Compliance Checks using Access Guardrails in Access Governance
Oracle Access Governance (AG) is a cloud service designed to provide comprehensive access visibility and governance across both cloud and on-premises environments. Many Access Governance customers require the ability to perform compliance checks as part of their access request process before granting access. Access Guardrails is a newly introduced feature in Access Governance that facilitates these compliance checks. This document highlights how to define an Access Guardrail as part of an access request check.
Categories of Compliance Checks: Compliance checks typically fall into three main categories:
- Ensuring individuals have the appropriate roles/permissions.
- Verifying that individuals possess specific credentials or certifications.
- Confirming that individuals do not have conflicting roles and permissions (Segregation of Duty check).
Access Guardrails enables Access Governance customers to perform all three of the checks mentioned above.
Access Bundles and Access Guardrails: Within Access Governance, access requests are made in the form of Access Bundles, which are combinations of entitlements selected from a system. This feature allows users to request Access Bundles instead of individual entitlements or permissions. With the introduction of Access Guardrails, administrators can now configure Access Governance to check for specific Access Guardrails as part of each Access Bundle definition.
Defining Access Guardrails:
- An administrator can create an Access Guardrail within the Access Request section of Access Governance.

- After naming the Access Guardrail, the administrator can define a rule based on one of the following conditions:
  - Check that an identity has a specific permission.
  - Check that an identity does not have a specific permission.
  - Check that an identity matches a particular attribute.

- The administrator then selects the systems, roles, and permissions associated with the condition.

- Upon defining the condition, the administrator can specify the behavior, such as blocking the access request or allowing it for a limited time if the item is considered low risk.

- After defining the Access Guardrail, Access Governance also allows the administrator to check it against an identity for validation and accuracy.

- Lastly, the Access Guardrail can be associated with an Access Bundle. For example, an Access Bundle with receivables permission may block access if the user already has Payables permission, as defined by the FusionReceivable Guardrail, which checks for the Account Payable permission.

Result: As expected, whenever a user with the Account Payable permission requests the Account Receivable Access Bundle, the Access Guardrail triggers a notification to the approver that a violation has occurred.

The Access Governance administrator can also view all the violations for each Access Guardrail.
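The evaluation logic described in the steps above, sketched as an added example (a conceptual model, not Oracle's code or API). The system name "Fusion", the "FinanceTraining" guardrail, the attribute names and the 7-day window are assumptions made for illustration; only the FusionReceivable guardrail and the Account Payable permission come from the walkthrough.

```python
from dataclasses import dataclass, field
from datetime import timedelta

# Condition and behavior names mirror the options listed in the walkthrough.
HAS, MUST_NOT_HAVE, ATTRIBUTE = "has", "must_not_have", "attribute"
BLOCK, TIME_LIMITED = "block", "time_limited"

@dataclass(frozen=True)
class Guardrail:
    name: str
    condition: str
    target: tuple                 # (system, permission) or (attribute, value)
    behavior: str = BLOCK
    window: timedelta = timedelta(days=7)   # constructed default for time-limited grants

@dataclass
class Identity:
    name: str
    permissions: set = field(default_factory=set)   # {(system, permission)}
    attributes: dict = field(default_factory=dict)

def satisfied(rail, ident):
    """True when the identity meets the guardrail's condition."""
    if rail.condition == ATTRIBUTE:
        attr, value = rail.target
        return ident.attributes.get(attr) == value
    held = rail.target in ident.permissions
    return held if rail.condition == HAS else not held

def evaluate_request(ident, bundle_guardrails):
    """Return (decision, violated guardrail names, grant window or None)."""
    failed = [g for g in bundle_guardrails if not satisfied(g, ident)]
    names = [g.name for g in failed]
    if any(g.behavior == BLOCK for g in failed):
        return "blocked", names, None          # any blocking violation wins
    if failed:
        return "time_limited", names, min(g.window for g in failed)
    return "allowed", names, None

# Constructed sample data: "Fusion" and the training attribute are assumptions.
AP = ("Fusion", "Account Payable")
RECEIVABLE_BUNDLE = [
    Guardrail("FusionReceivable", MUST_NOT_HAVE, AP),   # SoD check from the walkthrough
    Guardrail("FinanceTraining", ATTRIBUTE, ("finance_training", "complete"), TIME_LIMITED),
]
alice = Identity("alice", {AP}, {"finance_training": "complete"})   # holds Payables
bob = Identity("bob", set(), {"finance_training": "complete"})      # clean request
carol = Identity("carol")                                           # lacks the attribute

if __name__ == "__main__":
    for who in (alice, bob, carol):
        print(who.name, evaluate_request(who, RECEIVABLE_BUNDLE))
```

Because a guardrail is defined once and attached to bundles by reference, the same `FusionReceivable` object could be placed in several bundle lists, which is the reuse the feature is designed around.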

Conclusion: Access Guardrails is a versatile and innovative compliance-checking feature recently introduced into Access Governance. Its user-friendly design allows for the quick creation of Access Guardrails and their integration into access requests. The design also enables the reuse of Guardrails across multiple Access Bundles. System administrators can now leverage this feature to perform common compliance checks, such as verifying credentials or conducting Segregation of Duty (SoD) checks. Furthermore, enterprise-level SoD checks are possible, allowing for the verification of permissions and roles across multiple systems.

