Chat now with support
Chat with Support

Identity Manager On Demand Hosted - Attestation Administration Guide

Attestation and recertification
One Identity Manager users for attestation Attestation base data Attestation policies Sample attestation Custom mail templates for notifications Suspending attestation
Approval processes for attestation cases
Approval policies for attestations Approval workflow for attestations Selecting attestors Setting up multi-factor authentication for attestation Prevent attestation by employee awaiting attestation Attestation by peer group analysis Managing attestation cases
Attestation sequence Default attestation and withdrawal of entitlements User attestation and recertification Mitigating controls Setting up attestation in a separate database Configuration parameters for attestation

Prevent attestation by employee awaiting attestation

The attestation object can also be determined as the attestor in an attestation case. which means the employees to be attested can attest themselves. To prevent this, set the QER | Attestation | PersonToAttestNoDecide configuration parameter.

NOTE:

  • Changing the configuration parameter only affects new attestation cases. Attestors are not recalculated for existing attestation cases.

  • The configuration parameter setting also applies for fallback approvers; it does not apply to the chief approval team.

  • If the Approval by affected employee option is set on an approval step, this configuration parameter has no effect.

To prevent employees from attesting themselves

  • In the Designer, set the QER | Attestation | PersonToAttestNoDecide configuration parameter.

This configuration parameter affects all attestation cases in which employees included in the attestation object or in object relations, are attestors at the same time. The following employees are removed from the group of attestors.

  • Employees included in AttestationCase.ObjectKeyBase

  • Employees included in AttestationCase.UID_ObjectKey1, ObjectKey2, or ObjectKey3

  • Employees' main identities

  • All subidentities of these main identities

If the configuration parameter is not set or if Approval by affected employee is enabled for the approval step, these employees can attest themselves.

Related topics

Properties of an approval step

Attestation by peer group analysis

Using peer group analysis, approval for attestation cases can be granted or denied automatically. For example, a peer group might be all employees in the same department. Peer group analysis assumes that these employees require the same system entitlements. For example, if the majority of employees belonging to a department have a system entitlement, assignment to another employee in the department can be carried out automatically. This helps to accelerate approval processes.

Peer group analysis can be used during attestation of the following memberships:

  • Assignment of system entitlements to user account (UNSAccountInUNSGroup table)
  • Secondary memberships in business role (PersonInOrg table)

Peer groups contain all employees with the same manager or belonging to the same primary or secondary department as the employee linked to the attestation object (= employee to be attested). Configuration parameters specify which employee belong to the peer group. At least one of the following configuration parameters must be set.

  • QER | Attestation | PeerGroupAnalysis | IncludeManager: Employees with the same manager as the employee being attested

  • QER | Attestation | PeerGroupAnalysis | IncludePrimaryDepartment: Employees who belong to the same primary department as the employee being attested

  • QER | Attestation | PeerGroupAnalysis | IncludeSecondaryDepartment: Employees whose secondary department corresponds to the primary or secondary department of the employee being attested

The number of employees in a peer group that must already own the membership to be attested is set by a threshold in the QER | Attestation | PeerGroupAnalysis | ApprovalThreshold configuration parameter. The threshold specifies the ratio of the total number of employees in the peer group to the number of employees in the peer group who already own this membership.

You can also specify that employees are not permitted to own cross-functional memberships, which means, if the membership and the employee being attested belong to different functional areas, the attestation case should be denied approval. To include this check in peer group analysis, set the QER | Attestation | PeerGroupAnalysis | CheckCrossfunctionalAssignment configuration parameter.

Whether a membership is cross-functional or not can only be tested if the following conditions are fulfilled.

  • The employee being attested and the member of the peer group requested the membership in the IT Shop.

  • The employee being attested is assigned a primary department and this department is assigned a function area.

  • The service item that the membership is assigned to, is assigned a functional area.

Attestation cases are automatically approved for fully configured peer group analysis, if both:

  • The membership being attested is not cross-functional

  • The number of employees in the peer group who already own this membership equal or exceeds the given threshold

If this is not the case, attestation cases are automatically denied.

To use this functionality, One Identity Manager provides the QER_PersonWantsOrg_Peer group analysis process and the PeergroupAnalysis event. The process is run using an approval step with the EX approval procedure.

Detailed information about this topic

Configuring peer group analysis for attestations

To configure peer groups

  1. In the Designer, set the QER | ITShop | PeerGroupAnalysis configuration parameter.

  2. Set at least on of the following subparameters:

    • QER | Attestation | PeerGroupAnalysis | IncludeManager: Employees with the same manager as those with the employee linked to the attestation object

    • QER | Attestation | PeerGroupAnalysis | IncludePrimaryDepartment: Employees who belong to the same primary department as those with the employee linked to the attestation object

    • QER | Attestation | PeerGroupAnalysis | IncludeSecondaryDepartment: Employees whose secondary department corresponds to the primary or secondary department of the employee linked to the attestation object

    Thus, you specify which employees belong to the peer group. You can also set two or all of the configuration parameters.

  3. To specify a threshold for the peer group, set the QER | Attestation | PeerGroupAnalysis | ApprovalThreshold configuration parameter and specify a value between 0 and 1.

    The default value is 0.9. That means, at least 90 percent of the peer group members must already have the membership to be attested in order for the attestation case to be approved.

  4. (Optional) To check whether the membership to be attested is cross-functional, enable the QER | Attestation | PeerGroupAnalysis | CheckCrossfunctionalAssignment configuration parameter.

    • Ensure that the following conditions are met:

      • The employee being attested and the member of the peer group requested the membership in the IT Shop.

      • The employee being attested is assigned a primary department and this department is assigned a function area.

      • The service item that the membership is assigned to, is assigned a functional area.

      Only functional areas that are primary assigned service items are taken into account.

      For more information about editing service items, see the One Identity Manager IT Shop Administration Guide. For more information about functional areas, see the One Identity Manager Identity Management Base Module Administration Guide.

  5. In the Manager, create an approval workflow with at least one approval level. For the approval step, enter at least the following data:

    • Single step: EXWithPeerGroupAnalysis.

    • Approval procedure: EX

    • Event: PeerGroupAnalysis

    The event starts the ATT_AttestationCase_Peer group analysis process, which runs the ATT_PeerGroupAnalysis_for_Attestation script.

    The script runs automatic approval and sets the approval step type to Grant or Deny.

Detailed information about this topic
Related topics

Managing attestation cases

During attestation, you may find it necessary to assign someone else as default attestor responsible for the attestation because, for example, the actual attestor is absent. You may require additional information about an attestation object. One Identity Manager offers different possibilities to intervene in an open attestation case.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating