지금 지원 담당자와 채팅
지원 담당자와 채팅

Identity Manager On Demand Hosted - Attestation Administration Guide

Attestation and recertification
One Identity Manager users for attestation Attestation base data Attestation policies Sample attestation Custom mail templates for notifications Suspending attestation
Approval processes for attestation cases
Approval policies for attestations Approval workflow for attestations Selecting attestors Setting up multi-factor authentication for attestation Prevent attestation by employee awaiting attestation Attestation by peer group analysis Managing attestation cases
Attestation sequence Default attestation and withdrawal of entitlements User attestation and recertification Mitigating controls Setting up attestation in a separate database Configuration parameters for attestation

Deleting attestation cases

The AttestationCase table expands very quickly when attestation is performed regularly. To limit the number of attestation cases in the One Identity Manager database, you can delete obsolete, closed attestation cases from the database. The attestation case properties are logged and then the attestation cases are deleted. The same number of attestation cases remain in the database as are specified in the attestation policy. For more information about logging data changes tags, see the One Identity Manager Configuration Guide.

NOTE: Ensure that the logged request procedures are archived for audit reasons. For more information about the archiving process, see the One Identity Manager Data Archiving Administration Guide.

Prerequisites

  • The Common | ProcessState | PropertyLog configuration parameter is enabled.

  • The attestation policy is enabled.

To delete attestation cases automatically

  1. Set the Log changes when deleting option on at least three columns in the AttestationCase table.

    1. In the Designer, select the Database schema > Tables > AttestationCase category.

    2. Select the Show table definition task.

      This opens the Schema Editor.

    3. Select a column in the Schema Editor.

    4. In the edit view of the schema editor, select the More tab.

    5. Set the option Log changes when deleting.

    6. Repeat steps (c) to (e) for all columns that are to be recorded on deletion. There must be at least three.

    7. Click on Commit to database and save the changes.

      The changes take effect as soon as the DBQueue Processor has performed the calculation tasks.

  2. Set the Log changes when deleting option on at least three columns in the AttestationHistory table.

    1. In the Designer, select the Database schema > Tables > AttestationHistory category.

    2. Repeat the steps 1(b) to 1(h) for the AttestationHistory table.

  3. Enter the number of obsolete cases in the attestation policies.

    1. In the Manager, select the Attestation > Attestation policies category.

    2. Select the attestation policy in the result list whose attestation cases should be deleted.

    3. Select the Change main data task.

    4. In the Obsolete tasks limit field, enter a value greater than 0.

    5. Save the changes.
TIP: If you want to prevent attestation cases being deleted for certain attestation policies, enter the value 0 for the obsolete task limit for these attestation policies.

Attestation cases are deleted as soon as a new attestation is started for an attestation policy.

One Identity Manager tests how many closed attestation cases exist in the database for each attestation object of this attestation policy. If the number is more than the number of obsolete attestation cases:

  • The attestation case properties and their approval sequence are recorded.

    All columns are recorded, which are marked for logging on deletion.

  • The attestation cases are deleted.

    The same number of attestation cases remain in the database as are specified in the obsolete tasks limit.

If the Common | ProcessState | PropertyLog configuration parameter is disabled later or not enough columns are marked with the Record on delete option, the value for Number of obsolete processes has no effect.

Notes for disabling attestation policies
  • Disabling an attestation policy always deletes all attestation cases.

  • The number of obsolete cases is not taken into account.

  • The attestation case are also deleted if the Common | ProcessState | PropertyLog configuration parameter is disabled. In this case, the deleted attestation cases are not logged.

Related topics

Notifications in the attestation process

In an attestation process, various email notifications can be sent to attestors and other employees. The notification procedure uses mail templates to create notifications. The mail text in a mail template is defined in several languages. This ensures that the language of the recipient is taken into account when the email is generated. Mail templates are supplied in the default installation with which you can configure the notification procedure.

Messages are not sent to the chief approval team by default. Fallback approvers are only notified if not enough approvers could be found for an approval step.

To use notification in the request process

  1. Ensure that the email notification system is configured in One Identity Manager. For more information, see the One Identity Manager Installation Guide.

  2. In the Designer, set the QER | Attestation | DefaultSenderAddress configuration parameter and enter the sender address used to send the email notifications.

  3. Ensure that all employees have a default email address. Notifications are sent to this address. For more information, see the One Identity Manager Identity Management Base Module Administration Guide.

  4. Ensure that a language can be determined for all employees. Only then can they receive email notifications in their own language. For more information, see the One Identity Manager Identity Management Base Module Administration Guide.

  5. Configure the notification procedure.

Related topics

Demanding attestation

When a new attestation case is made, the attestor is notified by mail. Demands for attestation can be configured separately for each approval step.

Prerequisite

  • The QER | Attestation | MailTemplateIdents | RequestApproverByCollection configuration parameter is not set.

To set up the notification procedure

  • On the Mail templates tab of the approval step, enter the following data:

    Mail template request: Attestation - approval required

    TIP: To allow approval by email, select the Attestation - approval required (by email) mail template.

NOTE: You can schedule demands for attestation to send a general notification if there are attestations pending. This replaces single demands for attestation at each approval step.

Related topics

Reminding attestors

If an attestor has not made a decision by the time the reminder timeout expires, notification can be sent by email as a reminder. The attestors working hours are taken into account when the time is calculated.

Prerequisite

  • The QER | Attestation | MailTemplateIdents | RequestApproverByCollection configuration parameter is not set.

To set up the notification procedure

  • Enter the following data for the approval step.

    • Reminder after (minutes):

      Number of minutes to elapse after which the attestor is notified by mail that there are still pending attestation cases for attestation. The input is converted into working hours and displayed additionally.

      The reminder interval is set to 30 minutes, by default. To change this interval, modify the Checks reminder interval and timeout of attestation cases schedule.

      NOTE: Ensure that a state, county, or both is entered into the employee's main data of determining the correct working hours. If this information is missing, a fallback is used to calculate the working hours. For more information about calculating employees' working hours, see the One Identity Manager Identity Management Base Module Administration Guide.

      TIP: Weekends and public holidays are taken into account when working hours are calculated. If you want weekends and public holidays to be dealt with in the same way as working days, set the QBM | WorkingHours | IgnoreHoliday or QBM | WorkingHours | IgnoreWeekend configuration parameter. For more information about this, see the One Identity Manager Configuration Guide.

      If more than one attestor was found, each attestor will be notified. The same applies if an additional attestor has been assigned.

      If an attestor delegated the approval, the time point for reminding the delegation recipient is recalculated. The delegation recipient and all the other attestors are notified. The original attestor is not notified.

      If an attestor has made an inquiry, the time point for reminding the queried employee is recalculated. As long as the inquiry has not been answered, only this employee is notified.

    • Mail template reminder: Select the Attestation - remind approver mail template.

      TIP: To allow approval by email, select the Attestation - remind approver (by email) mail template.

NOTE: You can schedule demands for attestation to send a general notification if there are attestations pending. This replaces single demands for attestation at each approval step.

Related topics
관련 문서

The document was helpful.

평가 결과 선택

I easily found the information I needed.

평가 결과 선택