Version: Cloud

Create control policy

Control policies are defined by master data administrators. To create a control policy, follow the steps below:

  1. As a master data administrator go to Setup > Master Data > Policies > Control Policies and click New in the top left-hand corner of the screen.

  2. On the New Control Policy page, enter the name, description, and owner of the control policy. The Name and Owner fields are mandatory. The Owner is used when no specific user or group can be determined from the Resolver reference path to address the policy exceptions.

  3. In the Data object type section, specify the type of data the control data set should contain.

  4. Select the type of the data set in the Data set type field. The data set can be a Data object query or an SQL query.

    • Depending on the chosen type of the data set, select:
      • Data set view for the Data object query, or
      • Data set data source for the SQL query


    note

    On-prem only: You can create custom data sets by clicking New in the Select view or Select Data source windows. To create a custom Data source, provide a name and an SQL query in the following format:

    <?xml version="1.0" encoding="utf-8"?>
    <dataSource xmlns="http://schemas.omada.net/ois/2013/DataSourceML" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                connection="." commandtimeout="PT5M" cachePeriod="PT5M" authRole="734e28e7-9779-4d93-9d37-4da81ed0258b,97a987f8-5573-4646-951a-4fd0d5b0bcba">
      <sql>
        <![CDATA[
        SELECT do.Id as DATAOBJ_ID
        FROM tblDataObjectVersionPropertyValueText dovpvt
        left join tblProperty p on p.ID = dovpvt.PropertyID
        left join tblDataObjectVersion dov on dov.ID = dovpvt.DataObjectVersionID
        left join tblDataObject do on do.ID = dov.DataObjectID
        where do.DataObjectTypeID = 949
        and p.SystemName = 'FIRSTNAME'
        ]]>
      </sql>
    </dataSource>

    The query must return one of the following column aliases; the alias tells Omada Identity how to resolve each row to a data object:

    Column              Description
    DATAOBJ_ID          Translates the content directly to a DataObject-Id (Integer).
    DATAOBJ_UID         Translates the content to a DataObject-Id via the UId (GUID).
    DATAOBJ_KEY         Translates the content to a DataObject-Id via the contents of the registered KEY column for the data object type.
    DATAOBJ_PROP_name   Translates the content to a DataObject-Id via the system name of a property ("name") and its contents.
  5. In the Resolver reference path field, specify who should evaluate and remedy the policy exceptions.

    • For example, if a policy is for Data object type Identity and the Resolver reference path states MANAGER, an exception will be assigned to the user stated in the MANAGER property on the identity data object.

    important

    When resolver reference paths are updated, all existing exception objects are reassigned using the paths.

  6. Select the Schedule for the policy. The schedule defines the times at which Omada Identity runs the policy. The Schedule field is only available, and required, for policies in Detective mode.

  7. Select the Policy type. The available types are: Unspecified, Identity, Resource, Other Master Data, Sensitive Access, Privileged Access, and Training.

  8. In the Max violations field, enter the maximum number of unresolved exceptions that Omada Identity may create for the policy. If the value is 0, there is no maximum.

  9. Using the Exception description template field, create a template for the description of policy exceptions. By clicking the plus icon, you can select properties for the template.

  10. If the control policy is a corrective one, add a Corrective action. This action is used to automatically remediate the detected policy violations.

  11. Add a survey template in the Survey template field. This survey is used to handle the detected policy exceptions. Surveys must be defined for the CTRPOLICYEXCEPTION data object type.
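As an added example (not from the Omada documentation or the product itself), the following custom Data source uses the format shown in the note under step 4, but turns the sample query around: instead of listing identities that have a FIRSTNAME value, it lists identities that have none, which is the shape a detective policy data set usually takes, since every row it returns is a violation. It assumes, as the sample does, that DataObjectTypeID 949 is the data object type to check and that the tblDataObject, tblDataObjectVersion, tblDataObjectVersionPropertyValueText and tblProperty tables and the columns used in the sample exist; the authRole GUIDs are copied from the sample and must be replaced with the role IDs of your own installation. Like the sample, it does not restrict the check to the current data object version; add that filter if your schema requires it.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not Omada's own code. Attribute values other than the
     namespace are taken from the page's sample; replace authRole with the
     role IDs of your installation (assumed to list the roles allowed to
     use this data source). -->
<dataSource xmlns="http://schemas.omada.net/ois/2013/DataSourceML"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            connection="." commandtimeout="PT5M" cachePeriod="PT5M"
            authRole="734e28e7-9779-4d93-9d37-4da81ed0258b,97a987f8-5573-4646-951a-4fd0d5b0bcba">
  <sql>
    <![CDATA[
    -- Identities (DataObjectTypeID 949, as in the page's sample; assumption)
    -- that have no FIRSTNAME text value on any of their versions.
    -- The DATAOBJ_ID alias lets Omada Identity resolve each row directly
    -- to a data object (see the alias table under step 4).
    SELECT do.Id AS DATAOBJ_ID
    FROM tblDataObject do
    WHERE do.DataObjectTypeID = 949
      AND NOT EXISTS (
            SELECT 1
            FROM tblDataObjectVersion dov
            JOIN tblDataObjectVersionPropertyValueText dovpvt
              ON dovpvt.DataObjectVersionID = dov.ID
            JOIN tblProperty p
              ON p.ID = dovpvt.PropertyID
            WHERE dov.DataObjectID = do.ID
              AND p.SystemName = 'FIRSTNAME'
          )
    ]]>
  </sql>
</dataSource>
```

The statement sits verbatim inside CDATA and nothing from the user interface is interpolated into it, so keep it that way: a read-only SELECT returning exactly one of the aliases from the table, with no data modification. commandtimeout and cachePeriod are ISO 8601 durations (PT5M is five minutes) that, by their names, cap how long the query may run and how long its result is reused; a policy data set that scans large version tables should be checked against that timeout before it is put on a schedule.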

Selecting a User group as a control policy owner

To allow the selection of a User group in the Owner field in a control policy:

  1. Open the OWNERREF property from the Properties view.

  2. Click Edit lookup view and add User group to the data object type filter. Now you will be able to create the control policy and select a user group as owner.

  3. When you are finished creating the control policy, undo the change made in step 2 to avoid any unexpected behavior in other places where the OWNERREF property is used.

Edit a control policy

By selecting a control policy from the Control Policies list, or by selecting the check box in the left column and clicking the Edit button, you can open the policy's settings and edit them.

You can edit all settings in the control policy. For the description of the fields in the control policy form, refer to the Create a control policy section.

The Edit Control Policy form also contains four additional buttons that give you a further level of control:

  • Exceptions - displays a new window with the currently present policy exceptions. For more information, refer to the Policy exceptions section.
  • History - displays the history of the control policy. The history presents such information as, for example, the date of the creation or modification of the control policy or the actual change in the policy.
  • Run now - allows users to run the control policy. The policy runs in the regular way, the same as it would run according to its schedule.
    • Only Data administrators are able to run control policies.
  • Show data set - displays the data objects contained in the data set used for the policy.

Create a custom survey template (on-prem only)

You can create your own custom survey template to be used with a control policy. It is recommended that you base your survey template on the standard control policy template.

The standard survey template is installed with the Enterprise Server and can be found in the C:\Program Files\Omada Identity Suite\Enterprise Server\Survey templates folder. The filename of the template is ManageControlPolicyExceptionsSurvey.xml.

note

You can provide additional workflow steps to the survey but be aware that assignees of the first workflow step are replaced with values entered in the Resolver reference path property of the Control Policy.

The standard survey template uses the UpdateDataObjectSurveyPostActionHandler survey post-action handler. This post-action ensures that the exception object is updated with the status, comment, and compensating control selected in the survey. It is recommended to keep this post action and to create a separate custom post action for any additional actions.

"Manage control policy exceptions - Specify owner" survey template

The out-of-the-box control policies All resources must have an owner and All systems must have an owner use the Manage control policy exceptions - Specify owner survey template. This survey allows the assignee to specify an owner for the resource or system.

It is advised to use the same survey for control policies of a similar nature where ownership should be set.

If you wish to customize the survey, the survey template is available in the C:\Program Files\Omada Identity Suite\Enterprise Server\Survey templates folder and is named ControlPolicySpecifyOwnerSurveyTemplate.xml.