Chat now with support
Chat with Support

Identity Manager 9.1.2 - Attestation Administration Guide

Attestation and recertification
One Identity Manager users for attestation Attestation base data Attestation types Attestation procedure Attestation schedules Compliance frameworks Chief approval team Attestation policy owners Standard reasons for attestation Attestation policies Sample attestation Grouping attestation policies Custom mail templates for notifications Suspending attestation
Approval processes for attestation cases
Approval policies for attestations Approval workflow for attestations Selecting attestors Setting up multi-factor authentication for attestation Prevent attestation by employee awaiting attestation Phases of attestation Attestation by peer group analysis Managing attestation cases
Attestation sequence Default attestation and withdrawal of entitlements User attestation and recertification Certifying new roles and organizations Mitigating controls Setting up attestation in a separate database Configuration parameters for attestation

Editing approval levels

An approval level provides a method of grouping individual approval steps. All the approval steps in one approval level are run in parallel. All the approval steps for different approval levels are run one after the other. You use the connectors to specify the order.

Specify the individual approval steps in the approval levels. At least one approval step is required per level. Enter the approval steps first before you add an approval level.

To add an approval level

  1. Select the Toolbox > Approval levels > Add item.

    This opens the properties dialog for the first approval step.

  2. Enter the approval step properties.

  3. Save the changes.

You can edit the properties of an approval level as soon as you have added an approval level with at least one approval step.

To edit approval level properties

  1. Select the approval level.

  2. Select the Toolbox > Approval levels > Edit item.

  3. Enter a display name for the approval level.

  4. Save the changes.
NOTE: You can define more than one approval step for each approval level. In this case, the attestors of an approval level can make a decision about an attestation case in parallel rather than sequentially. The attestation case cannot be presented to the attestors at the next approval level until all approval steps in one approval level have been completed in the attestation procedure.

To add more approval steps to an approval level

  1. Select the approval level.

  2. Select the Toolbox > Approval steps > Add item.

  3. Enter the approval step properties.

  4. Save the changes.
Related topics

Editing approval steps

To edit approval level properties

  1. Select the approval step.

  2. Select the Toolbox > Approval steps > Edit item.

  3. Edit the approval step properties.

  4. Save the changes.
Detailed information about this topic

Properties of an approval step

On the General tab, enter the data described below. On the Mail templates tab, select the mail templates for generating mail notifications. If you add a new approval step, you must fill out the required fields.

Table 26: General properties of an approval step

Property

Meaning

Single step

Approval step name.

Approval procedure

Procedure to use for determining the attestors.

Role

Hierarchical role from which to determine the attestors.

The role is used in the OM and OR default approval procedures. Additionally, you can use the role if you use a custom approval procedure in the approval step.

Fallback approver

Application role whose members are authorized to approve attestation cases if an attestor cannot be determined through the approval procedure. Assign an application from the menu.

To create a new application role, click . Enter the application role name and assign a parent application role. For more information, see the One Identity Manager Authorization and Authentication Guide.

NOTE: The number of approvers is not applied to the fallback approvers. The approval step is considered approved the moment as soon as one fallback approver has approved the request.

Condition

Condition for calculating the approval decision. The condition is used in the CD, EX, or WC default approval procedures. Additionally, you can use the role if you use a custom approval procedure in the approval step.

Number of approvers

Number of attestors required to approve an attestation case. Use this number to further restrict the maximum number of approvers of the implemented approval procedure.

If there are several people allocated as approvers, then this number specifies how many people from this group have to approve an attestation case. A request can only be passed up to next level afterwards.

If you want approval decisions to be made by all the employees found using the applicable approval procedure, for example all members of a role (default approval procedure OR), enter the value -1. This overrides the maximum number of attestors defined in the approval procedure.

If not enough attestors can be found, the approval step is presented to the fallback approvers. The approval step is considered approved as soon as one fallback approver has approved the attestation case.

If an approval decision is made by the chief approval team, it overrides the approval decision of just one regular attestor. This means, if three attestors must approve an approval step and the chief approval team one of the decision, two more are still required.

The number of approvers defined in an approval step is not taken into account in the approval procedures CD, EX,or WC.

Description

Text field for additional explanation.

Approval reason

Reason entered in the attestation case if approval is automatically granted.

This field is only shown for the approval procedures CD, EX, and WC.

Reject reason

Reason entered in the attestation case and the attestation history, if approval is automatically denied.

This field is only shown for the approval procedures CD, EX, and WC.

Reminder after (minutes)

Number of minutes to elapse after which the attestor is notified by mail that there are still pending attestation cases for attestation. The input is converted into working hours and displayed additionally.

The reminder interval is set to 30 minutes, by default. To change this interval, modify the Checks reminder interval and timeout of attestation cases schedule.

NOTE: Ensure that a state, county, or both is entered into the employee's main data of determining the correct working hours. If this information is missing, a fallback is used to calculate the working hours. For more information about calculating employees' working hours, see the One Identity Manager Identity Management Base Module Administration Guide.

TIP: Weekends and public holidays are taken into account when working hours are calculated. If you want weekends and public holidays to be dealt with in the same way as working days, set the QBM | WorkingHours | IgnoreHoliday or QBM | WorkingHours | IgnoreWeekend configuration parameter. For more information about this, see the One Identity Manager Configuration Guide.

If more than one attestor was found, each attestor will be notified. The same applies if an additional attestor has been assigned.

If an attestor delegated the approval, the time point for reminding the delegation recipient is recalculated. The delegation recipient and all the other attestors are notified. The original attestor is not notified.

If an attestor has made an inquiry, the time point for reminding the queried employee is recalculated. As long as the inquiry has not been answered, only this employee is notified.

Timeout (minutes)

Number of minutes to elapse after which the approval step is automatically granted or denied approval. The input is converted into working hours and displayed additionally.

The timeout is check every 30 minutes, by default. To change this interval, modify the Checks reminder interval and timeout of attestation cases schedule.

The working hours of the respective approver are taken into account when the time is calculated.

NOTE: Ensure that a state, county, or both is entered into the employee's main data of determining the correct working hours. If this information is missing, a fallback is used to calculate the working hours. For more information about calculating employees' working hours, see the One Identity Manager Identity Management Base Module Administration Guide.

TIP: Weekends and public holidays are taken into account when working hours are calculated. If you want weekends and public holidays to be dealt with in the same way as working days, set the QBM | WorkingHours | IgnoreHoliday or QBM | WorkingHours | IgnoreWeekend configuration parameter. For more information about this, see the One Identity Manager Configuration Guide.

If more than one approver was found, then an approval decision for the approval step is not automatically made until the timeout for all approvers has been exceeded. The same applies if an additional approver has been assigned.

If an approver delegated approval, the time point for automatic approval is recalculated for the new approver. If this approval is rejected, the time point for automatic approval is recalculated for the original approver.

If an approver is queried, the approval decision must be made within the defined timeout anyway. The time point for automatic approval is not recalculated.

If additional approvers are determined by recalculating the current approvers, then the automatic approval deadline is not extended. The additional approvers must approve within the time frame that applies to the current approver.

Timeout behavior

Action that is run if the timeout expires.

  • Approved: The attestation case is approved in this approval step. The next approval level is called.

  • Deny: The attestation case is denied in this approval step. The approval level for denying is called.

  • Escalation: The attestation case is escalated. The escalation approval level is called.

  • Cancel: The approval step and, therefore, the entire attestation procedure, is canceled.

Reason type on approval

Specifies which type of reason is required when granting approval to this approval step.

  • Optional: A reason can be provided if required.

  • Standard reason required: A standard reason must be selected.

  • Free text required: A reason must be given. This can be any text.

Reason type on denial

Specifies which type of reason is required when denying approval to this approval step.

  • Optional: A reason can be provided if required.

  • Standard reason required: A standard reason must be selected.

  • Free text required: A reason must be given. This can be any text.

Additional approver possible

Specifies whether a current attestor is allowed to instruct another employee as an attestor. This additional attestor has parallel authorization to make approvals for the current attestation case. The attestation case is not passed on to the next approval level until both attestors have made a decision.

This option can only be set for approval levels with a single, manual approval step.

Approval can be delegated

Specifies whether a current attestor can delegate the attestation to another person. This employee is added to the current approval step as the attestor and then makes the approval decision instead of the attestor who delegated.

This option can only be set for approval levels with a single, manual approval step.

Approval by affected employee

Specifies whether the employee who is affected by the approval decision can also approve it. If this option is set, employees to be attested can attest themselves.

If this option is not set, use the QER | Attestation | PersonToAttestNoDecide configuration parameter to define whether the employees to be attested can attest themselves.

Do not show in approval history

Specifies whether or not the approval step should be displayed in the attestation history. For example, this behavior can be applied to approval steps with the CD - calculated approval procedure, which are used only for branching in the approval workflow. It It makes it easier to follow the attestation history.

Escalate if no approver found

Specifies whether the approval step is escalated if no attestor can be found and no fallback approver is assigned. In this case, the attestation case is neither canceled nor passed to the chief approval team.

This option can only be enabled if an approval level is linked to escalation.

Detailed information about this topic
Related topics

Connecting approval levels

When you set up an approval workflow with several approval levels, you have to connect each level with another. You may create the following links.

Table 27: Links to approval levels

Link

Description

Approve

Link to next approval level if the current approval level was granted approval.

Deny

Link to next approval level if the current approval level was not granted approval.

Reroute

Link to another approval level to bypass the current approval.

Attestors can pass the approval decision through another approval level, for example, if approval is required by a manager in an individual case. To do this, create a connection to the approval levels to which the approval can be rerouted. This way, approvals can also be rerouted to a previous approval level, for example, if an approval decision is considered not to be well-founded. Starting from one approval level, more than one reroute can lead to different approval levels. The attestors select, in the Web Portal, which of these approval levels to reroute the approval to.

It is not possible to reroute approval steps with the approval procedures EX, CD, SB, or WC.

Escalation

Link to another approval level when the current approval level is escalated after timing out.

If there are no further approval levels after the current approval level, the attestation case is considered approved if the approval decision was to grant approval. If approval is not granted, the attestation case is considered to be finally denied. The attestation procedure is closed in both cases.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating