

Pattern-based Auditing

Auditing is a process performed on an existing configuration to locate erroneous privileges and other deviations from policies. The client tools contain two auditing modules: a basic role-based auditing module and a policy compliance module. This section discusses basic role-based auditing; policy compliance is discussed afterward.

Basic auditing tools apply internal logic and built-in algorithms to an existing configuration to analyze and identify many types of non-conformities or suspicions related to users, roles, and resources (currently about 50 different types). Each tool can be applied individually to produce a limited set of suspicion types, such as collectors (users with too many resources), collectibles (resources with too many users), suspect roles, and excess privileges for an individual entity. After identifying problematic entities, the Role Engineer can correct them and run the tool again to verify that the problem has been solved. In this manner, individual tools can be used “interactively” during the audit process.

In addition, an audit can be comprehensive and include many types of suspicions for many configuration records. In this case, an AuditCard is generated listing all suspicious records and the type of suspicion involved. The AuditCard contains a built-in mechanism for tracking progress in resolving the suspicion until resolution is achieved. In addition, this AuditCard can be printed.
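To make the suspicion types above concrete, here is an added example (not code from the product) that runs a small pattern-based audit over a constructed user/role/resource configuration and returns an AuditCard-style list of (entity, suspicion) records. The thresholds, the sample data, and the exact suspicion names are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample configuration (assumption, not real data): roles grant
# resources, users hold roles, and users may also hold direct grants that
# bypass any role.
ROLES = {
    "payroll_clerk": {"payroll_db", "hr_portal"},
    "developer": {"git_repo", "ci_server"},
    "auditor_legacy": {"audit_log"},  # defined but assigned to nobody
}
USER_ROLES = {
    "alice": {"payroll_clerk"},
    "bob": {"developer"},
    "carol": {"payroll_clerk", "developer"},
    "dave": set(),
}
DIRECT_GRANTS = {
    "alice": {"git_repo"},  # granted outside her role
    "dave": {"payroll_db", "git_repo", "ci_server", "hr_portal", "backup_share"},
}

def role_resources(user):
    """Resources a user is entitled to through assigned roles only."""
    return set().union(*(ROLES[r] for r in USER_ROLES.get(user, set())))

def effective_resources(user):
    """Everything the user actually holds: role-derived plus direct grants."""
    return role_resources(user) | DIRECT_GRANTS.get(user, set())

def audit(collector_max=4, collectible_max=3):
    """Return sorted (entity, suspicion) records, one per finding."""
    findings = []
    holders = defaultdict(set)  # resource -> users holding it
    for user in USER_ROLES:
        held = effective_resources(user)
        for res in held:
            holders[res].add(user)
        if len(held) > collector_max:          # too many resources
            findings.append((user, "collector"))
        # Excess privilege: a direct grant no assigned role accounts for
        for res in sorted(DIRECT_GRANTS.get(user, set()) - role_resources(user)):
            findings.append((user, f"excess privilege: {res}"))
    for res, users in holders.items():
        if len(users) > collectible_max:       # too many users
            findings.append((res, "collectible"))
    # Suspect role: assigned to no user, or grants nothing
    assigned = set().union(*USER_ROLES.values())
    for role, res in ROLES.items():
        if role not in assigned or not res:
            findings.append((role, "suspect role"))
    return sorted(findings)
```

Re-running `audit()` after correcting a flagged entity mirrors the interactive fix-and-verify loop described above; the thresholds are deliberately parameters so a Role Engineer can tune what counts as "too many".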

Note: Role discovery tools can also be used as auditing tools, and role discovery results can serve as the basis for comprehensive audits. Auditing tools can be run immediately after role discovery and verification have been performed to double-check the results, periodically after inevitable changes on the production server (after downloading updated data), or as part of a comprehensive audit of the organization.

More information:

Audit Menu

AuditCard Report