Phases of attestation
When performing attestations, it can be helpful to check in advance that the correct attestation objects are generated and the appropriate approvers are found. This determines whether the approval process can be deployed as defined and used for attestation or if it requires customizing. A staging phase like this can be added to the beginning of the approval procedure.
If entitlements are withdrawn because attestation was denied, affected identities can be given the opportunity to challenge the denial and thereby prevent the entitlements being withdrawn. A challenge phase like this can be placed at the end of the approval procedure. Depending on the outcome of the challenge, entitlements can subsequently be withdrawn automatically or manually.
Thus, approval procedures can be divided into four phases:
- (Optional) Staging
Those responsible for attestations, specifically the owners of the respective attestation policy, are given the opportunity here to review the details of an attestation run. This allows the scope and sequence of attestation to be assessed before attestation is carried out. If errors are detected in the generated attestation cases, the affected attestation cases can be canceled, the errors corrected, and attestation restarted.
The staging phase can be integrated into the approval processes of any attestation objects.
- Attestation
Attestation is run according to the defined approval workflow.
- (Optional) Challenge
If an attestation is finally denied, the identities affected can be given the opportunity to challenge this decision. This allows attested identities to register their legitimate interests before entitlements are withdrawn. For example, it prevents entitlements that are needed at short notice from being withdrawn by a scheduled attestation and then having to be reassigned with additional effort.
A challenge is possible when attesting user accounts, memberships in roles and organizations, or memberships in system entitlements.
- (Optional) Automatically withdraw entitlements
If an attestation is denied in the end, the denied entitlements can be removed immediately. To do this, an automatic approval step with external approval is added to the end of the approval workflow.
For all four phases, appropriate approval levels are defined in the approval workflows.
Setting up the staging phase
In a staging phase, an approval level is inserted at the beginning of the approval workflow that identifies the attestation policy owners as approvers. All attestation cases in an attestation run are thus submitted to a single identity (AttestationPolicy.UID_PersonOwner) or a group of identities (AttestationPolicy.UID_AERoleOwner) for review.
For example, a staging phase can be set up when the attestation policy or its components (attestation procedures, approval workflow, and so on) have been newly created and need to be tested to see if they deliver the expected results.
To set up a staging phase
- In the Manager, create a new approval workflow or edit an existing approval workflow.
- Add a new approval level at the beginning of the workflow and enter the approval step properties.
- Drag the Approval connector from the staging approval level to the next approval level.
- Save the changes.
- Assign an approval policy to the approval workflow.
- Assign an attestation policy to the approval policy.
- Assign a single owner or an application role as owner to the attestation policy.
- (Optional) Edit the main data of the attestation case assigned to the attestation policy.
- Save the changes.
With this workflow configuration, the attestation phase starts once the attestation policy owners have approved staging. If the staging approval step is denied, attestation for the current attestation case is finally denied and the necessary corrections can be made.
Criteria for the staging phase
In the staging phase, at the beginning of each attestation run of the attestation policy, the generated attestation cases are checked for correctness. Staging criteria can be:
- Attestation scope
Will too many or too few attestation cases be created?
-> Does the condition of the attestation policy need to be worded differently?
- Attestation sequence
Will the correct attestors be identified in the correct order?
-> Does the approval workflow need to be changed?
- Details of the attestation objects that the attestors see
Is too much or too little detailed information displayed?
-> Does the report of the attestation procedure or the content of the snapshot need to be changed?
Is incorrect information shown?
-> Does the attestation object's main data need to be corrected?
If errors are found only in individual attestation cases, you can deny these attestations and make the necessary corrections to the attestation objects. All other attestation cases can be approved and continue down the approval process.
If fundamental issues are found with the attestation policy, the attestation procedure, or the approval workflow used, you can flag all pending attestation cases, deny them all together, and then make the necessary corrections.
Setting up the challenge phase
If an attestation is finally denied, the identities affected can be given the opportunity to challenge this decision. The challenge may be particularly useful if entitlements are to be automatically withdrawn following denied attestations. Those affected can prevent this in the final instance.
To set up the challenge phase
- In the Manager, edit an approval workflow and add a new approval level at the end of the workflow.
- Enter the approval step properties.
If the workflow includes an approval level for automatically withdrawing attested entitlements, the challenge approval level must be inserted directly before it.
- Drag the Deny connector from the previous approval level to the challenge approval level.
- (Optional) Drag the Deny connector from the challenge approval level to the approval level for automatically withdrawing entitlements.
- Save the changes.
- Assign an approval policy to the approval workflow.
- Assign an attestation policy to the approval policy.
A challenge is possible when attesting user accounts, memberships in roles and organizations, or memberships in system entitlements.
- (Optional) Edit the main data of the attestation case assigned to the attestation policy.
- Save the changes.
If those affected deny this approval step, the attestation is finally denied approval. If automatic withdrawal of entitlements is configured, the attested assignment is then automatically removed. If those affected approve this approval step, the attestation is finally granted approval.
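The routing that the staging and challenge procedures above describe can be checked as a small model of the Approval and Deny connectors. This is an added example, not code from One Identity Manager; the level names, the helper functions, and the representation of connectors as dictionary entries are assumptions made for the illustration, and the product's own workflow engine is not modelled.

```python
from dataclasses import dataclass
from typing import Dict

# Final outcomes a case reaches once no further approval level is connected.
GRANTED = "finally granted"
DENIED = "finally denied"
WITHDRAWN = "finally denied, entitlement withdrawn automatically"


@dataclass
class ApprovalLevel:
    """One approval level; connector targets are level names or final outcomes (constructed model)."""
    name: str
    approve_to: str          # target of the Approval connector
    deny_to: str             # target of the Deny connector
    automatic: bool = False  # automatic step with external approval (withdrawal level)


def build_workflow(staging: bool, challenge: bool, auto_withdraw: bool) -> Dict[str, ApprovalLevel]:
    """Assemble the optional phases in the order the page requires."""
    levels: Dict[str, ApprovalLevel] = {}
    # A denial in the attestation level goes to the challenge level if there is one,
    # otherwise straight to automatic withdrawal if configured, otherwise it is final.
    after_deny = "challenge" if challenge else ("withdraw" if auto_withdraw else DENIED)
    levels["attestation"] = ApprovalLevel("attestation", GRANTED, after_deny)
    if staging:
        # Denied staging ends the case so corrections can be made; it never reaches challenge.
        levels["staging"] = ApprovalLevel("staging", "attestation", DENIED)
    if challenge:
        # The challenge level sits directly before the withdrawal level.
        levels["challenge"] = ApprovalLevel("challenge", GRANTED, "withdraw" if auto_withdraw else DENIED)
    if auto_withdraw:
        levels["withdraw"] = ApprovalLevel("withdraw", WITHDRAWN, WITHDRAWN, automatic=True)
    return levels


def run_case(levels: Dict[str, ApprovalLevel], decisions: Dict[str, bool]) -> str:
    """Route one attestation case along the connectors given each level's decision (True = approve)."""
    current = "staging" if "staging" in levels else "attestation"
    while current in levels:
        level = levels[current]
        if level.automatic:
            return level.approve_to  # no human decision: the step runs and ends the case
        if current not in decisions:
            raise KeyError(f"no decision recorded for level {current!r}")
        current = level.approve_to if decisions[current] else level.deny_to
    return current
```

Running `run_case` with a few decision sets shows, for example, that a denied staging step never reaches the challenge level, and that an approved challenge overrides the earlier denial.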