지금 지원 담당자와 채팅
지원 담당자와 채팅

Identity Manager 8.2 - Attestation Administration Guide

Attestation and recertification
One Identity Manager users for attestation Attestation base data Attestation policies Custom mail templates for notifications
Approval processes for attestation cases
Approval policies for attestations Approval workflow for attestations Selecting attestors Setting up multi-factor authentication for attestation Prevent attestation by employee awaiting attestation Attestation by peer group analysis Managing attestation cases
Attestation sequence Default attestation and withdrawal of entitlements User attestation and recertification Mitigating controls Configuration parameters for attestation

Reports about attestation cases

One Identity Manager makes various reports available containing information about the selected base object and its relations to other One Identity Manager database objects. The Attestation cases report is available for attestors. The report shows all the attestor's pending and closed attestation cases. Attestors can use this report to make approval decisions in the Manager about attestation cases.

To display the Attestation cases report for an employee

  1. In the Manager, select the Employees > Employees category.

  2. Select the employee in the result list.

  3. Select the Attestation cases report.

  4. If a report has been defined for the attestation case, you can view it using the button in the View report column.

  5. (Optional) To approve pending attestation cases

    1. Select the Pending attestation cases tab.

    2. Select an attestation case and enable the Approve or the Deny option in the list.

    3. Enter the Reason for decision or select a Standard reason.

    4. Click Carry out approval.

Modifying approval workflows for pending attestation cases

When approval workflows are changed, a decision must be made as to whether these changes should be applied to pending attestation cases. Configuration parameters are used to define the desired procedure.

Scenario: Another approval workflow was stored with the approval policy

The newly stored workflow is only used in new requests. If changes have been made to the approval workflow in an approval policy, any pending approval procedures are continued by default with the original workflow. The newly stored workflow is only used in new attestation cases. You can configure different behavior.

To specify how to handle pending attestation cases

  • In the Designer, enable the QER | Attestation | OnWorkflowAssign configuration parameter and select one of the following values.

    • CONTINUE: Ongoing approval processes are continued with the originally applicable workflow. The newly stored workflow is only used in new attestation cases.

      This behavior also applies if the configuration parameter is not set.

    • RESET: In ongoing approval processes, all approval decisions already taken are reset. The approval processes are restarted with the newly stored workflow. The attestation cases are run through the approval process again.

    • ABORT: Ongoing approval processes are stopped. All pending attestation cases are closed. The next automatic or manual start of the attestation uses the new approval workflow.

A working copy of the originally applicable workflow is saved. The working copy is retained as long as it is used in ongoing approval processes. All unused working copies are regularly deleted using the Maintenance approval workflows schedule.

Scenario: A change was made to an approval workflow in use

If changes have been made to an approval workflow that is being used in pending attestation cases, any pending approval processes are continued by default with the original workflow. The changes to the approval workflow are only implemented for new attestation cases. You can configure different behavior.

To specify how to handle pending attestation cases

  • In the Designer, enable the QER | Attestation | OnWorkflowUpdate configuration parameter and select one of the following values.

    • CONTINUE: Ongoing approval processes are continued with the originally applicable approval workflow. The changes to the approval workflow are only implemented for new attestation cases.

      This behavior also applies if the configuration parameter is not set.

    • RESET: In ongoing approval processes, all approval decisions already taken are reset. The approval processes are restarted with the changed approval workflow. The attestation cases are run through the approval process again.

    • ABORT: Ongoing approval processes are stopped. All pending attestation cases are closed. The next automatic or manual start of the attestation uses the changed approval workflow.

A working copy of the approval workflow that contains the original version is saved. This working copy is retained as long as it is used in ongoing approval processes. All unused working copies are regularly deleted using the Maintenance approval workflows schedule.

Related topics

Closing attestation cases for deactivated employees

Pending attestation cases must still be processed even if they have permanently deactivated in the meantime. This is not required very often because the affected employee may have, for example, left the company. In this case, you can use the option to close an employee's pending attestation cases automatically, if the employee is permanently disabled.

To close attestation cases automatically

  • In the Designer, set the QER | Attestation | AutoCloseInactivePerson configuration parameter.

The configuration parameter only applies if the employee to be attested is deactivated after the attestation case was created.

The configuration parameter does not apply if the employee is temporarily deactivated.

TIP: Write a corresponding condition for finding the attestation object on the attestation policies to prevent attestation cases being created for deactivated employees. For more information, see General main data of attestation policies.

Deleting attestation cases

The AttestationCase table expands very quickly when attestation is performed regularly. To limit the number of attestation cases in the One Identity Manager database, you can delete obsolete, closed attestation cases from the database. The attestation case properties are logged and then the attestation cases are deleted. The same number of attestation cases remain in the database as are specified in the attestation policy. For more information about logging data changes tags, see the One Identity Manager Configuration Guide.

NOTE: Ensure that the logged request procedures are archived for audit reasons. For more information about the archiving process, see the One Identity Manager Data Archiving Administration Guide.

Prerequisites

  • The Common | ProcessState | PropertyLog configuration parameter is enabled.

  • The attestation policy is enabled.

To delete attestation cases automatically

  1. Set the Log changes when deleting option on at least three columns in the AttestationCase table.

    1. In the Designer, select the Database schema > Tables > AttestationCase category.

    2. Select the Show table definition task.

      This opens the Schema Editor.

    3. Select a column in the Schema Editor.

    4. In the edit view of the schema editor, select the More tab.

    5. Set the option Log changes when deleting.

    6. Repeat steps (c) to (e) for all columns that are to be recorded on deletion. There must be at least three.

    7. Click on Commit to database and save the changes.

      The changes take effect as soon as the DBQueue Processor has performed the calculation tasks.

  2. Set the Log changes when deleting option on at least three columns in the AttestationHistory table.

    1. In the Designer, select the Database schema > Tables > AttestationHistory category.

    2. Repeat the steps 1(b) to 1(h) for the AttestationHistory table.

  3. Enter the number of obsolete cases in the attestation policies.

    1. In the Manager, select the Attestation > Attestation policies category.

    2. Select the attestation policy in the result list whose attestation cases should be deleted.

    3. Select the Change main data task.

    4. In the Obsolete tasks limit field, enter a value greater than 0.

    5. Save the changes.
TIP: If you want to prevent attestation cases being deleted for certain attestation policies, enter the value 0 for the obsolete task limit for these attestation policies.

Attestation cases are deleted once

  • A new attestation is started for an attestation policy.

    - OR -

  • An attestation policy is disabled.

One Identity Manager tests how many closed attestation cases exists in the database for each attestation object of this attestation policy. If the number is more than the number of obsolete attestation cases:

  • The attestation case properties and their approval sequence are recorded.

    All columns are recorded, which are marked for logging on deletion.

  • The attestation cases are deleted.

    The same number of attestation cases remain in the database as are specified in the obsolete tasks limit.

NOTE: Closed attestation cases are also deleted in the case of disabled attestation policies if the Common | ProcessState | PropertyLog configuration parameter is not set. In this case, the deleted attestation cases are not logged.

If the Common | ProcessState | PropertyLog configuration parameter is deactivated later or not enough columns are marked with the Record on delete option, the value for Number of obsolete processes has no effect.

Related topics
관련 문서

The document was helpful.

평가 결과 선택

I easily found the information I needed.

평가 결과 선택