Chat now with support
Chat with Support

Identity Manager 8.2.1 - Attestation Administration Guide

Attestation and recertification
One Identity Manager users for attestation Attestation base data Attestation policies Sample attestation Custom mail templates for notifications Suspending attestation
Approval processes for attestation cases
Approval policies for attestations Approval workflow for attestations Selecting attestors Setting up multi-factor authentication for attestation Prevent attestation by employee awaiting attestation Attestation by peer group analysis Managing attestation cases
Attestation sequence Default attestation and withdrawal of entitlements User attestation and recertification Mitigating controls Setting up attestation in a separate database Configuration parameters for attestation

The recertification sequence

One Identity Manager uses the same method for recertification as for certification of new users. User recertification is triggered when all the following are true:

  • The QER | Attestation | UserApproval configuration parameter is set.

  • No Import data source is stored with the employee or the Import data source is not E-Business Suite.

  • The processing time in the schedule stored for the User recertification attestation policy has been reached.

Internal employees are attested by their manager. If an employee is not assigned a manager, the employee administrator assigns an initial manager for them. Only employee administrators can ultimately deny recertification. If a manager denies recertification, the case is always returned to the employee administrators to decide approval.

External employees are attested by members of the Identity & Access Governance | Attestation | Attestors for external users application role.

If the External option is not set for an employee, attestation takes place as described in the Adding new employees using a manager or employee administrator section, step 5.

If the External option is set for the employee, attestation takes place as described in the Self-registration of new users in the Web Portal section, steps 4 to 5.

The attestors are determined using the Certification of users approval policy.

Limiting attestation objects for recertification

IMPORTANT: In order to customize the User recertification default attestation policy, you must make changes to One Identity Manager objects. Always use a custom copy of the relevant object to make these changes.

All employees saved in the database are recertified using the User recertification attestation policy supplied in One Identity Manager. It may be necessary to limit recertification of new users to a certain group of employees, for example, if only employees in a specific departments should be attested. To do this, you can extend the condition attached to the attestation policy. Create a custom attestation policy for this.

The following objects must be changed so that recertification of users can be carried out with this attestation policy. Always create a copy of the respective object to do this.

  • User recertification attestation policy

  • VI_Attestation_AttestationCase_Person_Approval_Granted process

  • VI_Attestation_AttestationCase_Person_Approval_Dismissed process

IMPORTANT: In order for recertification to run correctly in the Web Portal, the default Certification of users attestation procedure and the default Certification of users approval policy must be assigned to the attestation policy.

The default attestation procedure, the default approval policy, and the default Certification of users approval workflow must not be changed.

To customize default recertification of users

  1. Copy the User recertification attestation policy and customize it.

    Table 58: Attestation policy properties

    Property

    Value

    Attestation procedure

    Certification of users.

    Approval policies

    Certification of users.

    Editing conditions

    Copy the default condition without modification so that the correct attestation object is selected.

    To limit the number of attestation objects, you can add additional partial conditions to the database query.

  2. In the Designer, copy the VI_Attestation_AttestationCase_Person_Approval_Granted process of the AttestationCase base object and customize the copy.

    Table 59: Process properties with changes

    Process property

    Change

    Pre-script for generating

    Replace the UID of the User recertification attestation policy with the UID of the new attestation policy.

    Generating condition

  3. In the Designer, copy the VI_Attestation_AttestationCase_Person_Approval_Dismissed process of the AttestationCase base object and customize the copy.

    Table 60: Process properties with changes

    Process property

    Change

    Pre-script for generating

    Replace the UID of the User recertification attestation policy with the UID of the new attestation policy.

    Generating condition

For detailed information about editing processes, see the One Identity Manager Configuration Guide.

Detailed information about this topic

Mitigating controls

Violation of regulatory requirements can harbor different risks for companies. To evaluate these risks, you can apply risk indexes to attestation policies. These risk indexes provide information about the risk involved for the company if this particular policy is violated. Once the risks have been identified and evaluated, mitigating controls can be implemented.

Mitigating controls are independent on One Identity Manager’s functionality. They are not monitored through One Identity Manager.

Mitigating controls describe controls that are implemented if an attestation rule was violated. The attestation can be approved after the next attestation run, once controls have been applied.

To edit mitigating controls

  • In the Designer, set the QER | CalculateRiskIndex configuration parameter and compile the database.

If you disable the configuration parameter at a later date, model components and scripts that are not longer required, are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.

For more information about risk assessment, see the One Identity Manager Risk Assessment Administration Guide.

General main data of mitigating controls

To create or edit mitigating controls

  1. In the Manager, select the Risk index functions > Mitigating controls category.

  2. Select a mitigating control in the result list and run the Change main data task.

    - OR -

    Click in the result list.

  3. Edit the mitigating control main data.

  4. Save the changes.

Enter the following main data of mitigating controls.

Table 61: General main data of a mitigating control

Property

Description

Measure

Unique identifier for the mitigating control.

Significance reduction

When the mitigating control is implemented, this value is used to reduce the risk of denied attestation cases. Enter a number between 0 and 1.

Description

Detailed description of the mitigating control.

Functional area

Functional area in which the mitigating control may be applied.

Department

Department in which the mitigating control may be applied.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating