Coverage maps allow administrators to map review or access request items to respective reviewers or approvers when creating a review definition or an access request approval policy. Coverage maps use one or more rules to specify:
An entity type or attribute based on the item under review
Different entity and attribute criteria in a single column
Secondary or related entity or attribute of related entity referenced by entity-entity relationships
For more information, see:
Coverage maps comprise one or more rules that define and specify the following:
Reviewers of a User Access or Account Review definition
NOTE:To specify a coverage map as a reviewer for unmapped accounts, ensure that All unmapped accounts is selected for the review items, and then specify Review by Coverage Map as the reviewer.
Approvers for requested access in the Request application
To create coverage map rules, Identity Governance uses an interface similar to the advanced filter for searches. Though the interface uses conditions and subconditions to define rules for coverage maps, you cannot save rules. You can, however, export the coverage map that you create, and you can import coverage maps that others have created.
Criteria options in the rules interface correspond with the criteria that you define in your rules. For example, if you want to create a condition for your rule that specifies users with specific titles, select User: Title.
The rules interface uses the operators AND, OR, and NOT to create expressions that direct the rule definition to include, respectively, ALL of the conditions you define, ANY of the conditions you define, or NONE of the conditions you define in the search filter. Select one of these operators to start building a filter. The operator you select applies to every condition you create.
Conditions allow you to specify a criteria option as a criterion for a rule, and then use additional operators, such as “equal to,” “not equal to,” “greater than,” “less than,” and “greater than or equal to,” to define how the rule includes, or if it excludes, the defined item in the coverage map as a result of the condition.
Filters are subconditions that allow you to fine-tune a condition with additional AND, OR, and NOT statements.
Relationships and attributes appear as options only when you define reviewer or approver criteria. Relationships require that you also assign and define an attribute for the relationship.
Rule creation requires that you create expressions to define and add criteria for your coverage map. Click Define Criteria to define conditions that create expressions for one or more of the following review or approval items:
User
Account
Permission
Application
Click Add Criteria to define conditions or relationships that create expressions for one or more of the following reviewer or approver criteria:
User
Group
When you create a coverage map, Identity Governance searches for a matching statement in the order defined in the coverage map. When one or more review items match all defined review item criteria, the users or groups matching the respective user or group criteria become reviewers for those items.
To create a coverage map:
Log in to Identity Governance as a Customer or Global Administrator.
Select Policies > Coverage Maps.
Click the add icon (+).
Type a name and a description for the coverage map.
Specify the coverage map type.
(Conditional) Create the Review Type coverage map rules.
Select Review.
Click the plus icon (+).
Under Review Item Criteria, click Define Criteria.
NOTE:You are not required to define review item criteria. A rule may contain only a reviewer criteria.
Click the plus icon (+) for the criteria you want to define, and then use operators, conditions, and filters available to create one or more expressions for each criteria.
NOTE:Some condition expressions require 1:1 mapping. For example, if the condition "User: Display Name equals <Account Holder Display Name>" returns more than one possible result, Identity Governance displays an error message. You should configure "User: Display Name equals one of <Account Holder Display Name>."
Click Save.
Under Reviewer Criteria, click Add Criteria, and then select either Define Criteria or Define Relationship.
Choose the criteria you want to define, and then use operators, conditions, and filters to create one or more conditions for each criteria.
Click Save.
Perform these steps for each rule you want to add to your Review Type coverage map.
(Conditional) Create the Request Type coverage map rules.
Select Request.
Click the plus icon (+).
Under Approval Item Criteria, click Define Criteria.
NOTE:You are not required to define approval item criteria. A rule may contain only an approver criteria.
Click the plus icon (+) for the criteria you want to define, and then use operators, conditions, and filters available to create one or more conditions for each criteria.
NOTE:Some condition expressions require 1:1 mapping. For example, “equals” is not valid if the rule could return more than one possible result. In those cases, “equals one of” is a valid choice.
Click Save.
Under Approver Criteria, click Add Criteria, and then select either Define Criteria or Define Relationship.
Choose the criteria you want to define, and then use operators, conditions, and filters to create one or more conditions for each criteria.
Click Save.
Perform these steps for each rule you want to add to your Request Type coverage map.
Click Save.
Identity Governance allows you to export one or more coverage maps to a file that you can download and share with others in your enterprise.
To export a coverage map:
Log in to Identity Governance as a Customer or Global Administrator.
Select Policies > Coverage Maps.
Select one or more coverage maps.
Click Actions > Export Coverage Maps.
On the Coverage Maps dialog box, enter a description for your export file, and then click Download.
On the title bar, click the Download icon.
On the Your Downloads dialog box, select the coverage map file you want to download, and then click the Download icon.
Identity Governance saves the following files to a ZIP archive in your browser download directory:
A JSON file containing information for the coverage maps you chose to export
A JSON file containing information for review definitions or access request approval policies (depending on the coverage map type) that use the coverage map(s)
You can share the downloaded file with others, who will extract the coverage map file before importing it. For information about importing review definitions and access requests, see Section 24.4, Downloading and Importing Review Definitions and Section 21.8, Downloading and Importing Access Request and Approval Policies.
To import a coverage map:
Log in to Identity Governance as a Customer or Global Administrator.
Select Policies > Coverage Maps.
Click Import Coverage Maps.
Browse to the local directory where you extracted the coverage map file.
Select the file, and then click Open.
On the Import Coverage Maps page, select the coverage maps you want to import.
Click Import.
NOTE:Before you run a review, verify all mappings in the review definitions to ensure the coverage map associations are correct.
Identity Governance allows you to create coverage maps using CSV files, which you can then load into Identity Governance. You can use these files to map review or request items to respective reviewers or approvers by specifying:
An entity type or attribute based on the item under review
Different entity and attribute criteria in a single column
Secondary or related entity or attribute of related entity referenced by entity-entity relationships
You should understand Identity Governance supported coverage map types, keywords, syntax, and entity-entity relationships to create and load coverage maps.
If you prefer to manually create a coverage map, you can create a CSV file with header and criteria cells. For greater flexibility use only keywords. For more information, see:
Identity Governance supports the following coverage map type attributes and keywords:
Type |
Description |
Keywords |
---|---|---|
REVIEW |
Maps for user access and account review based reviews |
|
REQUEST |
Maps for request based approver determination |
|
Header and Criteria Cells Syntax
For |
Syntax |
---|---|
USER or GROUP based reviewer header cell |
<Reviewer.user|Reviewer.group>[.related user or group attribute key] |
Review item header cell |
<Approver.user|Approver.group>[.related user or group attribute key] |
USER or GROUP based approver header cell |
<Application|Permission|User]>[.entity-attribute-key] |
Request item header cell |
[RequestItem.]<Application|Permission|ROLE_POLICY|User>.<entity-attribute-key> |
Keyword(s) only header |
<Reviewer|ReviewItem> or <Approver|RequestItem> |
Attribute based criteria cell |
[<entity-name>.]<attribute-name> <Op> <value(s)> |
Attribute and relationship based criteria cell |
[<entity-name>.]<attribute-name> <Op> ReviewItem.<entity-name>.[<relationship-name>.]<attribute-name> |
HINT:Specifying only keywords in the header column, and specifying other entity and attributes details in the criteria cells provides more flexibility than other formats.
Operator Syntax
Value entries for attributes that have numeric data types support the following list of comparison prefixes: >, >=, <, <=, !=, <>. For example: "Permission.risk","< 40".
Value entries for attributes with string data types support multiple values by using the pipe (|) symbol. For example, "Reviewer.user.displayName","Sue Smith|Jerry Jones|Tom Carter". Additionally, you can use the following operators:
!IS_EMPTY! or !NULL!
!IN!
!CONTAINS!
!MATCHES!
!ENDS_WITH!
!STARTS_WITH!
!NOT!
Date Type
The system evaluates date types in comparisons using ISO 8601 date and time format. The following are some examples of January 31, 2017:
2017-01-31
2017-01-31T10:00Z
2017-01-31T10:00-05:00
NOTE:Though the format allows for time to be specified, Identity Governance stores only the date in the catalog for date entity types.
Relationships can be nested in coverage maps. However, relationships cannot be referenced in the ReviewItem criteria cell; they can be accessed only from the Reviewer or Approver criteria cell.
The supported predefined relationships appear below:
Coverage Map Type(s) |
Entity |
Relationship |
Related Entity |
---|---|---|---|
REVIEW and REQUEST |
USER |
supervsior |
USER |
REVIEW and REQUEST |
USER |
affiliate |
USER |
REVIEW and REQUEST |
APPLICATION |
applicationOwners |
applicationOwners (table) |
REVIEW and REQUEST |
applicationOwners |
owner |
USER |
REVIEW and REQUEST |
applicationOwners |
groupOwner |
GROUP |
REVIEW and REQUEST |
PERMISSION |
permissionOwners |
resolved_spermission_owner (table) |
REVIEW and REQUEST |
resolved_spermission_owner |
owner |
USER |
REVIEW only |
ACCOUNT |
accountHolders |
saccount_user (table) |
REVIEW only |
saccount_user |
holder |
USER |
REVIEW only |
ACCOUNT |
accountOwners |
resolved_saccount_owner (table) |
REVIEW only |
resolved_saccount_owner |
owner |
USER |
REQUEST only |
ROLE_POLICY (technical role) |
role_policyOwners |
policy_owner (table) |
REQUEST only |
policy_owner |
owner |
USER |
REQUEST only |
policy_owner |
groupOwner |
GROUP |
NOTE:Any of the relationships that resolve to a table would need another segment to resolve to an ENTITY. For example, APPLICATION.applicationOwners is incomplete, because it resolves to a table. The complete expression should be: APPLICATION.applicationOwners.USER.<attributeName> or APPLICATION.applicationOwners.GROUP.<attributeName>
USER based reviewer with risk and location as criteria
"Reviewer.user.displayName","Permission.risk","User.location" "Sue Smith",">90","Boston" "Charles Smith",">70","New York"
The first line is the header row and contains the column headers that identify the entity attributes that Identity Governance will use to determine reviewers.
The example uses the risk attribute from the permission entity and the location attribute from the user entity to match against review items. When a review item matches, the example uses the displayName attribute from the User entity to select a reviewer.
All the review item criteria columns must match for that row to be considered a match to the review item. In this example, the second line only matches a review item where the permission risk is greater than 90 and the user's location is Boston.
USER based reviewer with multiple criteria
"Reviewer.user.displayName","User.department" "Armando Colaco","!STARTS_WITH! Opera" "Charles Ward","!NOT! !MATCHES! Finance" "Henry Morgan","!NOT! !NULL!"
The reviewer assignment attempts to perform a match on each row of the coverage map until a match has been found. The first line is the header row and contains the entity attributes that are being evaluated. The second row assigns Armando Colaco as reviewer if the department of the user under review starts with Opera. The third row assigns Charles Ward as reviewer for users who are not members of the Finance department. The fourth row assigns Henry Morgan as reviewer for users who are members of a department.
During coverage map processing, a matching row is searched for in the order they appear in the CSV file. After a match is found for a review item, the reviewers are assigned based on that matching row, and no further rows are processed for that review item.
NOTE:Any review items that do not find a match are assigned to the review exception queue.
Keywords only header with review item referenced in criteria cells
"ReviewItem", "Reviewer" "user.department !IN! Transportation|Tours", "user.location == ReviewItem.user.supervisor.location" "user.department !NULL!", "user.uniqueUserId !IN! ReviewItem.application.applicationOwners.owner.uniqueUserId"
In this example, the header cells use only keywords, and the first criteria row uses relationships to assign a reviewer. Note that the ReviewItem is referenced within the Reviewer criteria cells. For users under review who are in the Transportation or Tours department, a reviewer is assigned based on the location of the supervisor.
The second criteria row specifies multiple reviewers based on the owners of the application under review if the department attribute is null.
Self and account owners as reviewers
"ReviewItem.account.relationToUserType","Reviewer.user.uniqueUserId" "==SHARED","!IN!ReviewItem.account.accountOwners.owner.uniqueUserId "==SINGULAR","!IN!ReviewItem.account.accountHolders.holder.uniqueUserId"
In this example, the header cells use keywords and the criteria cells uses relationships to specify that all shared accounts are reviewed by the account owner, and single assigned accounts are reviewed by the holder of the account (self).
Supervisors as reviewers
"ReviewItem.account.relationToUserType","Reviewer.user.uniqueUserId" "==SHARED", "!IN!ReviewItem.account.accountOwners.owner.supervisorUniqueId" "==SINGULAR","!IN!ReviewItem.account.accountHolders.holder.supervisorUniqueId"
In this example, the supervisor of the account owner is specified as the reviewer for all shared accounts and the supervisor of the holder of the account is specified as reviewer for single accounts.
Policy owners as approvers
"Approver.user.uniqueUserId","Approver.group.uniqueGroupId","RequestItem" "!IN! RequestItem.role_policy.policyOwners.owner.uniqueUserId","!IN! RequestItem.role_policy.policyOwners.groupOwner.uniqueGroupId","role_policy.risk > 30"
In this example, for access requests to technical roles, if risk is greater than 30, then the policy owner is assigned as the approver.
To load a coverage map CSV File:
Log in to Identity Governance as a Customer or Global Administrator.
Select Policy > Coverage Maps.
To load a new coverage map:
Click the load icon.
Select the coverage map type: REVIEW or REQUEST.
Type coverage map name and description.
Click the upload icon, and then browse for the coverage map CSV file.
Select Save.
Repeat the above steps to add additional coverage maps.
Identity Governance allows you to edit your coverage maps as needed.
To edit a coverage map:
Log in to Identity Governance as a Customer or Global Administrator.
Select Policy > Coverage Maps.
Click the name of the coverage map you want to edit.
Click Edit.
Make the desired changes.
Click Save.
You can delete coverage maps only if all the following conditions are met:
Identity Governance purged all the associated review instances
Authorized administrators either deleted and purged the mapped review definition or changed the mapping
To delete a single or multiple coverage maps:
Log in to Identity Governance as a Customer or Global Administrator.
Select Policy > Coverage Maps.
Click on the review definition column and view associated review instances.
Click the name of the coverage map that meets the conditions for deletion outlined above.
Click Edit.
Click the delete icon.
To delete multiple coverage maps:
Repeat Step 3 for each coverage map that you want to delete.
Select the coverage maps that meet the conditions outlined above.
Click Actions > Delete Coverage Map.