Adrian Bullock

A Risky business

Blog Post created by Adrian Bullock Employee on Oct 19, 2017

When it comes to compliance and violations for Identity Management we are trying to get as full an understanding of Risk as is possible.  Identity Governance, now part of Identity Suite, started life as a role and compliance manager.  It is a powerful tool when it comes to role management in general and certifying what is in place within an organisation.  Rules that define business processes and violations allow local reports to be created as well as triggering automatic remediation actions.

 

The Identity Portal sits in front of Identity Governance and is able to provide a real time overview of risk associated with the items in your shopping cart.

 

While it is possible to use the risk defined in Identity Governance to calculate this risk (see "Configuring Risk in Identity Portal with external source on Virtual Appliance or Identity Suite", taken from a write-up I made of a support case), the suggested method is to use Risk rules defined in the portal.  Let's talk through the different approaches and the pluses and minuses for each.

 

Identity Governance allows complex rules with individual values for each violation to be created to give an overview of risk in terms of audit cards and reports - we can identify all our risk but not in real time.  Great for clean up and remediation activities, less good for avoiding risk in the first place.

 

The Identity Portal also allows rules to be defined for risk but displays this risk in real time as access is being ordered. While it can use the violations from Identity Governance as input, the value for risk is taken from the definition in the portal and has nothing to do with any risk values that may be defined in Identity Governance.  Therefore it makes more sense to define risk locally in the portal.

 

Another factor that comes into play here is the rise of the Virtual Appliance as the preferred delivery method for Identity Suite.  If Identity Governance is to be used for external violation generation, then only the out-of-the-box Bank Policy BPR can be used to define violation rules - it will not be possible to edit the default.properties file to add any new BPRs, as access to this file within the appliance is not possible.  As things work today, the portal looks at all the BPRs defined in the properties file and then runs the rules for each to identify violations.  If any are found, the risk value returned in the portal is the one associated with the rule defined in the portal - all Identity Governance does is provide a Yes/No answer in effect.

 

To me it seems risk in Identity Governance and risk in Identity Portal are addressing different aspects of risk.  The Portal gives a real time indication if anything that is going to be against company regulations is going to happen and hopefully helps organisations avoid non-compliant configurations in the first place.  On the other hand Identity Governance is very good for regular compliance activities and checking that everything is as it should be.

 

A tension with this is that the risk defined in the Identity Portal and the risk defined in Identity Governance become two separate things and, while they ultimately concern the same items, are two sources that need to be maintained and kept in sync, i.e. changes in one do not automatically propagate to the other.

 

Should Risk be more tightly coupled between Identity Governance and Identity Portal, or is the current approach sufficient as risk definitions will only be made in one place at a company-wide level and it is "just" a case of making sure they are correctly implemented in all required locations?
