23.8 Specifying Reviewers

When defining a review, you assign users and roles to perform the review. Depending on the type of review, you can specify any or more than one of the following options as reviewers.

User Access

User Profile

Accounts

Accounts Access

Business Role Membership

Business Role Definition

Direct Reports

Supervisor of the individual being reviewed

Supervisor of the individual being reviewed

Supervisor of the individual being reviewed

Owner of the permission being reviewed

Supervisor of the individual being reviewed

Business role owner

Supervisor of direct reports or supervisors

Owners of the applications being reviewed (not available for role reviews)

User whose profile is being reviewed, called self review

Owner of the application being reviewed

Owner of the application being reviewed

Business role owner

Selected users or groups

Selected users or groups

Owners of the permissions being reviewed (not available for roles reviews)

Selected users or groups

Selected users or groups

Selected users or groups

Selected users or groups

Business role

Business role

Holder of the permission or role being reviewed, called self review

Business role

Business role

Business role

Business role

 

 

Selected users or groups

 

Account custodian

Account custodian

 

 

 

Coverage map

 

Coverage map

NOTE:To specify coverage map as a reviewer for unmapped accounts, make sure All unmapped accounts is selected as review items and then specify Review by Coverage Map as the reviewer.

Coverage map

 

 

 

Business role

 

 

 

 

 

 

For more information about owners of applications and permissions, see Section 11.2, Understanding Identity, Application, and Permission Management. For more information about coverage maps, see Using Coverage Maps.

For additional verification or approvals, you might specify more than one reviewer stage. If you specify more than one stage for reviews, the reviewer assignment workflow will vary based on the specified stages. For more information about multistage reviews, see Section 23.8.1, Understanding Multistage Reviews.

To ensure a timely review process, you can also specify an Escalation Reviewer. Escalation Reviewer resolves all review tasks that are not completed on time. You can specify users, groups, and business roles as Escalation Reviewers. If you do not specify an Escalation Reviewer, the Review Owner is the default Escalation Reviewer. Escalated review items also appear in the Exceptions stage. If Identity Governance detects any escalations at the start of a review, all of the review items appear in the Exceptions stage.

For more information about authorizations including Escalation Reviewer, see Section 2.1.2, Runtime Authorizations.

23.8.1 Understanding Multistage Reviews

If you specify more than one reviewer stage, the reviewers must complete the review in the assigned order. For example, you might want the permission holders to verify that they continue to need the assigned permission, then the individual’s supervisor can approve that ongoing need. As a final step, the permission owners can review the assigned permission. In this case, you would specify Self review, Supervisor, then Permission owners as the reviewers. Each stage shows as a separate group of review items to the review owner. When you select Self Review, users can review their access for that stage only, unless the Review Options are set to Allow self review in all stages.

If you specify more than one reviewer (such as a set of users or groups), each reviewer shares the responsibility for submitting a decision within a single reviewer stage. For example, you might want the permission holders to verify that they continue to need the assigned permission, then you want a group of users called Super group to approve the ongoing need. In this case, you would specify Self review then Review by Selected Users: Super group as the reviewers.

You can also specify that a stage is skipped if the prior stage decision is Keep or Remove. By default, you cannot specify the same reviewer in consequent stages.

At any point during a review run, Identity Governance might not be able to resolve a reviewer. For example, if you specify Permission owners as one of the reviewers and no permission owner is actually specified in the catalog, Identity Governance cannot resolve the reviewer to an identity. When this happens, the review item is escalated to the Escalation Reviewer, if one exists, or to the Review Owner, and this reviewer must complete the remaining review tasks for the item. In this situation, the review owner sees an exception section with the review items with the unresolved review items.