지금 지원 담당자와 채팅
지원 담당자와 채팅

Identity Manager On Demand Hosted - Attestation Administration Guide

Attestation and recertification
One Identity Manager users for attestation Attestation base data Attestation policies Sample attestation Custom mail templates for notifications Suspending attestation
Approval processes for attestation cases
Approval policies for attestations Approval workflow for attestations Selecting attestors Setting up multi-factor authentication for attestation Prevent attestation by employee awaiting attestation Attestation by peer group analysis Managing attestation cases
Attestation sequence Default attestation and withdrawal of entitlements User attestation and recertification Mitigating controls Setting up attestation in a separate database Configuration parameters for attestation

Attestation by mail

To provide attestors who are temporarily unable to access One Identity Manager tools with the option of making attestation case decisions, you can set up attestation by email. In this process, attestors are notified by email when an attestation case is pending their approval. Approvers can use the links in the email to make approval decisions without having to connect to the Web Portal. This generates an email that contains the approval decision and in which attestors can state the reasons for their approval decision. This email is sent to a central mailbox. One Identity Manager checks this mailbox regularly, evaluates the incoming emails and updates the status of the attestation cases correspondingly.

IMPORTANT: An attestation cannot be sent by email if multi-factor authentication is configured for the attestation policy. Attestation emails for such attestations produce an error message.
Prerequisites
  • If you use a Microsoft Exchange mailbox, configure the Microsoft Exchange with:

    • Microsoft Exchange Client Access Server version 2007, Service Pack 1 or higher

    • Microsoft Exchange Web Service .NET API Version 1.2.1, 32-bit

  • If you use an Exchange Online mailbox, register an application in your Azure Active Directory tenant in the Microsoft Azure Management Portal. For example, One Identity Manager <Approval by mail>.

    For detailed information about how to register an application, see https://docs.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-authenticate-an-ews-application-by-using-oauth#register-your-application.

  • The One Identity Manager Service user account used to log into Microsoft Exchange or Exchange Online requires full access to the mailbox given in the QER | Attestation | MailApproval | Inbox configuration parameter.

  • The QER | Attestation | MailTemplateIdents | RequestApproverByCollection configuration parameter is not set.

To set up attestation by email

  1. In the Designer, set the QER | Attestation | MailApproval | Inbox configuration parameter and enter the mailbox to which the approval mails are to be sent.

  2. Set up mailbox access.

    • If you use a Microsoft Exchange mailbox:

      • By default, One Identity Manager uses the One Identity Manager Service user account to log in to the Microsoft Exchange Server and access the mailbox.

        - OR -

      • You enter a separate user account for logging in to theMicrosoft Exchange Server for mailbox access.

        • In the Designer, set the QER | Attestation | MailApproval | Account configuration parameter and enter the user account's name.

        • In the Designer, set the QER | Attestation | MailApproval | Domain configuration parameter and enter the user account's domain.

        • In the Designer, set the QER | Attesatation | MailApproval | Password configuration parameter and enter the user account's password.

    • If you use an Exchange Online mailbox:

      • In the Designer, set the QER | Attestation | MailApproval | AppId configuration parameter and enter the application ID that was generated when the application was registered in the Azure Active Directory tenant.

      • In the Designer, set the QER | Attestation | MailApproval | Domain configuration parameter and enter the domain for logging into Azure Active Directory.

      • In the Designer, set the QER | Attestation | MailApproval | Password configuration parameter and enter the client secret (application password) for the application.

  3. In the Designer, set the QER | Attestation | MailTemplateIdents | ITShopApproval configuration parameter.

    The mail template used to create the attestation mail is stored with this configuration parameter. You can use the default mail template or add a custom mail template.

    TIP: To use a company-specific mail template for attestation mails, change the value of the configuration parameter.To use a company-specific mail template for approval decision mails, change the value of the configuration parameter. In this case, also change the VI_MailApproval_ProcessMail script.

  4. Assign the following mail templates to the approval steps.

    Table 38: Mail templates for approval by mail

    Property

    Mail template

    Mail template request

    Attestation - approval required (by mail)

    Mail template reminder

    Attestation - remind approver (by mail)

    Mail template delegation

    Attestation - delegated/additional approval (by mail)

    Mail template rejection

    Attestation - reject approval (by mail)

  5. In the Designer, configure and enable the Processes attestation mail approvals schedule.

    Based on this schedule, One Identity Manager regularly checks the mailbox for new attestation mails. The mailbox is checked every 15 minutes. You can change how frequently it checks, by altering the interval in the schedule as required.

To clean up a mail box

  • In the Designer, set the QER | Attestation | MailApproval | DeleteMode configuration parameter and select one of the following values.

    • HardDelete: The processed email is immediately deleted.

    • MoveToDeletedItems: The processed email is moved to the Deleted objects mailbox folder.

    • SoftDelete: The processed email is moved to the Active Directory recycling bin and can be restored if necessary.

    NOTE: If you use the MoveToDeletedItems or SoftDelete cleanup method, you should empty the Deleted objects folder and the Active Directory recycling bin on a regular basis.

Related topics

Processing attestation mails

The Processes attestation mail approvals schedule starts the VI_Attestation_Process Approval Inbox process. This process runs the VI_MailApproval_ProcessInBox script, which searches the mailbox for new attestation mails and updates the attestation cases in the One Identity Manager database. The contents of the attestation mail are processed at the same time.

NOTE: The validity of the email certificate is checked with the VID_ValidateCertificate script. You can customize this script to suit your security requirements. Take into account that this script is also used for approval decisions for IT Shop requests by email.

If an self-signed root certification authority is used, the user account under which the One Identity Manager Service is running, must trust the root certificate.

TIP: The VI_MailApproval_ProcessInBox script finds the Exchange Web Service URL that uses AutoDiscover through the given mailbox as default. This assumes that the AutoDiscover service is running.

If this is not possible, enter the URL in the QER | Attestation | MailApproval | ExchangeURI configuration parameter.

Attestation mails are processed with the VI_MailApproval_ProcessMail script. The script finds the relevant approval decision, sets the Approved option if approval is granted, and stores the reason for the approval decision with the attestation cases. The attestor is found through the sender address. Then the attestation mail is removed from the mailbox depending on the selected cleanup method.

NOTE: If you use a custom mail template for the attestation mail, check the script and modify it as required. Take into account that this script is also used for approval decisions for IT Shop requests by email.

Default attestation and withdrawal of entitlements

One Identity Manager provide various default attestation procedures for different data situations and default attestation procedures.

Data situations for default attestations:

  • System entitlements owned by an employee

  • System entitlements assigned to system entitlements

  • System entitlements assigned to hierarchical roles

  • System roles assigned to an employee

  • Company resources assigned to system roles

  • System roles assigned to hierarchical roles

  • Business and application role memberships

  • Employee main data of a new One Identity Manager user

  • Employee main data of an existing One Identity Manager user

The attestation polices required for attesting employee main data are also supplied by default. You can also use the default supplied attestation policies without modifying them. The prerequisites and the attestation sequence for employee data are described in User attestation and recertification.

You can set up attestation policies easily in the Web Portal using default attestation procedures for other data situations. You can also use the default attestation policies supplied without customizing them. Furthermore, you can configure how to deal with denied attestations that are based on these default attestation procedures. If your specific data situation allows, denied entitlements can be removed by One Identity Manager following the attestation.

To remove denied permissions automatically

  1. In the Designer, set the QER | Attestation | AutoRemovalScope configuration parameter and the configuration subparameters.

  2. If the entitlements were obtained through IT Shop, specify whether these requests should be unsubscribed or canceled. To do this, set the QER | Attestation | AutoRemovalScope | PWOMethodName configuration parameter and select a value.

    • Abort: Requests are canceled. In this case, they do not go through a cancellation workflow. The requested entitlements are withdrawn without additional checks.

    • Unsubscribe: Requests are unsubscribed. They go through the cancellation workflow defined in the approval policies. Withdrawal of the entitlement can thus be subjected to an additional check.

      If the cancellation is denied, the entitlement is not withdrawn even though the attestation has been denied.

    If the configuration parameter is not set, the requests are canceled.

IMPORTANT: If role memberships or system roles are removed from an employee they lose the unapproved entitlement. They also lose all other company resources inherited through this role. These may be other system entitlements or account definitions. If necessary, system entitlements are removed and company resources are deleted from the employee.

Check whether your data situation allows automatic withdrawal of entitlements before you enable configuration parameters under QER | Attestation | AutoRemovalScope.

Automatic removal of entitlements is triggered by an additional approval step with the EX approval procedure in the default approval workflows.

Attestation sequence with subsequence withdrawal of denied entitlements:

  1. Attestation is carried out using a default attestation procedure.

  2. The attestor denies attestation. The approval step is not granted approval and approval is passed on the next approval level with the EX approval procedure.

  3. The approval step triggers the AUTOREMOVE event. This runs the VI_Attestation_AttestationCase_AutoRemoveMembership process.

  4. The process runs the VI_AttestationCase_RemoveMembership script. This removes the affected entitlement depending on which configuration parameters are set.

  5. The script sets the approval step status to Denied. This means the entire attestation case is finally denied.

  6. Tasks to recalculate inheritance are entered in the DBQueue.

Detailed information about this topic

Attesting system entitlements

Installed modules: Target System Base Module

When you use the System entitlement memberships attestation default attestation policy or have set up attestation policies with the System entitlement memberships attestation default attestation procedure, you can configure automatic removal of system entitlements through the QER | Attestation | AutoRemovalScope | GroupMembership configuration parameter. After attestation approval has been denied, One Identity Manager checks which type of assignment was used for the user account to become a member in the system entitlement.

Table 39: Effect of configuration parameters when attestation denied

Configuration parameter

Effect when set

QER | Attestation | AutoRemovalScope | GroupMembership | RemoveDirect

Direct membership of the user account in the system entitlement, is removed.

QER | Attestation | AutoRemovalScope | GroupMembership | RemovePrimaryRole

If membership in the system entitlement was inherited through a primary role, the role is withdrawn from the employee.

This removes all indirect assignments obtained by the employee through this role.

QER | Attestation | AutoRemovalScope | GroupMembership | RemoveRequestedRole

If membership of the system entitlement was inherited through a requested role, the role request is canceled or unsubscribed.

This removes all indirect assignments obtained by the employee through this role.

Set the desired behavior in the QER | Attestation | AutoRemovalScope | PWOMethodName configuration parameter. For more information, see Default attestation and withdrawal of entitlements.

QER | Attestation | AutoRemovalScope | GroupMembership | RemoveDelegatedRole

If membership in the system entitlement was inherited through a delegated role, delegation of this role is canceled or unsubscribed.

This removes all indirect assignments obtained by the employee through this role.

Set the desired behavior in the QER | Attestation | AutoRemovalScope | PWOMethodName configuration parameter. For more information, see Default attestation and withdrawal of entitlements.

QER | Attestation | AutoRemovalScope | GroupMembership | RemoveRequested

If membership of the system entitlement was requested through the IT Shop, the request is canceled or unsubscribed.

Set the desired behavior in the QER | Attestation | AutoRemovalScope | PWOMethodName configuration parameter. For more information, see Default attestation and withdrawal of entitlements.

QER | Attestation | AutoRemovalScope | GroupMembership | RemoveSystemRole

System roles incorporating the system entitlements are withdrawn from the employee.

This removes all indirect assignments obtained by the employee through this system role.

This configuration parameter is only available if the System Roles Module is installed.

QER | Attestation | AutoRemovalScope | GroupMembership | RemoveDirectRole

If membership in the system entitlement was inherited through a secondary role (organization or business role), the employee's membership is removed from this role.

This removes all indirect assignments obtained by the employee through this role.

QER | Attestation | AutoRemovalScope | GroupMembership | RemoveDynamicRole

If membership in the system entitlement was inherited through a dynamic role, the employee is excluded from the dynamic role.

This removes all indirect assignments obtained by the employee through this role.

When you use the Attestation of assignments to system entitlements default attestation policy or have set up attestation policies with the Attestation of assignments to system entitlements default attestation procedure, you can configure automatic removal of system entitlements through the QER | Attestation | AutoRemovalScope | UNSGroupInUNSGroup configuration parameter.

Table 40: Effect of configuration parameters when attestation denied

Configuration parameter

Effect when set

QER | Attestation | AutoRemovalScope | UNSGroupInUNSGroup | RemoveDirect

Assignment of the system entitlement to a system entitlement is removed.

You can configure automatic withdrawal of system entitlement assignments to hierarchical roles, if you use the following default attestation policies or procedures:

  • Attestation of system entitlement assignments to department

  • Attestation of system entitlement assignments to cost centers

  • Attestation of system entitlement assignments to locations

  • Attestation of system entitlement assignments to business roles

Enabled the following configuration parameters to do this.

Table 41: Effect of configuration parameters when attestation denied

Configuration parameter

Effect when set

QER | Attestation | AutoRemovalScope | DepartmentHasUNSGroup | RemoveDirect

The assignment of the system entitlement to a department is removed.

Therefore the system entitlement is removed from all employees that inherit assignments from this department.

QER | Attestation | AutoRemovalScope | ProfitCenterHasUNSGroup | RemoveDirect

The assignment of the system entitlement to a cost center is removed.

Therefore the system entitlement is removed from all employees that inherit assignments from this cost center.

QER | Attestation | AutoRemovalScope | LocalityHasUNSGroup | RemoveDirect

The assignment of the system entitlement to a location is removed.

Therefore the system entitlement is removed from all employees that inherit assignments from this location.

QER | Attestation | AutoRemovalScope | OrgHasUNSGroup | RemoveDirect

The assignment of a system entitlement to a business role is removed.

Therefore the system entitlement is removed from all employees that inherit assignments from this business role.

관련 문서

The document was helpful.

평가 결과 선택

I easily found the information I needed.

평가 결과 선택