Identity Manager 9.1.1 - Attestation Administration Guide

If you attest memberships in application roles, you can use the QER | Attestation | AutoRemovalScope | AERoleMembership configuration parameter to configure automatic removal of application roles. After attestation approval has been denied, One Identity Manager checks which type of assignment was used for the user account to become a member in the application role.

Table 48: Effect of configuration parameters when attestation denied
Configuration parameter	Effect when set
QER \| Attestation \| AutoRemovalScope \| AERoleMembership \| RemoveDirectRole	The employee's secondary membership is removed from the application role. This removes all indirect assignments obtained by the employee through this application role. Membership in dynamic roles is not removed in this process.
QER \| Attestation \| AutoRemovalScope \| AERoleMembership \| RemoveRequestedRole	If the employee requested the application role through the IT Shop, the request is canceled or unsubscribed. This removes all indirect assignments obtained by the employee through this application role. Set the desired behavior in the QER \| Attestation \| AutoRemovalScope \| PWOMethodName configuration parameter. For more information, see Default attestation and withdrawal of entitlements.
QER \| Attestation \| AutoRemovalScope \| AERoleMembership \| RemoveDelegatedRole	If the application role was delegated to the employee, delegation is canceled or unsubscribed. This removes all indirect assignments obtained by the employee through this application role. Set the desired behavior in the QER \| Attestation \| AutoRemovalScope \| PWOMethodName configuration parameter. For more information, see Default attestation and withdrawal of entitlements.
QER \| Attestation \| AutoRemovalScope \| AERoleMembership \| RemoveDynamicRole	The employee is excluded from the application role's dynamic role. This removes all indirect assignments obtained by the employee through this application role. This does not remove memberships in the application role that were created in another way.

Business role attestation

Installed modules:

Business Roles Module

If you attest memberships in business roles, you can use the QER | Attestation | AutoRemovalScope | RoleMembership configuration parameter to configure automatic removal of business roles. After attestation approval has been denied, One Identity Manager checks which type of assignment was used for the user account to become a member in the business role.

Table 49: Effect of configuration parameters when attestation denied
Configuration parameter	Effect when set
QER \| Attestation \| AutoRemovalScope \| RoleMembership \| RemoveDirectRole	The employee's secondary membership in the business role is removed. This removes all indirect assignments obtained by the employee through this business role. Membership in dynamic roles is not removed by this.
QER \| Attestation \| AutoRemovalScope \| RoleMembership \| RemoveRequestedRole	If the employee requested the business role through the IT Shop, the request is canceled or unsubscribed. This removes all indirect assignments obtained by the employee through this business role. Set the desired behavior in the QER \| Attestation \| AutoRemovalScope \| PWOMethodName configuration parameter. For more information, see Default attestation and withdrawal of entitlements.
QER \| Attestation \| AutoRemovalScope \| RoleMembership \| RemoveDelegatedRole	If the business role was delegated to the employee, delegation is canceled or unsubscribed. This removes all indirect assignments obtained by the employee through this business role. Set the desired behavior in the QER \| Attestation \| AutoRemovalScope \| PWOMethodName configuration parameter. For more information, see Default attestation and withdrawal of entitlements.
QER \| Attestation \| AutoRemovalScope \| RoleMembership \| RemoveDynamicRole	The employee is excluded from the business role's dynamic role. This removes all indirect assignments obtained by the employee through this business role. This does not remove memberships in the business role that were created in another way.

User attestation and recertification

Use the One Identity Manager attestation functionality to regularly check and authorize employees' main data and target system entitlements and assignments. In addition, One Identity Manager provides default procedures for managers to quickly attest and certify the main data of newly added One Identity Manager users in the One Identity Manager database. This functionality can be used, for example, if external employees, such as contract workers, are provided with temporary access to the One Identity Manager. The sequence is different for internal and external employees.

Regular recertification can be run through scheduled tasks.

In the context of an attestation, a manager can check and update the main data of the user to be certified, if necessary. Use the Web Portal for attestation.

Detailed information about this topic

Related topics

Certifying new roles and organizations

One Identity Manager users for attesting and recertifying users

The following users are used for attesting and recertifying employees.

Table 50: Users
Users	Tasks
Employee administrators	Employee administrators must be assigned to the Identity Management \| Employees\| Administrators application role. Users with this application role: Can edit main data for all employees Assign managers to employees. Can assign company resources to employees. Check and authorize employee main data. Create and edit risk index functions. Edit password policies for employee passwords Delete employee's security keys (WebAuthn) Can see everyone's requests, attestations, and delegations and edit delegations in the Web Portal.
Manager	Check employee main data of the internal user to be certified. Update employee main data as required. Assign another manager if required. Attests the main data.
Attestors for external users	Attestors for external users must be assigned to the Identity & Access Governance \| Attestation \| Attestors for external users application role. Users with this application role: Attests new, external employees.
Administrators for attestation cases	Administrators must be assigned to the Identity & Access Governance \| Attestation \| Administrators application role. Users with this application role: Modify the attestation policies if necessary. Create more schedules if required.
Web Portal users	Log on to the Web Portal and enter their main data,
Self-registered employees	External employees, who have self-registered in the Web Portal, are assigned to the Base roles \| Self-registered employees application role through a dynamic role. Users with this application role: Specify their password and password questions for logging in to One Identity Manager tools.

Configuration parameter	Effect when set
QER \| Attestation \| AutoRemovalScope \| AERoleMembership \| RemoveDirectRole	The employee's secondary membership is removed from the application role. This removes all indirect assignments obtained by the employee through this application role. Membership in dynamic roles is not removed in this process.
QER \| Attestation \| AutoRemovalScope \| AERoleMembership \| RemoveRequestedRole	If the employee requested the application role through the IT Shop, the request is canceled or unsubscribed. This removes all indirect assignments obtained by the employee through this application role. Set the desired behavior in the QER \| Attestation \| AutoRemovalScope \| PWOMethodName configuration parameter. For more information, see Default attestation and withdrawal of entitlements.
QER \| Attestation \| AutoRemovalScope \| AERoleMembership \| RemoveDelegatedRole	If the application role was delegated to the employee, delegation is canceled or unsubscribed. This removes all indirect assignments obtained by the employee through this application role. Set the desired behavior in the QER \| Attestation \| AutoRemovalScope \| PWOMethodName configuration parameter. For more information, see Default attestation and withdrawal of entitlements.
QER \| Attestation \| AutoRemovalScope \| AERoleMembership \| RemoveDynamicRole	The employee is excluded from the application role's dynamic role. This removes all indirect assignments obtained by the employee through this application role. This does not remove memberships in the application role that were created in another way.

Configuration parameter	Effect when set
QER \| Attestation \| AutoRemovalScope \| RoleMembership \| RemoveDirectRole	The employee's secondary membership in the business role is removed. This removes all indirect assignments obtained by the employee through this business role. Membership in dynamic roles is not removed by this.
QER \| Attestation \| AutoRemovalScope \| RoleMembership \| RemoveRequestedRole	If the employee requested the business role through the IT Shop, the request is canceled or unsubscribed. This removes all indirect assignments obtained by the employee through this business role. Set the desired behavior in the QER \| Attestation \| AutoRemovalScope \| PWOMethodName configuration parameter. For more information, see Default attestation and withdrawal of entitlements.
QER \| Attestation \| AutoRemovalScope \| RoleMembership \| RemoveDelegatedRole	If the business role was delegated to the employee, delegation is canceled or unsubscribed. This removes all indirect assignments obtained by the employee through this business role. Set the desired behavior in the QER \| Attestation \| AutoRemovalScope \| PWOMethodName configuration parameter. For more information, see Default attestation and withdrawal of entitlements.
QER \| Attestation \| AutoRemovalScope \| RoleMembership \| RemoveDynamicRole	The employee is excluded from the business role's dynamic role. This removes all indirect assignments obtained by the employee through this business role. This does not remove memberships in the business role that were created in another way.

제품을 선택하십시오.

더 나은 서비스 제공을 위해 채팅 목적을 작성해 주십시오.

문제에 대한 권장 솔루션