When you assign new owners to devices or system entitlements in the Web Portal, the new owner should agree with this assignment. An attestation with the PO approval procedure is carried out for this purpose.
If you want to allow user accounts to be attested by the employees assigned to them, use the EA approval procedure. This approval procedure can be used if the Target System Base Module is installed.
If you want to make attestation dependent on specific conditions, use the CD approval procedure. This procedure does not determine an attestor. One Identity Manager makes the decision depending on the condition that is formulated in the approval step.
You can use the procedure for any attestation base objects. You create a condition in the approval step. If the condition returns a result, the approval step is approved through One Identity Manager. If the condition does not return a result, the approval step is denied by One Identity Manager. If there are no further approval steps, the approval procedure is either finally granted or denied.
To enter a condition for the CD approval procedure
Edit the approval step properties.
In the Condition input field, enter a valid WHERE clause for database queries. You can enter the SQL query directly or with a wizard. In the condition, you reference the actual attestation case using the @UID_AttestationCase variable.
External employees should be attested by their managers. If no manager is assigned, the members of a designated application role must attest the employees.
You can find all external employees who have managers assigned to them by using the CD approval procedure and the following condition.
EXISTS
(SELECT 1 FROM
(SELECT xobjectkey FROM Person WHERE (IsExternal = 1)
AND (EXISTS
(SELECT 1 FROM
(SELECT UID_Person FROM Person WHERE 1 = 1) as X
WHERE X.UID_Person = Person.UID_PersonHead) )) as X
WHERE X.xobjectkey = AttestationCase.ObjectKeyBase)
If the condition is fulfilled, the external employee's manager can attest the employee. To do this, add an approval step in the positive approval path with the CM approval procedure.
If the condition is not fulfilled, the employee is attested by the member of a designated application role. To do this, add an approval step in the negative approval path with the OR approval procedure and assign the application role.
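A dry run of the condition above against constructed sample data, as an added example that is not part of the One Identity documentation. It uses Python's sqlite3 with a minimal two-table schema; the sample rows and the build_db, cd_decision and dry_run helpers are hypothetical, and it assumes the condition is evaluated as a WHERE clause on AttestationCase for the current case.

```python
import sqlite3

# The condition from the page, unchanged.
CONDITION = """
EXISTS
 (SELECT 1 FROM
   (SELECT xobjectkey FROM Person WHERE (IsExternal = 1)
     AND (EXISTS
       (SELECT 1 FROM
         (SELECT UID_Person FROM Person WHERE 1 = 1) as X
        WHERE X.UID_Person = Person.UID_PersonHead) )) as X
  WHERE X.xobjectkey = AttestationCase.ObjectKeyBase)
"""

def build_db():
    """Constructed sample data; only the columns the condition touches."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Person (UID_Person TEXT PRIMARY KEY, UID_PersonHead TEXT,
                             IsExternal INTEGER, xobjectkey TEXT);
        CREATE TABLE AttestationCase (UID_AttestationCase TEXT PRIMARY KEY,
                                      ObjectKeyBase TEXT);
        INSERT INTO Person VALUES
          ('mgr-1', NULL,    0, 'key-mgr-1'),   -- internal employee
          ('ext-1', 'mgr-1', 1, 'key-ext-1'),   -- external, manager assigned
          ('ext-2', NULL,    1, 'key-ext-2'),   -- external, no manager
          ('ext-3', 'gone',  1, 'key-ext-3');   -- external, manager row missing
        INSERT INTO AttestationCase VALUES
          ('case-1', 'key-ext-1'), ('case-2', 'key-ext-2'),
          ('case-3', 'key-ext-3'), ('case-4', 'key-mgr-1');
    """)
    return db

def cd_decision(db, uid_case):
    # Assumption: the condition is applied as a WHERE clause on AttestationCase,
    # restricted to the case being decided. A result means the step is approved.
    row = db.execute(
        "SELECT 1 FROM AttestationCase WHERE UID_AttestationCase = ? AND ("
        + CONDITION + ")", (uid_case,)).fetchone()
    return "approved" if row else "denied"

def dry_run(db):
    # "approved" continues on the positive path (CM), "denied" on the negative (OR).
    cases = db.execute("SELECT UID_AttestationCase FROM AttestationCase ORDER BY 1")
    return {uid: cd_decision(db, uid) for (uid,) in cases.fetchall()}

if __name__ == "__main__":
    print(dry_run(build_db()))
```

In this sample, case-4 (an internal employee) also ends up on the negative path, because any case that the condition does not match is denied, not only external employees without a manager.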
Use external approvals (EX approval procedure) if an attestation needs to be approved as soon as a defined event from outside One Identity Manager takes place. You can also use this procedure to allow any number of objects to be attested by employees who do not have access to One Identity Manager.
Specify an event in the approval step that triggers an external approval.
To use an approval procedure
Define your own processes that:
Trigger an external approval.
Analyze the results of the external approval.
Grant or deny approval in the subsequent external approval step in One Identity Manager.
Define an event that starts the process for external approval. Enter the result in Result in the approval step.
If the external event occurs, the approval step status in One Identity Manager must be changed. Use the CallMethod process task with the MakeDecision method for this. Pass the following parameters to the process task:
MethodName: Value = "MakeDecision"
ObjectType: Value = "AttestationCase"
Param1: Value = "sa"
Param2: Value = <approval> ("true" = granted; "false" = denied)
Param3: Value = <reason for approval decision>
Param4: Value = <standard reason>
Param5: Value = <number approval steps> (PWODecisionStep.SubLevelNumber)
WhereClause: Value = "UID_AttestationCase ='"& $UID_AttestationCase$ &"'"
Use the Process Editor to define and edit processes.
All compliance rules should be checked and attested by an external assessor. The attestation object data should be made available as a PDF on an external share. The assessor should save the result of the attestation in a text file on the external share. Use this approval procedure to make external approvals and define:
In the approval step, enter E1 in the Event field, and enter P1 in the process as the trigger for the external decision.
For detailed information about creating processes, see the One Identity Manager Configuration Guide. For detailed information about setting up schedules, see the One Identity Manager Operational Guide.