Recertifying existing users
IMPORTANT: Access to connected target systems may possibly be denied to One Identity Manager users as a result of recertification. You can configure this behavior to meet your company’s requirements. Read the following section thoroughly before you use the recertification function.
One Identity Manager provides an attestation policy for performing cyclical attestation of existing users allowing companies to regularly test and authorize employee main data stored in the One Identity Manager database. Cyclical attestation is triggered through a scheduled task. This resets the certification status for all employees stored in the database. One Identity Manager uses the same procedure for this as for attesting new users. The case is referred to as recertification.
Result of recertification
-
Certified, activated employees who can access all entitlements assigned to them in One Identity Manager and the connected target systems.
Company resources are inherited. Account definitions are assigned to internal employees.
- OR -
-
Denied and permanently deactivated employees.
Disable employees cannot log in to One Identity Manager tools. Company resources are not inherited. Account definitions are not automatically assigned. User accounts associated with the employee are also locked or deleted. You can customize the behavior to meet your requirements.
Preparing for recertification
To set up regular user attestation
-
In the Designer, set the required configuration parameters.
- Create a schedule and assign it to the User recertification attestation policy. By doing this, you replace the schedule assigned by default.
Detailed information about this topic
Related topics
The recertification sequence
One Identity Manager uses the same method for recertification as for certification of new users. User recertification is triggered when all the following are true:
-
The QER | Attestation | UserApproval configuration parameter is set.
-
No Import data source is stored with the employee or the Import data source is not E-Business Suite.
-
The processing time in the schedule stored for the User recertification attestation policy has been reached.
Internal employees are attested by their manager. If an employee is not assigned a manager, the employee administrator assigns an initial manager for them. Only employee administrators can ultimately deny recertification. If a manager denies recertification, the case is always returned to the employee administrators to decide approval.
External employees are attested by members of the Identity & Access Governance | Attestation | Attestors for external users application role.
If the External option is not set for an employee, attestation takes place as described in the Adding new employees using a manager or employee administrator section, step 5.
If the External option is set for the employee, attestation takes place as described in the Self-registration of new users in the Web Portal section, steps 4 to 5.
The attestors are determined using the Certification of users approval policy.
Limiting attestation objects for recertification
IMPORTANT: In order to customize the User recertification default attestation policy, you must make changes to One Identity Manager objects. Always use a custom copy of the relevant object to make these changes.
All employees saved in the database are recertified using the User recertification attestation policy supplied in One Identity Manager. It may be necessary to limit recertification of new users to a certain group of employees, for example, if only employees in a specific departments should be attested. To do this, you can extend the condition attached to the attestation policy. Create a custom attestation policy for this.
The following objects must be changed so that recertification of users can be carried out with this attestation policy. Always create a copy of the respective object to do this.
-
User recertification attestation policy
-
VI_Attestation_AttestationCase_Person_Approval_Granted process
-
VI_Attestation_AttestationCase_Person_Approval_Dismissed process
IMPORTANT: In order for recertification to run correctly in the Web Portal, the default Certification of users attestation procedure and the default Certification of users approval policy must be assigned to the attestation policy.
The default attestation procedure, the default approval policy, and the default Certification of users approval workflow must not be changed.
To customize default recertification of users
-
Copy the User recertification attestation policy and customize it.
Table 58: Attestation policy properties
Attestation procedure |
Certification of users. |
Approval policies |
Certification of users. |
Editing conditions |
Copy the default condition without modification so that the correct attestation object is selected.
To limit the number of attestation objects, you can add additional partial conditions to the database query. |
-
In the Designer, copy the VI_Attestation_AttestationCase_Person_Approval_Granted process of the AttestationCase base object and customize the copy.
Table 59: Process properties with changes
Pre-script for generating |
Replace the UID of the User recertification attestation policy with the UID of the new attestation policy. |
Generating condition |
-
In the Designer, copy the VI_Attestation_AttestationCase_Person_Approval_Dismissed process of the AttestationCase base object and customize the copy.
Table 60: Process properties with changes
Pre-script for generating |
Replace the UID of the User recertification attestation policy with the UID of the new attestation policy. |
Generating condition |
For detailed information about editing processes, see the One Identity Manager Configuration Guide.
Detailed information about this topic