Attested identities can themselves be determined as attestors and thus influence the approval sequence. The following approval procedures can be used for this:
For example, an identity can attest to the correctness of their own main data to confirm that it has been entered correctly. The approval procedure is used by default to assign managers to identities that do not have a manager assigned to them (Attestation of initial manager assignment attestation policy).
Attestation base objects:
- Identities (Person)

Attestors:
- Identity to attest.
Approval procedure used to challenge denied attestations. For example, affected identities can prevent necessary entitlements from being removed. For more information, see Setting up the challenge phase.
Attestation base objects:
- Identities: memberships in application roles (PersonInAERole)
- Identities: department memberships (PersonInDepartment)
- Identities: location memberships (PersonInLocality)
- Identities: cost center memberships (PersonInProfitCenter)
- Identities: business role memberships (PersonInOrg)
- Identities: system role assignments (PersonHasESet)
- All target system user accounts; for example, Microsoft Entra ID user accounts (AADUser) or User accounts (UNSAccountB)
- User account assignments to system entitlements in all target systems; for example, User accounts: system entitlement assignments (UNSAccountInUNSGroup)

Attestors:
- Identity with assignments to attest or that is connected to the user account to attest.