Using a specified role to find attestors
If the attestors for any object are specified in a certain role, use the OR or OM approval procedure. You can allow any objects to be attested by employees from any role using these approval procedures. In the approval step, specify the role by means of which the attestors are to be determined. The approval procedures determine the following attestors.
| Approval procedure | Available roles | Attestors |
| --- | --- | --- |
| OM | Departments (Department), Cost centers (ProfitCenter), Locations (Locality), Business roles (Org) | Manager and deputy manager of the role specified in the approval step. |
| OR | Departments (Department), Cost centers (ProfitCenter), Locations (Locality), Business roles (Org), Application roles (AERole) | All secondary members of the role specified in the approval step. |
Using product owners to find attestors
Use the approval procedure OA to determine whether product owners can be attestors. The following objects can be attested with this procedure:
Prerequisites:
- A service item must be assigned to the system entitlements and system roles.
- An application role for product owners must be assigned to the service item.
All employees who are assigned this application role are determined as attestors.
Using owners of a privileged object to find attestors
Installed modules: Privileged Account Governance Module
Use the OP approval procedure if you want to allow privileged objects in a Privileged Account Management system, for example, PAM assets or PAM directory accounts, to be attested by their owners. The owners attest the possible user access to these privileged objects. The owners of the privileged objects must have the Privileged Account Governance | Asset and account owners application role or a child application role.
Using additional Active Directory group owners to find attestors
Installed modules: Active Roles Module
If the Active Directory group is attested, the attestor can be determined through additional owners of this Active Directory group. Use the PA approval procedure for this purpose. This finds all employees that are:
NOTE: Only use the PA approval procedure if the TargetSystem | ADS | ARS_SSM configuration parameter is enabled. The column Additional owners is only available in this case.