If you want to attest system entitlements and the user accounts assigned to them, use the ED, EM, EN, EO, or SO approval policies. Use the approval procedures AM, MD, or SO to attest user accounts. Attestation objects are user accounts, system entitlements together with the user accounts assigned to them, and system roles that have system entitlements or system roles assigned to them.
You use the KA approval procedure to attest Active Directory groups and group memberships. This approval procedure is only available if the Active Roles Module is present.
The approval procedures determine the following attestors.
| Approval procedure | Attestation base objects | Attestors | Available in Module |
|---|---|---|---|
| AM | User accounts (UNSAccount) | Employee’s department manager to whom the user account is connected. | Target System Base Module |
| ED | User accounts: system entitlement assignments (UNSAccountInUNSGroup) | Employee’s department manager (and deputy manager) to whom the user account is connected. The assigned primary department is used in this case. | Target System Base Module |
| EM | User accounts: system entitlement assignments (UNSAccountInUNSGroup) | Employee’s department manager to whom the user account is connected. | Target System Base Module |
| EN | User accounts: system entitlement assignments (UNSAccountInUNSGroup)<br>System entitlements (UNSGroup) | Target system manager of the target system area to which the system entitlement belongs. | Target System Base Module |
| EO | System roles: assignments (ESetHasEntitlement)<br>All user account assignments to system entitlements; for example, User accounts: system entitlement assignments (UNSAccountInUNSGroup) or SAP user accounts: assignments to roles (SAPUserInSAPRole)<br>All system entitlement or system role assignments to roles; for example, Roles and organizations: Active Directory group assignments (BaseTreeHasADSGroup) or Locations: EBS entitlement assignments (LocalityHasEBSResp) | Product owner of the service item to which the system entitlement or system role is assigned. | Target System Base Module or System Roles Module |
| MD | User accounts (UNSAccount) | Employee’s department manager (and deputy manager) to whom the user account is connected. The assigned primary department is used in this case. | Target System Base Module |
| SO | User accounts: system entitlement assignments (UNSAccountInUNSGroup)<br>User accounts (UNSAccount)<br>System entitlements: assignments to system entitlements (UNSGroupInUNSGroup) | Target system manager for the target system to which the system entitlement or user account belongs. | Target System Base Module |
| KA | Active Directory groups (ADSGroup)<br>Active Directory user accounts: group assignments (ADSAccountInADSGroup)<br>User accounts: system entitlement assignments (UNSAccountInUNSGroup)<br>System entitlements (UNSGroup) | Product owner and additional owner of the Active Directory group. If the groups were added automatically to the IT Shop, the account managers are identified as product owners. The additional owners of the Active Directory groups are determined only if the TargetSystem \| ADS \| ARS_SSM configuration parameter is enabled. For more information about these functions, see the One Identity Manager Administration Guide for One Identity Active Roles Integration. | Active Roles Module |