立即与支持人员聊天
与支持团队交流

Identity Manager 9.2 - Attestation Administration Guide

Attestation and recertification
One Identity Manager users for attestation Attestation base data Attestation types Attestation procedure Attestation schedules Compliance frameworks Chief approval team Attestation policy owners Standard reasons for attestation Attestation policies Sample attestation Grouping attestation policies Custom mail templates for notifications Suspending attestation Automatic attestation of policy violations
Approval processes for attestation cases
Approval policies for attestations Approval workflow for attestations Selecting attestors Setting up multi-factor authentication for attestation Prevent attestation by identity awaiting attestation Automatic acceptance of attestation approvals Phases of attestation Attestation by peer group analysis Approval recommendations for attestations Managing attestation cases
Attestation sequence Default attestations Mitigating controls Setting up attestation in a separate database Configuration parameters for attestation

Managing attestation cases

During attestation, you may find it necessary to assign someone else as default attestor responsible for the attestation because, for example, the actual attestor is absent. You may require additional information about an attestation object. One Identity Manager offers different possibilities to intervene in an pending attestation case.

Getting more information

An attestor has the option to gather more information about an attestation case. This ability does not, however, replace the granting or denying approval of an attestation case. There is no additional approval step required in the approval workflow to obtain the information.

Attestors can request information from any identity. The attestation case is put on hold while the query is pending. Once the identity requested has supplied the required information and the attestors have made an decision on the approval step, hold status is revoked. Attestors can recall a pending query at any time. The request is taken off hold. The query and answer are logged in the approval sequence and made available to the attestors.

NOTE: Hold status is revoked if the attestor who asked a question is removed as an approver. The queried identity does not have to answer and the attestation case proceeds.

Email notification to the identities involved can be sent using unanswered inquiries.

For more information about queries, see the One Identity Manager Web Designer Web Portal User Guide.

Detailed information about this topic

Appointing other attestors

Once an approval level in the approval workflow has been reached, the attestors at this level can appoint another identity to handle the approval. To do this, you have the options described below:

  • Rerouting approvals

    The attestor appoints another approval level to carry out attestations. To do this, set up a connection to the approval level in the approval workflow to which an approval decision can be rerouted.

  • Appointing additional attestors

    The attestor appoints another identity to carry out the attestation. The other attestor must make an approval decision in addition to the known attestors. To do this, enable the Additional approver possible option in the approval step.

    The additional attestor can reject the approval and return the attestation case to the original attestor. The original attestor is informed about this by email. The original attestor can appoint another additional attestor.

  • Delegate approval

    The attestor appoints another identity to carry out the attestation. This identity is added to the current approval step as the attestor and then makes the approval decision instead of the attestor who delegated. To do this, enable the Approval can be delegated option in the approval step.

    The current attestor can reject the approval and return the attestation case to the original attestor. The original attestor can withdraw the delegation and delegate a different identity, for example, if the other attestor is not available.

Email notifications can be sent to the original attestors and the others.

Detailed information about this topic
Related topics

Escalating an attestation case

Approval steps can be automatically escalated once the specified timeout is exceeded. The attestation case is presented again to another approval body. The attestation case can subsequently be processed again in the normal approval workflow.

To configure escalation of an approval step

  1. Open the approval workflow in the Workflow Editor.

  2. Add an additional approval level with one approval step for escalation.

  3. Connect the approval step that is going to be escalated when the time period is exceeded with the new approval step. Use the connection point for escalation to do this.

    Figure 3: Example of an approval workflow with escalation

  4. Configure the behavior for the approval step to be escalated when it times out.

    Table 32: Properties for escalation on timeout
    Property Meaning
    Timeout (minutes)

    Number of minutes to elapse after which the approval step is automatically granted or denied approval. The input is converted into working hours and displayed additionally.

    The timeout is check every 30 minutes, by default. To change this interval, modify the Checks reminder interval and timeout of attestation cases schedule.

    The working hours of the respective approver are taken into account when the time is calculated.

    NOTE: Ensure that a state, county, or both is entered into the identity's main data of determining the correct working hours. If this information is missing, a fallback is used to calculate the working hours. For more information about calculating identities' working hours, see the One Identity Manager Identity Management Base Module Administration Guide.

    TIP: Weekends and public holidays are taken into account when working hours are calculated. If you want weekends and public holidays to be dealt with in the same way as working days, set the QBM | WorkingHours | IgnoreHoliday or QBM | WorkingHours | IgnoreWeekend configuration parameter. For more information about this, see the One Identity Manager Configuration Guide.

    If more than one approver was found, then an approval decision for the approval step is not automatically made until the timeout for all approvers has been exceeded. The same applies if an additional approver has been assigned.

    If an approver delegated approval, the time point for automatic approval is recalculated for the new approver. If this approval is rejected, the time point for automatic approval is recalculated for the original approver.

    If an approver is queried, the approval decision must be made within the defined timeout anyway. The time point for automatic approval is not recalculated.

    If additional approvers are determined by recalculating the current approvers, then the automatic approval deadline is not extended. The additional approvers must approve within the time frame that applies to the current approver.

    Timeout behavior

    Action that is run if the timeout expires.

    • Escalation: The attestation case is escalated. The escalation approval level is called.

  5. (Optional) If the approval step still needs to be escalated but no attestor be found and no fallback approver is assigned, set the Escalate if no approver found option.

    In this case, the attestation case is escalated instead of being canceled or passed to the chief approval team.

In the event of an escalation, email notifications can be sent to the new approvers and other identities.

Related topics
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级