Oracle Access Governance is a cloud native identity governance and administration service that provides insight-based access reviews, identity analytics, and intelligence capabilities for businesses. More specifically, it provides
Please refer to the Oracle Access Governance web page for more details about the service.
Oracle Access Governance provides the following key features and functionalities:
To start using Access Governance, follow these steps:
Access Governance can be integrated with Oracle Identity Governance and Oracle Cloud Infrastructure (OCI) to load identity data. We will continue to add other identity management systems over time. Please refer to the following product documentation for more details: Access Governance Integration with Connected Systems.
Access Governance offers a containerized agent for on-premises integrations, including Oracle Identity Governance. This agent is customized and configured to work with a specific instance of Access Governance and a specific setup of Oracle Identity Governance over a secure channel. The agent’s purpose is to facilitate the secure transfer of data between Access Governance and the customer’s on-premises source of identity and access data.
As an Oracle Identity Governance customer, you can use Oracle Access Governance to perform intelligent access reviews and keep using Identity Governance for identity lifecycle management, access control, access requests, and user provisioning.
Yes, Access Governance can be integrated with multiple OCI tenancies, thus providing cross-cloud access correlation of identities' access privileges. We will continue to add other cloud service providers, such as AWS, Azure, and Google Cloud Platform, over time.
Access Governance connects with cloud applications and cloud service providers through cloud application programming interfaces (APIs). No containerized agent is required to connect.
Users who are synchronized in Access Governance should be onboarded in Oracle Cloud Infrastructure Identity and Access Management (OCI IAM) so they can access the Access Governance console. These users can be onboarded in OCI IAM using one of the following approaches:
Please refer to the following product documentation and tutorials for more details:
If you want to govern access privileges assigned to a subset of identities belonging to a defined location, department, organization, or any other user attribute, you can mark those users as ACTIVE in Oracle Access Governance. In Oracle Access Governance
Please refer to this documentation for more details: Activate/Inactivate Identities for License Management.
Oracle Access Governance is used to execute intelligent access review campaigns with prescriptive analytics–based identity insights to help access reviewers make informed decisions quickly. It supports event-driven, periodic, and on-demand access review campaigns. The access reviewers can review user permissions, role memberships, and OCI policies in a single dashboard view, ensuring that users only have the access privileges they need to complete their tasks.
An event-based access review is triggered for a user when their attributes, such as organization, manager, location, employment status, and so on, get updated in Access Governance.
Access Governance provides AI/ML-driven insights, such as peer group analysis, outlier detection, and recommendations, enabling reviewers to take suggested actions to complete access review tasks.
Oracle Access Governance helps an organization maintain the security posture for their OCI workloads by providing
Custom attributes of a user’s schema defined in Oracle Identity Governance can be used in Access Governance to
Please refer to the following product documentation for more details: View and Configure Custom Identity Attributes.
Yes, an access reviewer can delegate an access review task to another individual or an identity collection (user group) by defining the delegation policy for themselves in the Oracle Access Governance console.
Yes. For each decision made in an access review campaign, the following information is stored for auditing or compliance purposes:
Access Governance provides intelligent reporting for access reviews using graphs and charts that are easy to use and interpret. It also provides a detailed report of the access review campaign in CSV format.
Access Governance provides multiple workflows for access reviews out of the box. Workflows automatically perform the series of actions associated with the access review campaign.
Oracle Access Governance is a smart device–optimized, web-based console designed to perform seamlessly from any device—computer, tablet, or smartphone.
Access Governance supports Oracle Cloud Infrastructure Identity and Access Management as its identity provider for user login and authorization. To log in using an external identity provider, configure OCI IAM to use that external identity provider for federated authentication.
Please refer to the following product documentation for instructions on how to set up federation with an external identity provider: Manage Identity Providers.
Access Governance is available as part of Oracle Universal Credits. When you order Oracle Access Governance through Universal Credits, you automatically get access to Oracle Cloud Infrastructure and other required services. For details, please refer to the following product documentation: Before You Begin.
You create an Access Governance instance in the Oracle Cloud Infrastructure Console. For details, please refer to the following product documentation: Set Up Service Instance.
You can manage an Access Governance instance in the Oracle Cloud Infrastructure Console. For details, please refer to the following product documentation: Manage Service Instance.
It’s accessible from the Oracle Cloud Infrastructure Console. You can navigate to the Access Governance page, select the service instance you want to access, and then click the Access Governance URL.
Go to My Oracle Support and create a service request.
No. Support is included in the subscription fee.
Access Governance is a cloud native service. Oracle takes care of patching and upgrading the service.
Please refer to the SLA documentation (PDF).
Oracle Access Governance comes with two SKUs, and each SKU has different tiers. The two SKUs are
For more details, please refer to the Oracle Access Governance pricing.
The integrations supported by each of the two Access Governance SKUs are
"Workforce user per month" is the unit metric for each license in Access Governance. Please refer to the following documentation for more details: Oracle PaaS and IaaS Universal Credits Service Descriptions (PDF).
By default, all identities synchronized from connected systems, such as Oracle Identity Management, Oracle Cloud Infrastructure, and so on, into Access Governance will have NULL status. You can mark only the identities you want to govern in Access Governance as ACTIVE. Only the identities marked as ACTIVE in Access Governance will be considered for billing, starting from the hour in which those identities are marked as ACTIVE.
If you have marked a set of ACTIVE identities as INACTIVE, then those identities will not be considered for billing starting from the hour in which they are marked as INACTIVE.
Even though the metric for Access Governance SKUs is per month, Oracle is passing benefits on to the customer by calculating the number of ACTIVE identities on an hourly basis and generating the bill for the entire month.
Access Governance provides identity filtering or marking functionality based on which identities can be marked as ACTIVE. An administrator may use identity attributes to define such rules.
No, you can’t run access review campaigns on identities marked as INACTIVE in Access Governance.
No, identities marked as INACTIVE can’t access the Access Governance console.
A disabled identity can be marked as an ACTIVE identity in Access Governance so you can review its access privileges. An administrator may set rules to mark those disabled identities as ACTIVE in Access Governance.
For billing, Access Governance will include only those disabled identities marked as ACTIVE.
If you mark all identities as INACTIVE, then the bill generated for your Access Governance instance will be null.
The Access Governance license type can be upgraded without any service disruption. So, you may upgrade the license type from Oracle Access Governance for Oracle Cloud Infrastructure—Workforce User to Oracle Access Governance for Oracle Workloads—Workforce User. You can do it manually from the Access Governance page in the Oracle Cloud Infrastructure Console.
By default, all 22,000 users synchronized from Oracle Identity Management into Access Governance will have NULL status. You may mark the required 10,000 users as ACTIVE based on their user-organization attribute. You will be billed for users who are marked as ACTIVE in Access Governance.
If you want to review the access privileges of all users in this OCI tenancy, then you may mark all users as ACTIVE in Access Governance. You will be billed for 2,000 (2 × 1,000) users in this case.
If you want to review the access privileges of users belonging to only one of the two domains, then you may define a rule to mark only users of that domain as ACTIVE in Access Governance. You will be billed for 1,000 (1 × 1,000) users in this case.
You will be metered on an hourly basis and billed monthly for active workforce users. The bill amount is calculated based on the metered usage and your rate card.
Access Governance is metered hourly. Before the service instance is upgraded, you will be billed for Oracle Access Governance for Oracle Cloud Infrastructure—Workforce User on an hourly basis. After the license upgrade, you will be billed for Oracle Access Governance for Oracle Workloads—Workforce User. In effect, you would see billing for both line items throughout the month, but each will be charged for the number of hours its license type was active.
The workforce users are metered on an hourly basis, and only active users are billed. So, if the number of active users changes during the billing cycle, your bill is prorated accordingly.
Please refer to the cost estimator to estimate the cost of service usage by following these steps: