Chat now with support
Chat with Support

Identity Manager 9.2 - Attestation Administration Guide

Attestation and recertification
One Identity Manager users for attestation Attestation base data Attestation types Attestation procedure Attestation schedules Compliance frameworks Chief approval team Attestation policy owners Standard reasons for attestation Attestation policies Sample attestation Grouping attestation policies Custom mail templates for notifications Suspending attestation Automatic attestation of policy violations
Approval processes for attestation cases
Approval policies for attestations Approval workflow for attestations Selecting attestors Setting up multi-factor authentication for attestation Prevent attestation by identity awaiting attestation Automatic acceptance of attestation approvals Phases of attestation Attestation by peer group analysis Approval recommendations for attestations Managing attestation cases
Attestation sequence Default attestations Mitigating controls Setting up attestation in a separate database Configuration parameters for attestation

Processing attestation mails

The Processes attestation mail approvals schedule starts the VI_Attestation_Process Approval Inbox process. This process runs the VI_MailApproval_ProcessInBox script, which searches the mailbox for new attestation mails and updates the attestation cases in the One Identity Manager database. The contents of the attestation mail are processed at the same time.

NOTE: The validity of the email certificate is checked with the VID_ValidateCertificate script. You can customize this script to suit your security requirements. Take into account that this script is also used for approval decisions for IT Shop requests by email.

If an self-signed root certification authority is used, the user account under which the One Identity Manager Service is running, must trust the root certificate.

TIP: The VI_MailApproval_ProcessInBox script finds the Exchange Web Service URL that uses AutoDiscover through the given mailbox as default. This assumes that the AutoDiscover service is running.

If this is not possible, enter the URL in the QER | Attestation | MailApproval | ExchangeURI configuration parameter.

Attestation mails are processed with the VI_MailApproval_ProcessMail script. The script finds the relevant approval decision, sets the Approved option if approval is granted, and stores the reason for the approval decision with the attestation cases. The attestor is found through the sender address. Then the attestation mail is removed from the mailbox depending on the selected cleanup method.

NOTE: If you use a custom mail template for the attestation mail, check the script and modify it as required. Take into account that this script is also used for approval decisions for IT Shop requests by email.

Adaptive cards attestation

To allow attestors who temporarily do not have access to the One Identity Manager tools to approve attestation cases, you can send adaptive cards. Adaptive cards contain all the information required for attesting the attestation case. These include:

  • Current and next attestor

  • Attestation history

  • Link to the attestation case in the Web Portal

  • Option to select a default reason or enter your own reason

  • Message stating that the attested entitlement is automatically withdrawn if attestation is denied.

  • Message stating whether the attestation object was already attested with the same attestation policy.

One Identity Starling Cloud Assistant uses a specified channel to post the adaptive cards to the attestor, waits for a response, and send this to the One Identity Manager. Currently Slack and Microsoft Teams can be used to post adaptive cards. In Starling Cloud Assistant, channels are configured and can be allocated to each recipient separately.

Prerequisites
Related topics

Using adaptive cards for attestations

Attestators must be registered as recipients in Starling Cloud Assistant to be able to make approval decisions about attestation cases. Each recipient must be allocated to a channel that will be used to post the adaptive card. One Identity Manager provides adaptive cards for requesting attestation in German and English. These can be customized if necessary.

By default, an approval decision must be made within 1 day. If this deadline is exceeded, the Web Portal must be used to approve the attestation case. You can configure the deadline.

To use adaptive cards for attestations

  1. In the Designer, set the QER | Person | Starling | UseApprovalAnywhere configuration parameter.

  2. Ensure that a default email address is stored in One Identity Manager for each identity that will use adaptive cards. This address must correspond to the email address that the identity uses to log in to Microsoft Teams or Slack.

    For detailed information about the default email address, see the One Identity Manager Identity Management Base Module Administration Guide.

  3. Ensure that a language can be identified for each identity that will use adaptive cards. This allows attestors to obtain adaptive cards in their own language.

    For more information, see the One Identity Manager Identity Management Base Module Administration Guide.

  4. In the Designer, disable the QER | Attestation | MailTemplateIdents | RequestApproverByCollection configuration parameter.

    - OR -

    Enable the Always send notification of pending attestations attestation policy. This allows adaptive cards to also be sent for certain attestation policies if the scheduled request for attestation by email notification is configured.

  5. On the Mail template tab, assign a Mail template request the approval steps.

  6. Register all the identities, who are going to use adaptive cards for attesting, as recipients in Starling Cloud Assistant and assign them to the channel to use.

  7. Install the Starling Cloud Assistant app that matches the channel.

    Every registered identity must install this app.

    For more information, see the One Identity Starling Cloud Assistant User Guide under https://support.oneidentity.com/starling-cloud-assistant/hosted/technical-documents.

  8. (Optional) Change the timeout for adaptive cards.

    • In the Designer, set the QER | Person | Starling | UseApprovalAnywhere | SecondsToExpire configuration parameter and adjust the value. Enter a timeout in seconds.

  9. (Optional) Provide a country-specific template for adaptive cards or make adjust the adaptive cards settings.

    If a language cannot be identified or there is no suitable template for the language found, en-US is used as fallback.

Detailed information about this topic

Adding and deleting recipients and channels

Attestors can be registered in Starling Cloud Assistant as recipients through an IT Shop request and allocated to a channel. By default, the requests are approved immediately by self-service. Then the recipients are registered and the requested channel is assigned to them. Once the attestor has installed the Starling Cloud Assistant app, they can use adaptive cards to attest.

To add a recipient in Starling Cloud Assistant

  • In the Web Portal, request the New Starling Cloud Assistant recipient product.

To allocate Microsoft Teams as a channel in Starling Cloud Assistant

  1. In the Web Portal, request the Teams channel for Starling Cloud Assistant recipient product.

  2. Install the Starling Cloud Assistant app for Microsoft Teams.

    For more information, see the One Identity Starling Cloud Assistant User Guide under https://support.oneidentity.com/starling-cloud-assistant/hosted/technical-documents.

To allocate Slack as a channel in Starling Cloud Assistant

  1. In the Web Portal, request the Slack channel for Starling Cloud Assistant recipient product.

  2. Install the Starling Cloud Assistant app for Slack.

    For more information, see the One Identity Starling Cloud Assistant User Guide under https://support.oneidentity.com/starling-cloud-assistant/hosted/technical-documents.

To delete a recipient in Starling Cloud Assistant

  • Cancel the New Starling Cloud Assistant recipient product.

To remove a channel

  • Cancel the respective product.

For more information about requesting and unsubscribing products, see the One Identity Manager Web Portal User Guide.

Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating