If you want to allow user accounts to be attested by the identities assigned to them, use the EA approval procedure. This approval procedure can be used if the Target System Base Module is installed.
An identity can attest to the correctness of their own main data to confirm that it has been entered correctly, for example. Use the CS approval procedure to do this. Identities are the base object for attestation. The approval procedure is used by default to assign managers to identities that do not have a manager assigned to them (Attestation of initial manager assignment attestation policy).
When user accounts, memberships in roles and organizations, or memberships in system entitlements are attested, the CN decision procedure determines whether the identity to whom these objects are assigned can be an attestor. The CN approval procedure is used to challenge denied attestations. For example, affected identities can prevent necessary entitlements from being removed. For more information, see Setting up the challenge phase.
The PW approval procedure finds which owners are attestors of the listed attestation policy. The approval procedure can therefore be used to attest any object. It is used to perform an additional stage in approval processes. In doing so, the attestation policy owners have the opportunity to review the details of the attestation run. For more information, see Phases of attestation.
If you want to make attestation dependent on specific conditions, use the CD approval procedure. This procedure does not determine an attestor. One Identity Manager makes the decision depending on the condition that is formulated in the approval step.
You can use the procedure for any attestation base objects. You create a condition in the approval step. If the condition returns a result, the approval step is approved through One Identity Manager. If the condition does not return a result, the approval step is denied by One Identity Manager. If there are no further approval steps, the approval procedure is either finally granted or denied.
To enter a condition for the CD approval procedure:
1. Edit the approval step properties.
2. In the Condition input field, enter a valid WHERE clause for database queries. You can enter the SQL query directly or with a wizard.
External identities should be attested by their managers. If no manager is assigned, the members of a designated application role must attest the identities.
You can find all external identities that have managers assigned to them by using the CD approval procedure and the following condition.
EXISTS
  (SELECT 1 FROM
    (SELECT xobjectkey FROM Person WHERE (IsExternal = 1)
      AND (EXISTS
        (SELECT 1 FROM
          (SELECT UID_Person FROM Person WHERE 1 = 1) as X
         WHERE X.UID_Person = Person.UID_PersonHead) )) as X
   WHERE X.xobjectkey = AttestationCase.ObjectKeyBase)
If the condition is fulfilled, the external identity's manager can attest the identity. To do this, add an approval step in the positive approval path with the CM approval procedure.
If the condition is not fulfilled, the identity is attested by the member of a designated application role. To do this, add an approval step in the negative approval path with the OR approval procedure and assign the application role.
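The routing described above can be checked offline before the condition goes into an approval step. The following is an added example, not One Identity code: it runs the page's WHERE clause unchanged against a constructed SQLite stand-in for the Person and AttestationCase tables. The sample rows, the UID_AttestationCase column, and the helper names build_db and approval_path are assumptions made for the illustration.

```python
import sqlite3

# WHERE clause from the page, unchanged.
CONDITION = """EXISTS
 (SELECT 1 FROM
   (SELECT xobjectkey FROM Person WHERE (IsExternal = 1)
     AND (EXISTS
       (SELECT 1 FROM
         (SELECT UID_Person FROM Person WHERE 1 = 1) as X
        WHERE X.UID_Person = Person.UID_PersonHead) )) as X
  WHERE X.xobjectkey = AttestationCase.ObjectKeyBase)"""

# Constructed rows: (UID_Person, xobjectkey, IsExternal, UID_PersonHead)
PEOPLE = [
    ("p-mgr", "key-mgr", 0, None),         # internal manager
    ("p-ext1", "key-ext1", 1, "p-mgr"),    # external, manager assigned
    ("p-ext2", "key-ext2", 1, None),       # external, no manager
    ("p-ext3", "key-ext3", 1, "p-gone"),   # external, manager UID matches no identity
    ("p-int1", "key-int1", 0, "p-mgr"),    # internal, manager assigned
]

def build_db():
    """In-memory stand-in holding only the columns the condition reads."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Person (UID_Person TEXT, xobjectkey TEXT, "
               "IsExternal INTEGER, UID_PersonHead TEXT)")
    db.execute("CREATE TABLE AttestationCase (UID_AttestationCase TEXT, "
               "ObjectKeyBase TEXT)")
    db.executemany("INSERT INTO Person VALUES (?, ?, ?, ?)", PEOPLE)
    # One attestation case per identity, keyed by the identity's object key.
    db.executemany("INSERT INTO AttestationCase VALUES (?, ?)",
                   [("case-" + uid, key) for uid, key, _, _ in PEOPLE])
    return db

def approval_path(db, person_uid):
    """Return the path the CD step takes for this identity's case."""
    row = db.execute(
        "SELECT 1 FROM AttestationCase "
        "WHERE UID_AttestationCase = ? AND " + CONDITION,
        ("case-" + person_uid,)).fetchone()
    # A result approves the step (positive path); no result denies it.
    return "positive: CM" if row else "negative: OR"

if __name__ == "__main__":
    db = build_db()
    for uid, *_ in PEOPLE:
        print(uid, "->", approval_path(db, uid))
```

Only the external identity with a resolvable manager reaches the positive path. Internal identities also fall through to the negative path, so this routing assumes the attestation policy covers external identities only.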