
Identity Manager 8.2 - Attestation Administration Guide


Attestation procedure

Attestation procedures specify the attestation base object. They define which attestation object properties are to be attested. Attestation object data can be provided in list or report form.

To edit an attestation procedure

  1. In the Manager, select the Attestation > Basic configuration data > Attestation procedures category.

  2. Select an attestation procedure in the result list and run the Change main data task.

    - OR -

    Click in the result list.

  3. Edit the attestation procedure main data.

  4. Save the changes.

General main data of an attestation procedure

Enter the following properties for an attestation procedure.

Table 2: General main data of an attestation procedure

| Property | Description |
| --- | --- |
| Attestation procedure | Any name for the attestation procedure. |
| Attestation type | Criteria for grouping attestation procedures. Attestation types make it easier to assign a matching attestation procedure to the attestation policies. |
| Description | Text field for additional explanation. |
| Report | Report for the attestor containing all the necessary information about the attestation objects. Predefined reports are supplied in a menu. If you do not want to assign a report, you can specify additional information about the attestation objects in the Property 1-4 (template) fields. |
| Table | Database table in which the attestation objects are to be found (= attestation base object). All tables that fulfill the following conditions are available: (1) The table contains an XObjectKey column. (2) The table type is Table, View, ReadOnly, or Proxy. (3) The usage type is User data, Materialized data, or Read only data. (4) It is not the basetree table and it is not an assignment table referencing basetree. (5) The table belongs to the application data model. (6) The table is not disabled. For more information about table types and usage types, see the One Identity Manager Configuration Guide. |
| Preprocessor condition | Specifies the preprocessor configuration parameters on which the attestation procedure depends. Attestation procedures that are disabled through a preprocessor condition are not displayed in One Identity Manager. |
| Grouping column 1-3 (template) | A value template for formatting the value used to group and filter pending attestation cases in the Web Portal. Enter a value template in dollar notation. This template can access the base object properties and the properties of all objects connected through foreign keys. |
| Grouping column 1-3 | Column headers for Grouping column 1-3 (template). The columns are multi-language. To enter a translation, click . |
| Property 1-4 (template) | Templates for formulating a value that supplies additional information about the attestation object. Use these fields to show additional information about the attestation object in the Web Portal. Enter a value template in dollar notation. This template can access the base object properties and the properties of all objects connected through foreign keys. |
| Property 1-4 | Column headers for Property 1-4 (template). The columns are multi-language. To enter a translation, click . |
| Risk index template | Template for formulating the value for the attestation case’s risk index. Enter a value template in dollar notation. This template can access the base object properties and the properties of all objects connected through foreign keys. |
| Related object 1-3 (template) | Template for formulating an object key for an object related to the attestation base object. Required for displaying pending attestation cases in the Web Portal. Enter a value template in dollar notation. This template can access the base object properties and the properties of all objects connected through foreign keys. Define the display value for this object in Grouping column 1-3 (template). |

Example

You want to attest Active Directory group memberships. Group the attestation cases by user account display value, Active Directory group display value, and the display value of associated employees. The Active Directory group's canonical name should be displayed with every group membership in the Web Portal. The attestation case's risk index can be determined from the group membership's risk index. The object key for the object relation can be found from the Active Directory user account. The information required about the attestation objects will be summarized in a report. To do this, enter the following data on the main data form.

Table 3: Example of an attestation case definition

| Property | Value |
| --- | --- |
| Table | Database table ADSAccountInADSGroupTotal |
| Report | <report name> |
| Grouping column 1 | $UID_ADSAccount[d]$ |
| Grouping column 2 | $UID_ADSGroup[d]$ |
| Grouping column 3 | $FK(UID_ADSAccount).UID_Person[d]$ |
| Property 1 (template) | $FK(UID_ADSGroup).CanonicalName$ |
| Risk index template | $RiskIndexCalculated$ |
| Object relation 1 | $FK(UID_ADSAccount).XObjectKey$ |
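
The Table 3 definition resolved against one group membership, as an added example that is not One Identity code: a simplified Python model of dollar notation that covers only the template forms used in Table 3. The sample rows, the FK_TARGET and DISPLAY maps, and the resolve and build_case helpers are assumptions; a template that points at a missing object or column raises an error rather than leaving the attestor with an empty field.

```python
import re

# Constructed sample data. Table and column names come from Table 3; the rows,
# the FK_TARGET map and the DISPLAY map are assumptions made for this sketch.
TABLES = {
    "ADSAccount": {"acc-1": {"UID_Person": "per-1",
                             "XObjectKey": "<Key><T>ADSAccount</T><P>acc-1</P></Key>"}},
    "ADSGroup": {"grp-1": {"CanonicalName": "example.local/Groups/Finance"}},
}
FK_TARGET = {"UID_ADSAccount": "ADSAccount", "UID_ADSGroup": "ADSGroup"}
DISPLAY = {"acc-1": "jdoe", "grp-1": "Finance", "per-1": "Doe, Jane"}

# The attestation case definition from Table 3.
PROCEDURE = {
    "Grouping column 1": "$UID_ADSAccount[d]$",
    "Grouping column 2": "$UID_ADSGroup[d]$",
    "Grouping column 3": "$FK(UID_ADSAccount).UID_Person[d]$",
    "Property 1 (template)": "$FK(UID_ADSGroup).CanonicalName$",
    "Risk index template": "$RiskIndexCalculated$",
    "Object relation 1": "$FK(UID_ADSAccount).XObjectKey$",
}

# $Column$, $Column[d]$ (display value) and $FK(Column).Column$ forms.
TOKEN = re.compile(r"\$((?:FK\(\w+\)\.)*)(\w+)(\[d\])?\$")

def resolve(template, row):
    """Expand each $...$ token against one row of the base table."""
    def expand(match):
        hops, column, want_display = match.groups()
        current = row
        try:
            for fk in re.findall(r"FK\((\w+)\)", hops):
                current = TABLES[FK_TARGET[fk]][current[fk]]  # follow the foreign key
            value = current[column]
            return DISPLAY[value] if want_display else str(value)
        except KeyError as missing:
            raise ValueError(f"{match.group(0)}: cannot resolve {missing}") from None
    return TOKEN.sub(expand, template)

def build_case(row):
    """Resolve every template of the procedure for one attestation object."""
    return {field: resolve(tpl, row) for field, tpl in PROCEDURE.items()}

# One constructed ADSAccountInADSGroupTotal row.
MEMBERSHIP = {"UID_ADSAccount": "acc-1", "UID_ADSGroup": "grp-1", "RiskIndexCalculated": 0.35}

if __name__ == "__main__":
    for field, value in build_case(MEMBERSHIP).items():
        print(f"{field}: {value}")
```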


Defining reports for attestation

Define attestation reports with the Report Editor. Note the following when you define a report for attestation:

  • The base table for the report must be identical to the one for the attestation procedure.

  • Enter Attestation as the report category. This ensures that the report is displayed in the Report menu of the attestation procedure.

  • To create a report for each attestation object that contains exactly the information relating to that object, define an ObjectKeyBase parameter for the attestation object in the report. Use this parameter in the Condition field of the report's data source definition.

    Example: XObjectKey = @ObjectKeyBase

Default reports

One Identity Manager supplies some default reports for attestation. These are used in the default attestation procedures, amongst others. Default reports are given the prefix VI_.

TIP: Default reports cannot be changed. If you want to customize a default report, create a copy and edit it according to your requirements. Then assign the copy to the attestation procedure.

Default attestation procedures

One Identity Manager provides a default approval procedure for default attestation of new users and recertification of all employees stored in the One Identity Manager database. Moreover, default approval procedures are supplied through which the different roles, user accounts, and system entitlements mapped in the Unified Namespace can be attested. Using these default approval policies you can create attestation procedures easily in the Web Portal.

To display default attestation procedures

  • In the Manager, select the Attestation > Basic configuration data > Attestation procedures > Predefined category.

For detailed information about using default attestation procedures, see the One Identity Manager Web Designer Web Portal User Guide.
