Use external approvals (EX approval procedure) if an attestation needs to be approved as soon as a defined event from outside One Identity Manager takes place. You can also use this procedure to reach attestors with no access to One Identity Manager.
Specify an event in the approval step that triggers an external approval. The event triggers a process that initiates the external approval for the attestation case and evaluates the result of the approval decision. The approval process waits for the external decision to be passed to One Identity Manager. Define the subsequent approval steps depending on the result of the external approval.
To use an approval procedure
- In the Designer, define your own processes that:
  - Trigger an external approval.
  - Analyze the results of the external approval.
  - Grant or deny approval in the subsequent external approval step in One Identity Manager.
- Define an event that starts the process for external approval. Enter the result in Result in the approval step.
If the external event occurs, the approval step status in One Identity Manager must be changed. Use the CallMethod process task with the MakeDecision method for this. Pass the following parameters to the process task:
MethodName: Value = "MakeDecision"
ObjectType: Value = "AttestationCase"
Param1: Value = "sa"
Param2: Value = <approval> ("true" = granted; "false" = denied)
Param3: Value = <reason for approval decision>
Param4: Value = <standard reason>
Param5: Value = <number approval steps> (PWODecisionStep.SubLevelNumber)
WhereClause: Value = "UID_AttestationCase ='"& $UID_AttestationCase$ &"'"
Use these parameters to specify which attestation case is to be approved by external approval (WhereClause). Param1 specifies the attestor. The attestor is always the sa system user. Param2 passes down the approval decision. If the attestation was granted, a value of True must be returned. If the attestation was denied, a value of False must be returned. Use Param3 to pass a reason text for the approval decision; use Param4 to pass a predefined standard reason. If more than one external approval step has been defined in an approval level, use Param5 to pass the approval step count. This ensures the approval is aligned with the correct approval step.
Example
All compliance rules should be checked and attested by an external assessor. The attestation object data should be made available as a PDF on an external share. The assessor should save the result of the attestation in a text file on the external share. Use this approval procedure to make external approvals and define:
For more information about creating processes, see the One Identity Manager Configuration Guide. For more information about setting up schedules, see the One Identity Manager Operational Guide.
NOTE: Only one approval step can be defined with the WC approval procedure per approval level.
If you want to ensure that a specific data state exists in One Identity Manager before an attestation case is finally approved, then use the WC approval procedure. Use a condition to specify which prerequisites have to be fulfilled so that attestation can take place. The condition is evaluated as a function call, which must accept the attestation case UID as a parameter (AttestationCase.UID_AttestationCase). You use this UID to reference the attestation object. The function must define three return values as integer values. One of the following actions is carried out depending on the function’s return value.
Table 28: Return value for deferred approval
| Return value > 0 | The condition is fulfilled. Deferred approval has completed successfully. The next approval step (in case of success) is carried out. |
| Return value = 0 | The condition is not yet fulfilled. Approval is rolled back and is retested the next time DBQueue Processor runs. |
| Return value < 0 | The condition is not fulfilled. Deferred approval has failed. The next approval step (in case of failure) is carried out. |
To use an approval procedure
- Create a database function which tests the condition for the attestation.
- Create an approval step with the WC approval procedure. Enter the function call in Condition.
  Syntax: dbo.<function name>
- Specify an approval step in the case of success. Use the approval procedure with which One Identity Manager can determine the attestors.
- Specify an approval step in the case of failure.
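The function contract described above, shown as an added T-SQL example that is not One Identity's own code: it takes the attestation case UID and returns a positive, zero, or negative integer. The function name, the custom table dbo.CCC_AttestationEvidence with its ReviewState column, and the 14-day deadline are hypothetical; the example also assumes the case's XDateInserted column holds a UTC timestamp.

```sql
-- Added example, not product code. Hypothetical names and values:
--   dbo.CCC_AttestationEvidence  custom table, at most one row per attestation case
--   ReviewState                  'Accepted', 'Rejected', anything else = still pending
--   14 days                      constructed deadline for the evidence to arrive
create function dbo.CCC_FTestEvidenceForAttestation (@uid_attestationcase varchar(38))
returns int
as
begin
    declare @caseCreated datetime
    declare @state nvarchar(16)

    -- Look up the attestation case the WC approval step passed in.
    select @caseCreated = ac.XDateInserted
    from dbo.AttestationCase ac
    where ac.UID_AttestationCase = @uid_attestationcase

    -- Unknown case UID: fail closed (< 0) instead of being retested forever.
    if @caseCreated is null
        return -1

    -- Read the data state that must exist before the case may proceed.
    select @state = ev.ReviewState
    from dbo.CCC_AttestationEvidence ev
    where ev.UID_AttestationCase = @uid_attestationcase

    -- > 0: condition fulfilled, the success step is carried out.
    if @state = N'Accepted'
        return 1

    -- < 0: condition definitively not fulfilled, the failure step is carried out.
    if @state = N'Rejected'
        return -1

    -- Evidence missing or not yet reviewed (@state is NULL or another value).
    -- Past the deadline this becomes a failure, so the case cannot stay
    -- in the retest loop indefinitely.
    if datediff(day, @caseCreated, getutcdate()) > 14
        return -1

    -- = 0: not yet fulfilled, retested the next time DBQueue Processor runs.
    return 0
end
```

With this function in place, the Condition of the WC approval step would contain dbo.CCC_FTestEvidenceForAttestation. Only an explicit 'Accepted' state returns a positive value, so missing or unexpected data never results in approval.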
You can create your own approval procedures if the default approval procedures for finding the responsible attestors do not meet your requirements. The condition through which the attestors are determined is formulated as a database query. Several queries may be combined into one condition.
To set up an approval procedure
- In the Manager, select the Attestation > Basic configuration data > Approval procedures category.
- Select an approval procedure in the result list and run the Change main data task.
  - OR -
  Click in the result list.
- Edit the approval procedure main data.
- Save the changes.
To edit the condition
- In the Manager, select the Attestation > Basic configuration data > Approval procedures category.
- Select an approval procedure from the result list.
- Select Change queries for approver selection.
Enter the following main data of an approval procedure.
Table 29: General main data of an approval procedure
| Approval procedure | Descriptor for the approval procedure (maximum two characters). |
| Description | Approval procedure identifier. |
| DBQueue Processor task | Approvals can either be made automatically through a DBQueue Processor calculation task or by specified approvers. Assign a custom DBQueue Processor task if the approval procedure should make an automatic approval decision. You cannot assign a DBQueue Processor task if a query is entered for determining the attestors. |
| Max. number approvers | Maximum number of attestors to be determined by the approval procedure. Specify how many identities must really make approval decisions in the approval steps used by this approval procedure. |
| Sort order | Value for sorting approval procedures in the menu. Specify the value 10 to display this approval procedure at the top of the menu when you set up an approval step. |