Risk factors, metrics that affect a risk score, apply to specific items and can have a positive or negative impact on the item's risk score. The weight of a risk factor is the percentage of an item's risk that the factor comprises. The maximum value for any risk factor component is the maximum risk score for the item multiplied by the percentage weight of the factor. For example, an organization specifies that user risk score has a maximum value of 1000 and 3 risk factors of equal weight. Each risk factor can only account for one third of the user's risk score.
For some risk factors, Identity Governance uses either the average value or the maximum value for that factor, based on which one you select. Other risk factors use a range of values that you set. When you assign a weight to a risk factor, such as Number of unmapped accounts, Identity Governance then looks at the range you have specified. If the value of the risk factor is at or above the high range, Identity Governance applies the full weight for that risk factor to the risk score. If the value is below the high range, Identity Governance applies a percentage of the weight that is appropriate to the percentage of the high range for the value. If a risk factor value is at or below the low range, that factor does not add anything to the risk score.
You can use the following risk factors to control how Identity Governance calculates risk scores in your environment.
Governance Risk Factors | Risk Factor Type |
|---|---|
User risk scores | Average or Max |
Application risk scores | Average or Max |
Account risk scores | Average or Max |
Business role risk scores | Average or Max |
Technical role risk scores | Average or Max |
Permission risk scores | Average or Max |
Number of unmapped accounts | Low to high range |
Number of unauthorized assignment (permission and technical role) | Low to high range |
Number of outstanding SOD violations | Low to high range |
Number of expired certification violations | Low to high range |
Total number of certification violations | Low to high range |
Number of no decision certification violations | Low to high range |
Number of not reviewed certification violations | Low to high range |
Application Risk Factors | Risk Factor Type |
|---|---|
Risk of assigned permissions in application | Average or Max |
Risk of accounts in application | Average or Max |
Number of unmapped accounts | Low to high range |
Number of permissions in the application | Low to high range |
Number of exceptions (access not authorized by policy) | Low to high range |
Number of expired certification violations | Low to high range |
Total number of certification violations | Low to high range |
Number of no decision certification violations | Low to high range |
Number of not reviewed certification violations | Low to high range |
Collected application risk score attribute | Application attribute. Typically, application risk. |
User Risk Factors | Risk Factor Type |
|---|---|
Risk of permissions assigned to user | Average or Max |
Risk of accounts assigned to user | Average or Max |
Number of outstanding SOD violations | Low to high range |
Number of exceptions (access not authorized by policy) | Low to high range |
Number of permissions assigned to the user | Low to high range |
Number of business roles the user is in | Low to high range |
Collected user risk score attribute | Value |
Number of expired certification violations | Low to high range |
Total number of certification violations | Low to high range |
Number of no decision certification violations | Low to high range |
Number of not reviewed certification violations | Low to high range |
Days past expired certification | Impact |
