Determining attestors using the attestation objects' service item
The OT approval procedure is used to determine the attestors of the service item assigned to the attestation object. You can use this approval procedure for the following attestation base objects:
- Service items (AccProduct)
- System entitlements (UNSGroup)
- User accounts: system entitlement assignments (UNSAccountInUNSGroup)
- Account definitions (TSBAccountDef) and identity assignments (PersonHasTSBAccountDef)
- System roles (ESet) and identity assignments (PersonHasESet)
- Subscribable reports (RPSReport) and identity assignments (PersonHasRPSReport)
- Resources (QERResource) and identity assignments (PersonHasQERResource)
- Multi-requestable resources (QERReuse)
- Multi requestable/unsubscribable resources (QERReuseUS)
- Assignment resources (QERAssign)
The attestors found are members of the Attestor application role. If there is no attestor assigned to the service item, the attestors are taken from the associated service category.
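The OT lookup described above, modelled as an added example (this is not One Identity Manager code). The role names, service items and objects are constructed, and the fallback is assumed to trigger only when the service item has no attestor role assigned; the report lists attestation objects that end up with no attestor at all.

```python
# Base object tables the page lists for the OT approval procedure.
OT_BASE_TABLES = {
    "AccProduct", "UNSGroup", "UNSAccountInUNSGroup", "TSBAccountDef",
    "PersonHasTSBAccountDef", "ESet", "PersonHasESet", "RPSReport",
    "PersonHasRPSReport", "QERResource", "PersonHasQERResource",
    "QERReuse", "QERReuseUS", "QERAssign",
}

# Constructed sample data (hypothetical names, not a product export).
ROLE_MEMBERS = {"Attestors-Finance": ["bob", "alice"], "Attestors-IT": ["carol"]}
SERVICE_CATEGORIES = {"Finance apps": "Attestors-Finance", "Misc": None}
SERVICE_ITEMS = {
    "SAP FI access": {"category": "Finance apps", "attestor_role": None},
    "VPN access": {"category": "Misc", "attestor_role": "Attestors-IT"},
    "Legacy share": {"category": "Misc", "attestor_role": None},
}
ATTESTATION_OBJECTS = [
    {"table": "UNSGroup", "name": "grp-sap-fi", "service_item": "SAP FI access"},
    {"table": "ESet", "name": "role-vpn", "service_item": "VPN access"},
    {"table": "QERResource", "name": "res-legacy", "service_item": "Legacy share"},
]


def resolve_ot_attestors(obj):
    """Return (attestors, source) for one attestation object under OT."""
    if obj["table"] not in OT_BASE_TABLES:
        raise ValueError(f"OT does not apply to base object {obj['table']}")
    item = SERVICE_ITEMS[obj["service_item"]]
    role, source = item["attestor_role"], "service item"
    if role is None:
        # Assumption: fallback is keyed on the role assignment, not on
        # whether an assigned role currently has members.
        role, source = SERVICE_CATEGORIES[item["category"]], "service category"
    if role is None:
        return [], "none"
    # Attestors are the members of the Attestor application role found.
    return sorted(ROLE_MEMBERS.get(role, [])), source


def unattested(objects):
    """Names of attestation objects for which OT finds no attestor."""
    return [o["name"] for o in objects if not resolve_ot_attestors(o)[0]]


if __name__ == "__main__":
    for o in ATTESTATION_OBJECTS:
        print(o["name"], resolve_ot_attestors(o))
    print("no attestor:", unattested(ATTESTATION_OBJECTS))
```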
Using attestation object managers to find attestors
If you want to have identities, user accounts, roles, system roles, role memberships, assignments of system roles, or entitlements for identities, roles, or IT Shop structures attested through their managers, use the CM, DM, LM, MO, RM, RR, or RE approval procedures.

| Approval procedure | Attestation base objects | Module |
|---|---|---|
| CM | Identities (Person)<br>Identities: memberships in application roles (PersonInAERole)<br>Identities: department memberships (PersonInDepartment)<br>Identities: location memberships (PersonInLocality)<br>Identities: cost center memberships (PersonInProfitCenter)<br>Identities: business role memberships (PersonInOrg)<br>Identities: system role assignments (PersonHasESet) | |
| DM | Identities (Person)<br>Identities: department memberships (PersonInDepartment) | |
| LM | Identities (Person)<br>Identities: location memberships (PersonInLocality) | |
| MO | Identities (Person)<br>Identities: business role memberships (PersonInOrg) | Business Roles Module |
| PM | Identities (Person)<br>Identities: cost center memberships (PersonInProfitCenter) | |
| RE | System roles (ESet)<br>Identities: system role assignments (PersonHasESet)<br>Departments: system role assignments (DepartmentHasESet)<br>Business roles: system role assignments (OrgHasESet)<br>IT Shop structures: system role assignments (ITShopOrgHasESet)<br>IT Shop templates: system role assignments (ITShopSrcOrgHasESet)<br>Cost centers: system role assignments (ProfitCenterHasESet)<br>Locations: system role assignments (LocalityHasESet) | System Roles Module |
| RM | Identities: department memberships (PersonInDepartment)<br>Identities: IT Shop structure memberships (PersonInITShopOrg)<br>Identities: location memberships (PersonInLocality)<br>Identities: business role memberships (PersonInOrg)<br>Identities: cost center memberships (PersonInProfitCenter) | |
| RR | Departments (Department)<br>IT Shop Structures (ITShopOrg)<br>Locations (Locality)<br>Business roles (Org)<br>Cost centers (ProfitCenter)<br>IT Shop Templates (ITShopSrc)<br>All system entitlement or system role assignments to roles; for example Roles and organizations: Active Directory group assignments (BaseTreeHasADSGroup) or Locations: EBS entitlement assignments (LocalityHasEBSResp) | |
| XM | Identities (Person)<br>Identities: memberships in application roles (PersonInAERole)<br>Identities: department memberships (PersonInDepartment)<br>Identities: location memberships (PersonInLocality)<br>Identities: cost center memberships (PersonInProfitCenter)<br>Identities: business role memberships (PersonInOrg)<br>Identities: system role assignments (PersonHasESet)<br>User accounts (UNSAccount)<br>User accounts: system entitlement assignments (UNSAccountInUNSGroup) | |

These approval procedures find the manager associated with every attestation object. In the RE approval procedure, the system role manager is determined as attestor; in the RM and RR approval procedures, the role/IT Shop structure manager is determined. The approval procedures CM, DM, LM, MO, and PM find the department manager and deputy manager of the role in which the attesting identity is a member. The approval procedure XM determines the manager of the identity that can be determined through the attestation object.
Using persons responsible for attestation objects to find attestors
If you want to attest system entitlements and the user accounts assigned to them, use the ED, EM, EN, EO, or SO approval policies. Use the approval procedures AM, MD, or SO to attest user accounts. Attestation objects are user accounts or system entitlements and the user accounts assigned to them as well as system roles that have system entitlements or system roles assigned to them.
You use the KA approval procedure to attest Active Directory groups and group memberships. This approval procedure is only available if the Active Roles Module is present.
The approval procedures determine the following attestors.

| Approval procedure | Attestation base objects | Attestors | Module |
|---|---|---|---|
| AM | User accounts (UNSAccount) | Department manager of the identity to which the user account is connected. | Target System Base Module |
| ED | User accounts: system entitlement assignments (UNSAccountInUNSGroup) | Department manager (and deputy manager) of the identity to which the user account is connected. The assigned primary department is used in this case. | Target System Base Module |
| EM | User accounts: system entitlement assignments (UNSAccountInUNSGroup) | Department manager of the identity to which the user account is connected. | Target System Base Module |
| EN | User accounts: system entitlement assignments (UNSAccountInUNSGroup)<br>System entitlements (UNSGroup) | Target system manager of the target system area to which the system entitlement belongs. | Target System Base Module |
| EO | System roles: assignments (ESetHasEntitlement)<br>All user account assignments to system entitlements; for example, User accounts: system entitlement assignments (UNSAccountInUNSGroup) or SAP user accounts: assignments to roles (SAPUserInSAPRole)<br>All system entitlement or system role assignments to roles; for example, Roles and organizations: Active Directory group assignments (BaseTreeHasADSGroup) or Locations: EBS entitlement assignments (LocalityHasEBSResp) | Product owner of the service item to which the system entitlement or system role is assigned. | Target System Base Module or System Roles Module |
| MD | User accounts (UNSAccount) | Department manager (and deputy manager) of the identity to which the user account is connected. The assigned primary department is used in this case. | Target System Base Module |
| SO | User accounts: system entitlement assignments (UNSAccountInUNSGroup)<br>User accounts (UNSAccount)<br>System entitlements: assignments to system entitlements (UNSGroupInUNSGroup) | Target system manager for the target system to which the system entitlement or user account belongs. | Target System Base Module |
| KA | Active Directory groups (ADSGroup)<br>Active Directory user accounts: group assignments (ADSAccountInADSGroup)<br>User accounts: system entitlement assignments (UNSAccountInUNSGroup)<br>System entitlements (UNSGroup) | Product owner and additional owner of the Active Directory group.<br>If the groups were added automatically to the IT Shop, the account managers are identified as product owners.<br>The additional owners of the Active Directory groups are determined only if the TargetSystem \| ADS \| ARS_SSM configuration parameter is enabled.<br>For more information about these functions, see the One Identity Manager Administration Guide for One Identity Active Roles Integration. | Active Roles Module |

Using a specified role to find attestors
If the attestors for any object are specified in a certain role, use the OR or OM approval procedure. You can allow any objects to be attested by identities from any role using these approval procedures. In the approval step, specify the role by means of which the attestors are to be determined. The approval procedures determine the following attestors.

| Approval procedure | Roles | Attestors |
|---|---|---|
| OM | Departments (Department)<br>Cost centers (ProfitCenter)<br>Locations (Locality)<br>Business roles (Org) | Manager and deputy manager of the role specified in the approval step. |
| OR | Departments (Department)<br>Cost centers (ProfitCenter)<br>Locations (Locality)<br>Business roles (Org)<br>Application roles (AERole) | All secondary members of the role specified in the approval step. |