Chat now with support
Chat with Support

Identity Manager On Demand - Starling Edition Hosted - Attestation Administration Guide

Attestation and recertification
One Identity Manager users for attestation Attestation base data Attestation types Attestation procedure Attestation schedules Compliance frameworks Chief approval team Attestation policy owners Standard reasons for attestation Attestation policies Sample attestation Grouping attestation policies Custom mail templates for notifications Suspending attestation Automatic attestation of policy violations
Approval processes for attestation cases
Approval policies for attestations Approval workflow for attestations Selecting attestors Setting up multi-factor authentication for attestation Prevent attestation by identity awaiting attestation Automatic acceptance of attestation approvals Phases of attestation Attestation by peer group analysis Approval recommendations for attestations Managing attestation cases
Attestation sequence Default attestations Mitigating controls Setting up attestation in a separate database Configuration parameters for attestation

Assigning attestation policies

Use this task to specify for which attestation policies the mitigating control is valid.

To assign attestation policies to mitigating controls

  1. In the Manager, select the Risk index functions > Mitigating controls category.

  2. Select the mitigating control in the result list.

  3. Select the Assign attestation polices task.

    Assign the attestation policies in Add assignments.

    TIP: In Remove assignments, you can remove the assignment of attestation policies.

    To remove an assignment

    • Select the approval policy and double-click .

  4. Save the changes.

Calculating mitigation

The reduction in significance of a mitigating control supplies the value by which the risk index of an attestation policy is reduced when the control is implemented.One Identity Manager calculates a reduced risk index based on the risk index and the significance reduction. One Identity Manager supplies default functions for calculating reduced risk indexes. These functions cannot be edited with One Identity Manager tools.

The reduced risk index is calculated from the company policy and the significance reduced sum of all assigned mitigating controls.

Risk index (reduced) = Risk index - sum significance reductions

If the significance reduction sum is greater than the risk index, the reduced risk index is set to 0.

Setting up attestation in a separate database

Scheduled attestations are often processes that generate a high load. It is possible to outsource such processes to a separate database and thus relieve the central database. To synchronize both databases, set up system synchronization using the One Identity Manager connector. You can optimize use of One Identity Manager functionality by synchronizing with a central database, containing all the data, on a regular basis.

All data required for attestation are transferred from the central database to a work database. The attestation is set up and carried out in the work database. The results of the attestation are transferred to the central database. Subsequent processes, such as the withdrawing entitlements after attestation is denied or risk index calculations, are carried out in the central database.

Detailed information about this topic

Requirements for the central database

The prerequisites and guidance for connecting a One Identity Manager database apply, as described in the One Identity Manager User Guide for the One Identity Manager Connector.

Prerequisites
  • The central database has at least version 8.2.

  • The System Synchronization Service Module (ISM) is installed in the central database.

    • Disable the ISM | PrimaryDB | AppServer configuration parameter. The central database connection parameters are configured in the work database.

  • Even if the work and central database have the same product version, it is recommended you connect the central database through an application server and enable the required plug-ins. This is the only way to use the function that automatically revokes entitlements if attestation is denied.

The Attestation Module can be present in the central database, but it does not have to be. Regardless of this, attestation configuration, such as attestation policies or approval workflows, and the attestation cases themselves, are not synchronized with the central database. Only the attestations results are transferred to enable the evaluation and further processing of the results in the central database.

Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating