing a violation for an identity. The setting is set to false by default.
A complete SoD process configuration object, for reference:
<?xml version="1.0" encoding="utf-8"?>
<SoDConfiguration evaluationProcessTemplateUId="717c87fb-d13c-4cdf-a78a-22483cdf72f8" xmlns="http://schemas.omada.net/ois/2021/SoDConfigurationML" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AssignedResourcesGridColumns>
    <AssignedResourcesGridColumn name="accountName" />
    <AssignedResourcesGridColumn name="resourceType" />
    <AssignedResourcesGridColumn name="system" />
    <AssignedResourcesGridColumn name="attributes" />
    <AssignedResourcesGridColumn name="validFrom" />
    <AssignedResourcesGridColumn name="validTo" />
    <AssignedResourcesGridColumn name="complianceStatus" />
    <AssignedResourcesGridColumn name="reasons" />
  </AssignedResourcesGridColumns>
  <Activities>
    <Activity templateUId="b103aa19-a783-413e-8eb7-734dd86677d5" actorRole="Manager">
      <AssigneeExpression startObject="Identity" expression="/$EffectiveManager"/>
    </Activity>
    <Activity templateUId="f0b5ae5d-73b9-4479-b060-d0ed20b9fb24" actorRole="SecurityOfficer" rejectTransitionUId="eaef47c8-63ca-410a-8808-eff8c2a8ea56" approveTransitionUId="d46d3942-9860-477d-80ed-7b797467af4e">
      <AssigneeExpression startObject="Identity" expression="Group:Security officers"/>
    </Activity>
  </Activities>
  <Settings requireCompensatingControl="true"/>
</SoDConfiguration>
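As an added pre-deployment check (not Omada's own code), the following Python lint applies the rules from the assignee, Constraint owner and actor role sections to a constructed SoD process configuration before it is pasted into the configuration object: startObject must be Identity or Constraint, the assignee expression must be a reference path, virtual reference property or Group: reference, and the activities should not all share one actorRole. The function name and the sample XML are assumptions; the UIDs in the sample are the ones shown on this page.

```python
import re
import xml.etree.ElementTree as ET

NS = {"s": "http://schemas.omada.net/ois/2021/SoDConfigurationML"}
ALLOWED_START_OBJECTS = {"Identity", "Constraint"}  # startObjectType enumeration in the XSD
UID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def lint_sod_configuration(xml_text: str) -> list:
    # Returns the list of findings; an empty list means the configuration passed.
    findings = []
    root = ET.fromstring(xml_text.encode("utf-8"))
    roles = []
    for i, act in enumerate(root.findall("s:Activities/s:Activity", NS), start=1):
        if not UID_RE.match(act.get("templateUId", "")):
            findings.append(f"activity {i}: templateUId missing or not a UID")
        role = act.get("actorRole")
        if not role:
            findings.append(f"activity {i}: actorRole missing")
        roles.append(role)
        ae = act.find("s:AssigneeExpression", NS)
        if ae is None:
            findings.append(f"activity {i}: AssigneeExpression missing")
            continue
        start = ae.get("startObject")  # attribute names are case-sensitive: "StartObject" is not seen
        if start not in ALLOWED_START_OBJECTS:
            findings.append(f"activity {i}: startObject must be Identity or Constraint, got {start!r}")
        expr = ae.get("expression", "")
        if not (expr.startswith("/") or expr.startswith("Group:")):
            findings.append(f"activity {i}: expression {expr!r} is not a path, virtual property or Group: reference")
    if len(roles) > 1 and len(set(roles)) == 1:
        findings.append("every activity uses the same actorRole; the audit trail may then record one decision only")
    return findings


# Constructed sample: activity 1 routes to the Constraint owner; activity 2 has the
# attribute misspelled as "StartObject", so the schema-level attribute is missing.
SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<SoDConfiguration evaluationProcessTemplateUId="717c87fb-d13c-4cdf-a78a-22483cdf72f8"
    xmlns="http://schemas.omada.net/ois/2021/SoDConfigurationML">
  <Activities>
    <Activity templateUId="b103aa19-a783-413e-8eb7-734dd86677d5" actorRole="Manager">
      <AssigneeExpression startObject="Constraint" expression="/CONSTRAINTOWNER"/>
    </Activity>
    <Activity templateUId="f0b5ae5d-73b9-4479-b060-d0ed20b9fb24" actorRole="SecurityOfficer">
      <AssigneeExpression StartObject="Identity" expression="Group:Security officers"/>
    </Activity>
  </Activities>
</SoDConfiguration>"""
```

Running `lint_sod_configuration(SAMPLE)` reports the second activity's missing startObject, which the page says would otherwise surface only as a fallback to the system administrator at run time.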
Customer settings
The following customer settings are available for the configuration of SoD features:
Common name | System name | Description
---|---|---
SoDEvaluationExpiryDays | SoDEvalExpDays | The default validity period for a violation evaluation
SoDReEvaluationClearReason | SoDReEvaluationClearReason | SoD re-evaluation processes clear the reason text. This can be prevented with this setting.
SoDReEvaluationClearCompControl | SoDReEvaluationClearCompControl | SoD re-evaluation processes clear the compensating control. This can be prevented with this setting.
EnableRAExpirAction | EnableRAExpirAction | Set to True by default; it makes the Expire button visible in an Evaluate violation task.
Customizations on-prem
Organizations can customize some parts of the SoD process if this is relevant.
Extension points in OIM_SoDReview.js
You can extend the Violation evaluation form with the extension points available in the OIM_SoDReview.js class. For more information, refer to:
- The API documentation.
- The Role and Policy Engine documentation, for information about the RoPE extension model, which includes extensions related to SoD.
Extension point | Description
---|---
omada.sodReview.GetColModel() | Modify the colModel for the grid.
omada.sodReview.AddResourceAssignmentToGrid() | Allows you to not show a row in the grid.
omada.sodReview.GetAdditionalInfo() | Add or modify the row data, for example adding data to an additional column.
omada.sodReview.ValidateCommit() | Custom validation of the input.
omada.sodReview.AddAdditionalCommitInfo() | Add additional information to the Commit info popup screen.
omada.sodReview.ProcessUserDecisions() | Post-processing of the user's decisions.
omada.sodReview.AddReasonInfo() | Add additional information to the dialog box where you must specify a reason.