Chat now with support
Chat mit Support

Identity Manager 9.1.3 - Attestation Administration Guide

Attestation and recertification
One Identity Manager users for attestation Attestation base data Attestation types Attestation procedure Attestation schedules Compliance frameworks Chief approval team Attestation policy owners Standard reasons for attestation Attestation policies Sample attestation Grouping attestation policies Custom mail templates for notifications Suspending attestation
Approval processes for attestation cases
Approval policies for attestations Approval workflow for attestations Selecting attestors Setting up multi-factor authentication for attestation Prevent attestation by employee awaiting attestation Phases of attestation Attestation by peer group analysis Managing attestation cases
Attestation sequence Default attestation and withdrawal of entitlements User attestation and recertification Certifying new roles and organizations Mitigating controls Setting up attestation in a separate database Configuration parameters for attestation

Using roles of employees to be attested to find attestors

Installed modules:

Business Roles Module (for approval procedure AO).

If you want to attest company resource assignments to employees or their requests, use the AD, AL, AO, or AP approval procedures. The attestors found are members of the Attestor application role.

Attestation objects are employees (Person table) or request recipients (PersonWantsOrg table). These approval procedures determine the role (department, location, business role, cost center) for each attestation object to which the attestation object is primarily assigned. If the primarily assigned role is not directly assigned an attestor, the approval procedure finds the attestator's parents roles. If still no attestor can be determined, the attestation case is presented to the attestor of the associated role class for approval.

NOTE: When attestors are found using the AO approval procedure and when "bottom-up" inheritance is defined for business roles, note the following:

  • If there is no attestor given for the primary business role, attestors are taken from the child business role.

Related topics

Using attestation objects to find attestors

Use the AR, AY, or AT approval procedures if you want to attest the validity of compliance rules, rule violations, company policies, policy violations, or of departments, locations, cost centers, or business roles. The AT procedure is also suitable for attesting assignments to IT Shop structures (shops, shopping centers, or shelves). Use the AA or AN approval procedures to attest system entitlement or system role assignments to departments, locations, cost centers, business roles or IT Shop structures. The attestors found are members of the Attestor application role.

 

Attestation base objects

Available in Module

AR

Rules (ComplianceRule)

Rule violations (PersonInNonCompliance)

Compliance Rules Module

AY

Company policies (QERPolicy)

Policy violations (QERPolicyHasObject)

Company Policies Module

AT

Departments (Department)

IT Shop Structures (ITShopOrg)

Locations (Locality)

Business roles (Org)

Cost centers (ProfitCenter)

IT Shop Templates (ITShopSrc)

 

AA, AN

System entitlement or target system group assignments to roles (<BaseTree>HasUNSGroupB,

<BaseTree>HasADSGroup, <BaseTree>HasEBSResp, ...)

System role assignments to roles (<BaseTree>HasESet)

Target System Base Module

These approval procedures determine the attestors to which the attestation object is assigned. The AA approval procedure finds the attestor using the role (departments, locations, business roles, cost centers) or IT Shop structures (IT Shop templates). The AN approval procedure finds the attestor using the service item assigned to the system entitlement or target system group.

Furthermore, the following also applies to the AT and AA approval procedures: If an attestor is not directly assigned to the attestation object, the approval procedure finds the attestor of the parent roles/IT Shop structures. If still no attestor can be determined, the attestation case is presented to the attestor of the associated role class for approval.

NOTE: If the attestation base object is a business role or a business role assignment and bottom-up inheritance is defined for the associated role classes, the following applies:

  • If there is no attestor assigned to the attestation object, the approval procedure finds attestors from the attestors of subordinate roles.

Related topics

Determining attestors using the attestation objects' service item

The OT approval procedure is used to determine the attestors of the service item assigned to the attestation object. You can use this approval procedure for the following attestation base objects:

  • Service items (AccProduct)

  • System entitlements (UNSGroup)

  • User accounts: system entitlement assignments (UNSAccountInUNSGroup)

  • Account definitions (TSBAccountDef) and employee assignments (PersonHasTSBAccountDef)

  • System roles (ESet) and employee assignments (PersonHasESet)

  • Subscribable reports (RPSReport) and employee assignments (PersonHasRPSReport)

  • Resources (QERResource) and employee assignments (PersonHasQERResource)

  • Multi-requestable resources (QERReuse)

  • Multi requestable/unsubscribable resources (QERReuseUS)

  • Assignment resources (QERAssign)

The attestors found are members of the Attestor application role. If there is no attestor assigned to the service item, the attestors are taken from the associated service category.

Related topics

Using attestation object managers to find attestors

If you want to have employees, user accounts, roles, system roles, role memberships, assignments of system roles, or entitlements for employees, roles, or IT Shop structures attested through their managers, use the CM, DM, LM, MO, RM, RR, or RE approval procedures.

Approval procedure

Attestation base objects

Available in Module

CM

Employees (Person)

Employees: memberships in application roles (PersonInAERole)

Employees: department memberships (PersonInDepartment)

Employees: location memberships (PersonInLocality)

Employees: cost center memberships (PersonInProfitCenter)

Employees: business role memberships (PersonInOrg)

Employees: system role assignments (PersonHasESet)

 

 

DM

Employees (Person)

Employees: department memberships (PersonInDepartment)

 

LM

Employees (Person)

Employees: location memberships (PersonInLocality)

 

MO

Employees (Person)

Employees: business role memberships (PersonInOrg)

Business Roles Module

PM

Employees (Person)

Employees: cost center memberships (PersonInProfitCenter)

 

RE

System roles (ESet)

Employees: system role assignments (PersonHasESet)

Departments: system role assignments(DepartmentHasESet)

Business roles: system role assignments (OrgHasESet)

IT Shop structures: system role assignments (ITShopOrgHasESet)

IT Shop templates: system role assignments (ITShopSrcOrgHasESet)

Cost centers: system role assignments (ProfitCenterHasESet)

Locations: system role assignments (LocalityHasESet)

System Roles Module

RM

Employees: department memberships (PersonInDepartment)

Employees: IT Shop structure memberships (PersonInITShopOrg)

Employees: location memberships (PersonInLocality)

Employees: business role memberships (PersonInOrg)

Employees: cost center memberships (PersonInProfitCenter)

 

RR

Departments (Department)

IT Shop Structures (ITShopOrg)

Locations (Locality)

Business roles (Org)

Cost centers (ProfitCenter)

IT Shop Templates (ITShopSrc)

All system entitlement or system role assignments to roles; for example Roles and organizations: Active Directory group assignments (BaseTreeHasADSGroup) or Locations: EBS entitlement assignments (LocalityHasEBSResp)

 

XM

Employees (Person)

Employees: memberships in application roles (PersonInAERole)

Employees: department memberships (PersonInDepartment)

Employees: location memberships (PersonInLocality)

Employees: cost center memberships (PersonInProfitCenter)

Employees: business role memberships (PersonInOrg)

Employees: system role assignments (PersonHasESet)

User accounts (UNSAccount)

User accounts: system entitlement assignments (UNSAccountInUNSGroup)

 

These approval procedures find the manager associated with every attestation object. In the RE approval procedure, the system role manager is determined as attestor; in the RM and RR approval procedures, the role/IT Shop structure manager is determined. The approval procedures CM, DM, LM, MO, and PM find the department manager and deputy manager of the role in which the attesting employee is a member. The approval procedure XM determines the manager of the employee who can be determined through the attestation object.

Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen