Chat now with support
Chat mit Support

Identity Manager 9.3 - Attestation Administration Guide

Attestation and recertification
One Identity Manager users for attestation Attestation base data Attestation types Attestation procedure Attestation schedules Compliance frameworks Chief approval team Attestation policy owners Standard reasons for attestation Providing terms of use for attestation Attestation policies Sample attestation Grouping attestation policies Custom mail templates for notifications Suspending attestation Automatic attestation of policy violations
Approval processes for attestation cases
Approval policies for attestations Approval workflow for attestations Selecting attestors Setting up multi-factor authentication for attestation Prevent attestation by identity awaiting attestation Automatic acceptance of attestation approvals Phases of attestation Attestation by peer group analysis Approval recommendations for attestations Managing attestation cases
Attestation sequence Default attestations Mitigating controls for attestation policies Setting up attestation in a separate database Configuration parameters for attestation

Configuring user attestation and recertification

To use the attestation and recertification function for new internal users

  1. In the Designer, set the QER | Attestation | UserApproval configuration parameter.

  2. Assign at least one identity to the Identity Management | Identities | Administrators application role.

    All identities with this application role can assign a manager to the identity being attested during the attestation run.

To use the attestation and recertification function for new external users

  1. In the Designer, set the following configuration parameters:

    • QER | Attestation | ApproveNewExternalUsers: Select the value 1.

    • QER | WebPortal | PasswordResetURL: Specify the API Server's web address that deploys the Password Reset Portal. This web address is used for navigation.

    • QER | Attestation | MailTemplateIdents | NewExternalUserVerification: Mail template sending verification links.

    • QER | Attestation | NewExternalUserTimeoutInHours: For new external users, specify the duration of the verification link in hours.

      The default is 4 hours. If logging in to the Password Reset Portal fails because the timeout has expired, the user can ask for a new verification link to be sent. To change the duration of the verification link, change the value in the configuration parameter.

    • QER | Attestation | NewExternalUserFinalTimeoutInHours: Specify the duration in hours, within which self-registration must be successfully completed.

      If the user does not complete registration with 24 hours, the attestation case quits. To register anyway, the user must log in again to the Web Portal from the beginning. To change the checkout duration of registration, change the value of the configuration parameter.

  2. Assign at least one identity to the Identity & Access Governance | Attestation | Attestor for external users application role.

Detailed information about this topic

Attesting new users

Attestation of new users is divided into three use cases by One Identity Manager:

  1. Registration of new external users logging in to the Web Portal.

  2. Adding new identities in the Manager or using a manager in the Web Portal.

  3. Adding new identities by importing identity main data.

The result of attestation is the same in all three cases.

  • Certified, activated identities who can access all entitlements assigned to them in One Identity Manager and the connected target systems.

    Company resources are inherited. Account definitions are assigned to internal identities.

    - OR -

  • Denied and permanently deactivated identities.

    Disable identities cannot log in to One Identity Manager tools. Company resources are not inherited. Account definitions are not automatically assigned. User accounts associated with the identity are also locked or deleted. You can customize the behavior to meet your requirements.

Self-registration of new users in the Web Portal

Users who are not yet registered have the option to register themselves to use the Web Portal. These users can log in to the Web Portal once a manager has attested the user's main data and the set the user's password. This adds an external identity to the One Identity Manager database.

Attestation sequence:

  1. The user logs in to the Web Portal for the first time and enters the required properties.

    A new identity is added to the One Identity Manager database with properties:

    Table 42: Properties of a newly added identity

    Property

    Value

    Certification status

    New

    External

    Set

    Contact email address

    Email address to send the verification link to.

    Permanently deactivated

    Set

    No inheritance

    Set

  2. Attestation is started automatically.

    Attestation policy used: New user certification

    NOTE: The attestation only starts automatically if the QER | Attestation | UserApproval configuration parameter is set. Otherwise the new user remains permanently deactivated until a manager changes the identity main data manually.
  3. Attestors are found.

    Effective approval policy: Certification of users

  4. If the QER | Attestation | ApproveNewExternalUsers configuration parameter is set and the value is 1, attestation of members of the Identity & Access Governance | Attestation | Attestors for external users is submitted.

    1. If an attestor for external users denies the attestation, the attestation case is closed. The identity's properties are updated in the database.
      Table 43: Properties of an external identity with denied attestation

      Property

      Value

      Explanation

      Certification status

      Denied

      External

      Set

       

      Permanently deactivated

      Set

      The user cannot log in to the Web Portal.

      No inheritance

      Set

      Company resources are not inherited.

    2. If an attestor for external users approves attestation, an email with a verification link is sent to the new user.

    NOTE: If the QER | Attestation | ApproveNewExternalUsers configuration parameter is not set or the value is 0, an email with a verification link is sent immediately to the new user.

  5. Once the user has followed the link and a password and a password question have been set, the attestation case is approved. The identity's properties are updated in the database.

    Table 44: Properties of an external identity with approved attestation

    Property

    Value

    Explanation

    Certification status

    Certified

     

    External

    Set

     

    Permanently deactivated

    Not set

    The user can log in to the Web Portal.

    No inheritance

    Not set

    Company resources are inherited.

The default is 4 hours. If logging in to the Password Reset Portal fails because the timeout has expired, the user can ask for a new verification link to be sent.

If the user does not complete registration with 24 hours, the attestation case quits. To register anyway, the user must log in again to the Web Portal from the beginning.

Related topics

Adding new identities using a manager or administrator for identities

You can also attest new users if new identities are added in the Manager or if a manager in the Web Portal adds a new identities. Specify the required behavior with the configuration parameter QER | Attestation | UserApproval | InitialApprovalState. This configuration parameter has the default value 0. This gives each new identity the certification status Certified. Automatic attestation is not carried out.

To automatically attest new users

  • In the Designer, enable the QER | Attestation | UserApproval | InitialApprovalState configuration parameter and set the value to 1.

    All identities added to the database from this point on are given the certification status New. This means automatic attestation of these identities is carried out.

The sequence is different for internal and external identities.

Attestation sequence:

  1. Enter the new user's main data and assign a manager to them.

    For more information about adding identities, see the One Identity Manager Identity Management Base Module Administration Guide and the One Identity Manager Web Portal User Guide.

    The certification status corresponds to the value of the QER | Attestation | UserApproval | InitialApprovalState configuration parameter. If the configuration parameter has the value 1, certification status is set to New.

    The identity is activated by default. They can therefore log in to One Identity Manager immediately. To ensure that the identity cannot log in to One Identity Manager until their main data has been attested, deactivate the identity.

    • To do this, run the Deactivate identity permanently task.

  2. Once the identity's main data has been saved, attestation starts.

    Attestation policy used: New user certification

  3. Attestors are found.

    Effective approval policy: Certification of users

  4. If the External option is set for the identity:

    Attestation takes place as described in the Self-registration of new users in the Web Portal section, steps 4 to 5.

  5. If the External option is set for the identity:
    1. One Identity Manager checks whether you have assigned a manager to the identity.

      • If you have assigned a manager to the identity, the case is immediately passed on to them for approval.

      • If you have not assigned a manager to the identity, the case is assigned to the identity administrators for approval.

    2. An identity administrator checks your main data and also assigns a manager to you.

      • An identity administrator assigns a manager and approves attestation. The attestation case is assigned to the manager for approval.

      • If the identity administrator does not assign a manager and approves attestation, the attestation case is closed. The identity's properties are updated in the database.

        Table 45: Properties of an identity with approved attestation

        Property

        Value

        Explanation

        Certification status

        Certified

        External

        Not set

         

        Disabled permanently

        Not set

         

        No inheritance

        Not set

        Company resources are inherited.

      • If the identity administrator denies attestation, the attestation case is closed. The identity properties are updated in the database.

        Table 46: Properties of an identity with rejected attestation

        Property

        Value

        Explanation

        Ceritifcation status

        Rejected

        External

        Not set

         

        Permanently disabled

        Set

        No inheritance

        Set

        Company resources are not inherited.

        User accounts are not created automatically.

    3. The manager can deny attestation approval if they are not the manager in charge of the user.

      • The manager can assign another identity as manager. The attestation case is immediately assigned to this manager.

      • If the manager does not know who your manager is, approval is returned to the identity administrators. These can

        • Assign another manager

        • Not assign another manager and grant attestation approval

        • Deny attestation approval

    4. If the manager approves attestation, the attestation case is closed. The identity properties are updated in the database.
      Table 47: Properties of an identity with approved attestation

      Property

      Value

      Explanation

      Certification status

      Certified

      External

      Not set

       

      Disabled permanently

      Not set

       

      No inheritance

      Not set

      Company resources are inherited.

      NOTE: Only identity administrators can ultimately deny attestation approval. If a manager denies attestation, the case is returned to the identity administrators for approval in any case.
Related topics
Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen