지금 지원 담당자와 채팅
지원 담당자와 채팅

Identity Manager 9.0 LTS - Attestation Administration Guide

Attestation and recertification
One Identity Manager users for attestation Attestation base data Attestation types Attestation procedure Attestation schedules Compliance frameworks Chief approval team Attestation policy owners Standard reasons for attestation Attestation policies Sample attestation Grouping attestation policies Custom mail templates for notifications Suspending attestation
Approval processes for attestation cases
Approval policies for attestations Approval workflow for attestations Selecting attestors Setting up multi-factor authentication for attestation Prevent attestation by employee awaiting attestation Attestation by peer group analysis Managing attestation cases
Attestation sequence Default attestation and withdrawal of entitlements User attestation and recertification Mitigating controls Setting up attestation in a separate database Configuration parameters for attestation

Specifying permitted approval procedures for tables

You can only assign selected approval policies to attestation procedures. The approval policies permitted depend on the approval procedures applied in the approval policies and on the table that forms the attestation base object for an attestation procedure.

You specify which tables are permitted for use with custom approval procedures.

If you want to use custom tables with the default approval procedures AS, CD, EX, OM, OR, or WC then assign these table to the approval procedures.

To specify the tables that permit this approval procedure

  1. In the Manager, select the Attestation > Basic configuration data > Approval procedures category.

  2. Select an approval procedure from the result list.

  3. Select the Assign tables task.

    In the Add assignments pane, assign the tables to which the approval procedure can be assigned.

    TIP: In the Remove assignments pane, you can remove table assignments.

    To remove an assignment

    • Select the table and double-click .

  4. Save the changes.

You can see which tables allow an approval procedure on the approval procedure overview form.

Related topics

Copying an approval procedure

You can copy default approval procedures in order to customize them.

To copy an approval procedure

  1. In the Manager, select the Attestation > Basic configuration data > Approval procedures category.

  2. Select an approval procedure in the result list. Select the Change main data task.

  3. Select the Create copy task.

  4. Confirm the security prompt with Yes.

  5. Enter the short name for the copy.

    The short name for an approval procedure consists of a maximum of two characters.

  6. Click OK to start copying.

    - OR -

    Click Cancel to cancel copying.

Deleting approval procedures

To delete an approval procedure

  1. Remove all assignments to approval steps.

    1. On the approval procedure overview form, check which approval steps are assigned to the approval procedure.

    2. Switch to the approval workflow and assign another approval procedure to the approval step.

  2. In the Manager, select the Attestation > Basic configuration data > Approval procedures category.

  3. Select an approval procedure from the result list.

  4. Click .

  5. Confirm the security prompt with Yes.
Related topics

Determining the responsible attestors

The DBQueue Processor calculates which employee is authorized as an approver and in which approval level. Once an attestation is triggered, the attestors are determined for every approval step of the workflow to be processed. Changes to responsibilities may lead to an employee no longer being authorized as an approver for an attestation that is not yet finally approved. In this case, the attestors must be recalculated. The following changes can trigger recalculation of pending attestations:

  • Approval policy, workflow, step, or procedure changes.

  • An authorized approver loses their responsibility in One Identity Manager, for example, if a change is made to the department manager, attestation policy approver, or target system manager.

  • An employee obtains responsibilities in One Identity Manager and therefore is authorized as an approver, for example as the manager of the employee to be attested.

  • An employee authorized as an approver is deactivated.

Once an employee's responsibilities have changed in One Identity Manager, a task for recalculating the attestors is queued in the DBQueue. All approval steps of the pending attestation cases are also recalculated by default. Approval steps that have already been approved remain approved, even if their attestor has changed. Recalculating attestors may take a long time depending on the configuration of the system environment and the amount of data to be processed. To optimize this processing time, you can specify the approval steps for which the attestors are to be recalculated.

To configure recalculation of the attestors

  • In the Designer, set the QER | Attestation | ReducedApproverCalculation configuration parameter and select one of the following options as the value.

    Table 32: Options for recalculating attestors
    Option Description

    No

    All approval steps are recalculated. This behavior also applies if the configuration parameter is not set.

    Advantage: All valid attestors are displayed in the approval process. The rest of the approval sequence is transparent.

    Disadvantage: Recalculating attestors may take a long time.

    CurrentLevel

    Only the attestors for the approval level that is currently to be edited are recalculated. Once an approval level has been approved, the attestors are determined for the next approval level.

    Advantage: The number of approval levels to calculate is lower. Calculating the attestors may be faster.

    TIP: Use this option if performance problems occur in your environment in connection with the recalculation of attestors.

    Disadvantage: The originally calculated attestors are still displayed in the approval sequence for each subsequent approval step, even though they may no longer have approval authorization. The rest of the approval sequence is not correctly represented.

    NoRecalc

    No recalculation of attestors. The previous attestors remain authorized to approve the current approval level. Once an approval level has been approved, the attestors are determined for the next approval level.

    Advantage: The number of approval levels to calculate is lower. Calculating the attestors may be faster.

    TIP: Use this option if performance problems occur in your environment in connection with the recalculation of attestors, even though the CurrentLevel option is used.

    Disadvantage: The originally calculated attestors are still displayed in the approval sequence for each subsequent approval step, even though they may no longer have approval authorization. The rest of the approval sequence is not correctly represented. Employees that are no longer authorized can approve the current approval level.

    In the worst-case scenario, the only attestors originally calculated here now have no access to One Identity Manager, for example, because they have left the company. The approval level cannot be approved.

    To see approval steps of this type through

    • Define a timeout and timeout behavior when you set up the approval workflows on the approval steps.

      - OR -

    • When setting up the attestation, assign members to the chief approval team. These members can access pending attestation cases at any time.

Detailed information about this topic
Related topics
관련 문서

The document was helpful.

평가 결과 선택

I easily found the information I needed.

평가 결과 선택