Managing my system entitlements' attestation cases
You can use attestation to test the balance between security and compliance within your company. Managers or others responsible for compliance can use One Identity Manager attestation functionality to certify correctness of permissions, requests, or exception approvals either scheduled or on demand. Recertification is the term generally used to describe regular certification of permissions. One Identity Manager uses the same workflows for recertification and attestation.
Attestations are carried out using attestation policies defined in One Identity Manager. Attestation policies specify which objects are attested when, how often, and by whom. Once an attestation is performed, One Identity Manager creates attestation cases that contain all the necessary information about the attestation objects and the attestor responsible. The attestor checks the attestation objects. They verify the correctness of the data and initiate any changes that need to be made if the data conflicts with internal rules.
Attestation cases record the entire attestation sequence. Each attestation step in an attestation case can be reconstructed in an audit-proof manner. Attestations are run regularly using scheduled tasks. You can also trigger single attestations manually.
Attestation is complete when the attestation case has been granted or denied approval. You specify how to deal with granted or denied attestations on a company basis.
Displaying my system entitlements' attestation cases
You can display attestation cases that involve system entitlements for which you are responsible.
In addition, you can obtain more information about the attestation cases.
To display attestation cases
- In the menu bar, click Responsibilities > My Responsibilities.
- In the navigation, click Identities.
- On the System Entitlements page, click the system entitlement whose attestation cases you want to display.
- In the Edit System Entitlement pane, click the Attestation tab.
  This displays all the system entitlement's attestation cases.
- (Optional) To display more details of an attestation case, click the respective attestation case.
Approving and denying my system entitlements' attestation cases
You can grant or deny approval to attestation cases of system entitlements for which you are responsible.
To approve an attestation case
- In the menu bar, click Responsibilities > My Responsibilities.
- On the System Entitlements page, click the system entitlement whose attestation cases are pending your approval.
- In the Edit System Entitlement pane, click the Attestation tab.
- On the Attestation tab, click (Filter).
- In the filter context menu, select the Pending option.
- Perform one of the following actions:
  - To approve an attestation case, select the check box next to the attestation case in the list and click Approve below the list.
  - To deny an attestation case, select the check box next to the attestation case in the list and click Deny below the list.
- In the Approve Attestation Case or the Deny Attestation Case pane, perform the following actions:
  - In the Reason for your decision field, select a standard reason for your approval decision.
  - In the Additional comments about your decision field, enter extra information about your approval decision.
    TIP: Giving reasons makes your approvals more transparent and supports the audit trail.
- Click Save.
Managing my system roles
System roles combine company resources that must always be assigned to identities together into a single package. Different types of company resources can be grouped into one system role, such as Active Directory groups, software, and resources. System roles can be assigned to user accounts, requested, or inherited through hierarchical roles. Identities and workdesks inherit company resources assigned to the system roles.
You can perform a variety of actions regarding system roles that you manage and gather information about them.