Chat now with support
Chat with Support

Identity Manager 9.2 - Attestation Administration Guide

Attestation and recertification
One Identity Manager users for attestation Attestation base data Attestation types Attestation procedure Attestation schedules Compliance frameworks Chief approval team Attestation policy owners Standard reasons for attestation Attestation policies Sample attestation Grouping attestation policies Custom mail templates for notifications Suspending attestation Automatic attestation of policy violations
Approval processes for attestation cases
Approval policies for attestations Approval workflow for attestations Selecting attestors Setting up multi-factor authentication for attestation Prevent attestation by identity awaiting attestation Automatic acceptance of attestation approvals Phases of attestation Attestation by peer group analysis Approval recommendations for attestations Managing attestation cases
Attestation sequence Default attestations Mitigating controls Setting up attestation in a separate database Configuration parameters for attestation

Attestation history

The attestation history displays each step of an attestation case. Here you can follow all the approvals in the approval process in a chronological sequence. The attestation history is displayed for pending and closed attestations.

To display an attestation case in the attestation history

  1. In the Manager, select the category

    • Attestation > Attestation runs > Attestation policies > <attestation policy> > Attestation runs > <year> > <month> > <day> - OR -

    • Attestation > Attestation run > Policy collections > <policy collection> > Attestation runs > <year> > <month> > <day>.

  2. Select the Pending attestations or the Closed attestations filter.

  3. Select an attestation case from the result list.

  4. Select the Attestation history report.

These elements are colored. The color code reflects the status of the approval steps.

Table 35: Meaning of colors in the attestation history

Color

Meaning

Yellow

Attestation case set up.

Green

Attestor has approved.

Red

Attestor has denied.

Attestation has been escalated.

Attestor has recalled the approval decision

Gray

Attestation has been canceled.

Case has been assigned to an extra attestor.

Additional attestor has withdrawn approval decision.

Approval has been delegated.

New attestor has withdrawn the delegation.

Orange

Attestor has a question.

The query has been answered.

Query was canceled due to change of approver.

Blue

Attestor has rerouted approval.

The approval step was reset automatically.

Modifying approval workflows for pending attestation cases

When approval workflows are changed, a decision must be made as to whether these changes should be applied to pending attestation cases. Configuration parameters are used to define the desired procedure.

Scenario: Another approval workflow was stored with the approval policy

The newly stored workflow is only used in new requests. If changes have been made to the approval workflow in an approval policy, any pending approval processes are continued by default with the original workflow. The newly stored workflow is only used in new attestation cases. You can configure different behavior.

To specify how to handle pending attestation cases

  • In the Designer, enable the QER | Attestation | OnWorkflowAssign configuration parameter and select one of the following values.

    • CONTINUE: Ongoing approval processes are continued with the originally applicable workflow. The newly stored workflow is only used in new attestation cases.

      This behavior also applies if the configuration parameter is not set.

    • RESET: In ongoing approval processes, all approval decisions already taken are reset. The approval processes are restarted with the newly stored workflow. The attestation cases are run through the approval process again.

    • ABORT: Ongoing approval processes are stopped. All pending attestation cases are closed. The next automatic or manual start of the attestation uses the new approval workflow.

A working copy of the originally applicable workflow is saved. The working copy is retained as long as it is used in ongoing approval processes. All unused working copies are regularly deleted using the Maintenance approval workflows schedule.

Scenario: A change was made to an approval workflow in use

If changes have been made to an approval workflow that is being used in pending attestation cases, any pending approval processes are continued by default with the original workflow. The changes to the approval workflow are only implemented for new attestation cases. You can configure different behavior.

To specify how to handle pending attestation cases

  • In the Designer, enable the QER | Attestation | OnWorkflowUpdate configuration parameter and select one of the following values.

    • CONTINUE: Ongoing approval processes are continued with the originally applicable approval workflow. The changes to the approval workflow are only implemented for new attestation cases.

      This behavior also applies if the configuration parameter is not set.

    • RESET: In ongoing approval processes, all approval decisions already taken are reset. The approval processes are restarted with the changed approval workflow. The attestation cases are run through the approval process again.

    • ABORT: Ongoing approval processes are stopped. All pending attestation cases are closed. The next automatic or manual start of the attestation uses the changed approval workflow.

A working copy of the approval workflow that contains the original version is saved. This working copy is retained as long as it is used in ongoing approval processes. All unused working copies are regularly deleted using the Maintenance approval workflows schedule.

Related topics

Closing attestation cases for deactivated identities

Pending attestation cases must still be processed even if they have permanently deactivated in the meantime. This is not required very often because the affected identity may have, for example, left the company. In this case, you can use the option to close an identity's pending attestation cases automatically, if the identity is permanently disabled.

To close attestation cases automatically

  • In the Designer, set the QER | Attestation | AutoCloseInactivePerson configuration parameter.

The configuration parameter only applies if the identity to be attested is deactivated after the attestation case was created.

The configuration parameter does not apply if the identity is temporarily deactivated.

TIP: Write a corresponding condition for finding the attestation object on the attestation policies to prevent attestation cases being created for deactivated identities. For more information, see General main data of attestation policies.

Deleting attestation cases

The AttestationCase table expands very quickly when attestation is performed regularly. To limit the number of attestation cases in the One Identity Manager database, you can delete obsolete, closed attestation cases from the database. The attestation case properties are logged and then the attestation cases are deleted. The same number of attestation cases remain in the database as are specified in the attestation policy. For more information about logging data changes tags, see the One Identity Manager Configuration Guide.

NOTE: Ensure that the logged request procedures are archived for audit reasons. For more information about the archiving process, see the One Identity Manager Data Archiving Administration Guide.

Prerequisites

  • The Common | ProcessState | PropertyLog configuration parameter is enabled.

  • The attestation policy is enabled.

To delete attestation cases automatically

  1. Set the Log changes when deleting option on at least three columns in the AttestationCase table.

    1. In the Designer, select the Database schema > Tables > AttestationCase category.

    2. Select the Show table definition task.

      This opens the Schema Editor.

    3. Select a column in the Schema Editor.

    4. In the edit view of the schema editor, select the More tab.

    5. Set the option Log changes when deleting.

    6. Repeat steps (c) to (e) for all columns that are to be recorded on deletion. There must be at least three.

    7. Click on Commit to database and save the changes.

      The changes take effect as soon as the DBQueue Processor has performed the calculation tasks.

  2. Set the Log changes when deleting option on at least three columns in the AttestationHistory table.

    1. In the Designer, select the Database schema > Tables > AttestationHistory category.

    2. Repeat the steps 1(b) to 1(h) for the AttestationHistory table.

  3. Enter the number of obsolete cases in the attestation policies.

    1. In the Manager, select the Attestation > Attestation policies category.

    2. Select the attestation policy in the result list whose attestation cases should be deleted.

    3. Select the Change main data task.

    4. In the Obsolete tasks limit field, enter a value greater than 0.

    5. Save the changes.
TIP: If you want to prevent attestation cases being deleted for certain attestation policies, enter the value 0 for the obsolete task limit for these attestation policies.

Attestation cases are deleted as soon as a new attestation is started for an attestation policy.

One Identity Manager tests how many closed attestation cases exists in the database for each attestation object of this attestation policy. If the number is more than the number of obsolete attestation cases:

  • The attestation case properties and their approval sequence are recorded.

    All columns are recorded, which are marked for logging on deletion.

  • The attestation cases are deleted.

    The same number of attestation cases remain in the database as are specified in the obsolete tasks limit.

If the Common | ProcessState | PropertyLog configuration parameter is deactivated later or not enough columns are marked with the Record on delete option, the value for Number of obsolete processes has no effect.

Notes for disabling attestation policies
  • Disabling an attestation policy always deletes all attestation cases.

  • The number of obsolete cases is not taken into account.

  • The attestation case are also deleted if the Common | ProcessState | PropertyLog configuration parameter is disabled. In this case, the deleted attestation cases are not logged.

Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating