Access Governance
Security breaches cost organizations millions of dollars each year, and security is only as strong as its weakest link. You must comply with regulatory requirements while safeguarding customer information. The key to enforcing compliance is visibility into security information, such as the type of access allowed throughout your infrastructure. You must also review access information periodically to ensure that the right people have the right level of access to the right resources. To achieve this, automate the related tasks and make it easy for your organization to make security-related decisions.
As enterprises grow and move into a multi-cloud environment, maintaining the right security posture becomes a bigger challenge. As the number of systems on-premises and across the cloud grows, governing identities and access to systems becomes more complex. Manual control no longer works effectively. Automated and intelligent solutions that use artificial intelligence (AI) and machine learning (ML) are required for effective governance. This applies to a number of security-related tasks, such as user provisioning and de-provisioning, workflow-based access control, visibility into who has access, access reviews, and certifications.
When identities are ungoverned, it can pose several issues and risks to the enterprise. The following information summarizes these challenges:
- There is lack of visibility into who has access to what, increasing risk.
- When left unchecked, access privileges accumulate.
- Overly permissive and generalized policies grant permissions that are broad or unrestricted.
- Multi-cloud and hybrid environments cause duplication of identities and inconsistency across systems.
- Managing and governing identities and access manually leads to complexity and scalability issues.
- The identity and access-rights data that must be aggregated, correlated, and orchestrated is distributed throughout your IT ecosystem, leading to inconsistencies.
- Lack of real-time analytics leads to decision making based on stale identity and access information.
To address these challenges, implement solutions based on advanced identity governance and administration (IGA) capabilities that provide intelligent, real-time abilities (such as prescriptive analytics) to identify anomalies and mitigate security risks effectively.
Identity Governance and Administration
Gartner defines IGA as an enterprise solution to manage digital identity life cycle and govern user access across on-premises and cloud environments. To accomplish this, IGA tools aggregate and correlate disparate identity and access rights data that's distributed throughout the IT landscape to enhance control over human and machine access.
IGA is a set of policies and technologies for managing digital identities and access rights, and it takes a broad approach to both. The goal of IGA is to ensure that only authorized users have access to the resources they need to do their jobs, to improve compliance, and to streamline business processes. IGA solutions typically include features for identity lifecycle management, access governance, and reporting and analytics:
- Identity lifecycle management: The processes involved in creating, managing, and retiring user identities. This includes tasks such as onboarding new employees, offboarding terminated employees, and managing changes to user roles and permissions.
- Access governance: The practice of ensuring that users only have access to the resources they need to do their jobs. This includes tasks such as assigning permissions, enforcing least privilege, and auditing access activity.
- Reporting and analytics: Provides you with insights into your identity and access data. This information can be used to identify potential risks, improve compliance, and make better decisions about identity management.
IGA is an important part of your overall security posture. Implementing IGA solutions provides the following benefits:
- Reduced security risks: IGA can help you reduce security risks by ensuring that only authorized users have access to sensitive data. This can be done by implementing features such as least privilege, role-based access control, intelligent insights, and segregation of duties.
- Improved compliance: IGA can help you improve compliance with regulations such as Sarbanes-Oxley, 21 CFR Part 11, Gramm-Leach-Bliley, Health Insurance Portability and Accountability Act (HIPAA), and General Data Protection Regulation (GDPR). This can be done by providing features for managing access to sensitive data, tracking user activity, and generating reports.
- Simplified self-service: IGA can help you streamline business processes by automating identity management tasks such as onboarding and offboarding users and assigning permissions. This can free up IT staff to focus on other tasks and improve the efficiency of the organization.
- Cost savings: IGA can help you save costs and save time through efficient, user-friendly dashboards, code-less workflows, and wizard-based application onboarding.
The purpose of IGA is to manage the complex array of access rights and identity repositories within organizations, both on-premises and in the cloud. It ensures appropriate access to resources across highly connected IT environments.
Some of the key capabilities for a complete IGA suite to meet a typical organization's needs are:
- Identity life cycle management
- Entitlement management
- Support for access requests
- Workflow orchestration
- Access certification
- Provisioning by way of automated connectors
- Analytics and reporting
- Policy and role management
- Password management
- Segregation of duty
Some of these capabilities are more essential to an IGA solution than others. This list describes the capabilities generally expected in an IGA solution.
Oracle Access Governance
Oracle Access Governance is a cloud-native solution that helps meet access governance and compliance requirements across many applications, workloads, infrastructures, and identity platforms. It continuously discovers identities, monitors their privileges, learns usage patterns, and automates access review and compliance processes with prescriptive recommendations to provide greater visibility into access across an organization's entire cloud and on-premises environment. Access Governance simplifies certification campaigns for compliance and intelligently suggests actions to reduce risk across the organization.
Access Governance provides a comprehensive governance solution that runs with other identity solutions in a hybrid deployment model. Organizations that opt for a hybrid model can take advantage of advanced capabilities available from cloud-native services, while retaining parts of their on-premises IAM Suite for compliance or data residency requirements. The service enables ad-hoc, periodic, and automated event-based micro-certifications, such as an access review triggered by a job code or manager change. It can perform near real-time access reviews and provides detailed recommendations, along with options for reviewers to accept or revoke an entitlement based on the identified risk level.
Access Governance is needed to manage access to multiple capabilities for users in an organization. In a complex environment where a user has access to multiple applications running in an on-premises, cloud, or hybrid environment, it's important to ensure that the user has the right amount of access to perform their work without granting them excessive access that can be misused.
Organizations need to have visibility into who has access to what and the ability to define various violations to prevent dangerous combinations of access. Access Governance helps you document access and gain insights into access usage to detect and prevent any potential misuse.
Oracle Access Governance offers an intelligent and intuitive platform that enables discovery of identities, monitoring of access, and mitigation of risks across both multi-cloud and on-premises resources by leveraging AI and machine learning. It automates remedial actions and enforces compliance with corporate policies, reducing the burden on IT and security teams.
Access Governance Architecture
The following diagram shows the high-level functional architecture of Oracle Access Governance. At the core, it provides a number of functional IGA capabilities, including identity orchestration, analytics and insights, access and policy review campaigns, access control, audit, and compliance. It provides connectors to integrate with a number of on-premises systems, cloud services, and software as a service (SaaS) applications.
Organizations generally have multiple applications, Oracle e-Business Employee Reconciliation (HRMS), and identity management systems. These different systems can be included in Access Governance, which in turn, correlates the identities. Access Governance helps identify how they got the access, what access they have, and how they're using it. Based on this, identity risk can be controlled. In the Cloud services and On-Premises areas on the right-hand side of the diagram, there are multiple cloud services and on-premises systems with access that needs to be controlled for these identities.
Access Governance Capabilities
The core functional areas of Oracle Access Governance are:
- Identity orchestration
- Access control
- Governance and compliance
- Identity intelligence
The following diagram shows the key capabilities in each of these functional areas.
Identity Orchestration
Identity orchestration integrates an organization's multiple identity systems across clouds and on-premises identity systems. It enables consistent identity and access to applications regardless of where they run and their identity provider. It's an essential capability for complex multi-cloud and hybrid environments where a single user might have multiple identities in disparate systems.
The key capabilities related to identity orchestration are:
- Connected systems
- Codeless integration
- Custom identity attributes
- Identity marking
Connected Systems
Oracle Access Governance can be integrated with target identity systems by defining a connected system. A connected system allows you to load data from a remote target identity system into Oracle Access Governance. The connected system defines the parameters, such as connection details, that are required to access the remote identity data. Where a direct connection between Oracle Access Governance and the target identity system isn't possible, an agent might be deployed to act as a bridge between the two.
A connected system is the footprint definition for a target identity system that can be integrated with and provide data to Oracle Access Governance. After it's defined, the connected system enables integration and data synchronization between target identity systems and Oracle Access Governance through a direct connection or an agent.
The core component of the access governance cloud service is the access governance instance that provides physical separation of data and configuration for Access Governance. In the On-Premises area of the left-hand side of the diagram, there's an example of on-premises connected systems. Some of these systems might be authoritative sources that manage identity information. Some could be target systems in which you want to manage access to the resources.
Codeless Integration
One of the key design principles of Access Governance is to enable codeless and intuitive integration with connected systems. Most on-premises systems use an agent-based architecture to integrate with Access Governance. For each connected system where no direct connection between Access Governance and the target system is available, an agent is generated when the connected system is configured. The agent must be downloaded and run in order to integrate the connected system with Access Governance. The agent is typically a container image that runs as a microservice. You can have one or more of these systems connected to Access Governance.
The previous diagram shows the integration of Oracle Identity Governance (OIG) and Access Governance. OIG is integrated with Access Governance through an OIG agent that can run in the same virtual machine (VM) as OIG, or in a standalone VM instance with a compatible container engine, either Docker or Podman.
Cloud-based connected systems might also be authoritative sources or target systems. For many of the cloud-based connected systems, direct integration is provided. For example, you can integrate with OCI IAM using an API key. The following diagram shows the integration of Oracle OCI with Access Governance.
You can establish a connection between Oracle Cloud Infrastructure Identity and Access Management (OCI IAM) and Oracle Access Governance by entering connection details and configuring your cloud service provider environment. To achieve this, use the Connected Systems option in the Oracle Access Governance Console. This integration is done through an API Key. An API Key is created for the AGCS user and configured in the connected systems page. Once connected, policy reviews can be performed for the OCI policies.
Custom Identity Attributes
Oracle Access Governance automatically fetches core and custom attributes defined in a connected system. Details of attributes are automatically loaded into Access Governance when data is loaded from a connected system. If you create further custom attributes in the target system, following initial data load, you can refresh the custom attributes in the Access Governance schema so that the latest custom attributes are included in the next data load.
You can use these attributes in Oracle Access Governance to perform various functions, such as running access review campaigns, choosing identities for identity collections, defining event-based certifications, or applying attribute conditions to enable or disable parts of the available identity data set.
Identity Marking
The identity marking feature lets administrators activate or inactivate identities within the service, and flag identities as workforce or consumer users. It's important to understand the meaning of this terminology in Access Governance.
- Active identities: Identities flagged as active within the Oracle Access Governance service, which enables the main features including access reviews and access control.
- Inactive identities: Identities flagged as inactive within the Oracle Access Governance service, which are not governed by Access Governance and not considered for billing.
- Workforce Users: Users who are typically employees that require access to Access Governance and whose identities are actively governed. These users can actively perform review or management activities in AG.
- Consumer Users: Users who have no access to the Access Governance service and whose access privileges need to be assigned or managed by others.
One of the first steps in configuring Access Governance is to mark identities appropriately as workforce or consumer users and activate them within the Access Governance system.
Access Control
Access control provides a centralized way to manage access to resources. It uses a variety of techniques, including role-based access control (RBAC), attribute-based access control (ABAC), and policy-based access control (PBAC) to ensure that users only have access to the resources they need to do their jobs. Organizations use access control to help improve security posture. Access control includes:
- Access requests
- Approval workflows
- Identity collections
- Access bundles
- Roles (RBAC)
- Policies (PBAC)
Access Requests
As an Oracle Access Governance user, you can request access to resources and roles. Requests can be made for yourself or for others. This process creates an access request that's granted without further action or is subject to an approval workflow.
- The process uses a self-service approach with a simplified access catalog.
- Access Governance provides a modernized user experience for raising and tracking access requests and approvals.
- The approval workflow is customizable to the needs of the organization.
- Access Governance improves productivity by automating fulfillment of approved access privileges.
Approval Workflows
Every permission or role that needs to be assigned to a user must be processed through an approval workflow. As a resource administrator, you must design the workflow by specifying the required approval level and the number of approvers. You can use these workflows to obtain approvals before assigning or revoking user privileges.
For example, when a user requests access to an access bundle by way of Access Governance, the approval workflow associated with that access or permission triggers a notification through email to the approvers, who then review the request and approve it, reject it, or can request more information. The result of the approval process is updated in the permissions management system.
Workflows provided out of the box with Oracle Access Governance include the following features:
- Reviewers are notified about assigned and pending access reviews.
- Oracle Access Governance supports one-level, two-level, and three-level access review workflows.
- Access reviews can be accepted or revoked.
Workflows in Oracle Access Governance enable:
- Fully configurable workflow creation with no coding.
- Workflows that support multi-stage approvals where the approvers can be configured.
- Ability to configure whether all or only one of the approvers must approve the request.
- Intelligent workflow suggestions based on selected criteria.
- Support for escalation approvers in cases where the approvers didn't take action.
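To make the workflow features listed above concrete, here is an added example (not Oracle's workflow engine or API) that evaluates a multi-stage approval: each stage has configurable approvers, an all-of or any-of mode, and an escalation approver who becomes eligible to decide once the stage's SLA has elapsed without action. The `Stage` and `Decision` types, the day-based SLA, and the sample workflow are constructed for the example.

```python
from dataclasses import dataclass

# Added example (not Oracle's workflow engine): a small evaluator for multi-stage
# approvals. Stage, Decision and the sample workflow below are constructed.

@dataclass(frozen=True)
class Stage:
    approvers: tuple                # identities who may decide at this level
    mode: str = "all"               # "all": every approver must approve; "any": one is enough
    escalation_approver: str = ""   # may decide only after sla_days elapse without a decision
    sla_days: int = 7

@dataclass(frozen=True)
class Decision:
    approver: str
    outcome: str                    # "approve", "reject" or "info" (more information requested)

def evaluate_stage(stage, decisions, day):
    """Return 'approved', 'rejected', 'pending' or 'escalated' for one stage on the given day.
    A decision by the escalation approver is ignored until the stage is overdue."""
    overdue = day > stage.sla_days and bool(stage.escalation_approver)
    eligible = set(stage.approvers) | ({stage.escalation_approver} if overdue else set())
    votes = {d.approver: d.outcome for d in decisions if d.approver in eligible}
    if "reject" in votes.values():
        return "rejected"           # any rejection ends the request
    if overdue and votes.get(stage.escalation_approver) == "approve":
        return "approved"           # escalation approver decides on behalf of the level
    approved = {a for a in stage.approvers if votes.get(a) == "approve"}
    if stage.mode == "any" and approved:
        return "approved"
    if stage.mode == "all" and approved == set(stage.approvers):
        return "approved"
    return "escalated" if overdue else "pending"

def evaluate_request(stages, decisions_by_stage, day):
    """Stages run in order. Return (state, index of the first stage that is not approved);
    the index equals len(stages) when every level has approved."""
    for index, stage in enumerate(stages):
        state = evaluate_stage(stage, decisions_by_stage.get(index, ()), day)
        if state != "approved":
            return state, index
    return "approved", len(stages)

# Constructed two-level workflow: a manager (any-of) and then both application owners
# (all-of), with a director as the escalation approver for the second level.
WORKFLOW = (
    Stage(("manager1", "manager2"), mode="any"),
    Stage(("owner1", "owner2"), mode="all", escalation_approver="director", sla_days=5),
)

if __name__ == "__main__":
    decisions = {0: [Decision("manager1", "approve")], 1: [Decision("owner1", "approve")]}
    print(evaluate_request(WORKFLOW, decisions, day=3))   # second level still pending
    print(evaluate_request(WORKFLOW, decisions, day=9))   # overdue: escalated to the director
```

The evaluator deliberately treats an "info" outcome as no decision, so a request stays pending (and later escalates) while the approver waits for more information; a single rejection at any level stops the request without consulting later levels.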
Identity Collections
Attribute-based access control (ABAC) is a method of controlling access to resources based on the attributes of the user and the resource. Attributes can include the user's job function, department, location, and time of day. Access Governance uses identity collections for ABAC.
Identity collections are groups of identities based on shared attributes or named identities. These identities are onboarded from connected systems using identity orchestration.
Identity Collections simplify tasks by letting you configure features for a collection of identities, instead of for each identity. You can use identity collections to:
- Associate identities with appropriate access bundles or roles using policies.
- Delegate Access Review tasks to an Identity Collection.
- Assign as approvers in approval workflows.
Access Bundles
Enterprises have multiple applications and services to which access needs to be controlled. Each of these applications might define multiple permissions that need to be granted based on the role of the user. Sometimes these permissions are coarse grained and sometimes they are fine grained. While it is possible to grant these permissions individually to users, it can be complex and error prone. Typically based on the use case, the users would require a set of permissions to perform their tasks. Granting only part of these permissions would cause issues and delays in performing their duties.
Access bundles are based on using a set of permissions that are always grouped together to perform the responsibilities of the user.
An access bundle is a collection of permissions that package access to resources, application features, and functionality into a requestable unit. A specific access bundle is associated with a single target. Users of a particular resource aren't required to request each permission associated with that resource. Instead they request the access bundle for that resource. This simplifies the process of requesting resource permissions.
For example, you can create an access bundle for developers using the target application Oracle Integration. You could call this bundle Integration Developer Access, and select the read, edit, and create permissions required for an integration developer to use the application. When a developer in your organization needs developer access to the Oracle Integration application, they only need to request the bundle, not the individual permissions. Access bundles are managed by application owners and can be requested from the access catalog.
Once you define the access bundle, it can be assigned to roles or used in policies to grant the set of permissions. Roles and policies are typically managed by administrators, which provides a way to separate duties.
Roles
Role-based access control (RBAC) is a method of controlling access to resources based on the roles that users have. Roles are assigned to users based on their job function, department, or other criteria.
In Access Governance, a role is a group of access bundles for one or more applications and services. The access bundles contained within a role can span multiple targets. An example might be a database administrator role, which groups together the DB Admin for Oracle, DB Admin for DB2, and DB Admin for MySQL access bundles. This lets you create roles that combine the relevant access bundles for performing that role. These roles can then be associated with identities by way of policies. A role doesn't provide access to a resource by default. Access is given to an identity when a role is assigned to that identity by way of a policy or self-service request. Roles are managed by role administrators and can be requested from the access catalog.
Policies
Policy-based access control (PBAC) is a method of controlling access to resources based on policies. Policies are rules that define who can access what resources and under what conditions.
Policies associate resources and permissions with identities by way of roles and access bundles. The following diagram shows how you can maintain policies within the Access Governance service.
Identity collections are groups of user identities defined based on attributes. The users need access to applications and services, and the permissions are put into access bundles. Roles can group access bundles based on use cases. Policies associate the identity collections with roles or access bundles. PBAC enables birthright and just-in-time access, and provides a way of centralizing policy management and access reviews that can be managed by internal auditors and compliance administrators.
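The four building blocks above (identity collections, access bundles, roles, and policies) fit together in a specific way: a bundle packages permissions on one target, a role groups bundles across targets, a collection selects identities by attribute or by name, and only a policy actually grants anything. The following is an added example, not Oracle's data model or API, that models those relationships and answers the two questions access governance cares about: what access an identity has, and how it got it. All class names and the sample data (the Integration Developer Access bundle and the database administrator role from the text, plus constructed identities) are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Added example (not Oracle's API): a toy model of identity collections (ABAC),
# access bundles, roles (RBAC) and policies (PBAC). All names are constructed.

@dataclass(frozen=True)
class Identity:
    name: str
    attributes: dict              # e.g. {"department": "Engineering"}

@dataclass(frozen=True)
class IdentityCollection:
    """ABAC: identities matching every attribute in the rule, plus explicitly named members."""
    name: str
    attribute_rule: dict = field(default_factory=dict)
    named_members: frozenset = frozenset()

    def contains(self, identity):
        if identity.name in self.named_members:
            return True
        return bool(self.attribute_rule) and all(
            identity.attributes.get(k) == v for k, v in self.attribute_rule.items())

@dataclass(frozen=True)
class AccessBundle:
    """A requestable set of permissions on exactly one target."""
    name: str
    target: str
    permissions: frozenset

@dataclass(frozen=True)
class Role:
    """RBAC: access bundles grouped for a job function; may span several targets."""
    name: str
    bundles: tuple

@dataclass(frozen=True)
class Policy:
    """PBAC: ties an identity collection to roles and/or bundles."""
    name: str
    collection: IdentityCollection
    roles: tuple = ()
    bundles: tuple = ()

def explain_access(identity, policies):
    """Return every (policy name, role name or None, bundle) path through which the
    identity receives a bundle. A role or bundle that no policy assigns yields no path."""
    paths = []
    for policy in policies:
        if not policy.collection.contains(identity):
            continue
        for bundle in policy.bundles:
            paths.append((policy.name, None, bundle))
        for role in policy.roles:
            for bundle in role.bundles:
                paths.append((policy.name, role.name, bundle))
    return paths

def effective_access(identity, policies):
    """Collapse the access paths into {target: set(permissions)}."""
    grants = {}
    for _, _, bundle in explain_access(identity, policies):
        grants.setdefault(bundle.target, set()).update(bundle.permissions)
    return grants

# Constructed sample data mirroring the examples in the text.
INTEGRATION_DEV = AccessBundle("Integration Developer Access", "Oracle Integration",
                               frozenset({"read", "edit", "create"}))
DBA_ROLE = Role("Database Administrator", (
    AccessBundle("DB Admin for Oracle", "Oracle Database", frozenset({"admin"})),
    AccessBundle("DB Admin for DB2", "DB2", frozenset({"admin"})),
    AccessBundle("DB Admin for MySQL", "MySQL", frozenset({"admin"})),
))
ENGINEERING = IdentityCollection("Engineering", attribute_rule={"department": "Engineering"})
DBA_TEAM = IdentityCollection("DBA Team", named_members=frozenset({"bob"}))
POLICIES = (
    Policy("Engineers: integration developer access", ENGINEERING, bundles=(INTEGRATION_DEV,)),
    Policy("DBA team: database administrator role", DBA_TEAM, roles=(DBA_ROLE,)),
)
ALICE = Identity("alice", {"department": "Engineering"})
BOB = Identity("bob", {"department": "Engineering"})
CAROL = Identity("carol", {"department": "Finance"})

if __name__ == "__main__":
    for who in (ALICE, BOB, CAROL):
        print(who.name, effective_access(who, POLICIES))
        for policy, role, bundle in explain_access(who, POLICIES):
            print("   via", policy, "->", role or "(direct)", "->", bundle.name)
```

Note that `bob` receives the database administrator bundles only because the "DBA team" policy assigns the role; defining the role alone grants nothing, which is the separation of duties the text describes between application owners (who manage bundles) and administrators (who manage roles and policies).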
Governance and Compliance
Access Governance helps ensure governance and compliance by providing a centralized view of all identity and access data, in addition to tools for managing access policies, conducting risk assessments, and auditing compliance.
Governance and compliance are closely related concepts that are important for an organization to protect its data and assets.
- Governance refers to the set of policies, processes, and procedures that an organization uses to manage its IT environment. It focuses on ensuring the organization's IT systems are aligned with business goals and objectives.
- Compliance refers to the act of following rules, laws, and regulations. It focuses on ensuring the organization's IT systems are compliant with the relevant regulations.
Governance and compliance are related concepts. Good governance is essential for ensuring compliance, and compliance is essential for maintaining good governance. The key capabilities are:
- Campaigns
- Access reviews
- Policy reviews
- Event-based reviews
- Delegation
Campaigns
An access review campaign is a systematic process for reviewing and updating user access to resources. Access review campaigns are typically conducted on a regular basis, such as annually or quarterly, to ensure that users only have access to the resources they need to do their jobs.
Access review campaigns typically involve the following steps:
- Create the campaign.
- Define the scope of the campaign by choosing what is included in the review.
- Configure the approval workflow.
- Schedule the campaign as a one-time or periodic campaign, which eliminates the need to manually keep track of these campaigns.
- Run the campaign.
The campaign is completed after all the review tasks are completed.
Access review campaigns are an important part of your security posture. By regularly reviewing user access, you can help to mitigate the risk of unauthorized access to sensitive data and systems.
Access review campaigns from Oracle Access Governance are used to review access rights. Access Governance supports the following types of access review campaigns:
- User access review campaigns: Comprises a group of access reviews for members of your enterprise population where individual access to a specific source is checked and either certified or remediated.
- Policy review campaigns: Comprises a group of policy reviews that evaluate the access control of Identity and Access Management (IAM) policies.
- Event-based access reviews: Access reviews initiated automatically by Oracle Access Governance when one or more predefined event types occur.
- Identity collection review campaigns: One-time or periodic access review campaigns for reviewing identity collections defined in Access Governance or derived from OCI.
Access Reviews
An access review is the review of access and permissions for an entity, typically an end user, that's carried out to confirm if the access and permissions assigned to that entity are still valid.
A campaign administrator can create one-time or periodic access review campaigns in the Oracle Access Governance Console. You can define selection criteria based on users, applications, permissions, and roles. You can also define the approval workflow to select the number of review levels, review duration, and reviewer details.
The previous diagram shows the selection criteria that scopes the access reviews. The following information describes the criteria:
- Who has access: Criteria to filter users based on standard (organization, job, location) or custom attributes.
- What they are accessing: Criteria to filter users based on resources they have access to.
- Which permissions: Criteria to filter users based on individual permissions, such as create, update, terminate, approve, or access bundles.
- Which identity collections: Lets you perform the identity collection review.
Policy Reviews
A campaign administrator can create on-demand policy reviews for OCI by defining the selection criteria based on the policies associated with users. The approval workflow can be created by selecting the number of review levels, review duration, and reviewer details.
The previous diagram shows the selection criteria that scopes the policy reviews. The following information describes the criteria:
- Who has access: Criteria to filter users based on standard (organization, job, location) or custom attributes.
- What they are accessing: Criteria to filter users based on resources they have access to.
- Which tenancies: Criteria to filter users based on the tenancies to be included in the scope.
- Which policies: Choose the policies on which the review will be performed.
- Which roles: Choose roles for which policy reviews are performed.
Event-Based Reviews
Event-based access reviews are access reviews initiated automatically by Oracle Access Governance when one or more predefined event types occur. The following diagram shows how event-based access reviews work.
Whenever events such as a job-code change or a location change occur, event-based access reviews are initiated. Reviewers can use these to check, certify, or remediate the impacted user or application roles, permissions, or entitlements. Event-based access reviews can be enabled for core attributes (for example, job code, organization, and location), in addition to custom attributes (for example, cost center and project code).
You can define the workflow for the review in terms of the number of review levels, duration, and who performs the review. Multi-events occur when Oracle Access Governance receives changes for more than one event type associated with a single identity. A shared workflow is applied when multi-events are identified. Information on event-based access reviews can be analyzed by generating reports using the event-based report capability of Oracle Access Governance.
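As an added example of the mechanism described above (not Oracle's implementation), the following code compares two consecutive data loads of identity attributes, detects changes to the attributes enabled for event-based review, assigns the per-event workflow to a single change and the shared workflow to a multi-event on the same identity, and produces the counts an event-based report would summarize. The event types, workflow settings, and both snapshots are constructed; treating an identity that appears only in the new load as onboarding rather than an attribute change is an assumption of the example.

```python
from collections import Counter
from dataclasses import dataclass

# Added example (not Oracle's implementation): turn attribute changes between two
# data loads into event-based review tasks. Event types, workflows and the
# snapshots below are constructed.

# Core and custom attributes enabled for event-based review, each with its own workflow.
EVENT_WORKFLOWS = {
    "job_code":    {"levels": 2, "duration_days": 14, "reviewer": "manager"},
    "location":    {"levels": 1, "duration_days": 7,  "reviewer": "manager"},
    "cost_center": {"levels": 1, "duration_days": 7,  "reviewer": "cost_center_owner"},  # custom
}
# Applied when more than one enabled event type changes for the same identity (multi-event).
SHARED_WORKFLOW = {"levels": 2, "duration_days": 14, "reviewer": "manager"}

@dataclass(frozen=True)
class ReviewTask:
    identity: str
    events: tuple        # (attribute, old_value, new_value) per changed attribute
    workflow: dict
    multi_event: bool

def detect_events(previous, current, enabled=EVENT_WORKFLOWS):
    """Return {identity: [(attribute, old, new), ...]} for identities in both snapshots.
    Assumption: an identity only in the new load is onboarding, not an attribute change."""
    events = {}
    for name in sorted(current):
        if name not in previous:
            continue
        changed = [(attr, previous[name].get(attr), current[name].get(attr))
                   for attr in enabled if previous[name].get(attr) != current[name].get(attr)]
        if changed:
            events[name] = changed
    return events

def build_review_tasks(previous, current, enabled=EVENT_WORKFLOWS):
    """One review task per affected identity; multi-events get the shared workflow."""
    tasks = []
    for name, changed in detect_events(previous, current, enabled).items():
        if len(changed) > 1:
            tasks.append(ReviewTask(name, tuple(changed), SHARED_WORKFLOW, True))
        else:
            tasks.append(ReviewTask(name, tuple(changed), enabled[changed[0][0]], False))
    return tasks

def event_report(tasks):
    """Counts per event type, the kind of summary an event-based report would show."""
    return Counter(attr for task in tasks for attr, _, _ in task.events)

# Constructed snapshots: yesterday's and today's data load from an authoritative source.
PREVIOUS = {
    "alice": {"job_code": "ENG2", "location": "Austin", "cost_center": "CC100"},
    "bob":   {"job_code": "FIN1", "location": "Denver", "cost_center": "CC200"},
    "carol": {"job_code": "HR1",  "location": "Austin", "cost_center": "CC300"},
}
CURRENT = {
    "alice": {"job_code": "ENG3", "location": "Austin", "cost_center": "CC100"},  # promotion
    "bob":   {"job_code": "FIN2", "location": "London", "cost_center": "CC200"},  # job code and location
    "carol": {"job_code": "HR1",  "location": "Austin", "cost_center": "CC300"},  # unchanged
    "dave":  {"job_code": "ENG1", "location": "Austin", "cost_center": "CC100"},  # newly onboarded
}

if __name__ == "__main__":
    tasks = build_review_tasks(PREVIOUS, CURRENT)
    for task in tasks:
        print(task)
    print(dict(event_report(tasks)))
```

Running it yields one single-event task for `alice` (job-code workflow, two levels) and one multi-event task for `bob` whose two changes are reviewed together under the shared workflow; `carol` and the newly loaded `dave` produce no task.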
Delegation
You might want to delegate approvals or access reviews to others for the following reasons:
- Unavailability because of vacation, sickness, or working on other tasks
- Having the most qualified person make decisions
- Developing someone's ability to handle additional assignments
The following diagram shows the concept of delegation.
In Oracle Access Governance, you can set up and manage preferences. Users can delegate tasks and activities using the Oracle Access Governance Console. You can use the My Preferences setting to assign tasks and activities to another user or identity collection. You can choose when to start this delegation process and also specify the duration of the delegation.
In Oracle Access Governance, you can delegate who performs access reviews and who performs approvals on your behalf. A task can be delegated to an individual or an identity collection. The identity collection can have one or more members in it. Duration for delegation can be set to a time range or indefinitely.
Identity Intelligence
Identity intelligence provides organizations with security and risk insights by collecting data from a variety of sources, and then using machine learning and AI to analyze the data and identify patterns and trends. Oracle Access Governance analyzes each identity and its privileges, builds insights into potential high-risk assignment and security violations, and recommends remediations. This lets access reviewers make corrective decisions quickly. This feature enables:
- Assimilation and analysis of identity data and access privileges.
- Recognition of contextual insights and identification of security blind spots.
- Remediation recommendations that let access reviewers make corrective decisions quickly.
The key capabilities are:
- Prescriptive analytics using AI and machine learning
- Identity insights
- Remediation
- Correlation
Prescriptive Analytics Using AI, Machine Learning, and Identity Insights
Prescriptive analytics is a type of data analytics that goes beyond describing or predicting what has happened or what might happen. It takes the next step of suggesting the best course of action to take in a given situation.
Prescriptive analytics uses a variety of techniques, including machine learning, optimization, and simulation, to analyze data and identify the best possible course of action. This can be used to improve decision-making in a wide range of areas, such as business, healthcare, and government.
Oracle Access Governance uses AI and machine learning based prescriptive analytics to provide intelligent insights and risk management. Deep analytics and high fidelity recommendations make it easy for reviewers to approve or deny the access.
Identity Insights
Oracle Access Governance uses AI and machine learning to provide insights-based access reviews, identity analytics, and intelligence capabilities for businesses.
Some of the ways Oracle Access Governance uses AI and machine learning are:
- Peer group analysis: Oracle Access Governance uses AI to identify peer groups of users with similar access privileges. This information can be used to identify users who might have excessive access privileges.
- Outlier detection: Oracle Access Governance uses machine learning to identify users who have access patterns that are different from the norm. This information can be used to identify users who may be at risk of abusing their access privileges.
- Recommendations: Oracle Access Governance uses AI to generate recommendations for access reviews and remediation actions. This information can help you improve the security of your data.
- Automated workflows: Oracle Access Governance uses machine learning to automate tasks such as access reviews and remediation actions. This can help you improve the efficiency of your access management processes.
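The following is an added illustration of the peer-group analysis and outlier detection described above, together with the accept-or-revoke style recommendation the Remediation section mentions. It is not Oracle Access Governance code and does not reproduce the product's models; the user records, the department-based peer grouping, the prevalence threshold and the justification text are all constructed assumptions for the example.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed sample data (assumption, not product data): each user carries a
# peer-group attribute (here: department) and the set of entitlements they hold.
USERS: Dict[str, dict] = {
    "alice": {"dept": "finance", "entitlements": {"erp_view", "erp_post", "expense_approve"}},
    "bob":   {"dept": "finance", "entitlements": {"erp_view", "erp_post"}},
    "carol": {"dept": "finance", "entitlements": {"erp_view", "erp_post", "expense_approve"}},
    "dave":  {"dept": "finance", "entitlements": {"erp_view", "erp_post", "prod_db_admin"}},
    "erin":  {"dept": "engineering", "entitlements": {"git_write", "ci_deploy", "prod_db_admin"}},
    "frank": {"dept": "engineering", "entitlements": {"git_write", "ci_deploy"}},
    "grace": {"dept": "engineering", "entitlements": {"git_write", "ci_deploy", "prod_db_admin"}},
}


def peer_groups(users: Dict[str, dict]) -> Dict[str, List[str]]:
    """Group users into peer groups by their department attribute."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for name, user in users.items():
        groups[user["dept"]].append(name)
    return groups


def entitlement_prevalence(users: Dict[str, dict], members: List[str]) -> Dict[str, float]:
    """Fraction of the peer group that holds each entitlement (0.0 to 1.0)."""
    counts: Counter = Counter()
    for member in members:
        counts.update(users[member]["entitlements"])
    return {ent: n / len(members) for ent, n in counts.items()}


def review_recommendations(users: Dict[str, dict], threshold: float = 0.5) -> List[dict]:
    """One recommendation per (user, entitlement) pair.

    An entitlement held by fewer than `threshold` of the user's peers is an
    outlier and gets a 'revoke' recommendation; otherwise 'certify'. The
    justification string is generated so a reviewer can see why.
    """
    recs: List[dict] = []
    for dept, members in peer_groups(users).items():
        prevalence = entitlement_prevalence(users, members)
        for member in sorted(members):
            for ent in sorted(users[member]["entitlements"]):
                share = round(prevalence[ent], 2)
                rec = "revoke" if prevalence[ent] < threshold else "certify"
                recs.append({
                    "user": member,
                    "entitlement": ent,
                    "recommendation": rec,
                    "prevalence": share,
                    "justification": (
                        f"{int(share * 100)}% of peers in '{dept}' hold '{ent}'"
                    ),
                })
    return recs


def outliers(users: Dict[str, dict], threshold: float = 0.5) -> List[Tuple[str, str, float]]:
    """Just the (user, entitlement, prevalence) triples recommended for revocation."""
    return [
        (r["user"], r["entitlement"], r["prevalence"])
        for r in review_recommendations(users, threshold)
        if r["recommendation"] == "revoke"
    ]


if __name__ == "__main__":
    for rec in review_recommendations(USERS):
        if rec["recommendation"] == "revoke":
            print(rec)
```

Note that `prod_db_admin` is certified for the engineering group (two of three peers hold it) but flagged for `dave` in finance, which is the point of grouping by peers before judging an entitlement: the same permission is ordinary in one population and anomalous in another. A production reviewer would also weight entitlements by sensitivity and by observed usage rather than rely on prevalence alone.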
Access Governance, with intelligence at its core, fetches identities and policies from various systems, which lets it manage both applications and other identity systems. With the collected identities and permissions, Access Governance shows who has access to what. With the policies, it can also show how each identity came to hold its permissions. With usage information from applications, it can also provide insight into how provisioned access is actually being used. This helps you reduce risk and cost by granting access only to the right people, bots, and services.
Access Governance uses a variety of techniques to provide visibility into access permissions:
- Oracle Access Governance can be used to conduct periodic or event-driven access reviews. This helps organizations to ensure that users only have the access they need to perform their jobs.
- Oracle Access Governance can be used to analyze identity data to identify potential risks, such as users with excessive access privileges or users who have left the organization but still have access to sensitive data.
- Oracle Access Governance can be used to generate reports and dashboards that provide insights into access permissions. This information can be used to improve the security of the organization's data.
Three dashboards give you more information on who has access to what, as shown in the following diagram.
The dashboards are:
- My Access
  - Users can view details of the applications, cloud resources, permissions, and roles assigned to themselves.
- My Directs' Access
  - Managers can view details of the applications, cloud resources, permissions, and roles assigned to their direct reports.
  - Availability of this dashboard depends on the connected system; not all supported connected systems provide it.
- Enterprise-wide Access
  - Users with an administrator role can get a 360-degree view of all the resources and assigned permissions for those resources from the Oracle Access Governance Console.
  - On the Enterprise-wide Access page, you can view a list of the entire organization's resources and resource types across the various systems connected with Oracle Access Governance, and find out which identities are currently assigned to a given resource, at what permission level, and how those permissions were assigned or granted.
Remediation
Security remediation is the process of identifying and addressing security vulnerabilities. It's an important part of an organization's security posture because it helps to reduce risk and improve compliance. Access Governance provides the following remediation related capabilities:
- Recommendations: Based on machine learning analytics, Access Governance identifies and recommends the appropriate action for each access item. The recommended remediation action is either to accept the access or to revoke it.
- Customizable justification entry: When a reviewer takes action on the remediation, they have the option of providing justification. This is configurable in Access Governance based on the type of recommendation.
- Auto-remediation on campaign completion: When the campaign ends, Access Governance can automatically perform remediation in the Access Governance Console.
Identity Correlation
Identities from different systems are automatically correlated in Access Governance. Correlation is a capability that's the basis for providing a 360-degree view of users.
Access Governance performs the following correlation activities:
- Correlate the identities based on email ID and/or usernames.
- Combine the intelligence based on the unified identity and provide insights based on it.
- Detect unmatched identities for target systems and provide a report for troubleshooting.
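The following is an added example of the three correlation activities listed above (match on email and/or username, build a unified identity, report unmatched accounts). It is illustrative code, not Oracle Access Governance's own correlation engine; the account records, the choice of an authoritative HR source, and the normalization rules are constructed assumptions.

```python
from typing import Dict, List, Tuple

# Constructed sample accounts from three connected systems (assumption, not real data).
# The "hr" system is treated as the authoritative source of identities.
ACCOUNTS: List[dict] = [
    {"system": "hr",  "id": "E1001", "username": "jdoe",      "email": "Jane.Doe@example.com"},
    {"system": "erp", "id": "7781",  "username": "JDOE",      "email": "jane.doe@example.com"},
    {"system": "oci", "id": "ocid-constructed-1", "username": "jane.doe", "email": "jane.doe@example.com"},
    {"system": "erp", "id": "7790",  "username": "svc_batch", "email": ""},
    {"system": "hr",  "id": "E1002", "username": "rroe",      "email": "rick.roe@example.com"},
    {"system": "oci", "id": "ocid-constructed-2", "username": "rroe", "email": "r.roe@example.com"},
]


def normalize(value: str) -> str:
    """Case-fold and trim so 'Jane.Doe@example.com' and 'jane.doe@example.com' match."""
    return (value or "").strip().lower()


def correlate(accounts: List[dict], authoritative: str = "hr") -> Tuple[Dict[str, dict], List[dict]]:
    """Attach every target-system account to an authoritative identity.

    Matching order: exact normalized email first (high confidence), then
    normalized username (lower confidence, flagged for reviewer verification).
    Returns (unified identities keyed by authoritative id, unmatched accounts).
    """
    by_email: Dict[str, str] = {}
    by_user: Dict[str, str] = {}
    unified: Dict[str, dict] = {}

    # Index the authoritative identities.
    for acct in accounts:
        if acct["system"] != authoritative:
            continue
        unified[acct["id"]] = {"identity": acct["id"], "accounts": [acct], "matched_by": {}}
        if normalize(acct["email"]):
            by_email[normalize(acct["email"])] = acct["id"]
        by_user[normalize(acct["username"])] = acct["id"]

    unmatched: List[dict] = []
    for acct in accounts:
        if acct["system"] == authoritative:
            continue
        key = f"{acct['system']}:{acct['id']}"
        email = normalize(acct["email"])
        ident = by_email.get(email) if email else None
        how = "email"
        if ident is None:
            ident = by_user.get(normalize(acct["username"]))
            how = "username"
        if ident is None:
            unmatched.append({**acct, "reason": "no email or username match in authoritative source"})
            continue
        unified[ident]["accounts"].append(acct)
        unified[ident]["matched_by"][key] = how
    return unified, unmatched


def needs_manual_verification(unified: Dict[str, dict]) -> List[str]:
    """Account keys that were joined on username only; email is the stronger key."""
    return [key for ident in unified.values()
            for key, how in ident["matched_by"].items() if how == "username"]


if __name__ == "__main__":
    identities, leftovers = correlate(ACCOUNTS)
    for ident in identities.values():
        print(ident["identity"], [f"{a['system']}:{a['id']}" for a in ident["accounts"]])
    print("unmatched:", [f"{a['system']}:{a['id']}" for a in leftovers])
    print("verify:", needs_manual_verification(identities))
```

The unmatched list is the troubleshooting report: here it surfaces `svc_batch`, a service account with no owner in the authoritative source, which is exactly the kind of orphaned access the Identity Insights section warns about. Username-only joins are reported separately because the same username can legitimately belong to different people in different systems.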
Access Governance Best Practices
- Create an Access Governance instance in its own identity domain and compartment using the identity domain administrator. This lets Access Governance be isolated from the rest of the applications and provides the flexibility to add or remove any Access Governance users in a specific OCI identity domain.
- Create a user for the administration of the Access Governance instance, assign the Access Governance administrator role, and have the user perform all Access Governance administration-related tasks. Don't use the tenancy administrator for these tasks.
- For development or testing purposes, create separate Access Governance service instances to isolate data. Each service instance is independent and maintains its own configuration and snapshot data.
- Understand the various Access Governance roles and separate duties based on roles. Ensure that line-of-business (LOB) users can perform the functions they need without IT intervention.
- Identify the roles and responsibilities of users and configure them as workforce users or consumer users appropriately.
- Define and use a consistent naming convention for all Access Governance resources, including instance names, access control resource names, campaign names, and connected systems. Some examples are:
  - si_presidents_office_qa
  - campaign_ocitenancy_policy_review_oct23
  - target_ops_database_dbum
- Govern your OCI identities from the outset using Access Governance by integrating with OCI IAM.