Access Governance FAQ

Service functionality

What is Oracle Access Governance?

Oracle Access Governance is a cloud native identity governance and administration (IGA) solution that provides user provisioning, access reviews, and identity analytics to define and govern access privileges. It provides visibility into compliance and actionable artificial intelligence/machine learning–driven identity intelligence to reduce risks.

Please refer to the Oracle Access Governance web page for more details about the service.

What are some key features of Oracle Access Governance?

Oracle Access Governance provides the following key features and functionalities:

  • Identity orchestration with Oracle Cloud Infrastructure (OCI) and Oracle Identity Governance/Oracle Identity Management
  • Continuous discovery of users, groups, roles, applications, permissions, and policies
  • Visibility into user access privileges for any resource across the organization
  • Cross-cloud and cross-enterprise access correlation
  • Access requests and role-based, attribute-based, and policy-based access control
  • Ad hoc, periodic, and event-based access review campaigns to govern the access privileges assigned to users (including employees, contractors, and partners)
  • Prescriptive analytics and recommendations, enabling access reviewers to efficiently review and limit user access
  • An easy-to-comprehend view and simplified access reviews of OCI policies and OCI group memberships
  • Automated fulfillment of access decisions

How can I start using Access Governance?

To start using Access Governance, follow these steps:

Which identity management systems can be integrated with Access Governance?

Access Governance provides out-of-the-box integrations with Oracle and non-Oracle workloads. We will continue to add more systems and services.

Please refer to the following product documentation for more details: Access Governance Integrations.

How does Access Governance connect with Oracle and non-Oracle workloads?

Access Governance connects with cloud applications and cloud service providers, such as Oracle Cloud Infrastructure, through cloud application programming interfaces (APIs).

Access Governance offers a containerized agent for other integrations. This agent is customized and configured to work with a specific instance of Access Governance over a secure channel. The agent’s purpose is to facilitate the secure transfer of data between Access Governance and the customer’s on-premises source of identity and access data.

Can Access Governance be used with Oracle Identity Governance in hybrid mode to perform identity governance and administration?

Yes, Access Governance can be seamlessly integrated with Oracle Identity Governance to perform hybrid identity governance and administration.

Can the Access Governance service be integrated with multiple Oracle Cloud Infrastructure (OCI) tenancies?

Yes, Access Governance can be integrated with multiple OCI tenancies, thus providing cross-cloud access correlation of identities' access privileges. We will continue to add other cloud service providers, such as AWS, Azure, and Google Cloud Platform.

How can users who are synchronized in Access Governance access its service console?

Users who are synchronized in Access Governance should be onboarded in Oracle Cloud Infrastructure Identity and Access Management (OCI IAM) so they can access the Access Governance console. These users can be onboarded in OCI IAM using one of the following approaches:

  • Configure Oracle Identity Governance provisioning with OCI IAM using the Oracle Identity Cloud Service connector.
  • Set up federation with an external identity provider and enable Security Assertion Markup Language (SAML) just-in-time provisioning.
  • Build a self-registration profile.

Please refer to the following product documentation and tutorials for more details:

How can I select a subset of identities in my enterprise to govern their access privileges in Oracle Access Governance?

If you want to govern access privileges assigned to a subset of identities belonging to a defined location, department, organization, or any other user attribute, you can mark those users as Active in Oracle Access Governance.

  • Access review tasks will be generated for the identities marked as Active.
  • Access control will be provided for the identities marked as Active.
  • Only users marked as Active can log in to the Oracle Access Governance console and review their directs’ access privileges.

Please refer to this documentation for more details: Activate/Inactivate Identities for License Management.

How do access reviews work in Oracle Access Governance?

Oracle Access Governance is used to execute intelligent access review campaigns with prescriptive analytics–based identity insights to help access reviewers make informed decisions quickly. It supports event-driven, periodic, and on-demand access review campaigns. The access reviewers can review user permissions, role memberships, identity collection memberships, and OCI policies in a single dashboard view, ensuring that users only have the access privileges they need to complete their tasks.

How do event-based access reviews work in Access Governance?

An event-based access review is triggered for a user when their attributes, such as organization, manager, location, employment status, and so on, get updated in Access Governance.

Access Governance also offers timeline-based microcertifications, which help facilitate timely access reviews based on important milestones.

Does Access Governance provide identity intelligence (analytics, artificial intelligence/machine learning–based insights, and so on)?

Access Governance provides AI/ML-driven insights, such as peer group analysis, outlier detection, and recommendations, enabling reviewers to take suggested actions to complete access review tasks.

How does Access Governance help maintain the identity security posture in Oracle Cloud Infrastructure (OCI)?

Access Governance helps an organization maintain the security posture for their OCI workloads by providing

  • Visibility into who has access to what for any cloud resource
  • An easy-to-comprehend view and simplified access reviews of OCI policies and OCI group memberships
  • Identity orchestration and automated fulfillment based on OCI best practices

Can a user’s core and custom attributes be used in Access Governance?

Custom attributes of a user’s schema defined in Oracle Identity Governance can be used in Access Governance to

  • Mark identities as Workforce users or Consumer users
  • Define user selection criteria in access review campaigns
  • Define event-based access reviews

Please refer to the following product documentation for more details: View and Configure Custom Identity Attributes.

Can an access reviewer reassign an access review task in Oracle Access Governance?

Yes, you can reassign an access review task to an individual by selecting the reassign option for the selected review task. You can also reassign access review tasks in bulk.

Are access review decisions recorded for auditing and compliance purposes?

Yes, for each decision made in an access review campaign, the following information is stored for auditing or compliance purposes:

  • What is decided
  • Who decided it
  • Why (justification)
  • When it was decided

What reporting and analytics functionality does the product provide?

Access Governance provides intelligent reporting for access reviews using graphs and charts that are easy to use and interpret. It also provides a detailed report of the access review campaign in CSV format.

Does Access Governance offer functionality to manage orphaned or unmatched accounts?

Access Governance detects unmatched accounts across all integrated applications and systems and notifies business owners about those that could be orphaned, rogue, or service accounts. Business owners can clean up these unmatched accounts manually or by assigning orphaned accounts to identities and reviewing these assigned accounts periodically. Event-based reviews can also be configured to review unmatched accounts when they are detected for an integrated application or system.

Does the solution provide access request functionality?

Access Governance provides an intuitive self-service user experience to request access privileges for oneself and others and to keep track of the access request’s progress.

What type of access control does Access Governance provide?

Access Governance provides access requests and role-based access control (RBAC), attribute-based access control (ABAC) and policy-based access control (PBAC).

Does Access Governance provide functionality to build custom workflows?

Access Governance provides functionality to build custom workflows for access approvals and access reviews. Multistage and parallel workflows can be defined effortlessly, without coding.

Does Access Governance offer integration with a disconnected resource or application?

Access Governance supports CSV (flat) file-based integration for a disconnected resource. It can be integrated as a source-of-identities and/or as a managed system.

Does Access Governance provide a web-based and mobile-friendly administration and self-service console?

Access Governance is a smart device–optimized, web-based console designed to perform seamlessly from any device—computer, tablet, or smartphone.

Which identity providers does Access Governance support for user login?

Access Governance supports Oracle Cloud Infrastructure Identity and Access Management as its identity provider for user login and authorization. To log in using an external identity provider, configure OCI IAM to use that external identity provider for federated authentication.

Please refer to the following product documentation for instructions on how to set up federation with an external identity provider: Manage Identity Providers.

Service management

How can I get Access Governance in Oracle Cloud?

Access Governance is available as part of Oracle Universal Credits. When you order Oracle Access Governance through Universal Credits, you automatically get access to Oracle Cloud Infrastructure and other required services. For details, please refer to the following product documentation: Before You Begin.

How do I create an Access Governance instance?

You create an Access Governance instance in the Oracle Cloud Infrastructure Console. For details, please refer to the following product documentation: Set Up Service Instance.

How do I manage an Access Governance instance?

You can manage an Access Governance instance in the Oracle Cloud Infrastructure Console. For details, please refer to the following product documentation: Manage Service Instance.

How can I launch an Access Governance instance once it's created?

It’s accessible from the Oracle Cloud Infrastructure Console. You can navigate to the Access Governance page, select the service instance you want to access, and then click the Access Governance URL.

How can I get support for Access Governance?

Go to My Oracle Support and create a service request.

Is there a charge for Oracle Support in addition to my subscription fee?

No. Support is included in the subscription fee.

How can I patch or upgrade my service?

Access Governance is a cloud native service. Oracle takes care of patching and upgrading the service.

Where can I get more information about the service level agreement?

Please refer to the SLA documentation (PDF).

Licensing and pricing

What are the various license types and SKUs available in Oracle Access Governance?

Oracle Access Governance offers three license types and five SKUs. These are

  • Oracle Access Governance for Oracle Cloud Infrastructure
    • Oracle Access Governance for Oracle Cloud Infrastructure—Workforce User
  • Oracle Access Governance for Oracle Workloads
    • Oracle Access Governance for Oracle Workloads—Workforce User
    • Oracle Access Governance for Oracle Workloads—Consumer User
  • Oracle Access Governance Premium
    • Oracle Access Governance Premium—Workforce User
    • Oracle Access Governance Premium—Consumer User

For more details, please refer to the Oracle Access Governance pricing web page.

What are the various tiers within the SKUs for Oracle Access Governance?

Oracle Access Governance provides multiple tiers within the SKUs. These are

  • Oracle Access Governance for Oracle Cloud Infrastructure—Workforce User
    • First 100,000 workforce users
    • More than 100,000 workforce users
  • Oracle Access Governance for Oracle Workloads—Workforce User
    • First 10,000 workforce users
    • More than 10,000 workforce users and up to 30,000 workforce users
    • More than 30,000 workforce users
  • Oracle Access Governance for Oracle Workloads—Consumer User
    • No tiers
  • Oracle Access Governance Premium—Workforce User
    • First 10,000 workforce users
    • More than 10,000 and up to 30,000 workforce users
    • More than 30,000 workforce users
  • Oracle Access Governance Premium—Consumer User
    • No tiers

Which integrations are supported under each license type?

Oracle Access Governance provides a large set of integrations. The integrations supported by each of the SKUs are

  • Oracle Access Governance for Oracle Cloud Infrastructure
    • Supported integrations: Oracle Cloud Infrastructure
  • Oracle Access Governance for Oracle Workloads
    • Supported integrations: Oracle Cloud Infrastructure and Access Governance integrations with Oracle Cloud services and Oracle enterprise applications, such as Oracle E-Business Suite, Oracle Database, Oracle Unified Directory, and others.
  • Oracle Access Governance Premium
    • Supported integrations: All Access Governance integrations, including ServiceNow, Azure AD, and others.

What is the unit metric in an Oracle Access Governance license?

There are two unit metrics in Oracle Access Governance.

  1. Workforce user per month: for an identity that is configured to access the service either through a user interface or through programmatic configuration during the billing period, regardless of whether the identity is actively accessing the service at any given time
  2. Consumer user per month: for an identity that is not configured to access the service through either a user interface or through a programmatic configuration during the billing period, but whose accesses are managed in the Access Governance console by workforce users

Please refer to the following documentation for more details: Oracle PaaS and IaaS Universal Credits Service Descriptions.

How can I select a subset of identities in my enterprise to be governed in Oracle Access Governance?

If you want to govern access privileges assigned to a subset of identities belonging to a defined location, department, organization, or any other user attribute, you can mark those users as Active in Oracle Access Governance.

You can further flag these Active identities as Workforce or Consumer users.

What does it mean to have “Workforce” or “Consumer” identities in Access Governance?

Active identities in Access Governance can be workforce users or consumer users.

  • Workforce users can log in to the Access Governance console. They can contribute to the identity and governance administration program by performing administrative roles in Access Governance and by requesting and reviewing access privileges assigned to themselves or others.
  • Consumer users cannot log in to the Access Governance console. They are provisioned with a fixed set of privileges that typically don’t change over time. They can’t request and review access privileges assigned to themselves or others.

For more details about the capabilities of workforce and consumer users, please refer to the following documentation: Manage Identities.

Please provide some examples that demonstrate who should be marked as “Workforce” users and who should be marked as “Consumer” users.

These are some examples illustrating who should be marked as Workforce and Consumer users in Access Governance; they are for illustration purposes only.

  • Banking and insurance
    • Workforce identities
      • Employees and contractors: bank accountants and managers, tellers, financial advisors, administrative staff, outsourced IT staff
    • Consumer identities
      • Customers: bank account owners, bank loan holders, insurance policy holders
      • Contractors: cafeteria, electric, janitorial
      • Partners and vendors: suppliers selling insurance or similar ancillary services
  • Healthcare
    • Workforce identities
      • Employees and contractors: doctors, clinicians, medical staff, administrative staff
    • Consumer identities
      • Consumers: patients, beneficiaries
      • Contractors: cafeteria, janitorial
      • Partners and vendors: companies providing canes, bandages, medications, and so on
  • Education
    • Workforce identities
      • Employees and contractors: faculty, support staff, administrative staff
    • Consumer identities
      • Consumers: students, alums, parents, guardians
      • Contractors: cafeteria, janitorial
      • Partners and vendors: companies providing textbooks, transportation service providers, and so on

Will I be charged for all identities synchronized in Access Governance?

Only the identities marked as Active (workforce users or consumer users) in Access Governance will be considered for billing, starting from the hour in which those identities are marked as Active. Even though the metric for Access Governance SKUs is per month, Oracle is passing benefits on to the customer by calculating the number of active identities on an hourly basis and generating the bill for the entire month.

Please refer to the following documentation for more details: Manage Identities.

How can I mark identities as “Active” and as “Workforce” and “Consumer” users in Access Governance?

Access Governance provides identity filtering or marking functionality, by which identities can be marked as Active or as Workforce/Consumer users. An administrator may use identity attributes to define such rules.

Please refer to the following documentation for more details: Manage Identities.

I want to review the access privileges of disabled identities. How can I do so in Access Governance?

A disabled identity can be marked as an Active workforce user or consumer user in Access Governance so you can review its access privileges.

Will I be charged for disabled identities?

For billing, Access Governance will include only those disabled identities marked as Active.

How can I stop billing and keep the Access Governance instance?

If you don’t mark any identity as Active, there will be no bill for Access Governance.

Can the licensing model of my Access Governance service instance be upgraded if the current license type is Oracle Access Governance for Oracle Workloads?

Yes, the license type of the Oracle Access Governance service instance can be upgraded from Oracle Access Governance for Oracle Workloads to Oracle Access Governance Premium without any service disruption. You can do it manually from the Access Governance page in the Oracle Cloud Infrastructure Console.

Can the licensing model of my Access Governance service instance be upgraded if the current license type is Oracle Access Governance for Oracle Cloud Infrastructure?

Yes, the Access Governance license type can be upgraded without any service disruption. You can upgrade the license type from Oracle Access Governance for Oracle Cloud Infrastructure to Oracle Access Governance for Oracle Workloads or Oracle Access Governance Premium.

Can the licensing model of my Access Governance service instance be downgraded if the current license type is Oracle Access Governance for Oracle Workloads or Oracle Access Governance Premium?

No, these Access Governance license types can’t be downgraded.

If I upgrade from Oracle Access Governance for Oracle Cloud Infrastructure to Oracle Access Governance for Oracle Workloads, how does the metering work for the month when the conversion takes place?

Access Governance is metered hourly. Before the service instance is upgraded, you will be billed for Oracle Access Governance for Oracle Cloud Infrastructure on an hourly basis. After the license upgrade, you will be billed for Oracle Access Governance for Oracle Workloads. In effect, you would see billing for both line items throughout the month, but you will only be charged for the number of hours each license type was active.

I have 22,000 users in Oracle Identity Governance/Oracle Identity Management integrated with Access Governance. I want to set 10,000 users who belong to a specific organization, say Employee, as Workforce users. I also want to set another 8,000 users who belong to another organization, say Contractor, as Consumer users. The license type of my instance is Oracle Access Governance for Oracle Workloads. How can I do so and for how many users will I be billed?

By default, all 22,000 users synchronized from Oracle Identity Management in Access Governance will not be marked as Active. You may mark 18,000 users as Active based on their organization (Employee and Contractor). Then you can mark 8,000 users from the External organization as Consumer users.

You will be billed according to the

  • Oracle Access Governance for Oracle Workloads—Workforce User SKU for 10,000 users
  • Oracle Access Governance for Oracle Workloads—Consumer User SKU for the other 8,000 users

I have two Identity Access Management domains in my Oracle Cloud Infrastructure tenancy with 1,000 users in each domain, and each OCI user is distinct. For how many users will I be billed?

If you want to review the access privileges of all users in this OCI tenancy, then you may mark all users as Active in Access Governance. You will be billed for 2,000 (2 × 1,000) users in this case.

If you want to review the access privileges of users belonging to only one of the two domains, then you may define a rule to mark only users of that domain as Active in Access Governance. You will be billed for 1,000 (1 × 1,000) users in this case.

How does the billing amount change based on the number of workforce and consumer users during a billing cycle?

You will be metered on an hourly basis and billed monthly for active workforce users and consumer users. The bill amount is calculated based on the metered usage and your rate card. So, if the number of active workforce or active consumer users changes during the billing cycle, your bill is prorated accordingly.

How can I estimate the cost of the service usage?

Please use the cost estimator to estimate the cost of service usage by following these steps: