Chat now with support
Chat with Support

Identity Manager 9.2 - Attestation Administration Guide

Attestation and recertification
One Identity Manager users for attestation Attestation base data Attestation types Attestation procedure Attestation schedules Compliance frameworks Chief approval team Attestation policy owners Standard reasons for attestation Attestation policies Sample attestation Grouping attestation policies Custom mail templates for notifications Suspending attestation Automatic attestation of policy violations
Approval processes for attestation cases
Approval policies for attestations Approval workflow for attestations Selecting attestors Setting up multi-factor authentication for attestation Prevent attestation by identity awaiting attestation Automatic acceptance of attestation approvals Phases of attestation Attestation by peer group analysis Approval recommendations for attestations Managing attestation cases
Attestation sequence Default attestations Mitigating controls Setting up attestation in a separate database Configuration parameters for attestation

Notifications from additional attestors

The original attestor can be notified when an additional attestor or an identity who has been delegated an attestation has granted or denied the attestation. This mail is send the moment the approval step has been decided.

To send a notification when the additional attestor approves or rejects the attestation

  • In the Designer, set the QER | Attestation | MailTemplateIdents | InformAddingPerson configuration parameter.

    A notification is sent by default with the attestation - approval of added step mail template.

To send a notification when the identity who was delegated an approval approves or denies the attestation.

  • In the Designer, set the QER | Attestation | MailTemplateIdents | InformDelegatingPerson configuration parameter.

    A notification is sent by default with the attestation - approval of delegated step mail template.

TIP: To use custom mail templates for emails of this type, change the value of the configuration parameter.

Link for verifying new external users

If a new user logs in to the Web Portal or new external identities need to be certified, they receive an email containing a link to the Password Reset Portal. Using the link, identities verify their contact email address, set a password and password questions.

To send notification with a verification link

  • In the Designer, set the QER | Attestation | MailTemplateIdents | NewExternalUserVerification configuration parameter.

    By default, notification is sent using the Attestation - new external user verification link mail template.

TIP: To use something other than the default mail template for these notifications, change the value of the configuration parameter in the Designer.

Detailed information about this topic

Default mail templates

One Identity Manager supplies mail templates by default. These mail templates are available in English and German. If you require the mail body in other languages, you can add mail definitions for these languages to the default mail template.

To edit a default mail template

  • In the Manager, select the Attestation > Basic configuration data > Mail templates > Predefined category.

Related topics

Attestation by mail

To provide attestors who are temporarily unable to access One Identity Manager tools with the option of making attestation case decisions, you can set up attestation by email. In this process, attestors are notified by email when an attestation case is pending their approval. Approvers can use the links in the email to make approval decisions without having to connect to the Web Portal. This generates an email that contains the approval decision and in which attestors can state the reasons for their approval decision. This email is sent to a central mailbox. One Identity Manager checks this mailbox regularly, evaluates the incoming emails and updates the status of the attestation cases correspondingly.

IMPORTANT: An attestation cannot be sent by email if multi-factor authentication is configured for the attestation policy. Attestation emails for such attestations produce an error message.
Prerequisites
  • If you use a Microsoft Exchange mailbox, configure the Microsoft Exchange with:

    • Microsoft Exchange Client Access Server version 2007, Service Pack 1 or higher

    • Microsoft Exchange Web Service .NET API Version 1.2.1, 32-bit

  • If you use an Exchange Online mailbox, register an application in your Azure Active Directory tenant in the Microsoft Azure Management Portal. For example, One Identity Manager <Approval by mail>.

    For more information about how to register an application, see https://docs.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-authenticate-an-ews-application-by-using-oauth#register-your-application.

  • The One Identity Manager Service user account used to log into Microsoft Exchange or Exchange Online requires full access to the mailbox given in the QER | Attestation | MailApproval | Inbox configuration parameter.

  • The QER | Attestation | MailTemplateIdents | RequestApproverByCollection configuration parameter is not set.

    - OR -

    Always send notification of pending attestations is set on the attestation policy.

To set up attestation by email

  1. In the Designer, set the QER | Attestation | MailApproval | Inbox configuration parameter and enter the mailbox to which the approval mails are to be sent.

  2. Set up mailbox access.

    • If you use a Microsoft Exchange mailbox:

      • By default, One Identity Manager uses the One Identity Manager Service user account to log in to the Microsoft Exchange Server and access the mailbox.

        - OR -

      • You enter a separate user account for logging in to theMicrosoft Exchange Server for mailbox access.

        • In the Designer, set the QER | Attestation | MailApproval | Account configuration parameter and enter the user account's name.

        • In the Designer, set the QER | Attestation | MailApproval | Domain configuration parameter and enter the user account's domain.

        • In the Designer, set the QER | Attesatation | MailApproval | Password configuration parameter and enter the user account's password.

    • If you use an Exchange Online mailbox:

      • In the Designer, set the QER | Attestation | MailApproval | AppId configuration parameter and enter the application ID that was generated when the application was registered in the Azure Active Directory tenant.

      • In the Designer, set the QER | Attestation | MailApproval | Domain configuration parameter and enter the domain for logging into Azure Active Directory.

      • In the Designer, set the QER | Attestation | MailApproval | Password configuration parameter and enter the client secret (application password) for the application.

  3. In the Designer, set the QER | Attestation | MailTemplateIdents | ITShopApproval configuration parameter.

    The mail template used to create the attestation mail is stored with this configuration parameter. You can use the default mail template or add a custom mail template.

    TIP: To use a company-specific mail template for attestation mails, change the value of the configuration parameter.To use a company-specific mail template for approval decision mails, change the value of the configuration parameter. In this case, also change the VI_MailApproval_ProcessMail script.

  4. Assign the following mail templates to the approval steps.

    Table 39: Mail templates for approval by mail

    Property

    Mail template

    Mail template request

    Attestation - approval required (by mail)

    Mail template reminder

    Attestation - remind approver (by mail)

    Mail template delegation

    Attestation - delegated/additional approval (by mail)

    Mail template rejection

    Attestation - reject approval (by mail)

  5. In the Designer, configure and enable the Processes attestation mail approvals schedule.

    Based on this schedule, One Identity Manager regularly checks the mailbox for new attestation mails. The mailbox is checked every 15 minutes. You can change how frequently it checks, by altering the interval in the schedule as required.

To clean up a mail box

  • In the Designer, set the QER | Attestation | MailApproval | DeleteMode configuration parameter and select one of the following values.

    • HardDelete: The processed email is immediately deleted.

    • MoveToDeletedItems: The processed email is moved to the Deleted objects mailbox folder.

    • SoftDelete: The processed email is moved to the Active Directory recycling bin and can be restored if necessary.

    NOTE: If you use the MoveToDeletedItems or SoftDelete cleanup method, you should empty the Deleted objects folder and the Active Directory recycling bin on a regular basis.

Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating