Using additional Active Directory group owners to find attestors
Active Roles Module
If the Active Directory group is attested, the attestor can be determined through additional owners of this Active Directory group. Use the PA approval procedure for this purpose. This finds all employees that are:
NOTE: Only use the PA approval procedure if the TargetSystem | ADS | ARS_SSM configuration parameter is enabled. The column Additional owners is only available in this case.
Using owners of the attestation objects to find attestors
When you assign new owners to devices or system entitlements in the Web Portal, the new owner should agree with this assignment. An attestation with the PO approval procedure is carried out for this purpose.
Using employees assigned to user accounts to find attestors
If you want to allow user accounts to be attested by the employees assigned to them, use the EA approval procedure. This approval procedure can be used if the Target System Base Module is installed.
Determining attested employee as attestor
An employee can attest to the correctness of their own main data to confirm that it has been entered correctly, for example. Use the CS approval procedure to do this. Employees are the base object for attestation. The approval procedure is used by default to assign managers to employees who do not have a manager assigned to them (Attestation of initial manager assignment attestation policy).
When user accounts, memberships in roles and organizations, or memberships in system entitlements are attested, the CN decision procedure determines whether the employee to whom these objects are assigned can be an attestor. The CN approval procedure is used to challenge denied attestations. For example, affected employees can prevent necessary entitlements being removed. For more information, see Setting up the challenge phase.