Identity Manager 9.3 - Attestation Administration Guide


Waiting for further approval

NOTE: Only one approval step can be defined with the WC approval procedure per approval level.

If you want to ensure that a specific data state exists in One Identity Manager before an attestation case is finally approved, use the WC approval procedure. Use a condition to specify which prerequisites must be fulfilled before attestation can proceed. The condition is evaluated as a function call; the function must accept the UID of the attestation case (AttestationCase.UID_AttestationCase) as its parameter and use that UID to reference the attestation object. The function returns an integer, and one of the following three actions is carried out depending on the sign of the return value.

Table 27: Return value for deferred approval

Return value > 0: The condition is fulfilled. Deferred approval has completed successfully. The next approval step (in case of success) is carried out.

Return value = 0: The condition is not yet fulfilled. Approval is rolled back and is retested the next time the DBQueue Processor runs.

Return value < 0: The condition is not fulfilled. Deferred approval has failed. The next approval step (in case of failure) is carried out.

To use the WC approval procedure

  1. Create a database function which tests the condition for the attestation.

  2. Create an approval step with the WC approval procedure. Enter the function call in Condition.

    Syntax: dbo.<function name>

  3. Specify an approval step in the case of success. Use the approval procedure with which One Identity Manager can determine the attestors.

  4. Specify an approval step in the case of failure.
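The following T-SQL function is an added illustration of step 1 and is not code from the One Identity Manager documentation or product. It implements a WC condition that only lets an attestation case for a compliance rule proceed once that rule has a responsible organization assigned. The table and column names (AttestationCase, ObjectKeyBase, ComplianceRule, XObjectKey, IsWorkingCopy, UID_OrgResponsible) are those cited on this page; the function name with its CCC_ prefix, the varchar(38) UID type and the specific negative codes are assumptions for the example.

```sql
-- Added example for a WC approval step condition (not part of the product).
-- Return value > 0: fulfilled, 0: not yet fulfilled (retest on next DBQueue
-- Processor run), < 0: failed. Entered in the approval step as
-- Condition: dbo.CCC_AttestationRuleHasOwner
CREATE FUNCTION dbo.CCC_AttestationRuleHasOwner (@UID_AttestationCase varchar(38))
RETURNS int
AS
BEGIN
    DECLARE @ObjectKeyBase nvarchar(max);
    DECLARE @UID_OrgResponsible varchar(38);

    -- Resolve the object key of the attested object for this case
    SELECT @ObjectKeyBase = ac.ObjectKeyBase
    FROM AttestationCase ac
    WHERE ac.UID_AttestationCase = @UID_AttestationCase;

    -- No such case: fail the deferred approval so the failure step runs
    IF @ObjectKeyBase IS NULL
        RETURN -1;

    -- The case must attest a productive (non working-copy) compliance rule
    IF NOT EXISTS (SELECT 1
                   FROM ComplianceRule cr
                   WHERE cr.XObjectKey = @ObjectKeyBase
                     AND cr.IsWorkingCopy = '0')
        RETURN -2;

    SELECT @UID_OrgResponsible = cr.UID_OrgResponsible
    FROM ComplianceRule cr
    WHERE cr.XObjectKey = @ObjectKeyBase
      AND cr.IsWorkingCopy = '0';

    -- Precondition not yet met: roll back, the DBQueue Processor retests later
    IF @UID_OrgResponsible IS NULL
        RETURN 0;

    -- Precondition met: continue with the success step
    RETURN 1;
END;
```

Keep the function read-only: it is re-evaluated on every DBQueue Processor run while the case waits, so it must not change data or depend on state that only the approver can see. Distinguishing the "not yet" case (0) from permanent failures (< 0) matters, because a permanent failure sends the case to the failure step instead of leaving it pending indefinitely.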


Setting up approval procedures

You can create your own approval procedures if the default approval procedures for finding the responsible attestors do not meet your requirements. The condition used to determine the attestors is formulated as a database query. Several queries may be combined into one condition.

To set up an approval procedure

  1. In the Manager, select the Attestation > Basic configuration data > Approval procedures category.

  2. Click the add (new object) button in the result list.

  3. Edit the approval procedure main data.

  4. Save the changes.

To edit an approval procedure

  1. In the Manager, select the Attestation > Basic configuration data > Approval procedures > Predefined category.

  2. Select an approval procedure from the result list and run the Change main data task.

  3. Edit the approval procedure main data.

  4. Save the changes.

To edit the condition

  1. In the Manager, select the Attestation > Basic configuration data > Approval procedures > Predefined category.

  2. Select an approval procedure from the result list.

  3. Select Change queries for approver selection.


General main data of an approval procedure

Enter the following main data of an approval procedure.

Table 28: General main data of an approval procedure

Property

Description

Approval procedure

Descriptor for the approval procedure (maximum two characters).

Short description

Short phrase to describe the approval procedure.

DBQueue Processor task

Approvals can either be made automatically through a DBQueue Processor calculation task or by specified approvers. Assign a custom DBQueue Processor task if the approval procedure should make an automatic approval decision.

You cannot assign a DBQueue Processor task if a query for determining attestors has already been entered for the approval procedure; the two mechanisms are mutually exclusive.

Max. approvers

Maximum number of attestors to be determined by the approval procedure. Specify how many identities must really make approval decisions in the approval steps used by this approval procedure.

Sort order

Value for sorting approval procedures in the drop-down.

  • Specify the value 10 to display this approval procedure at the top of the drop-down when you set up an approval step.

  • To hide the approval procedure in the drop-down, define a negative value. These approval procedures are displayed in the Manager under the Hidden in Workflow Editor filter.

TIP: It is also possible to change the order for default approval procedures. Move more frequently used approval procedures to the top; hide unused approval procedures.

Description

Detailed description of the approval procedure.


Queries for finding attestors

The condition used to determine the attestors is formulated as a database query. Several queries may be combined into one condition. This adds all identities determined by single queries to the group of attestors.

To edit the condition

  1. In the Manager, select the Attestation > Basic configuration data > Approval procedures > Predefined category.

  2. Select an approval procedure from the result list.

  3. Select Change queries for approver selection.

To create single queries

  1. Click Add.

    This inserts a new row in the table.

  2. Mark this row. Enter the query properties.
  3. Add more queries if required.
  4. Save the changes.

To edit a single query

  1. Select the query you want to edit in the table. Edit the query's properties.
  2. Save the changes.

To remove single queries

  1. Select the query you want to remove in the table.
  2. Click Delete.
  3. Save the changes.
Table 29: Query properties

Property

Description

Approver selection

Query identifier that determines the attestors.

Query

Database query for determining the attestors.

The database query must be formulated as a select statement. The column selected by the database query must return a UID_Person. Every query must return a value for UID_PWORulerOrigin. The query returns one or more identities to whom the attestation case is presented for approval. If the query fails to return a result, the attestation procedure is canceled.

A query contains exactly one select statement. To combine several select statements, create several queries.

If a DBQueue Processor task is assigned, you cannot enter a query to determine attestors.

Query for recalculating

Database query that determines the attestation cases whose attestors need to be recalculated (for example, after a change of manager or of delegation).

You can, for example, determine predefined attestors with the query (example 1). The attestor can also be found dynamically depending on the attestation case to be approved. To do this, use the @UID_AttestationCase variable within the database query to access the attestation case (example 2).

Example 1

The attestation cases should be approved by a specific attestor.

Query:

select UID_Person, null as UID_PWORulerOrigin from Person where InternalName='User, JB'

Example 2

All active compliance rules should be attested by the respective rule supervisor.

Query:

select pia.UID_Person, null as UID_PWORulerOrigin from AttestationCase ac
    join ComplianceRule cr on cr.XObjectKey = ac.ObjectKeyBase and cr.IsWorkingCopy = '0'
    join PersonInBaseTree pia on pia.UID_Org = cr.UID_OrgResponsible and pia.XOrigin > 0
    where ac.UID_AttestationCase = @UID_AttestationCase

Taking delegation into account

To include delegation when determining attestors, use the query to also determine the identities to whom a responsibility has been delegated. If the managers of hierarchical roles are to make the approval decision, determine the attestors from the HelperHeadOrg table. This table groups together all managers, deputy managers, and all other hierarchical role managers as well as their deputies and the identities to whom a responsibility has been delegated.

If the members of business or application roles are to make the approval decision, determine the approvers from the PersonInBaseTree table. This table groups together all hierarchical role members and identities to whom a responsibility has been delegated.

To exclude deactivated identities, check the XOrigin column for a value greater than 0. For more information about values in the XOrigin column, see the One Identity Manager Identity Management Base Module Administration Guide.

Determine the UID_PWORulerOrigin in order to notify delegators when the recipient of the delegation has made a decision on an attestation case and thus allow the Web Portal to show if the attestor was originally delegated.

To determine the UID_PWORulerOrigin of the delegation

  • Determine the UID_PersonWantsOrg of the delegation and copy this value as UID_PWORulerOrigin to the query. Use the dbo.QER_FGIPWORulerOrigin table function to do this.

    select dbo.QER_FGIPWORulerOrigin(XObjectKey) as UID_PWORulerOrigin

To include all active managers and their deputies

  • Check the XOrigin column for a value greater than 0.

Modified query from example 2:

select pia.UID_Person, dbo.QER_FGIPWORulerOrigin(pia.XObjectKey) as UID_PWORulerOrigin from AttestationCase ac
    join ComplianceRule cr on cr.XObjectKey = ac.ObjectKeyBase and cr.IsWorkingCopy = '0'
    join PersonInBaseTree pia on pia.UID_Org = cr.UID_OrgResponsible and pia.XOrigin > 0
    where ac.UID_AttestationCase = @UID_AttestationCase
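The page describes the HelperHeadOrg table for hierarchical role managers but shows a query only for PersonInBaseTree. The following query is an added example, not from the One Identity Manager documentation, that determines the attestors as the managers and deputies of the department of the identity being attested, delegations included, and returns the delegation reference for the Web Portal. It assumes that the attestation case attests a Person (ac.ObjectKeyBase equals Person.XObjectKey), that Person.UID_Department holds the same UID as the department's entry in the hierarchical role tree, and that HelperHeadOrg carries the columns UID_Org, UID_PersonHead, XOrigin and XObjectKey; none of those details are stated on this page.

```sql
-- Added example query for an approval procedure (not part of the product).
-- Attestors: all managers, deputies and delegates of the attested identity's
-- department, as collected in HelperHeadOrg; XOrigin > 0 excludes inactive
-- entries; UID_PWORulerOrigin lets the Web Portal show delegated attestors
-- and notifies the delegator when the delegate decides.
select hho.UID_PersonHead as UID_Person,
       dbo.QER_FGIPWORulerOrigin(hho.XObjectKey) as UID_PWORulerOrigin
from AttestationCase ac
    -- assumption: the case attests a Person
    join Person p on p.XObjectKey = ac.ObjectKeyBase
    -- assumption: department UID equals the role tree UID used in HelperHeadOrg
    join HelperHeadOrg hho on hho.UID_Org = p.UID_Department and hho.XOrigin > 0
where ac.UID_AttestationCase = @UID_AttestationCase
  -- a manager who is also the attested identity must not attest themselves
  and hho.UID_PersonHead <> p.UID_Person
```

The final condition is a defensive addition: the product has its own option to prevent attestation by the identity awaiting attestation, but excluding that identity in the query keeps a self-approval out even if that option is not enabled for the policy. Remember that a query returning no rows cancels the attestation case, so test the query against a real case before assigning the procedure to a workflow.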