Chat now with support
Chat with Support

Identity Manager 9.0 LTS - Attestation Administration Guide

Attestation and recertification
One Identity Manager users for attestation Attestation base data Attestation types Attestation procedure Attestation schedules Compliance frameworks Chief approval team Attestation policy owners Standard reasons for attestation Attestation policies Sample attestation Grouping attestation policies Custom mail templates for notifications Suspending attestation
Approval processes for attestation cases
Approval policies for attestations Approval workflow for attestations Selecting attestors Setting up multi-factor authentication for attestation Prevent attestation by employee awaiting attestation Attestation by peer group analysis Managing attestation cases
Attestation sequence Default attestation and withdrawal of entitlements User attestation and recertification Mitigating controls Setting up attestation in a separate database Configuration parameters for attestation

Reminding attestors

If an attestor has not made a decision by the time the reminder timeout expires, notification can be sent by email as a reminder. The attestors working hours are taken into account when the time is calculated.

Prerequisite

  • The QER | Attestation | MailTemplateIdents | RequestApproverByCollection configuration parameter is not set.

To set up the notification procedure

  • Enter the following data for the approval step.

    • Reminder after (minutes):

      Number of minutes to elapse after which the attestor is notified by mail that there are still pending attestation cases for attestation. The input is converted into working hours and displayed additionally.

      The reminder interval is set to 30 minutes, by default. To change this interval, modify the Checks reminder interval and timeout of attestation cases schedule.

      NOTE: Ensure that a state, county, or both is entered into the employee's main data of determining the correct working hours. If this information is missing, a fallback is used to calculate the working hours. For more information about calculating employees' working hours, see the One Identity Manager Identity Management Base Module Administration Guide.

      TIP: Weekends and public holidays are taken into account when working hours are calculated. If you want weekends and public holidays to be dealt with in the same way as working days, set the QBM | WorkingHours | IgnoreHoliday or QBM | WorkingHours | IgnoreWeekend configuration parameter. For more information about this, see the One Identity Manager Configuration Guide.

      If more than one attestor was found, each attestor will be notified. The same applies if an additional attestor has been assigned.

      If an attestor delegated the approval, the time point for reminding the delegation recipient is recalculated. The delegation recipient and all the other attestors are notified. The original attestor is not notified.

      If an attestor has made an inquiry, the time point for reminding the queried employee is recalculated. As long as the inquiry has not been answered, only this employee is notified.

    • Mail template reminder: Select the Attestation - remind approver mail template.

      TIP: To allow approval by email, select the Attestation - remind approver (by email) mail template.

NOTE: You can schedule requests for attestation to send a general notification if there are attestations pending. This replaces single requests for attestation at each approval step.

Related topics

Scheduling attestation requests

Attestors can be regularly notified of attestation cases that are pending. These regular notifications replace the individual prompts and attestation reminders that are configured in the approval step.

To send regular notifications about pending attestations

  1. Enable the QER | Attestation | MailTemplateIdents | RequestApproverByCollection configuration parameter in the Designer.

    By default, a notification is sent with the Attestation - pending requests for approver mail template.

    TIP: To use something other than the default mail template for these notifications, change the value of the configuration parameter in the Designer.

  2. In the Designer, configure and enable the Inform approver about pending attestations schedule.

    For more information about this, see the One Identity Manager Operational Guide.

Reminding attestors about attestation objects

The hierarchical role manager and those responsible for system entitlements or system roles can view all pending attestation cases for this object in the Web Portal. If necessary, they can also send reminders to attestors of selected attestation objects.

To send notification about a specific attestation object

  • In the Designer, set the QER | Attestation | MailTemplateIdents | RemindApproverByObject configuration parameter.

    By default, notification is sent using the Attestation - remind approver of all open object attestations template.

TIP: To use something other than the default mail template for these notifications, change the value of the configuration parameter in the Designer.

Use the Web Portal to send notifications. For more information about this, see the One Identity Manager Web Designer Web Portal User Guide.

Granting or denying attestation cases

When an attestation case is granted approval or denied it, other employees receive notification. Notification may occur after approval or denial of a single approval step or once the entire approval process is complete. You can specify the recipient of the notification as required by the company.

Attestation cases can be automatically granted or denied approval once a specified time period has been exceeded. Notification is sent in the same way in this case.

To set up the notification procedure

  1. Create custom mail templates for sending notification if attestation cases have been granted or denied approval.

  2. Create company-specific processes for notifications.

  3. If notification should be sent immediately after an approval decision is made for a single approval step, enter the following data on the Mail templates tab of the approval step.

    Table 37: Properties of the approval step for notification

    Property

    Meaning

    Mail template approved

    Mail template to be used for email notification when an approval step is approved.

    Mail template denied

    Mail template to be used for email notification when an approval step is denied.

    - OR -

    If notification should be sent after the entire approval procedure is complete, enter the following data in the approval policy.

    Table 38: Properties of an approval policy for notifications

    Property

    Meaning

    Mail template approved

    Mail template to be used for email notifications when an attestation case is approved.

    Mail template denied

    Mail template to be used for email notifications when an attestation case is denied.

Detailed information about this topic
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating