Chat now with support
Chat with Support

Identity Manager 8.2.1 - Attestation Administration Guide

Attestation and recertification
One Identity Manager users for attestation Attestation base data Attestation policies Sample attestation Custom mail templates for notifications Suspending attestation
Approval processes for attestation cases
Approval policies for attestations Approval workflow for attestations Selecting attestors Setting up multi-factor authentication for attestation Prevent attestation by employee awaiting attestation Attestation by peer group analysis Managing attestation cases
Attestation sequence Default attestation and withdrawal of entitlements User attestation and recertification Mitigating controls Setting up attestation in a separate database Configuration parameters for attestation

Attestation by mail

To provide attestors who are temporarily unable to access One Identity Manager tools with the option of making attestation case decisions, you can set up attestation by email. In this process, attestors are notified by email when an attestation case is pending their approval. Approvers can use the links in the email to make approval decisions without having to connect to the Web Portal. This generates an email that contains the approval decision and in which attestors can state the reasons for their approval decision. This email is sent to a central mailbox. One Identity Manager checks this mailbox regularly, evaluates the incoming emails and updates the status of the attestation cases correspondingly.

IMPORTANT: An attestation cannot be sent by email if multi-factor authentication is configured for the attestation policy. Attestation emails for such attestations produce an error message.
Prerequisites

  • If you use a Microsoft Exchange mailbox, configure the Microsoft Exchange with:

    • Microsoft Exchange Client Access Server version 2007, Service Pack 1 or higher

    • Microsoft Exchange Web Service .NET API Version 1.2.1, 32-bit

  • If you use an Exchange Online mailbox, register an application in your Azure Active Directory tenant in the Microsoft Azure Management Portal. For example, One Identity Manager <Approval by mail>.

    For detailed information about how to register an application, see https://docs.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-authenticate-an-ews-application-by-using-oauth#register-your-application.

  • The One Identity Manager Service user account used to log into Microsoft Exchange or Exchange Online requires full access to the mailbox given in the QER | Attestation | MailApproval | Inbox configuration parameter.

  • The QER | Attestation | MailTemplateIdents | RequestApproverByCollection configuration parameter is not set.

To set up attestation by email

  1. In the Designer, set the QER | Attestation | MailApproval | Inbox configuration parameter and enter the mailbox to which the approval mails are to be sent.

  2. Set up mailbox access.

    • If you use a Microsoft Exchange mailbox:

      • By default, One Identity Manager uses the One Identity Manager Service user account to log in to the Microsoft Exchange Server and access the mailbox.

        - OR -

      • You enter a separate user account for logging in to theMicrosoft Exchange Server for mailbox access.

        • In the Designer, set the QER | Attestation | MailApproval | Account configuration parameter and enter the user account's name.

        • In the Designer, set the QER | Attestation | MailApproval | Domain configuration parameter and enter the user account's domain.

        • In the Designer, set the QER | Attesatation | MailApproval | Password configuration parameter and enter the user account's password.

    • If you use an Exchange Online mailbox:

      • In the Designer, set the QER | Attestation | MailApproval | AppId configuration parameter and enter the application ID that was generated when the application was registered in the Azure Active Directory tenant.

      • In the Designer, set the QER | Attestation | MailApproval | Domain configuration parameter and enter the domain for logging into Azure Active Directory.

      • In the Designer, set the QER | Attestation | MailApproval | Password configuration parameter and enter the client secret (application password) for the application.

  3. In the Designer, set the QER | Attestation | MailTemplateIdents | ITShopApproval configuration parameter.

    The mail template used to create the attestation mail is stored with this configuration parameter. You can use the default mail template or add a custom mail template.

    TIP: To use a company-specific mail template for attestation mails, change the value of the configuration parameter.To use a company-specific mail template for approval decision mails, change the value of the configuration parameter. In this case, also change the VI_MailApproval_ProcessMail script.

  4. Assign the following mail templates to the approval steps.

    Table 38: Mail templates for approval by mail

    Property

    Mail template

    Mail template request

    Attestation - approval required (by mail)

    Mail template reminder

    Attestation - remind approver (by mail)

    Mail template delegation

    Attestation - delegated/additional approval (by mail)

    Mail template rejection

    Attestation - reject approval (by mail)

  5. In the Designer, configure and enable the Processes attestation mail approvals schedule.

    Based on this schedule, One Identity Manager regularly checks the mailbox for new attestation mails. The mailbox is checked every 15 minutes. You can change how frequently it checks, by altering the interval in the schedule as required.

To clean up a mail box

  • In the Designer, set the QER | Attestation | MailApproval | DeleteMode configuration parameter and select one of the following values.

    • HardDelete: The processed email is immediately deleted.

    • MoveToDeletedItems: The processed email is moved to the Deleted objects mailbox folder.

    • SoftDelete: The processed email is moved to the Active Directory recycling bin and can be restored if necessary.

    NOTE: If you use the MoveToDeletedItems or SoftDelete cleanup method, you should empty the Deleted objects folder and the Active Directory recycling bin on a regular basis.

Related topics

Processing attestation mails

The Processes attestation mail approvals schedule starts the VI_Attestation_Process Approval Inbox process. This process runs the VI_MailApproval_ProcessInBox script, which searches the mailbox for new attestation mails and updates the attestation cases in the One Identity Manager database. The contents of the attestation mail are processed at the same time.

NOTE: The validity of the email certificate is checked with the VID_ValidateCertificate script. You can customize this script to suit your security requirements. Take into account that this script is also used for approval decisions for IT Shop requests by email.

If an self-signed root certification authority is used, the user account under which the One Identity Manager Service is running, must trust the root certificate.

TIP: The VI_MailApproval_ProcessInBox script finds the Exchange Web Service URL that uses AutoDiscover through the given mailbox as default. This assumes that the AutoDiscover service is running.

If this is not possible, enter the URL in the QER | Attestation | MailApproval | ExchangeURI configuration parameter.

Attestation mails are processed with the VI_MailApproval_ProcessMail script. The script finds the relevant approval decision, sets the Approved option if approval is granted, and stores the reason for the approval decision with the attestation cases. The attestor is found through the sender address. Then the attestation mail is removed from the mailbox depending on the selected cleanup method.

NOTE: If you use a custom mail template for the attestation mail, check the script and modify it as required. Take into account that this script is also used for approval decisions for IT Shop requests by email.

Adaptive cards attestation

To allow attestors who temporarily do not have access to the One Identity Manager tools to approve attestation cases, you can send adaptive cards. Adaptive cards contain all the information required for attesting the attestation case. These include:

  • Current and next attestor

  • Attestation history

  • Link to the attestation case in the Web Portal

  • Option to select a default reason or enter your own reason

  • Message stating that the attested entitlement is automatically withdrawn if attestation is denied.

  • Message stating whether the attestation object was already attested with the same attestation policy.

One Identity Starling Cloud Assistant uses a specified channel to post the adaptive cards to the attestor, waits for a response, and send this to One Identity Manager. Currently Slack and Microsoft Teams can be used to post adaptive cards. In Starling Cloud Assistant, channels are configured and can be allocated to each recipient separately.

Prerequisites
Related topics

Using adaptive cards for attestations

Attestators must be registered as recipients in Starling Cloud Assistant to be able to make approval decisions about attestation cases. Each recipient must be allocated to a channel that will be used to post the adaptive card. One Identity Manager provides adaptive cards for requesting attestation in German and English. These can be customized if necessary.

By default, an approval decision must be made within 5 minutes. If this deadline is exceeded, the Web Portal must be used to approve the attestation case. You can configure the deadline.

To use adaptive cards for attestations

  1. In the Designer, set the QER | Person | Starling | UseApprovalAnywhere configuration parameter.

  2. Ensure that a default email address is stored in One Identity Manager for each employee that will use adaptive cards. This address must correspond to the email address that the employee uses to log in to Microsoft Teams or Slack.

    For detailed information about the default email address, see the One Identity Manager Identity Management Base Module Administration Guide.

  3. Ensure that a language can be identified for each employee that will use adaptive cards. This allows attestors to obtain adaptive cards in their own language.

    For more information, see the One Identity Manager Identity Management Base Module Administration Guide.

  4. In the Designer, disable the QER | Attestation | MailTemplateIdents | RequestApproverByCollection configuration parameter.

  5. On the Mail template tab, assign a Mail template request the approval steps.

  6. Register all the employees, who are going to use adaptive cards for attesting, as recipients in Starling Cloud Assistant and assign them to the channel to use.

  7. Install the Starling Cloud Assistant app that matches the channel.

    Every registered employee must install this app.

    For more information, see the One Identity Starling Cloud Assistant User Guide under https://support.oneidentity.com/starling-cloud-assistant/hosted/technical-documents.

  8. (Optional) Change the timeout for adaptive cards.

    • In the Designer, set the QER | Person | Starling | UseApprovalAnywhere | SecondsToExpire configuration parameter and adjust the value. Enter a timeout in seconds.

  9. (Optional) Provide a country-specific template for adaptive cards or make adjust the adaptive cards settings.

    If a language cannot be identified or there is no suitable template for the language found, en-US is used as fallback.

Detailed information about this topic
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating