Chat now with support
Chat with Support

Identity Manager On Demand - Starling Edition Hosted - Attestation Administration Guide

Attestation and recertification
One Identity Manager users for attestation Attestation base data Attestation types Attestation procedure Attestation schedules Compliance frameworks Chief approval team Attestation policy owners Standard reasons for attestation Attestation policies Sample attestation Grouping attestation policies Custom mail templates for notifications Suspending attestation Automatic attestation of policy violations
Approval processes for attestation cases
Approval policies for attestations Approval workflow for attestations Selecting attestors Setting up multi-factor authentication for attestation Prevent attestation by identity awaiting attestation Automatic acceptance of attestation approvals Phases of attestation Attestation by peer group analysis Approval recommendations for attestations Managing attestation cases
Attestation sequence Default attestations Mitigating controls Setting up attestation in a separate database Configuration parameters for attestation

Predefined standard reasons for attestations

One Identity Manager provides predefined standard reasons. These are added to the attestation case by One Identity Manager during automatic approval. You can use the usage type to specify which standard reasons can be selected in the Web Portal.

To change the usage type

  1. In the Manager, select the Attestation > Basic configuration data > Standard reasons > Predefined category.

  2. Select the standard reason whose usage type you want to change.

  3. Select the Change main data task.

  4. In the Usage type menu, set all the actions where you want to display the standard reason in the Web Portal.

    Unset all the actions where you do not want to display the default reason.

  5. Save the changes.
Related topics

Attestation policies

Attestation policies specify the concrete conditions for attestation. Use the main data form to enter the attestation procedure, approval policy and the schedule. You can use a WHERE clause to limit the attestation objects.

To edit attestation polices

  1. In the Manager, select the Attestation > Attestation policies category.

  2. Select an attestation policy in the result list and run the Change main data task.

    - OR -

    Click in the result list.

  3. Edit the main data of the attestation policy.

  4. Save the changes.

General main data of attestation policies

Enter the following data for attestation policies.

Table 11: General main data of attestation policies

Property

Description

Attestation policy

Name of the attestation policy.

Attestation procedure

Attestation procedure used for attesting. Attestation procedures are displayed in a menu grouped by attestation type.

Approval policies

Approval policy for determining the attestor for the attestation objects.

Owner

Creator of the attestation policy. The name of the user logged in to One Identity Manager is entered here by default. This can be changed.

Owner (application role)

Application role whose members may edit the attestation policy.

To create a new application role, click . Enter the application role name and assign a parent application role.

Policy collection

Policy collection used to start the attestation.

You can us policy collections to group together various attestation policies and run them collectively.

Sample

Sample that can be used for attestations. A sample can only be assigned to exactly one attestation policy.

To create a new sample, click . Enter the name of the sample and assign the table from which to take the data for the sample.

You cannot assign samples to default attestation policies.

Time required (days)

Number of days within which a decision must be made over the attestation. Enter 0 if you do not want to specify a particular processing period.

Weekends and holidays are included by default when calculating the due date of attestation cases. If weekends and holidays should be treated as working days, set the QER | Attestation | UseWorkingHoursDefinition, QBM | WorkingHours | IgnoreHoliday, and QBM | WorkingHours | IgnoreWeekend configuration parameters. For more information about calculating working hours, see the One Identity Manager Configuration Guide.

One Identity Manager does not stipulate which actions are carried out if processing times out. Define your own custom actions or evaluations to deal with this situation.

Description

Text field for additional explanation.

Risk index

Specifies the risk for the company if attestation for this attestation policy is denied. Use the slider to enter a value between 0 and 1.

  • 0: No risk.

  • 1: The denied attestation is a problem.

This input field is only visible if the QER | CalculateRiskIndex configuration parameter is activated.

Risk index (reduced)

Show the risk index taking mitigating controls into account. The risk index for an attestation policy is reduced by the Significance reduction value for all assigned mitigating controls.

This input field is only visible if the QER | CalculateRiskIndex configuration parameter is activated. The value is calculated by One Identity Manager and cannot be edited.

Calculation schedule

Schedule for running attestation. Attestation cases are started automatically at the times specified by the schedule.

If a policy collection is assigned, the input field is disabled. The policy collection's schedule applies.

Language

Language in which the information to be attested is displayed.

If there is not language specified, the information is generated in the same language as the device that started the attestation.

Disabled

Specifies whether the attestation policy is disabled or not.

Attestation cases cannot be added to disabled attestation policies and, therefore, attestation is not carried out. Disabled attestation policies can be deleted.

Closed attestation cases can be deleted once the attestation policy is disabled.

Display objects to be attested

Specifies whether the objects affected by the attestation policy are calculated and displayed on the overview form.

No empty attestation runs

Specifies whether to generate an empty attestation run if there can be no attestation object found when calculating the attestation case.

Enabled: Does not generate an empty attestation run. This means that it is not possible to subsequently determine whether the attestation was started normally.

Disabled: An attestation run is generated without an attestation case. This means it is possible that the attestation was started but no objects to attest were found.

Always send notification of pending attestations

Specifies whether to send adaptive cards or individual emails about pending attestations even if the QER | Attestation | MailTemplateIdents | RequestApproverByCollection configuration parameter is set.

Close obsolete tasks automatically

Specifies whether pending attestation cases are canceled if new ones are added.

If attestation is started and this option is set, new attestation cases are created according to the condition. All pending, obsolete attestation cases for newly determined attestation objects of this attestation policy are stopped. Attestation cases for attestation objects that are not recalculated, remain intact.

Obsolete tasks limit

Specifies the maximum number of closed attestation cases for each attestation object that should remain in the database when closed attestation cases are deleted.

  • 0: No attestation cases are deleted.

  • > 0: The given number of closed attestation cases for each attestation object to remain in the database.

The value can be edited only if the Delete attestation cases function is configured. For more information, see Deleting attestation cases.

Terms of use

Terms of use are presented to attestors as a PDF file. For example, this can be the current policies.

Reason for decision

Reason that is given if the Close obsolete tasks automatically option is set and pending attestation cases are automatically closed.

Output format

Format in which the report is generated.

This menu is only visible if the QER | Attestation | AllowAllReportTypes configuration parameter is set. If the configuration parameter is not set, the default PDF format is used because it is the only format that is version compatible.

Reason type on approval

Specifies which type of reason is required when the attestation is granted approval.

  • Optional: A reason can be provided if required.

  • Reason required (standard or free): A standard reason must be selected or a reason given with any text.

  • Free text required: A reason must be given with freely selected text.

NOTE: In the Web Designer Web Portal this information is not used. No distinction is made between the different types of reasons.

Reason type on denial

Specifies which type of reason is required when the attestation is denied approval.

  • Optional: A reason can be provided if required.

  • Reason required (standard or free): A standard reason must be selected or a reason given with any text.

  • Free text required: A reason must be given with freely selected text.

NOTE: In the Web Designer Web Portal this information is not used. No distinction is made between the different types of reasons.

Edit connection...

Starts the WHERE clause wizard. Use this wizard to create or edit a condition to determine the attestation objects from the database table specified in the attestation procedure.

Condition

Data query for finding attestation objects.

This shows the input field for new attestation policies.

NOTE: For sample attestation, the condition must also query the sample data. There is a template to help set up the condition. This condition can be changed if necessary.

Example of attesting identities using a sample:

EXISTS (SELECT 1 FROM 
    (
    SELECT ObjectKeyItem FROM QERPickedItem 
        WHERE UID_QERPickCategory = '$UID_QERPickCategory$'
    ) as
    WHERE X.ObjectKeyItem = Person.XObjectKey) 

Example of attesting user accounts using a sample of identities:

EXISTS (SELECT 1 FROM 
    (
    SELECT UID_Person FROM Person WHERE EXISTS 
        (
        SELECT 1 FROM 
            (
            SELECT ObjectKeyItem FROM QERPickedItem 
                WHERE UID_QERPickCategory = '$UID_QERPickCategory$'
            ) as
            WHERE X.ObjectKeyItem = Person.XObjectKey
    ) ) as
    WHERE X.UID_Person = UNSAccount.UID_Person)

To show the condition for existing attestation policies, run the Show condition task.

Approval by multi-factor authentication

Attestation of this attestation policy requires multi-factor authentication.

Set certification status to "Certified"

Specifies whether the certification status of the attested object is set to Certified if the attestation case was approved in the end.

Set certification status to "Denied"

Specifies whether the certification status for the attested object is set to Denied if the attestation case was denied in the end.

NOTE: You can only edit attestation policies in the Web Portal that were created in the Web Portal. You will see a corresponding message on the main data form as to whether the attestation policy as created in the Web Portal.

If you want to edit attestation policies like this, create a copy in the Manager.

For more information about editing attestation policies in the Web Portal, see the One Identity Manager Web Designer Web Portal User Guide.

Detailed information about this topic
Related topics

Specifying risk indexes for attestation guidelines

You can use One Identity Manager to evaluate the risk of attestation cases. To do this, enter a risk index for the attestation policy. The risk index specifies the risk involved for the company in connection with the data to be attested. The risk index is given as a number in the range 0 .. 1. By doing this you specify whether data to be attested is considered not to be a risk (risk index = 0) or whether every denied attestation poses a problem (risk index = 1).

The risk that attestations will be denied approval can be reduced by using the appropriate mitigating controls. Enter these controls as mitigating controls in One Identity Manager. You reduce the risk by the value entered as the significance reduction on the mitigating control. This value is used to calculate the reduced risk index for the attestation policy.

You can create several reports with the Report Editor to evaluate attestation cases depending on the risk index. For more information, see the One Identity Manager Configuration Guide.

Risk assessments can be carried out when the QER | CalculateRiskIndex configuration parameter is enabled. For more information, see the One Identity Manager Risk Assessment Administration Guide.

Detailed information about this topic
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating