Chat now with support
Chat mit Support

Identity Manager 9.0 LTS - Attestation Administration Guide

Attestation and recertification
One Identity Manager users for attestation Attestation base data Attestation types Attestation procedure Attestation schedules Compliance frameworks Chief approval team Attestation policy owners Standard reasons for attestation Attestation policies Sample attestation Grouping attestation policies Custom mail templates for notifications Suspending attestation
Approval processes for attestation cases
Approval policies for attestations Approval workflow for attestations Selecting attestors Setting up multi-factor authentication for attestation Prevent attestation by employee awaiting attestation Attestation by peer group analysis Managing attestation cases
Attestation sequence Default attestation and withdrawal of entitlements User attestation and recertification Mitigating controls Setting up attestation in a separate database Configuration parameters for attestation

Setting up multi-factor authentication for attestation

You can set up additional authentication for particularly security critical attestations, which requires every attestor to additionally authenticate themselves for attestation. In your attestation policies, define which attestation policies require this authentication.

One Identity Manager uses OneLogin for multi-factor authentication. Usable authentication modes are determined through the OneLogin user accounts linked to the employees.

Prerequisites

In OneLogin:

  • At least one authentication method is configured on all user accounts that are going to use multi-factor authentication.

In One Identity Manager:

  • The OneLogin Module is installed.

  • Synchronization with a OneLogin domain is set up and has been run at least once.

  • Employees linked to OneLogin user accounts.

  • The API Server and the web application are configured as required.

For more information about setting up multi-factor authentication, see the One Identity Manager Authorization and Authentication Guide.

To use multi-factor authentication for attesting

  1. In the Manager, select the attestation policies to which you want to apply multi-factor authentication.

  2. Enable the Approval by multi-factor authentication option.

    Multi-factor authentication cannot be used for default attestation policies.

Once the Approval by multi-factor authentication option is enabled on an attestation policy, additional authentication is requested in each approval step of the approval process. Attestors can select any one of the authentication methods assigned to their OneLogin user accounts.

IMPORTANT: An attestation cannot be sent by email if multi-factor authentication is configured for the attestation policy. Attestation emails for such attestations produce an error message.

For more information about multi-factor authentication, see the One Identity Manager Web Portal User Guide.

Related topics

Prevent attestation by employee awaiting attestation

The attestation object can also be determined as the attestor in an attestation case. which means the employees to be attested can attest themselves. To prevent this, set the QER | Attestation | PersonToAttestNoDecide configuration parameter.

NOTE:

  • Changing the configuration parameter only affects new attestation cases. Attestors are not recalculated for existing attestation cases.

  • The configuration parameter setting also applies for fallback approvers; it does not apply to the chief approval team.

  • If the Approval by affected employee option is set on an approval step, this configuration parameter has no effect.

To prevent employees from attesting themselves

  • In the Designer, set the QER | Attestation | PersonToAttestNoDecide configuration parameter.

This configuration parameter affects all attestation cases in which employees included in the attestation object or in object relations, are attestors at the same time. The following employees are removed from the group of attestors.

  • Employees included in AttestationCase.ObjectKeyBase

  • Employees included in AttestationCase.UID_ObjectKey1, ObjectKey2, or ObjectKey3

  • Employees' main identities

  • All subidentities of these main identities

If the configuration parameter is not set or if Approval by affected employee is enabled for the approval step, these employees can attest themselves.

Related topics

Properties of an approval step

Attestation by peer group analysis

Using peer group analysis, approval for attestation cases can be granted or denied automatically. For example, a peer group might be all employees in the same department. Peer group analysis assumes that these employees require the same system entitlements. For example, if the majority of employees belonging to a department have a system entitlement, assignment to another employee in the department can be carried out automatically. This helps to accelerate approval processes.

Peer group analysis can be used during attestation of the following memberships:

  • Assignment of system entitlements to user account (UNSAccountInUNSGroup table)
  • Secondary memberships in business role (PersonInOrg table)

Peer groups contain all employees with the same manager or belonging to the same primary or secondary department as the employee linked to the attestation object (= employee to be attested). Configuration parameters specify which employee belong to the peer group. At least one of the following configuration parameters must be set.

  • QER | Attestation | PeerGroupAnalysis | IncludeManager: Employees with the same manager as the employee being attested

  • QER | Attestation | PeerGroupAnalysis | IncludePrimaryDepartment: Employees who belong to the same primary department as the employee being attested

  • QER | Attestation | PeerGroupAnalysis | IncludeSecondaryDepartment: Employees whose secondary department corresponds to the primary or secondary department of the employee being attested

The number of employees in a peer group that must already own the membership to be attested is set by a threshold in the QER | Attestation | PeerGroupAnalysis | ApprovalThreshold configuration parameter. The threshold specifies the ratio of the total number of employees in the peer group to the number of employees in the peer group who already own this membership.

You can also specify that employees are not permitted to own cross-functional memberships, which means, if the membership and the employee being attested belong to different functional areas, the attestation case should be denied approval. To include this check in peer group analysis, set the QER | Attestation | PeerGroupAnalysis | CheckCrossfunctionalAssignment configuration parameter.

Whether a membership is cross-functional or not can only be tested if the following conditions are fulfilled.

  • The employee being attested and the member of the peer group requested the membership in the IT Shop.

  • The employee being attested is assigned a primary department and this department is assigned a function area.

  • The service item that the membership is assigned to, is assigned a functional area.

Attestation cases are automatically approved for fully configured peer group analysis, if both:

  • The membership being attested is not cross-functional

  • The number of employees in the peer group who already own this membership equal or exceeds the given threshold

If this is not the case, attestation cases are automatically denied.

To use this functionality, One Identity Manager provides the QER_PersonWantsOrg_Peer group analysis process and the PeergroupAnalysis event. The process is run using an approval step with the EX approval procedure.

Detailed information about this topic

Configuring peer group analysis for attestations

To configure peer groups

  1. In the Designer, set the QER | ITShop | PeerGroupAnalysis configuration parameter.

  2. Set at least on of the following subparameters:

    • QER | Attestation | PeerGroupAnalysis | IncludeManager: Employees with the same manager as those with the employee linked to the attestation object

    • QER | Attestation | PeerGroupAnalysis | IncludePrimaryDepartment: Employees who belong to the same primary department as those with the employee linked to the attestation object

    • QER | Attestation | PeerGroupAnalysis | IncludeSecondaryDepartment: Employees whose secondary department corresponds to the primary or secondary department of the employee linked to the attestation object

    Thus, you specify which employees belong to the peer group. You can also set two or all of the configuration parameters.

  3. To specify a threshold for the peer group, set the QER | Attestation | PeerGroupAnalysis | ApprovalThreshold configuration parameter and specify a value between 0 and 1.

    The default value is 0.9. That means, at least 90 percent of the peer group members must already have the membership to be attested in order for the attestation case to be approved.

  4. (Optional) To check whether the membership to be attested is cross-functional, enable the QER | Attestation | PeerGroupAnalysis | CheckCrossfunctionalAssignment configuration parameter.

    • Ensure that the following conditions are met:

      • The employee being attested and the member of the peer group requested the membership in the IT Shop.

      • The employee being attested is assigned a primary department and this department is assigned a function area.

      • The service item that the membership is assigned to, is assigned a functional area.

      Only functional areas that are primary assigned service items are taken into account.

      For more information about editing service items, see the One Identity Manager IT Shop Administration Guide. For more information about functional areas, see the One Identity Manager Identity Management Base Module Administration Guide.

  5. In the Manager, create an approval workflow with at least one approval level. For the approval step, enter at least the following data:

    • Single step: EXWithPeerGroupAnalysis.

    • Approval procedure: EX

    • Event: PeerGroupAnalysis

    The event starts the ATT_AttestationCase_Peer group analysis process, which runs the ATT_PeerGroupAnalysis_for_Attestation script.

    The script runs automatic approval and sets the approval step type to Grant or Deny.

Detailed information about this topic
Related topics
Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen