Chat now with support
Chat with Support

Identity Manager 9.2 - Attestation Administration Guide

Attestation and recertification
One Identity Manager users for attestation Attestation base data Attestation types Attestation procedure Attestation schedules Compliance frameworks Chief approval team Attestation policy owners Standard reasons for attestation Attestation policies Sample attestation Grouping attestation policies Custom mail templates for notifications Suspending attestation Automatic attestation of policy violations
Approval processes for attestation cases
Approval policies for attestations Approval workflow for attestations Selecting attestors Setting up multi-factor authentication for attestation Prevent attestation by identity awaiting attestation Automatic acceptance of attestation approvals Phases of attestation Attestation by peer group analysis Approval recommendations for attestations Managing attestation cases
Attestation sequence Default attestations Mitigating controls Setting up attestation in a separate database Configuration parameters for attestation

Determining attestors using the attestation objects' service item

The OT approval procedure is used to determine the attestors of the service item assigned to the attestation object. You can use this approval procedure for the following attestation base objects:

  • Service items (AccProduct)

  • System entitlements (UNSGroup)

  • User accounts: system entitlement assignments (UNSAccountInUNSGroup)

  • Account definitions (TSBAccountDef) and identity assignments (PersonHasTSBAccountDef)

  • System roles (ESet) and identity assignments (PersonHasESet)

  • Subscribable reports (RPSReport) and identity assignments (PersonHasRPSReport)

  • Resources (QERResource) and identity assignments (PersonHasQERResource)

  • Multi-requestable resources (QERReuse)

  • Multi requestable/unsubscribable resources (QERReuseUS)

  • Assignment resources (QERAssign)

The attestors found are members of the Attestor application role. If there is no attestor assigned to the service item, the attestors are taken from the associated service category.

Related topics

Using attestation object managers to find attestors

If you want to have identities, user accounts, roles, system roles, role memberships, assignments of system roles, or entitlements for identities, roles, or IT Shop structures attested through their managers, use the CM, DM, LM, MO, RM, RR, or RE approval procedures.

Approval procedure

Attestation base objects

Available in Module

CM

Identities (Person)

Identities: memberships in application roles (PersonInAERole)

Identities: department memberships (PersonInDepartment)

Identities: location memberships (PersonInLocality)

Identities: cost center memberships (PersonInProfitCenter)

Identities: business role memberships (PersonInOrg)

Identities: system role assignments (PersonHasESet)

 

 

DM

Identities (Person)

Identities: department memberships (PersonInDepartment)

 

LM

Identities (Person)

Identities: location memberships (PersonInLocality)

 

MO

Identities (Person)

Identities: business role memberships (PersonInOrg)

Business Roles Module

PM

Identities (Person)

Identities: cost center memberships (PersonInProfitCenter)

 

RE

System roles (ESet)

Identities: system role assignments (PersonHasESet)

Departments: system role assignments(DepartmentHasESet)

Business roles: system role assignments (OrgHasESet)

IT Shop structures: system role assignments (ITShopOrgHasESet)

IT Shop templates: system role assignments (ITShopSrcOrgHasESet)

Cost centers: system role assignments (ProfitCenterHasESet)

Locations: system role assignments (LocalityHasESet)

System Roles Module

RM

Identities: department memberships (PersonInDepartment)

Identities: IT Shop structure memberships (PersonInITShopOrg)

Identities: location memberships (PersonInLocality)

Identities: business role memberships (PersonInOrg)

Identities: cost center memberships (PersonInProfitCenter)

 

RR

Departments (Department)

IT Shop Structures (ITShopOrg)

Locations (Locality)

Business roles (Org)

Cost centers (ProfitCenter)

IT Shop Templates (ITShopSrc)

All system entitlement or system role assignments to roles; for example Roles and organizations: Active Directory group assignments (BaseTreeHasADSGroup) or Locations: EBS entitlement assignments (LocalityHasEBSResp)

 

XM

Identities (Person)

Identities: memberships in application roles (PersonInAERole)

Identities: department memberships (PersonInDepartment)

Identities: location memberships (PersonInLocality)

Identities: cost center memberships (PersonInProfitCenter)

Identities: business role memberships (PersonInOrg)

Identities: system role assignments (PersonHasESet)

User accounts (UNSAccount)

User accounts: system entitlement assignments (UNSAccountInUNSGroup)

 

These approval procedures find the manager associated with every attestation object. In the RE approval procedure, the system role manager is determined as attestor; in the RM and RR approval procedures, the role/IT Shop structure manager is determined. The approval procedures CM, DM, LM, MO, and PM find the department manager and deputy manager of the role in which the attesting identity is a member. The approval procedure XM determines the manager of the identity that can be determined through the attestation object.

Using persons responsible for attestation objects to find attestors

If you want to attest system entitlements and the user accounts assigned to them, use the ED, EM, EN, EO, or SO approval policies. Use the approval procedures AM, MD, or SO to attest user accounts. Attestation objects are user accounts or system entitlements and the user accounts assigned to them as well as system roles that have system entitlements or system roles assigned to them.

You use the KA approval procedure to attest Active Directory groups and group memberships. This approval procedure is only available if the Active Roles Module is present.

The approval procedures determine the following attestors.

 

Attestation base objects

Attestors

Available in Module

AM

User accounts (UNSAccount)

Identity’s department manager to whom the user account is connected.

Target System Base Module

ED

User accounts: system entitlement assignments (UNSAccountInUNSGroup)

Identity’s department manager (and deputy manager) to whom the user account is connected. The primary department assigned in this case.

Target System Base Module

EM

User accounts: system entitlement assignments (UNSAccountInUNSGroup)

Identity’s department manager to whom the user account is connected.

Target System Base Module

EN

User accounts: system entitlement assignments (UNSAccountInUNSGroup)

System entitlements (UNSGroup)

Target system manager of the target system area to which the system entitlement belongs.

Target System Base Module

EO

System roles: assignments (ESetHasEntitlement)

All user account assignments to system entitlements; for example, User accounts: system entitlement assignments (UNSAccountInUNSGroup) or SAP user accounts: assignments to roles (SAPUserInSAPRole)

All system entitlement or system role assignments to roles; for example, Roles and organizations: Active Directory group assignments (BaseTreeHasADSGroup) or Locations: EBS entitlement assignments (LocalityHasEBSResp)

Product owner of the service item to which the system entitlement or system role is assigned.

Target System Base Module or System Roles Module

MD

User accounts (UNSAccount)

Identity’s department manager (and deputy manager) to whom the user account is connected. The primary department assigned in this case.

Target System Base Module

SO

User accounts: system entitlement assignments (UNSAccountInUNSGroup)

User accounts (UNSAccount)

System entitlements: assignments to system entitlements (UNSGroupInUNSGroup)

Target system manager for the target system to which the system entitlement or user account belongs.

Target System Base Module

KA

Active Directory groups (ADSGroup)

Active Directory user Accounts: assignments Group (ADSAccountInADSGroup)

User accounts: system entitlement assignments (UNSAccountInUNSGroup)

System entitlements (UNSGroup)

Product owner and additional owner of the Active Directory Group

If the groups were added automatically to the IT Shop, the account managers are identified as product owners.

The additional owners of the Active Directory groups are determined only if the TargetSystem | ADS | ARS_SSM configuration parameter is enabled.

For more information about these functions, see the One Identity Manager Administration Guide for One Identity Active Roles Integration.

Active Roles Module

Using a specified role to find attestors

If the attestors for any object are specified in a certain role, use the OR or OM approval procedure. You can allow any objects to be attested by identities from any role using these approval procedures. In the approval step, specify the role by means of which the attestors are to be determined. The approval procedures determine the following attestors.

 

Selectable Roles

Attestors

OM

Departments (Department)

Cost centers (ProfitCenter)

Locations (Locality)

Business roles (Org)

Manager and deputy manager of the role specified in the approval step.

OR

Departments (Department)

Cost centers (ProfitCenter)

Locations (Locality)

Business roles (Org)

Application roles (AERole)

All secondary members of the role specified in the approval step.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating