2.4 Using Coverage Maps

Coverage maps allow administrators to map review or access request items to respective reviewers or approvers when creating a review definition or an access request approval policy. Coverage maps use one or more rules to specify:

  • An entity type or attribute based on the item under review

  • Different entity and attribute criteria in a single column

  • Secondary or related entity or attribute of related entity referenced by entity-entity relationships

For more information, see:

2.4.1 About Coverage Map Rules

Coverage maps comprise one or more rules that define and specify the following:

  • Reviewers of a User Access or Account Review definition

    NOTE:To specify a coverage map as a reviewer for unmapped accounts, ensure that All unmapped accounts is selected for the review items, and then specify Review by Coverage Map as the reviewer.

  • Approvers for requested access in the Request application

To create coverage map rules, Identity Governance uses an interface similar to the advanced filter for searches. Though the interface uses conditions and subconditions to define rules for coverage maps, you cannot save rules. You can, however, export the coverage map that you create, and you can import coverage maps that others have created.

2.4.2 Using Criteria Definitions in Rules

Criteria options in the rules interface correspond with the criteria that you define in your rules. For example, if you want to create a condition for your rule that specifies users with specific titles, select User: Title.

2.4.3 Using Operators, Conditions, Filters, Relationships, and Attributes in Rules

The rules interface uses the operators AND, OR, and NOT to create expressions that direct the rule definition to include, respectively, ALL of the conditions you define, ANY of the conditions you define, or NONE of the conditions you define in the search filter. Select one of these operators to start building a filter. The operator you select applies to every condition you create.

Conditions allow you to specify a criteria option as a criterion for a rule, and then use additional operators, such as “equal to,” “not equal to,” “greater than,” “less than,” and “greater than or equal to,” to define how the rule includes, or if it excludes, the defined item in the coverage map as a result of the condition.

Filters are subconditions that allow you to fine-tune a condition with additional AND, OR, and NOT statements.

Relationships and attributes appear as options only when you define reviewer or approver criteria. Relationships require that you also assign and define an attribute for the relationship.

2.4.4 Creating Rules for Coverage Maps

Rule creation requires that you create expressions to define and add criteria for your coverage map. Click Define Criteria to define conditions that create expressions for one or more of the following review or approval items:

  • User

  • Account

  • Permission

  • Application

Click Add Criteria to define conditions or relationships that create expressions for one or more of the following reviewer or approver criteria:

  • User

  • Group

2.4.5 Creating a Coverage Map

When you create a coverage map, Identity Governance searches for a matching statement in the order defined in the coverage map. When one or more review items match all defined review item criteria, the users or groups matching the respective user or group criteria become reviewers for those items.

To create a coverage map:

  1. Log in to Identity Governance as a Customer or Global Administrator.

  2. Select Policies > Coverage Maps.

  3. Click the add icon (+).

  4. Type a name and a description for the coverage map.

  5. Specify the coverage map type.

  6. (Conditional) Create the Review Type coverage map rules.

    1. Select Review.

    2. Click the plus icon (+).

    3. Under Review Item Criteria, click Define Criteria.

      NOTE:You are not required to define review item criteria. A rule may contain only a reviewer criteria.

    4. Click the plus icon (+) for the criteria you want to define, and then use operators, conditions, and filters available to create one or more expressions for each criteria.

      NOTE:Some condition expressions require 1:1 mapping. For example, if the condition "User: Display Name equals <Account Holder Display Name>" returns more than one possible result, Identity Governance displays an error message. You should configure "User: Display Name equals one of <Account Holder Display Name>."

    5. Click Save.

    6. Under Reviewer Criteria, click Add Criteria, and then select either Define Criteria or Define Relationship.

    7. Choose the criteria you want to define, and then use operators, conditions, and filters to create one or more conditions for each criteria.

    8. Click Save.

    Perform these steps for each rule you want to add to your Review Type coverage map.

  7. (Conditional) Create the Request Type coverage map rules.

    1. Select Request.

    2. Click the plus icon (+).

    3. Under Approval Item Criteria, click Define Criteria.

      NOTE:You are not required to define approval item criteria. A rule may contain only an approver criteria.

    4. Click the plus icon (+) for the criteria you want to define, and then use operators, conditions, and filters available to create one or more conditions for each criteria.

      NOTE:Some condition expressions require 1:1 mapping. For example, “equals” is not valid if the rule could return more than one possible result. In those cases, “equals one of” is a valid choice.

    5. Click Save.

    6. Under Approver Criteria, click Add Criteria, and then select either Define Criteria or Define Relationship.

    7. Choose the criteria you want to define, and then use operators, conditions, and filters to create one or more conditions for each criteria.

    8. Click Save.

    Perform these steps for each rule you want to add to your Request Type coverage map.

  8. Click Save.

2.4.6 Exporting and Importing a Coverage Map

Identity Governance allows you to export one or more coverage maps to a file that you can download and share with others in your enterprise.

To export a coverage map:

  1. Log in to Identity Governance as a Customer or Global Administrator.

  2. Select Policies > Coverage Maps.

  3. Select one or more coverage maps.

  4. Click Actions > Export Coverage Maps.

  5. On the Coverage Maps dialog box, enter a description for your export file, and then click Download.

  6. On the title bar, click the Download icon.

  7. On the Your Downloads dialog box, select the coverage map file you want to download, and then click the Download icon.

Identity Governance saves the following files to a ZIP archive in your browser download directory:

  • A JSON file containing information for the coverage maps you chose to export

  • A JSON file containing information for review definitions or access request approval policies (depending on the coverage map type) that use the coverage map(s)

You can share the downloaded file with others, who will extract the coverage map file before importing it. For information about importing review definitions and access requests, see Section 26.4, Downloading and Importing Review Definitions and Section 23.8, Downloading and Importing Access Request and Approval Policies.

To import a coverage map:

  1. Log in to Identity Governance as a Customer or Global Administrator.

  2. Select Policies > Coverage Maps.

  3. Click Import Coverage Maps.

  4. Browse to the local directory where you extracted the coverage map file.

  5. Select the file, and then click Open.

  6. On the Import Coverage Maps page, select the coverage maps you want to import.

  7. Click Import.

NOTE:Before you run a review, verify all mappings in the review definitions to ensure the coverage map associations are correct.

2.4.7 Creating Coverage Map Using a CSV File

Identity Governance allows you to create coverage maps using CSV files, which you can then load into Identity Governance. You can use these files to map review or request items to respective reviewers or approvers by specifying:

  • An entity type or attribute based on the item under review

  • Different entity and attribute criteria in a single column

  • Secondary or related entity or attribute of related entity referenced by entity-entity relationships

You should understand Identity Governance supported coverage map types, keywords, syntax, and entity-entity relationships to create and load coverage maps.

If you prefer to manually create a coverage map, you can create a CSV file with header and criteria cells. For greater flexibility use only keywords. For more information, see:

Supported Coverage Map Types and Keywords

Identity Governance supports the following coverage map type attributes and keywords:

Type

Description

Keywords

REVIEW

Maps for user access and account review based reviews

  • Reviewer

  • ReviewItem

REQUEST

Maps for request based approver determination

  • Approver

  • RequestItem

Supported Syntax

Header and Criteria Cells Syntax

For

Syntax

USER or GROUP based reviewer header cell

<Reviewer.user|Reviewer.group>[.related user or group attribute key]

Review item header cell

<Approver.user|Approver.group>[.related user or group attribute key]

USER or GROUP based approver header cell

<Application|Permission|User]>[.entity-attribute-key]

Request item header cell

[RequestItem.]<Application|Permission|ROLE_POLICY|User>.<entity-attribute-key>

Keyword(s) only header

<Reviewer|ReviewItem> or <Approver|RequestItem>

Attribute based criteria cell

[<entity-name>.]<attribute-name> <Op> <value(s)>

Attribute and relationship based criteria cell

[<entity-name>.]<attribute-name> <Op> ReviewItem.<entity-name>.[<relationship-name>.]<attribute-name>

HINT:Specifying only keywords in the header column, and specifying other entity and attributes details in the criteria cells provides more flexibility than other formats.

Operator Syntax

Value entries for attributes that have numeric data types support the following list of comparison prefixes: >, >=, <, <=, !=, <>. For example: "Permission.risk","< 40".

Value entries for attributes with string data types support multiple values by using the pipe (|) symbol. For example, "Reviewer.user.displayName","Sue Smith|Jerry Jones|Tom Carter". Additionally, you can use the following operators:

  • !IS_EMPTY! or !NULL!

  • !IN!

  • !CONTAINS!

  • !MATCHES!

  • !ENDS_WITH!

  • !STARTS_WITH!

  • !NOT!

Date Type

The system evaluates date types in comparisons using ISO 8601 date and time format. The following are some examples of January 31, 2017:

  • 2017-01-31

  • 2017-01-31T10:00Z

  • 2017-01-31T10:00-05:00

NOTE:Though the format allows for time to be specified, Identity Governance stores only the date in the catalog for date entity types.

Supported Relationships

Relationships can be nested in coverage maps. However, relationships cannot be referenced in the ReviewItem criteria cell; they can be accessed only from the Reviewer or Approver criteria cell.

The supported predefined relationships appear below:

Coverage Map Type(s)

Entity

Relationship

Related Entity

REVIEW and REQUEST

USER

supervsior

USER

REVIEW and REQUEST

USER

affiliate

USER

REVIEW and REQUEST

APPLICATION

applicationOwners

applicationOwners (table)

REVIEW and REQUEST

applicationOwners

owner

USER

REVIEW and REQUEST

applicationOwners

groupOwner

GROUP

REVIEW and REQUEST

PERMISSION

permissionOwners

resolved_spermission_owner (table)

REVIEW and REQUEST

resolved_spermission_owner

owner

USER

REVIEW only

ACCOUNT

accountHolders

saccount_user (table)

REVIEW only

saccount_user

holder

USER

REVIEW only

ACCOUNT

accountOwners

resolved_saccount_owner (table)

REVIEW only

resolved_saccount_owner

owner

USER

REQUEST only

ROLE_POLICY (technical role)

role_policyOwners

policy_owner

(table)

REQUEST only

policy_owner

owner

USER

REQUEST only

policy_owner

groupOwner

GROUP

NOTE:Any of the relationships that resolve to a table would need another segment to resolve to an ENTITY. For example, APPLICATION.applicationOwners is incomplete, because it resolves to a table. The complete expression should be: APPLICATION.applicationOwners.USER.<attributeName> or APPLICATION.applicationOwners.GROUP.<attributeName>

User Access Review Coverage Map Examples

USER based reviewer with risk and location as criteria

"Reviewer.user.displayName","Permission.risk","User.location"
"Sue Smith",">90","Boston"
"Charles Smith",">70","New York"

The first line is the header row and contains the column headers that identify the entity attributes that Identity Governance will use to determine reviewers.

The example uses the risk attribute from the permission entity and the location attribute from the user entity to match against review items. When a review item matches, the example uses the displayName attribute from the User entity to select a reviewer.

All the review item criteria columns must match for that row to be considered a match to the review item. In this example, the second line only matches a review item where the permission risk is greater than 90 and the user's location is Boston.

USER based reviewer with multiple criteria

"Reviewer.user.displayName","User.department"
"Armando Colaco","!STARTS_WITH! Opera"
"Charles Ward","!NOT! !MATCHES! Finance"
"Henry Morgan","!NOT! !NULL!"

The reviewer assignment attempts to perform a match on each row of the coverage map until a match has been found. The first line is the header row and contains the entity attributes that are being evaluated. The second row assigns Armando Colaco as reviewer if the department of the user under review starts with Opera. The third row assigns Charles Ward as reviewer for users who are not members of the Finance department. The fourth row assigns Henry Morgan as reviewer for users who are members of a department.

During coverage map processing, a matching row is searched for in the order they appear in the CSV file. After a match is found for a review item, the reviewers are assigned based on that matching row, and no further rows are processed for that review item.

NOTE:Any review items that do not find a match are assigned to the review exception queue.

Keywords only header with review item referenced in criteria cells

"ReviewItem", "Reviewer"
"user.department !IN! Transportation|Tours", "user.location == ReviewItem.user.supervisor.location"
"user.department !NULL!", "user.uniqueUserId !IN! ReviewItem.application.applicationOwners.owner.uniqueUserId"

In this example, the header cells use only keywords, and the first criteria row uses relationships to assign a reviewer. Note that the ReviewItem is referenced within the Reviewer criteria cells. For users under review who are in the Transportation or Tours department, a reviewer is assigned based on the location of the supervisor.

The second criteria row specifies multiple reviewers based on the owners of the application under review if the department attribute is null.

Account Review Coverage Map Examples

Self and account owners as reviewers

"ReviewItem.account.relationToUserType","Reviewer.user.uniqueUserId"
"==SHARED","!IN!ReviewItem.account.accountOwners.owner.uniqueUserId
"==SINGULAR","!IN!ReviewItem.account.accountHolders.holder.uniqueUserId"

In this example, the header cells use keywords and the criteria cells uses relationships to specify that all shared accounts are reviewed by the account owner, and single assigned accounts are reviewed by the holder of the account (self).

Supervisors as reviewers

"ReviewItem.account.relationToUserType","Reviewer.user.uniqueUserId"
"==SHARED", "!IN!ReviewItem.account.accountOwners.owner.supervisorUniqueId"
"==SINGULAR","!IN!ReviewItem.account.accountHolders.holder.supervisorUniqueId"

In this example, the supervisor of the account owner is specified as the reviewer for all shared accounts and the supervisor of the holder of the account is specified as reviewer for single accounts.

Access Request Coverage Map Example

Policy owners as approvers

"Approver.user.uniqueUserId","Approver.group.uniqueGroupId","RequestItem"
"!IN! RequestItem.role_policy.policyOwners.owner.uniqueUserId","!IN! RequestItem.role_policy.policyOwners.groupOwner.uniqueGroupId","role_policy.risk > 30"

In this example, for access requests to technical roles, if risk is greater than 30, then the policy owner is assigned as the approver.

2.4.8 Loading a Coverage Map CSV File

To load a coverage map CSV File:

  1. Log in to Identity Governance as a Customer or Global Administrator.

  2. Select Policy > Coverage Maps.

  3. To load a new coverage map:

    1. Click the load icon.

    2. Select the coverage map type: REVIEW or REQUEST.

    3. Type coverage map name and description.

    4. Click the upload icon, and then browse for the coverage map CSV file.

    5. Select Save.

  4. Repeat the above steps to add additional coverage maps.

2.4.9 Editing a Coverage Map

Identity Governance allows you to edit your coverage maps as needed.

To edit a coverage map:

  1. Log in to Identity Governance as a Customer or Global Administrator.

  2. Select Policy > Coverage Maps.

  3. Click the name of the coverage map you want to edit.

  4. Click Edit.

  5. Make the desired changes.

  6. Click Save.

2.4.10 Deleting a Coverage Map

You can delete coverage maps only if all the following conditions are met:

  • Identity Governance purged all the associated review instances

  • Authorized administrators either deleted and purged the mapped review definition or changed the mapping

To delete a single or multiple coverage maps:

  1. Log in to Identity Governance as a Customer or Global Administrator.

  2. Select Policy > Coverage Maps.

  3. Click on the review definition column and view associated review instances.

  4. Click the name of the coverage map that meets the conditions for deletion outlined above.

  5. Click Edit.

  6. Click the delete icon.

  7. To delete multiple coverage maps:

    1. Repeat Step 3 for each coverage map that you want to delete.

    2. Select the coverage maps that meet the conditions outlined above.

    3. Click Actions > Delete Coverage Map.