The attestation object can also be determined as the attestor in an attestation case. which means the employees to be attested can attest themselves. To prevent this, set the QER | Attestation | PersonToAttestNoDecide configuration parameter.
Changing the configuration parameter only affects new attestation cases. Attestors are not recalculated for existing attestation cases.
The configuration parameter setting also applies for fallback approvers; it does not apply to the chief approval team.
If the Approval by affected employee option is set on an approval step, this configuration parameter has no effect.
To prevent employees from attesting themselves
This configuration parameter affects all attestation cases in which employees included in the attestation object or in object relations, are attestors at the same time. The following employees are removed from the group of attestors.
Employees included in AttestationCase.ObjectKeyBase
Employees included in AttestationCase.UID_ObjectKey1, ObjectKey2, or ObjectKey3
Employees' main identities
All subidentities of these main identities
If the configuration parameter is not set or if Approval by affected employee is enabled for the approval step, these employees can attest themselves.
Properties of an approval step
Using peer group analysis, approval for attestation cases can be granted or denied automatically. For example, a peer group might be all employees in the same department. Peer group analysis assumes that these employees require the same system entitlements. For example, if the majority of employees belonging to a department have a system entitlement, assignment to another employee in the department can be carried out automatically. This helps to accelerate approval processes.
Peer group analysis can be used during attestation of the following memberships:
- Assignment of system entitlements to user account (UNSAccountInUNSGroup table)
- Secondary memberships in business role (PersonInOrg table)
Peer groups contain all employees with the same manager or belonging to the same primary or secondary department as the employee linked to the attestation object (= employee to be attested). Configuration parameters specify which employee belong to the peer group. At least one of the following configuration parameters must be set.
QER | Attestation | PeerGroupAnalysis | IncludeManager: Employees with the same manager as the employee being attested
QER | Attestation | PeerGroupAnalysis | IncludePrimaryDepartment: Employees who belong to the same primary department as the employee being attested
QER | Attestation | PeerGroupAnalysis | IncludeSecondaryDepartment: Employees whose secondary department corresponds to the primary or secondary department of the employee being attested
The number of employees in a peer group that must already own the membership to be attested is set by a threshold in the QER | Attestation | PeerGroupAnalysis | ApprovalThreshold configuration parameter. The threshold specifies the ratio of the total number of employees in the peer group to the number of employees in the peer group who already own this membership.
You can also specify that employees are not permitted to own cross-functional memberships, which means, if the membership and the employee being attested belong to different functional areas, the attestation case should be denied approval. To include this check in peer group analysis, set the QER | Attestation | PeerGroupAnalysis | CheckCrossfunctionalAssignment configuration parameter.
Whether a membership is cross-functional or not can only be tested if the following conditions are fulfilled.
The employee being attested and the member of the peer group requested the membership in the IT Shop.
The employee being attested is assigned a primary department and this department is assigned a function area.
The service item that the membership is assigned to, is assigned a functional area.
Attestation cases are automatically approved for fully configured peer group analysis, if both:
If this is not the case, attestation cases are automatically denied.
To use this functionality, One Identity Manager provides the QER_PersonWantsOrg_Peer group analysis process and the PeergroupAnalysis event. The process is run using an approval step with the EX approval procedure.
Detailed information about this topic
During attestation, you may find it necessary to assign someone else as default attestor responsible for the attestation because, for example, the actual attestor is absent. You may require additional information about an attestation object. One Identity Manager offers different possibilities to intervene in an open attestation case.