When defining a review, you assign users and roles to perform the review. Depending on the type of review, you can specify one or more of the following options as reviewers.
| User Access | User Profile | Accounts | Accounts Access | Business Role Membership | Business Role Definition | Direct Reports |
|---|---|---|---|---|---|---|
| Supervisor of the individual being reviewed | Supervisor of the individual being reviewed | Supervisor of the individual being reviewed | Owner of the permission being reviewed | Supervisor of the individual being reviewed | Business role owner | Supervisor of direct reports or supervisors |
| Owners of the applications being reviewed (not available for role reviews) | User whose profile is being reviewed, called self review | Owner of the application being reviewed | Owner of the application being reviewed | Business role owner | Selected users or groups | Selected users or groups |
| Owners of the permissions being reviewed (not available for role reviews) | Selected users or groups | Selected users or groups | Selected users or groups | Selected users or groups | Business role | Business role |
| Holder of the permission or role being reviewed, called self review | Business role | Business role | Business role | Business role | | |
| Selected users or groups | | Account custodian | Account custodian | | | |
| Coverage map | | Coverage map. NOTE: To specify coverage map as a reviewer for unmapped accounts, make sure All unmapped accounts is selected as review items and then specify Review by Coverage Map as the reviewer. | Coverage map | | | |
| Business role | | | | | | |
For more information about owners of applications and permissions, see Section 11.2, Understanding Identity, Application, and Permission Management. For more information about coverage maps, see Using Coverage Maps.
For additional verification or approvals, you might specify more than one reviewer stage. If you specify more than one stage for reviews, the reviewer assignment workflow will vary based on the specified stages. For more information about multistage reviews, see Section 23.8.1, Understanding Multistage Reviews.
To ensure a timely review process, you can also specify an Escalation Reviewer. The Escalation Reviewer resolves all review tasks that are not completed on time. You can specify users, groups, and business roles as Escalation Reviewers. If you do not specify an Escalation Reviewer, the Review Owner is the default Escalation Reviewer. Escalated review items also appear in the Exceptions stage. If Identity Governance detects any escalations at the start of a review, all of the review items appear in the Exceptions stage.
For more information about authorizations including Escalation Reviewer, see Section 2.1.2, Runtime Authorizations.
If you specify more than one reviewer stage, the reviewers must complete the review in the assigned order. For example, you might want the permission holders to verify that they continue to need the assigned permission, then the individual’s supervisor can approve that ongoing need. As a final step, the permission owners can review the assigned permission. In this case, you would specify Self review, Supervisor, then Permission owners as the reviewers. Each stage shows as a separate group of review items to the review owner. When you select Self Review, users can review their access for that stage only, unless the Review Options are set to Allow self review in all stages.
If you specify more than one reviewer (such as a set of users or groups), each reviewer shares the responsibility for submitting a decision within a single reviewer stage. For example, you might want the permission holders to verify that they continue to need the assigned permission, then you want a group of users called Super group to approve the ongoing need. In this case, you would specify Self review then Review by Selected Users: Super group as the reviewers.
You can also specify that a stage is skipped if the prior stage decision is Keep or Remove. By default, you cannot specify the same reviewer in consecutive stages.
At any point during a review run, Identity Governance might not be able to resolve a reviewer. For example, if you specify Permission owners as one of the reviewers and no permission owner is actually specified in the catalog, Identity Governance cannot resolve the reviewer to an identity. When this happens, the review item is escalated to the Escalation Reviewer, if one exists, or to the Review Owner, and this reviewer must complete the remaining review tasks for the item. In this situation, the review owner sees an exception section that lists the unresolved review items.
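
The following Python model is an added example, not Identity Governance code or API. It walks the Self review, Supervisor, Permission owners stage order described above and applies the fallback to the Escalation Reviewer or Review Owner when a reviewer cannot be resolved. The `Item` fields, the user names, and the choice to represent an escalated item as a single task in the Exceptions stage are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Item:
    holder: str                      # user who holds the permission
    permission: str
    supervisor: Optional[str]        # holder's supervisor, if known
    permission_owner: Optional[str]  # owner recorded in the catalog, if any

# Reviewer type -> how the reviewer is looked up for one review item.
RESOLVERS = {
    "Self review": lambda i: i.holder,
    "Supervisor": lambda i: i.supervisor,
    "Permission owners": lambda i: i.permission_owner,
}

def plan_review(items, stages, review_owner, escalation_reviewer=None):
    """Return (tasks, exceptions) for an ordered list of reviewer stages."""
    # Without an Escalation Reviewer, the Review Owner is the default.
    fallback = escalation_reviewer or review_owner
    tasks, exceptions = [], []
    for item in items:
        for stage in stages:  # stages are completed in the assigned order
            reviewer = RESOLVERS[stage](item)
            if reviewer is None:
                # Unresolved reviewer: the item is escalated and the fallback
                # reviewer completes the remaining tasks (assumed: one task).
                tasks.append((item.holder, item.permission, "Exceptions", fallback))
                exceptions.append((item.holder, item.permission, stage))
                break
            tasks.append((item.holder, item.permission, stage, reviewer))
    return tasks, exceptions

# Constructed sample data: the second permission has no owner in the catalog.
SAMPLE_ITEMS = [
    Item("alice", "VPN access", "carol", "dave"),
    Item("bob", "Payroll read", "carol", None),
]
STAGES = ["Self review", "Supervisor", "Permission owners"]

if __name__ == "__main__":
    tasks, exceptions = plan_review(SAMPLE_ITEMS, STAGES, review_owner="rita")
    for task in tasks:
        print(task)
    print("unresolved:", exceptions)
```

Running a check like this against a catalog export before starting a review shows which items have no resolvable owner or supervisor and would therefore land with the Escalation Reviewer.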