The following configuration parameters are additionally available in One Identity Manager after the module has been installed. Some general configuration parameters are relevant for attestation. The following table contains a summary of all applicable configuration parameters for attestation.
Configuration parameter |
Description |
---|---|
QER | Attestation |
Preprocessor relevant configuration parameter for controlling the model parts for attestation. Changes to the parameter require recompiling the database. If the parameter is enabled, you can use the attestation function. If you disable the configuration parameter at a later date, model components and scripts that are no longer required are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide. |
QER | Attestation | AllowAllReportTypes |
This configuration parameter specifies whether all report formats are permitted for attestation policies. By default, only PDF is allowed because it is the only audit-secure format. |
QER | Attestation | ApproveNewExternalUsers |
This configuration parameter specifies whether new external users must be attested before they are enabled. |
QER | Attestation | |
If this configuration parameter is set, pending attestation cases for an employee are closed when this employee is permanently deactivated. |
QER | Attestation | AutoRemovalScope |
General configuration parameter for defining automatic withdrawal of memberships/assignments if attestation approval is not granted. |
QER | Attestation | AutoRemovalScope | |
Determines default behavior for automatic removal of application role memberships if attestation approval is not granted. |
QER | Attestation | AutoRemovalScope | |
If this configuration parameter is set, it ends the application role delegation if attestation approval is not granted. |
QER | Attestation | AutoRemovalScope | |
If this configuration parameter is set, the employee’s membership of the application role is removed if attestation approval is not granted. This removes all indirect assignments obtained by the employee through this application role! |
QER | Attestation | AutoRemovalScope | |
If this configuration parameter is set, the request for membership of the application role is canceled if attestation approval is not granted. |
QER | Attestation | AutoRemovalScope | AERoleMembership | RemoveDynamicRole |
If this configuration parameter is set, the employee is excluded from the application role's dynamic role if attestation approval is not granted. This removes all indirect assignments obtained by the employee through this application role! |
QER | Attestation | AutoRemovalScope | DepartmentHasESet |
Determines default behavior for automatic removal of system role assignments to departments if attestation approval has been denied. |
QER | Attestation | AutoRemovalScope | DepartmentHasESet | RemoveDirect |
If this configuration parameter is set, system role to department assignments are removed if attestation approval is not granted. |
QER | Attestation | AutoRemovalScope | DepartmentHasUNSGroup |
Determines default behavior for automatic removal of system entitlement assignments to departments if attestation approval has been denied. |
QER | Attestation | AutoRemovalScope | DepartmentHasUNSGroup | RemoveDirect |
If this configuration parameter is set, system entitlement to department assignments are removed if attestation approval is not granted. |
QER | Attestation | AutoRemovalScope | |
Determines default behavior for automatic removal of system role memberships if attestation approval is not granted. |
QER | Attestation | AutoRemovalScope | |
If this configuration parameter is set, it ends the role delegation through which the employee obtained the system role if attestation approval is not granted. This removes all indirect assignments obtained by the employee through this role. |
QER | Attestation | AutoRemovalScope | |
If this configuration parameter is set, the direct user account membership in the system role will be removed if attestation approval is not granted. This removes all indirect assignments obtained by the employee through the system role. |
QER | Attestation | AutoRemovalScope | |
If this configuration parameter is set, the secondary membership of the employee in the role (organization or business role) through which the employee obtained the system role is removed if attestation approval is not granted. This removes all indirect assignments obtained by the employee through this role. |
QER | Attestation | AutoRemovalScope | |
If this configuration parameter is set, the employee is excluded from the dynamic role through which the employee obtained the system role if attestation approval is not granted. This removes all indirect assignments obtained by the employee through this role. |
QER | Attestation | AutoRemovalScope | |
If this configuration parameter is set, the primary role assignment through which the employee obtained the system role is removed from the employee if attestation approval is not granted. This removes all indirect assignments obtained by the employee through this role. |
QER | Attestation | AutoRemovalScope | |
If this configuration parameter is set, the requested system role is canceled if attestation approval is not granted. This removes all indirect assignments obtained by the employee through the system role. |
QER | Attestation | AutoRemovalScope | |
If this configuration parameter is set, the request for the role through which the employee obtained the system role is canceled if attestation approval is not granted. This removes all indirect assignments obtained by the employee through this role. |
QER | Attestation | AutoRemovalScope | ESetHasEntitlement |
Determines default behavior for automatic removal of system role assignments after attestation approval has been denied. |
QER | Attestation | AutoRemovalScope | ESetHasEntitlement | RemoveDirect |
If this configuration parameter is set, company resource assignments to system roles are removed if attestation approval is denied. |
QER | Attestation | AutoRemovalScope | |
Determines default behavior for automatic removal of united namespace system entitlements if attestation approval is not granted. |
QER | Attestation | AutoRemovalScope | |
If this configuration parameter is set, it ends the role delegation through which the employee obtained the system entitlement if attestation approval is not granted. This removes all indirect assignments obtained by the employee through this role. |
QER | Attestation | AutoRemovalScope | |
If this configuration parameter is set, the direct user account membership in the system entitlement will be removed if attestation approval is not granted. |
QER | Attestation | AutoRemovalScope | |
If this configuration parameter is set, secondary membership of the employee in the role (organization or business role) through which the employee obtained the system entitlement is removed if attestation approval is not granted. This removes all indirect assignments obtained by the employee through this role. |
QER | Attestation | AutoRemovalScope | |
If this configuration parameter is set, the employee is excluded from the dynamic role through which the employee obtained the system entitlement if attestation approval is not granted. This removes all indirect assignments obtained by the employee through this role. |
QER | Attestation | AutoRemovalScope | |
If this configuration parameter is set, the primary role assignment through which the employee obtained the system entitlement is removed from the employee if attestation approval is not granted. This removes all indirect assignments obtained by the employee through this role. |
QER | Attestation | AutoRemovalScope | |
If this configuration parameter is set, the requested system entitlement is canceled if attestation approval is not granted. |
QER | Attestation | AutoRemovalScope | |
If this configuration parameter is set, the request for the role through which the employee obtained the system entitlement is canceled if attestation approval is not granted. This removes all indirect assignments obtained by the employee through this role. |
QER | Attestation | AutoRemovalScope | |
If this configuration parameter is set, the system role assignment through which the employee obtained the system entitlement is removed from the employee if attestation approval is not granted. This removes all indirect assignments obtained by the employee through this system role. NOTE: This configuration parameter is only available if the System Roles Module is installed. |
QER | Attestation | AutoRemovalScope | LocalityHasESet |
Determines default behavior for automatic removal of system role assignments to locations if attestation approval has been denied. |
QER | Attestation | AutoRemovalScope | LocalityHasESet | RemoveDirect |
If this configuration parameter is set, system role to location assignments are removed if attestation approval is not granted. |
QER | Attestation | AutoRemovalScope | LocalityHasUNSGroup |
Determines default behavior for automatic removal of system entitlement assignments to locations if attestation approval has been denied. |
QER | Attestation | AutoRemovalScope | LocalityHasUNSGroup | RemoveDirect |
If this configuration parameter is set, system entitlement to location assignments are removed if attestation approval is not granted. |
QER | Attestation | AutoRemovalScope | OrgHasESet |
Determines default behavior for automatic removal of system role assignments to business roles if attestation approval has been denied. |
QER | Attestation | AutoRemovalScope | OrgHasESet | RemoveDirect |
If this configuration parameter is set, system role to business role assignments are removed if attestation approval is not granted. |
QER | Attestation | AutoRemovalScope | OrgHasUNSGroup |
Determines default behavior for automatic removal of system entitlement assignments to business roles if attestation approval has been denied. |
QER | Attestation | AutoRemovalScope | OrgHasUNSGroup | RemoveDirect |
If this configuration parameter is set, system entitlement to business role assignments are removed if attestation approval is not granted. |
QER | Attestation | AutoRemovalScope | ProfitCenterHasESet |
Determines default behavior for automatic removal of system role assignments to system roles if attestation approval has been denied. |
QER | Attestation | AutoRemovalScope | ProfitCenterHasESet | RemoveDirect |
If this configuration parameter is set, system role to cost center assignments are removed if attestation approval is not granted. |
QER | Attestation | AutoRemovalScope | ProfitCenterHasUNSGroup |
Determines default behavior for automatic removal of system entitlement assignments to system roles if attestation approval has been denied. |
QER | Attestation | AutoRemovalScope | ProfitCenterHasUNSGroup | RemoveDirect |
If this configuration parameter is set, system entitlement to cost center assignments are removed if attestation approval is not granted. |
QER | Attestation | AutoRemovalScope | PWOMethodName |
Method to be run on requests if the requested assignment is to be deleted if attestation approval is not granted. The requests can be unsubscribed (Unsubscribe) or canceled (Abort). If the configuration parameter is not set, the requests are canceled by default. |
QER | Attestation | AutoRemovalScope | |
Determines default behavior for automatic removal of business role memberships if attestation approval is not granted. |
QER | Attestation | AutoRemovalScope | |
If this configuration parameter is set, it ends the business role delegation if attestation approval is not granted. This removes all indirect assignments the employee obtained through this business role. |
QER | Attestation | AutoRemovalScope | |
If this configuration parameter is set, the employee secondary membership in the business role will be removed if attestation approval is not granted. This removes all indirect assignments the employee obtained through this business role. |
QER | Attestation | AutoRemovalScope | |
If this configuration parameter is set, the employee is excluded from the business role's dynamic role if attestation approval is not granted. This removes all indirect assignments the employee obtained through this business role. |
QER | Attestation | AutoRemovalScope | |
If this configuration parameter is set, the request for membership of the business role is canceled if attestation approval is not granted. This removes all indirect assignments the employee obtained through this business role. |
QER | Attestation | AutoRemovalScope | |
Specifies the default behavior for removing assignments from system entitlements to system entitlement if attestation approval is not granted. |
QER | Attestation | AutoRemovalScope | |
If this configuration parameter is set, the system entitlement assignment to a system entitlement is removed if attestation approval is not granted. |
QER | Attestation | |
Sender's default email address for sending automatically generated notifications about attestation cases. Replace the default address with a valid email address. Syntax: sender@example.com Example: NoReply@company.com You can enter the sender's display name in addition to the email address. In this case, ensure that the email address is enclosed in chevrons (<>). Example: One Identity <NoReply@company.com> |
QER | Attestation | MailApproval | |
Name of the user account for authenticating the mailbox used for approval by mail. |
QER | Attestation | MailApproval | AppID |
Exchange Online application ID for authentication with OAuth 2.0. If the value is not set, the Basic or the NTLM authentication method is used. |
QER | Attestation | MailApproval | |
Specifies the way emails are deleted from the inbox. |
QER | Attestation | MailApproval | |
Domain of the user account for authenticating the mailbox used for approval by mail. |
QER | Attestation | MailApproval | |
|
QER | Attestation | MailApproval | |
Microsoft Exchange mailbox to which approvals by mail are sent. |
QER | Attestation | MailApproval | |
Password of the user account for authenticating the mailbox used for approval by mail. |
QER | Attestation | |
This mail template is used to send a notification with an answer to a question from an approver. |
QER | Attestation | |
Mail template used for attestation by mail. |
QER | Attestation | |
This mail template is used to notify approvers that an approval decision has been made for the step they added. |
QER | Attestation | |
This mail template is used to notify approvers that an approval decision has been made for the step they delegated. |
QER | Attestation | |
Mail template for sending a message with a verification link to a new external user. |
QER | Attestation | |
This mail template is used to send a notification with a question from an approver to an employee. |
QER | Attestation | |
This mail template is used for generating an email when there are pending attestations for an approver. If this configuration parameter is not set, a Mail template request or Mail template reminder can be entered for single approval steps. This template is then sent for each individual attestation case. If this configuration parameter is set, single mails are not sent. |
QER | Attestation | NewExternalUserFinalTimeoutInHours |
Number of hours given for new external users to register (default: 24 hrs). |
QER | Attestation | NewExternalUserTimeoutInHours |
Number of hours that the passcode and verification link for new external users are valid (default: 4 hrs). |
QER | Attestation | OnWorkflowAssign |
This configuration parameter specifies how pending attestation cases are handled when a new approval workflow is assigned to the approval policy. |
QER | Attestation | OnWorkflowUpdate |
This configuration parameter specifies how pending attestations are handled when the approval workflow is changed. |
QER | Attestation | PeerGroupAnalysis |
This configuration parameter allows automatic approval of attestation cases by peer group analysis. |
QER | Attestation | PeerGroupAnalysis | ApprovalThreshold |
This configuration parameter defines a threshold for peer group analysis between 0 and 1. The default value is 0.9. |
QER | Attestation | PeerGroupAnalysis | CheckCrossfunctionalAssignment |
This configuration parameter specifies whether functional areas should be taken into account in peer group analysis. If the parameter is set, the attestation case is only approved if the employee linked to the attestation case and the attestation object belong to the same functional area. |
QER | Attestation | PeerGroupAnalysis | IncludeManager |
This configuration parameter specifies whether employees can be added to the peer group who have the same manager as the employee linked to the attestation case. |
QER | Attestation | PeerGroupAnalysis | IncludePrimaryDepartment |
This configuration parameter specifies whether employees can be added to the peer group who are primary members of the primary department of the employee linked to the attestation object. |
QER | Attestation | PeerGroupAnalysis | IncludeSecondaryDepartment |
This configuration parameter specifies whether employees can be added to the peer group who are secondary members of the secondary department of the employee linked to the attestation object. |
QER | Attestation | |
This configuration parameter specifies whether employees to be attested are allowed to approve this attestation case. If the parameter is set, an attestation case cannot be approved by employees who are contained in the attestation object (AttestationCase.ObjectKeyBase) or in the object identifiers 1-3 (AttestationCase.UID_ObjectKey1, ObjectKey2 or ObjectKey3). If the parameter is not set, these employees are allowed to make approval decisions for this attestation case. |
QER | Attestation | PrepareAttestationTimeout |
Number of hours given to generate new attestation cases (default: 48). If exceeded, the process is canceled. |
QER | Attestation | |
This configuration parameter specifies which approval steps are recalculated if modifications require attestors to be redetermined. |
QER | Attestation | UserApproval |
Supports attestation procedures for regularly checking and confirming One Identity Manager users through their Manager. |
QER | Attestation | UserApproval | |
Certification status for new employees. If an employee is added with the certification status 1 = new, data attestation by the employee’s manager is started. |
QER | Attestation | UseWorkingHoursDefinition |
Specifies whether working days should be taken into account when calculating the due date of attestation processes according to the definition in the QBM | WorkingHours configuration parameter. |
QER | CalculateRiskIndex |
Preprocessor relevant configuration parameter controlling system components for calculating an employee's risk index. Changes to the parameter require recompiling the database. If the parameter is enabled, values for the risk index can be entered and calculated. If you disable the configuration parameter at a later date, model components and scripts that are no longer required are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide. |
QER | Person | Starling |
Specifies whether connecting to the One Identity Starling cloud platform is supported. Initiate your subscription within your One Identity on-prem product and join your on-prem solutions to our One Identity Starling cloud platform. This gives your organization immediate access to a number of cloud-delivered microservices, which expand the capabilities of your One Identity on-prem solutions. We will continuously make available new products and features to One Identity Starling. For a free trial of our One Identity Starling offerings and to get the latest product feature updates, visit cloud.oneidentity.com. |
QER | Person | Starling | ApiEndpoint |
Token endpoint for logging in to One Identity Starling. The value is determined by the Starling configuration wizard. |
QER | Person | Starling | ApiKey |
Credential string for logging in to One Identity Starling. The value is determined by the Starling configuration wizard. |
QER | Person | Starling | UseApprovalAnywhere |
This configuration parameter defines whether requests and attestation cases can be approved by adaptive cards. |
QER | Person | Starling | UseApprovalAnywhere | SecondsToExpire |
This configuration parameter specifies the time in seconds by which the adaptive card must be answered. |
QER | WebPortal | BaseURL |
API Server URL. This address is used in mail templates to add hyperlinks to the Web Portal. |
QER | WebPortal | PasswordResetURL |
URL for the Password Reset Portal. This address is used to navigate. |
Common | MailNotification | |
This configuration parameter contains the default language for email notifications if no language can be determined for the recipient. |
Common | MailNotification | Signature |
Data for the signature in email automatically generated from mail templates. |
Common | MailNotification | Signature | Caption |
Signature under the salutation. |
Common | MailNotification | Signature | Company |
Company name. |
Common | MailNotification | Signature | Link |
Link to the company's website. |
Common | MailNotification | Signature | LinkDisplay |
Display text for the link to the company's website. |
Common | MailNotification | |
User account name for authentication on an SMTP server. |
Common | MailNotification | |
User account domain for authentication on the SMTP server. |
Common | MailNotification | |
User account password for authentication on the SMTP server. |
Common | MailNotification | |
Port for SMTP services on the SMTP server (default: 25). |
Common | MailNotification | |
SMTP server for sending notifications. |
Common | MailNotification | |
If this configuration parameter is set, the One Identity Manager Service credentials are used for authentication on the SMTP server. If this configuration parameter is not set, the login data stored in the configuration parameters Common | MailNotification | SMTPDomain and Common | MailNotification | SMTPAccount or Common | MailNotification | SMTPPassword is used. |
Common | ProcessState | PropertyLog |
When this configuration parameter is set, changes to individual values are logged and shown in the process view. Changes to the parameter require recompiling the database. If you disable the configuration parameter at a later date, model components and scripts that are no longer required are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide. |
QBM | WorkingHours | IgnoreHoliday |
The configuration parameter specifies whether holidays are taken into account when calculating working hours. If the configuration parameter is set, holidays are not taken into account. |
QBM | WorkingHours | IgnoreWeekend |
The configuration parameter specifies whether weekends are included in the calculation of working hours. If the configuration parameter is set, holidays are not taken into account. |
ISM |
General configuration parameter for the system synchronization service module. |
ISM | PrimaryDB |
Information about the central database located within the corporate infrastructure. |
ISM | PrimaryDB | AppServer |
Connection parameter for the central database's application server. |
ISM | PrimaryDB | AppServer | AuthenticationString |
Authentication data for establishing a connection using the REST API of the central database's application server. Syntax: Module=<authentication module>;<property1>=<value1>;<property2>=<value2>,… All authentication modules provided by the application server being addressed are allowed. For more information about authentication modules, see the One Identity Manager Authorization and Authentication Guide. |
ISM | PrimaryDB | AppServer | ConnectionString |
Connection parameters for establishing a connection using the REST API of the central database's application server. Syntax: url=<application server URL>[;ClientId=<client ID>;ClientSecret=<secret>;TokenEndpoint=<token endpoint>] |
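
The Syntax lines for ISM | PrimaryDB | AppServer | AuthenticationString and ConnectionString describe semicolon-separated key=value strings that carry credentials. The following Python is an added example, not One Identity code: it parses such a value, reports configuration findings, and masks secrets before the value is written to a log or ticket. Assumptions: key names are matched exactly as spelled in the table, an https URL is expected, the bracketed OAuth keys are treated as an all-or-nothing group, and `Password` is a constructed property name.

```python
from urllib.parse import urlsplit

# Key names exactly as written in the Syntax lines of the table above.
OAUTH_KEYS = ("ClientId", "ClientSecret", "TokenEndpoint")
# Assumption: which keys hold secrets; "Password" is a constructed property name.
SECRET_KEYS = {"clientsecret", "password"}


def parse_pairs(value):
    """Split 'key=value;key=value' into a dict; only the first '=' separates."""
    pairs = {}
    for index, part in enumerate(value.split(";"), start=1):
        if not part.strip():
            continue  # tolerate a trailing ';'
        key, sep, val = part.partition("=")
        key = key.strip()
        if not sep or not key:
            # Report the position only: the segment may be part of a secret.
            raise ValueError(f"segment {index} is not a key=value pair")
        if key in pairs:
            raise ValueError(f"duplicate key: {key}")
        pairs[key] = val.strip()
    return pairs


def _is_https(url):
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.netloc)


def check_connection_string(value):
    """Return findings for a ConnectionString value (empty list = none)."""
    pairs = parse_pairs(value)
    findings = []
    if not pairs.get("url"):
        findings.append("url is missing")
    elif not _is_https(pairs["url"]):
        findings.append("url does not use https")
    present = [k for k in OAUTH_KEYS if pairs.get(k)]
    if present and len(present) < len(OAUTH_KEYS):
        missing = [k for k in OAUTH_KEYS if k not in present]
        findings.append("OAuth settings incomplete, missing: " + ", ".join(missing))
    if pairs.get("TokenEndpoint") and not _is_https(pairs["TokenEndpoint"]):
        findings.append("TokenEndpoint does not use https")
    unknown = sorted(set(pairs) - {"url", *OAUTH_KEYS})
    if unknown:
        findings.append("unexpected keys: " + ", ".join(unknown))
    return findings


def check_authentication_string(value):
    """An AuthenticationString must name its authentication module."""
    return [] if parse_pairs(value).get("Module") else ["Module is missing"]


def redact(value):
    """Rebuild the string with secret values masked, for logs and tickets."""
    return ";".join(
        f"{k}=***" if k.lower() in SECRET_KEYS else f"{k}={v}"
        for k, v in parse_pairs(value).items()
    )


if __name__ == "__main__":
    # Constructed sample values, not taken from any real installation.
    weak = "url=http://appserver.example.test/AppServer;ClientId=demo-client"
    full = ("url=https://appserver.example.test/AppServer;ClientId=demo-client;"
            "ClientSecret=constructed-secret;TokenEndpoint=https://login.example.test/token")
    print(check_connection_string(weak))
    print(redact(full))
    print(check_authentication_string("User=svc;Password=constructed"))
```
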