Identity Manager 9.3 - Attestation Administration Guide

Criteria for approval recommendations for attestation

Various criteria are evaluated for approval recommendations. Which criteria can be applied depends on the object to be attested. For example, the last time a user account logged in to the target system can only be evaluated when attesting user accounts or assigning user accounts to system entitlements. This criterion is not applicable to other attestation objects. Non-applicable criteria do not affect the outcome of the recommendation.

The following criteria are evaluated when determining recommendations for approving attestation cases.

  1. Peer group factor

    The peer group factor assumes that all members of a peer group require the same system entitlements or secondary memberships. For example, if the majority of identities belonging to a department have a certain system entitlement, assignment to another identity in the department can be approved.

    The number of identities in a peer group that must already own the assignment or membership to be attested is set by a threshold in the QER | Attestation | Recommendation | PeerGroupThreshold configuration parameter. The threshold specifies the ratio of the total number of identities in the peer group to the number of identities in the peer group who already own this assignment or membership.

    Peer groups contain all identities with the same manager or belonging to the same primary or secondary department as the identity linked to the attestation object (= identity to be attested). Configuration parameters specify which identities belong to the peer group. At least one of the following configuration parameters must be set.

    • QER | Attestation | PeerGroupAnalysis | IncludeManager: Identities with the same manager as the identity being attested

    • QER | Attestation | PeerGroupAnalysis | IncludePrimaryDepartment: Identities that belong to the same primary department as the identity being attested

    • QER | Attestation | PeerGroupAnalysis | IncludeSecondaryDepartment: Identities whose secondary department corresponds to the primary or secondary department of the identity being attested

    This criterion is evaluated only for the following attestations:

    • Assignments of system entitlements to user accounts (UNSAccountInUNSGroup table) if the user account is linked to an identity
    • Secondary memberships in roles and organizations (PersonInBaseTree table and its derivatives)
  2. Assigned functional area

    This evaluates whether the assignment to attest and the primary department of the identity to attest are assigned to the same functional area. If this is not the case, the assignment or membership is considered cross-functional. Whether an assignment or a membership is cross-functional or not can only be verified if the following conditions are fulfilled:

    • The identity being attested and the member of the peer group requested the assignment or membership in the IT Shop.

    • The identity being attested is assigned to a primary department and this department is assigned to a functional area.

    • The service item to which the assignment or membership is assigned, is assigned to a functional area.

    This criterion is evaluated only for the following attestations:

    • Assignments of system entitlements to user accounts (UNSAccountInUNSGroup table) if the user account is linked to an identity
    • Secondary memberships in roles and organizations (PersonInBaseTree table and its derivatives)
  3. Compliance rule violations

    This evaluates whether the attestation object may violate existing compliance rules if the attestation were granted approval. Once a rule violation is detected, denying the attestation is recommended.

    This criterion is evaluated for all attestation objects.

  4. Risk factor

    This calculates the risk factor of the attestation object. If this risk index exceeds the specified threshold, denying approval is recommended. The threshold is specified in the QER | Attestation | Recommendation | RiskIndexThreshold configuration parameter.

    This criterion is evaluated for all attestation objects that have a risk index (RiskIndex or RiskIndexCalculated column).

  5. Approval rate

    This determines the proportion of approvals for this attestation object in previous attestations. For this, all approval procedures with manual approval that are also used in the currently running approval workflow are determined in the approval sequence (AttestationHistory). The proportion of approvals for the same attestation object is determined from the entries in the approval sequence.

    If the approval rate exceeds the specified threshold, granting approval is recommended. The threshold is specified in the QER | Attestation | Recommendation | ApprovalRateThreshold configuration parameter.

    This criterion is evaluated for all attestation objects that were already attested.

  6. Assignment rate

    This determines the number of company resource assignments to the attested identity (PersonHasObject) and compares it to the average number per identity. If the assignment rate is less than the average per identity, denying approval is recommended.

    This criterion is evaluated only when identities are being attested (Person table).

  7. Last login time

    This determines the last time the user account logged in (from UNSAccount.LastLogon). If the login was more than a defined number of days in the past, denying approval is recommended. The number of days is set in the QER | Attestation | Recommendation | UnusedDaysThreshold configuration parameter.

    This criterion is evaluated only when attesting user accounts (such as the UNSAccount table) or system entitlement assignments to user accounts (UNSAccountInUNSGroup table) if the LastLogin column exists in the user account table.

Recommendation for granting approval

All applicable criteria are fulfilled. That means:

  • The peer group has members and the peer group factor is higher than the threshold (PeerGroupThreshold).

  • The attestation object and the primary department of the attested identity belong to the same functional area. Therefore the attestation object is not cross-functional.

  • There are no rule violations.

  • The risk index of the attestation object is lower than the threshold (RiskIndexThreshold).

  • The approval rate is higher than the threshold (ApprovalRateThreshold).

  • The assignment rate is higher than average.

  • The last login was less than the specified number of days ago (UnusedDaysThreshold) and a time for the last login is entered.

Recommendation for denying approval

At least one of the following criteria applies.

  • The peer group has no members or the peer group factor is lower than the threshold (PeerGroupThreshold).

  • There is at least one rule violation.

  • The assignment rate is less than average.

If at least two of the following applicable criteria hold, denying approval is also recommended.

  • The product is cross-functional.

  • The risk index of the attestation object is higher than the threshold (RiskIndexThreshold).

  • The approval rate is lower than the threshold (ApprovalRateThreshold).

  • The last login was longer than the specified number of days ago (UnusedDaysThreshold) or there is no time entered for the last login.

In all other cases, no recommendation is given.
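The combination rules above, as an added worked example in Python (not the product's ATT_AttestationCase_Recommendation script): each criterion yields for, against, or not applicable, and the three outcomes are derived exactly as stated on this page, using the default thresholds quoted here. The CaseInput fields, the sample values, and the treatment of values exactly at a threshold are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Defaults of the QER | Attestation | Recommendation thresholds quoted on the page
PEER_GROUP_THRESHOLD, RISK_INDEX_THRESHOLD = 0.9, 0.5
APPROVAL_RATE_THRESHOLD, UNUSED_DAYS_THRESHOLD = 0.5, 90

@dataclass
class CaseInput:
    """Constructed inputs for one attestation case; None = criterion not applicable."""
    peer_group_size: Optional[int] = None       # identities in the peer group
    peers_owning: Optional[int] = None          # peers that already hold the object
    cross_functional: Optional[bool] = None     # functional-area check
    rule_violations: int = 0                    # always applicable
    risk_index: Optional[float] = None          # RiskIndex / RiskIndexCalculated
    approval_rate: Optional[float] = None       # share of approvals in AttestationHistory
    assignments_below_average: Optional[bool] = None  # Person attestations only
    login_applicable: bool = False              # user-account attestations only
    days_since_last_login: Optional[int] = None # None here means no login time entered

def evaluate(c: CaseInput) -> dict:
    """True = for approval, False = against, None = n/a (values exactly at a threshold: not fulfilled)."""
    peer = login = None
    if c.peer_group_size is not None:
        peer = (c.peer_group_size > 0
                and c.peers_owning / c.peer_group_size > PEER_GROUP_THRESHOLD)
    if c.login_applicable:
        login = (c.days_since_last_login is not None
                 and c.days_since_last_login < UNUSED_DAYS_THRESHOLD)
    opt = lambda v, ok: None if v is None else ok(v)
    return {
        "peer_group": peer,
        "functional_area": opt(c.cross_functional, lambda x: not x),
        "rule_violations": c.rule_violations == 0,
        "risk_index": opt(c.risk_index, lambda x: x < RISK_INDEX_THRESHOLD),
        "approval_rate": opt(c.approval_rate, lambda x: x > APPROVAL_RATE_THRESHOLD),
        "assignment_rate": opt(c.assignments_below_average, lambda x: not x),
        "last_login": login,
    }

def recommend(c: CaseInput) -> str:
    """Combine the criteria as the page describes: 'grant', 'deny' or 'none'."""
    r = evaluate(c)
    hard = [r["peer_group"], r["rule_violations"], r["assignment_rate"]]
    soft = [r["functional_area"], r["risk_index"], r["approval_rate"], r["last_login"]]
    if any(v is False for v in hard) or sum(v is False for v in soft) >= 2:
        return "deny"          # one hard criterion or two soft criteria against
    if all(v is not False for v in r.values()):
        return "grant"         # every applicable criterion is fulfilled
    return "none"              # exactly one soft criterion against: no recommendation
```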

Configuring approval recommendations for attestation

To use approval recommendations, add an additional approval level to the approval workflows and configure the thresholds. Based on the recommendation, attestations can be automatically granted approval. If denying approval is recommended or a clear recommendation cannot be made, the attestations must be submitted to additional attestors. If requests are not approved automatically, also define a manual approval level in case the recommendation is to grant approval.

The attestors are shown the approval recommendation. They can follow the recommendation or make their own approval decision independently.

TIP: One Identity Manager provides the Attestation by the identity's manager (with approval recommendation) sample workflow for approval recommendations with automatic approval. You can use this approval workflow as a template and adjust it to suit your requirements. To do this, copy the workflow and add approval levels with manual approval steps.

To configure approval recommendations

  1. In the Designer, set the QER | ITShop | PeerGroupAnalysis configuration parameter.

  2. Set at least one of the following subparameters:

    • QER | Attestation | PeerGroupAnalysis | IncludeManager: Identities with the same manager as the identity linked to the attestation object.

    • QER | Attestation | PeerGroupAnalysis | IncludePrimaryDepartment: Identities that belong to the same primary department as the identity linked to the attestation object.

    • QER | Attestation | PeerGroupAnalysis | IncludeSecondaryDepartment: Identities whose secondary department corresponds to the primary or secondary department of the identity linked to the attestation object.

    This allows you to specify which identities belong to the peer group. You can also set two or all of the configuration parameters.

  3. Specify the threshold for the peer group factor in the QER | Attestation | Recommendation | PeerGroupThreshold configuration parameter. Enter a value between 0 and 1.

    The default value is 0.9. That means, at least 90 percent of the peer group members must already have the attestation object for granting approval to be recommended.

  4. Set the threshold for the risk factor in the QER | Attestation | Recommendation | RiskIndexThreshold configuration parameter. Enter a value between 0 and 1.

    The default value is 0.5. That means, the attestation object's risk index must be less than 0.5 for granting approval to be recommended.

  5. Set the approval rate threshold in the QER | Attestation | Recommendation | ApprovalRateThreshold configuration parameter. Enter a value between 0 and 1.

    The default value is 0.5. That means, if more than 50% of all previous attestation cases of this attestation object were approved using the same approval procedure, granting approval is recommended.

  6. Specify the number of days after which user accounts are considered unused in the TargetSystem | UNS | UnusedUserAccountThresholdInDays configuration parameter.

    The default value is 90. That means, if the time of the last login with a user account is less than 90 days ago, granting approval is recommended.

  7. Create an approval workflow in the Manager and insert an approval step with the following data as the first approval level:

    • Approval procedure: EX

    • Event: RecommendationAnalysis

    The event starts the ATT_AttestationCase_Recommendation process, which runs the ATT_AttestationCase_Recommendation script. The script runs automatic approval.

  8. Add an approval level for manual approval.

  9. In case denying approval might be recommended or no recommendation can be made, connect this approval level to the deny connection point at the first approval level.

  10. (Optional) If the request is not to be approved automatically, connect the connection point for granting approval at the first approval level to an approval level for manual approval as well. This means that attestation cases have to be approved manually even if granting approval is recommended.

  11. Create an approval policy and assign it to the approval workflow.

    • Use this approval policy for attesting.

Managing attestation cases

During attestation, you may find it necessary to assign someone else as default attestor responsible for the attestation because, for example, the actual attestor is absent. You may also require additional information about an attestation object. One Identity Manager offers different possibilities to intervene in a pending attestation case.

Getting more information

An attestor has the option to gather more information about an attestation case. This ability does not, however, replace the granting or denying approval of an attestation case. There is no additional approval step required in the approval workflow to obtain the information.

Attestors can request information from any identity. The attestation case is put on hold while the query is pending. Once the identity requested has supplied the required information and the attestors have made a decision on the approval step, hold status is revoked. Attestors can recall a pending query at any time. The request is taken off hold. The query and answer are logged in the approval sequence and made available to the attestors.

NOTE: Hold status is revoked if the attestor who asked a question is removed as an approver. The queried identity does not have to answer and the attestation case proceeds.

Email notifications about unanswered queries can be sent to the identities involved.

For more information about queries, see the One Identity Manager Web Portal User Guide.
