Chatta subito con l'assistenza

Ottieni assistenza in tempo reale
Completa la registrazione

Accedi

Richiedi prezzo

Contatta il supporto vendite

Identity Manager 9.1 - Attestation Administration Guide

Table of Contents

Attestation and recertification

One Identity Manager users for attestation Attestation base data Attestation types

Default attestation types Additional tasks for attestation types

Overview of the attestation type Assigning attestation procedures

Attestation procedure

General main data of an attestation procedure Templates for attestation procedures Providing information about attestation objects

Defining reports for attestation Defining snapshot content

Default attestation procedures Additional tasks for attestation procedures

Overview of the attestation procedure Assigning approval policies Creating a copy

Attestation schedules

Default schedules Additional tasks for schedules

Schedule overview Assigning attestation policies Starting schedules immediately

Compliance frameworks

Additional tasks for compliance frameworks

Compliance framework overview Assigning attestation policies

Chief approval team Attestation policy owners Standard reasons for attestation

Predefined standard reasons for attestations

Attestation policies

General main data of attestation policies Specifying risk indexes for attestation guidelines Default attestation policies Additional tasks for attestation policies

The attestation policy overview Assigning approvers to attestation policies Assigning compliance frameworks to attestation policies Mitigating controls

Assigning mitigating controls Creating mitigating controls

Running attestation for single objects Showing or hiding conditions Copy attestation policies Showing selected objects Deleting attestation policies

Disabling attestation policies Reports about attestations

Sample attestation

Creating, editing, deleting samples General main data of samples Managing sample data Generating sample data automatically Using samples with attestation policies Displaying the sample overview Default sample for attesting memberships in system entitlements

Grouping attestation policies

Creating and editing policy collections General main data of policy collections Assigning policy collections to attestation policies Disabling policy collections Deleting policy collections

Custom mail templates for notifications

Creating and editing attestation mail templates General properties of a mail template Creating and editing a mail definition

Using base object properties Use of hyperlinks in the Web Portal

Default functions for creating hyperlinks

Customizing email signatures

Copying mail templates for attestation Displaying attestation mail templates previews Deleting mail templates for attestation Custom notification processes

Suspending attestation

Approval processes for attestation cases

Approval policies for attestations

General main data of approval policies Default approval policies Additional tasks for approval policies

Editing approval workflows Validity checking

Approval workflow for attestations

Working with the workflow editor Setting up approval workflows

Editing approval levels Editing approval steps Properties of an approval step Connecting approval levels

Additional tasks for approval workflows

The approval workflow overview Copying approval workflows

Deleting approval workflows Default approval workflows

Selecting attestors

Default approval procedures

Using attestation policies to find attestors Using roles of employees to be attested to find attestors Using attestation objects to find attestors Determining attestors using the attestation objects' service item Using attestation object managers to find attestors Using persons responsible for attestation objects to find attestors Using a specified role to find attestors Using product owners to find attestors Using owners of a privileged object to find attestors Using additional Active Directory group owners to find attestors Using owners of the attestation objects to find attestors Using employees assigned to user accounts to find attestors Determining attested employee as attestor Determining attestation policy owners Calculated approval Approvals to be made externally Waiting for further approval

Setting up approval procedures

General main data of an approval procedure Queries for finding attestors

Additional tasks for approval procedures

Overview of the approval procedure Specifying permitted approval procedures for tables Copying an approval procedure

Deleting approval procedures Determining the responsible attestors

Setting up multi-factor authentication for attestation Prevent attestation by employee awaiting attestation Phases of attestation

Setting up the staging phase Criteria for the Staging phase Setting up the challenge phase Setting up withdrawal of entitlements

Attestation by peer group analysis

Configuring peer group analysis for attestations

Managing attestation cases

Getting more information Appointing other attestors Escalating an attestation case Attestors cannot be established Automatic approval on timeout Halting an attestation case on timeout Attesting by chief approval team

Attestation sequence

Starting attestation Additional tasks for attestation cases

Attestation case overview Approval sequence Attestation history Reports about attestation cases

Modifying approval workflows for pending attestation cases Closing attestation cases for deactivated employees Deleting attestation cases Notifications in the attestation case

Requesting attestation Reminding attestors Scheduling attestation requests Reminding attestors about attestation objects Granting or denying attestation cases Notifying delegates Canceling attestation cases Escalation of attestation cases Delegating attestations Rejecting approvals Notifications with questions Notifications from additional attestors Link for verifying new external users Default mail templates

Attestation by mail

Processing attestation mails

Adaptive cards attestation

Using adaptive cards for attestations Adding and deleting recipients and channels Creating, editing, and deleting adaptive cards for attestations Creating, editing, and deleting adaptive cards templates for attestations General main data for adaptive cards Deploying and evaluating adaptive cards for attestations Disabling adaptive cards

Default attestation and withdrawal of entitlements

Attesting system entitlements System role attestation Application role attestation Business role attestation

User attestation and recertification

One Identity Manager users for attesting and recertifying users Configuring user attestation and recertification Attesting new users

Self-registration of new users in the Web Portal Adding new employees using a manager or employee administrator Importing new employee main data Scheduled attestation Limiting attestation objects for certification

Recertifying existing users

Preparing for recertification The recertification sequence Limiting attestation objects for recertification

Certifying new roles and organizations

One Identity Manager users for certifying roles and organizations Configuring certification of new departments Configuring certification of new cost centers Configuring certification of new locations Configuring certification of new business roles Configuring certification of new application roles

Mitigating controls

General main data of mitigating controls Additional tasks for mitigating controls

Mitigating controls overview Assigning attestation policies

Calculating mitigation

Setting up attestation in a separate database

Requirements for the central database Setting up work databases Setting up synchronization between central and work databases Setting up and running attestations in the work database

Configuration parameters for attestation

Setting up the staging phase

For a staging phase, an approval level is inserted at the beginning of the approval workflow, in which the owners of the attestation policy are identified as approvers. All attestation cases in an attestation run are thus submitted to a single employee (AttestationPolicy.UID_PersonOwner) or a group of employees (AttestationPolicy.UID_AERoleOwner) for review.

For example, a staging phase can be set up when the attestation policy or its components (attestation procedures, approval workflow, and so on) have been newly created and need to be tested to see if they deliver the expected results.

To set up a staging phase

In the Manager, create a new approval workflow or edit an existing approval workflow.
Add a new approval level at the beginning of the workflow and enter the approval step properties.
- Approval procedure: PW - owner of the attestation policy.
Drag the Approval connector from the decision level for testing to the next decision level.
Save the changes.
Assign an approval policy to the approval workflow.
Assign an attestation policy to the approval policy.
Assign a single owner or an application role as owner to the attestation policy.

Edit the main data of the attestation procedure assigned to the attestation policy.

On the Template tab, in the Text template field, enter a text to describe the reviewers' and attestors' task.

Example:

For reviewer: Does the attestation case contain the correct data for the attestation object and will the correct attestors be identified?
For attestors: Is the attestation object data correct and up-to-date?

Save the changes.

This workflow configuration starts the attestation phase once the attestation policy owners has approved staging. If the approval step is denied, attestation for the current attestation case is finally denied and the necessary corrections can be made.

Detailed information about this topic

Related topics

Criteria for the Staging phase

In the staging phase, at the beginning of each attestation run of the attestation policy, the generated attestation cases are checked for correctness. Staging criteria can be:

Attestation scope

Will too many or too few attestation cases be created?

-> Does the condition of the attestation policy need to be worded differently?
Attestation sequence

Will the correct attestors be identified in the correct order?

-> Must the application workflow be changed?
Details of the attestation objects that the attestors see
- Is too much or too little detailed information displayed?
  
  -> Does the report on attestation procedure or the content of the snapshot need to be changed?
- Is incorrect information shown?
  
  -> Must the attestation object's main data need to be corrected?

If errors are found only in individual attestation cases, you can deny these attestations and make the necessary corrections to the attestation objects. All other attestation cases can be approved and continue down the approval process.

If fundamental issues are found with the attestation policy, the attestation procedure, or the approval workflow used, you can flag all pending attestation procedures, deny them all together, and then make the necessary corrections.

Related topics

Setting up the challenge phase

If an attestation is finally denied, the employees affected can be given the opportunity to challenge this decision. The challenge may be particularly useful if entitlements are to be automatically withdrawn following denied attestations. Those affected can prevent this in the final instance.

To set up the challenge phase

In the Manager, edit an approval workflow and add a new approval level at the end of the workflow.
Enter the approval step properties.
- Approval procedure: CN - Challenge the decision
If the workflow includes an approval level for automatically withdrawing attested entitlements , the challenge approval level must be inserted directly before it.
Drag the Deny connector from the previous approval level to the challenge approval level.
(Optional) Drag the Deny connector from the challenge approval level to the approval level for automatically withdrawing entitlements .
Save the changes.
Assign an approval policy to the approval workflow.
Assign an attestation policy to the approval policy.

It is possible to challenge if attesting user accounts, memberships in roles and organizations, or memberships in system entitlements.
Edit the main data of the attestation procedure assigned to the attestation policy.
- On the Template tab, in the Text template field, enter a text to describe the attestors task.
  
  Example:
```
For attestors: Is the attestation object data correct and up-to-date?
For affected: Challenge the deny decision?
- Yes: Approval granted
- No: Approval denied
```
Save the changes.

This workflow configuration finally approves an attestation if the challenge step is approved, meaning denial is successfully challenged. The attestation is finally denied if the challenge step is denied, meaning the attestors' approval decision is accepted. If automatic withdrawal of entitlements is configured, the attested assignment is then automatically removed.

Detailed information about this topic

Related topics

Setting up withdrawal of entitlements

If an attestation is denied in the end, the denied entitlements can be removed immediately. To do this, an automatic approval step with external approval is added to the end of the approval workflow.

To setup automatic withdrawal of entitlements

In the Manager, edit an approval workflow and add a new approval level at the end of the workflow.
Enter the approval step properties.
- Approval procedure: EX - Approvals to be made externally
- Event: AUTOREMOVE
Drag the Deny connector from the previous approval level to the approval level for automatically withdrawing entitlements.
Save the changes.
Assign an approval policy to the approval workflow.
Assign an attestation policy to the approval policy.

Automatic withdrawal of entitlements is possible if attesting memberships or assignments to application roles, business role, system roles, or system entitlements.
Save the changes.

In the Designer, set the QER | Attestation | AutoRemovalScope configuration parameter and the configuration subparameters.
If the entitlements were obtained through IT Shop, specify whether these requests should be unsubscribed or canceled. To do this, set the QER | Attestation | AutoRemovalScope | PWOMethodName configuration parameter and select a value.
- Abort: Requests are canceled. In this case, they do not go through a cancellation workflow. The requested entitlements are withdrawn without additional checks.
- Unsubscribe: Requests are unsubscribed. They go through the cancellation workflow defined in the approval policies. Withdrawal of the entitlement can thus be subjected to an additional check.
  
  If the cancellation is denied, the entitlement is not withdrawn even though the attestation has been denied.
If the configuration parameter is not set, the requests are canceled.

Detailed information about this topic

Related topics

Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione

© ALL RIGHTS RESERVED. Feedback Termini di utilizzo Privacy Cookie Preference Center