To delete an approval procedure
Remove all assignments to approval steps.
On the approval procedure overview form, check which approval steps are assigned to the approval procedure.
Switch to the approval workflow and assign another approval procedure to the approval step.
In the Manager, select the Attestation > Basic configuration data > Approval procedures category.
Select an approval procedure from the result list.
Click 
The DBQueue Processor calculates which employee is authorized as an approver and in which approval level.
Approval policy, workflow, step, or procedure changes.
An authorized approver loses their responsibility in One Identity Manager, for example, if a change is made to the department manager, attestation policy approver, or target system manager.
An employee obtains responsibilities in One Identity Manager and therefore is authorized as an approver, for example as the manager of the employee to be attested.
An employee authorized as an approver is deactivated.
Once an employee's responsibilities have changed in One Identity Manager, a task for recalculating the attestors is queued in the DBQueue. All approval steps of the pending attestation cases are also recalculated by default. Approval steps that have already been approved remain approved, even if their attestor has changed. Recalculating attestors may take a long time depending on the configuration of the system environment and the amount of data to be processed. To optimize this processing time, you can specify the approval steps for which the attestors are to be recalculated.
To configure recalculation of the attestors
In the Designer, set the QER | Attestation | ReducedApproverCalculation configuration parameter and select one of the following options as the value.
| Option | Description |
|---|---|
|
No |
All approval steps are recalculated. This behavior also applies if the configuration parameter is not set. Advantage: Disadvantage: |
|
CurrentLevel |
Only the attestors for the approval level that is currently to be edited are recalculated. Once an approval level has been approved, the attestors are determined for the next approval level. Advantage: The number of approval levels to calculate is lower. TIP:
Disadvantage: |
|
NoRecalc |
No recalculation of attestors. The previous attestors remain authorized to approve the current approval level. Once an approval level has been approved, the attestors are determined for the next approval level. Advantage: The number of approval levels to calculate is lower. TIP: Disadvantage: To see approval steps of this type through
|
You can set up additional authentication for particularly security critical attestations, which requires every attestor to enter a security code for attesting. Define which attestation policies require this authentication in your attestation policies.
Use One Identity Manager One Identity Starling Two-Factor Authentication for multi-factor authentication. The authentication information required is defined in the subparameters under the QER | Person | Starling or the QER | Person | Defender configuration parameter. For detailed information about setting up multi-factor authentication, see the One Identity Manager Authorization and Authentication Guide.
To be able to use multi-factor authentication
Set up multi-factor authentication as described in the One Identity Manager Authorization and Authentication Guide.
In the Manager, select the attestation policies for which the multi-factor authentication will be used.
Enable the Approval by multi-factor authentication option.
Multi-factor authentication cannot be used for default attestation policies.
Once the Approval by multi-factor authentication option is set on an attestation policy, a security code is requested in each approval step of the approval process. This means that every employee who is determined to be an attestor for this attestation policy, must have a Starling 2FA token.
For detailed information about multi-factor authentication, see the One Identity Manager Web Designer Web Portal User Guide.
The attestation object can also be determined as the attestor in an attestation case. which means the employees to be attested can attest themselves. To prevent this, set the QER | Attestation | PersonToAttestNoDecide configuration parameter.
NOTE:
Changing the configuration parameter only affects new attestation cases. Attestors are not recalculated for existing attestation cases.
The configuration parameter setting also applies for fallback approvers; it does not apply to the chief approval team.
If the Approval by affected employee option is set on an approval step, this configuration parameter has no effect.
To prevent employees from attesting themselves
In the Designer, set the QER | Attestation | PersonToAttestNoDecide configuration parameter.
This configuration parameter affects all attestation cases in which employees included in the attestation object or in object relations, are attestors at the same time. The following employees are removed from the group of attestors.
Employees included in AttestationCase.ObjectKeyBase
Employees included in AttestationCase.UID_ObjectKey1, ObjectKey2, or ObjectKey3
Employees' main identities
All subidentities of these main identities
If the configuration parameter is not set or if Approval by affected employee is enabled for the approval step, these employees can attest themselves.
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Feedback 이용 약관 개인정보 보호정책 Cookie Preference Center
