Chatta subito con l'assistenza
Chat con il supporto

Identity Manager On Demand - Starling Edition Hosted - Attestation Administration Guide

Attestation and recertification
One Identity Manager users for attestation Attestation base data Attestation types Attestation procedure Attestation schedules Compliance frameworks Chief approval team Attestation policy owners Standard reasons for attestation Attestation policies Sample attestation Grouping attestation policies Custom mail templates for notifications Suspending attestation Automatic attestation of policy violations
Approval processes for attestation cases
Approval policies for attestations Approval workflow for attestations Selecting attestors Setting up multi-factor authentication for attestation Prevent attestation by identity awaiting attestation Automatic acceptance of attestation approvals Phases of attestation Attestation by peer group analysis Approval recommendations for attestations Managing attestation cases
Attestation sequence Default attestations Mitigating controls Setting up attestation in a separate database Configuration parameters for attestation

Using product owners to find attestors

Use the approval procedure OA to determine whether product owners can be attestors. The following objects can be attested with this procedure:

  • Service items

  • System entitlements

  • System entitlement assignments to user accounts or system entitlements

  • System role assignments to identities


  • A service item must be assigned to the system entitlements and system roles.
  • There must be an application role for product owners assigned to the service item.

All identities assigned to the assigned application role are determined as attestors.

Using owners of a privileged object to find attestors

Installed modules: Privileged Account Governance Module

Use the OP approval procedure if you want to allow privileged objects in a Privileged Account Management system, for example, PAM assets or PAM directory accounts, to be attested by their owners. The owners attest the possible user accord to these privileged objects. The owners of the privileged objects must have the Privileged Account Governance | Asset and account owners application role or a child application role.

Using additional Active Directory group owners to find attestors

Installed modules:

Active Roles Module

If the Active Directory group is attested, the attestor can be determined through additional owners of this Active Directory group. Use the PA approval procedure for this purpose. This finds all identities that are:

  • A member in the assigned Active Directory group through their Active Directory user account

  • Linked to the assigned Active Directory user account

NOTE: Only use the PA approval procedure if the TargetSystem | ADS | ARS_SSM configuration parameter is enabled. The column Additional owners is only available in this case.

Using owners of the attestation objects to find attestors

When you assign new owners to devices or system entitlements in the Web Portal, the new owner should agree with this assignment. An attestation with the PO approval procedure is carried out for this purpose.

Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione