Configure and Manage Event-based Access Reviews

You can perform micro certifications in Oracle Access Governance using Event-Based Access Reviews. You can configure one or more predefined event types that, when triggered, launch access reviews automatically. You can choose to auto-approve low-risk items, or reviewers can certify, that is, accept or revoke, the access associated with the event.

Configure Change Event Access Review

Configure Change event access reviews from the Event-Based Setup > Change page to trigger an access review automatically whenever a change in an identity profile is detected.

Here's how you can configure Change events:
  1. Log on to the Oracle Access Governance Console with a user assigned the Administrator application role.
  2. Select the Navigation Menu.
  3. Click Access Reviews and then Event-Based Setup. The Event-Based Setup landing page is displayed.
  4. On the Event-Based Setup page, select the Change tab. A list of available change events is displayed. Each change event has a status of Enabled or Disabled and an Actions drop-down menu, providing the option to Edit or View details.
  5. Select Edit for the event type you want to enable.
  6. On the Configure the event type screen:
    1. To enable this event type, in the Enable or disable this event-based access reviews option, select Enable.
    2. If you want to auto-approve low-risk tasks for this event type, select Yes.
  7. Choose an approval workflow for this event type access review. A list of the available workflows is visible. For more details, see Create Approval Workflow and Manage Approval Workflow. Once you have selected your workflow, select the View approval workflow link to see a graphical representation of the selected workflow.
  8. Select the scope of justification required for review decisions. You can require reviewers to add comments for all review decisions, for revoke decisions only, or keep the justification field optional.
  9. Select Save.

Configure Shared Workflow for Multiple Change Events

A shared workflow, or multi-event access review, is used whenever multiple change events are triggered for a single identity within a short span of time.

To configure the shared workflow:

  1. Log on to the Oracle Access Governance Console with a user assigned the Administrator application role.
  2. Select the Navigation Menu. Click Access Reviews and then Event-Based Setup. The Event-Based Setup landing page is displayed.
  3. On the Change tab, select Edit shared workflow.
  4. On the How do you want multi-event reviews to proceed? screen:
    1. Confirm whether you want to auto-approve low-risk tasks for this event type by selecting Yes or No.
    2. Choose an approval workflow for this event type access review. A list of the available workflows is visible. For more details, see Create Approval Workflow and Manage Approval Workflow. Once you have selected your workflow, select the View approval workflow link to see a graphical representation of the selected workflow.
    3. Select the scope of justification required for access review decisions. You can require reviewers to add comments for all review decisions, for revoke decisions only, or keep the justification field optional.
    4. Select the access review owner for this event type access review. By default, it is assigned to the administrator who configures this event type. Consider Fallback Mechanism in Access Review before adding an owner.
    5. Select Save.

Configure Timeline Event Access Reviews

Configure Timeline event access reviews from the Event-Based Setup > Timeline page to trigger an access review automatically every year on a particular date, such as a job anniversary. By default, no automatic timeline event changes are preconfigured. You must have at least one date attribute configured to enable this event type.

Here's how you can configure Timeline events:
  1. Log on to the Oracle Access Governance Console with a user assigned the Administrator application role.
  2. Select the Navigation Menu.
  3. Click Access Reviews and then Event-Based Setup. The Event-Based Setup landing page is displayed.
  4. On the Event-Based Setup page, select the Timeline tab.
  5. To create events, select the Create timeline event button.
  6. On the Add a new timeline event configuration screen:
    1. Select a date attribute in the Which date attribute should the event be triggered from? list. Date attributes are identity attributes with a Date type that are enabled for event-based campaigns. For further details on defining attributes, review View and Configure Identity Attributes.
    2. Enter the number of days prior to the annual event date when the event should be triggered.
    3. Enter a unique event name in the What do you want to name this event? field.
    4. Choose to Enable or Disable the event type.
    5. Select Yes to auto-approve low-risk review tasks for this event type; otherwise, reviewers make decisions manually from the My Access Reviews > Identity page.
  7. Select the system for which you want to enable this event type. Based on your selection, a list of applicable applications is displayed.
  8. Select the applications you want to include in the timeline event change. By default, all applications are included in the review.
  9. In the Choose your Workflow section:
    1. Choose an approval workflow for this event type access review. Consider Self Certification Guardrails and Fallback Mechanism in Access Review before configuring this workflow. For more details, see Create Approval Workflow and Manage Approval Workflow. Once you have selected your workflow, select the View approval workflow link to see a graphical representation of the selected workflow.
    2. Select the scope of justification required for review decisions. You can require reviewers to add comments for all review decisions, for revoke decisions only, or keep the justification field optional.
    3. Select the access review owner for this event type access review. By default, it is assigned to the user who configures this event type. Consider Fallback Mechanism in Access Review before adding an owner.
  10. Select Save to enable the event type changes.

Configure Unmatched Accounts Access Review

Configure unmatched account event access reviews from the Event-Based Setup > Unmatched accounts page to trigger an access review automatically whenever an orphan account is detected in Oracle Access Governance. Reviewers can review access for the unmatched accounts from the My Access Reviews > Ownership page.

Create an Unmatched Accounts Event

To create unmatched account events, complete the following tasks:
  1. Log on to the Oracle Access Governance Console with a user assigned the Administrator application role.
  2. Select the Navigation Menu. Click Access Reviews and then Event-Based Setup. The Event-Based Setup landing page is displayed.
  3. On the Event-Based Setup page, select the Unmatched accounts tab.
  4. To create an unmatched account event configuration, select the Create an unmatched accounts event button. You are directed to the Add a new unmatched account event configuration page.

Configure an Unmatched Accounts Event

  1. In What do you want to name this event?, add a meaningful name for the unmatched accounts event type.
  2. To enable this event type, in the Enable or disable this event-based access reviews option, select Enable.
  3. If you want the reviewer to take actions on the access reviews for unmatched accounts, in the auto remove unmatched accounts option, select No.
  4. To automatically remove all unmatched accounts reported by this event, in the auto remove unmatched accounts option, select Yes. All unmatched accounts will be removed from your environment including Oracle Access Governance and any Managed Systems from which the account was ingested.
  5. Select one or more orchestrated systems for which you want to set up this event. By default, all the orchestrated systems are considered for the unmatched accounts event.
  6. In the Choose your Workflow section:
    1. Choose an approval workflow for this event type access review. For more details, see Create Approval Workflow and Manage Approval Workflow. Once you have selected your workflow, select the View approval workflow link to see a graphical representation of the selected workflow. You can select:
      • Application Owner, where the access review owner is assigned as the reviewer or certifier. Consider Self Certification Guardrails and fallback process before configuring this workflow.
      • Custom User, where any active identity available in Oracle Access Governance can be assigned as the reviewer.
    2. Select the scope of justification required for review decisions. You can require reviewers to add comments for all review decisions, for revoke decisions only, or keep the justification field optional.
    3. Select the access review owner for this event type access review. By default, it is assigned to the user who configures this event type. Consider fallback process before adding an owner.
  7. Select Save.

View Event Details

As an Administrator, you can view details on each event type configured for your application in the Oracle Access Governance Console. You can view the date when the event was enabled, the selected rules and systems for the event type, and approval process details, along with the campaign owner.

To view event-based settings:

  1. Select the Navigation Menu. Click Access Reviews and then Event-Based Setup. The Event-Based Setup landing page is displayed.
  2. Select View details from the Actions drop-down menu for the event type you want to view. The Event - <event type name> screen is displayed with the event details.

Edit Event-based Access Reviews

Update the existing event details, as follows:

  1. Select the Navigation Menu.
  2. Click Access Reviews and then Event-Based Setup. The Event-Based Setup landing page is displayed.
  3. On the Event-Based Setup page, select the tab for the event type: Change, Timeline, or Unmatched accounts.
  4. From the Actions menu, select Edit.
  5. Update the details and select Save.

Delete Event Type for Access Reviews

As an Administrator, you can delete Timeline or Unmatched Accounts events. You can disable the Change event but cannot delete it.

Delete an existing event type, as follows:
  1. Select the Navigation Menu.
  2. Click Access Reviews and then Event-Based Setup. The Event-Based Setup landing page is displayed.
  3. On the Event-Based Setup page, select either the Timeline or the Unmatched accounts tab.
  4. From the Actions menu, select Delete.