Identity Manager 9.3 - Attestation Administration Guide


Configuring withdrawal of entitlements

If your specific data situation allows, denied entitlements can be withdrawn by One Identity Manager following attestation.

To withdraw denied entitlements automatically

  1. In the Designer, set the QER | Attestation | AutoRemovalScope configuration parameter and the configuration subparameters.

  2. If the entitlements were obtained through IT Shop, specify whether these requests should be unsubscribed or canceled. To do this, set the QER | Attestation | AutoRemovalScope | PWOMethodName configuration parameter and select a value.

    • Abort: Requests are canceled. In this case, they do not go through a cancellation workflow. The requested entitlements are withdrawn without additional checks.

    • Unsubscribe: Requests are unsubscribed. They go through the cancellation workflow defined in the approval policies. Withdrawal of the entitlement can thus be subjected to an additional check.

      If the cancellation is denied, the entitlement is not withdrawn even though the attestation has been denied.

    If the configuration parameter is not set, the requests are canceled.

IMPORTANT: If role memberships or system roles are withdrawn from an identity, the identity loses the denied entitlement. They also lose all other company resources inherited through this role. These could be other system entitlements or account definitions. This might cause valid system entitlements to be withdrawn or user accounts to be deleted from the identity!

Check whether your data situation allows automatic withdrawal of entitlements before you enable configuration parameters under QER | Attestation | AutoRemovalScope.

Automatic removal of entitlements is triggered by an additional approval step with the EX approval procedure in the default approval workflows.

Attestation sequence with subsequent withdrawal of denied entitlements:

  1. Attestation is carried out using a default attestation procedure.

  2. The attestor denies attestation. The approval step is not granted approval, and approval is passed on to the next approval level, which uses the EX approval procedure.

  3. The approval step triggers the AUTOREMOVE event. This runs the VI_Attestation_AttestationCase_AutoRemoveMembership process.

  4. The process runs the VI_AttestationCase_RemoveMembership script. This removes the affected entitlement depending on which configuration parameters are set.

  5. The script sets the approval step status to Denied. This means the entire attestation case is finally denied.

  6. Tasks to recalculate inheritance are entered in the DBQueue.


Attesting system entitlements

Installed modules: Target System Base Module

If you attest memberships in system entitlements, you can use the QER | Attestation | AutoRemovalScope | GroupMembership configuration parameter to configure automatic removal of system entitlements. After attestation approval has been denied, One Identity Manager checks which type of assignment was used for the user account to become a member in the system entitlement.

  • QER | Attestation | AutoRemovalScope | GroupMembership | RemoveDirect

    Direct membership of the user account in the system entitlement is removed.

  • QER | Attestation | AutoRemovalScope | GroupMembership | RemovePrimaryRole

    If membership in the system entitlement was inherited through a primary role, the role is withdrawn from the identity.

    This removes all indirect assignments obtained by the identity through this role.

  • QER | Attestation | AutoRemovalScope | GroupMembership | RemoveRequestedRole

    If membership of the system entitlement was inherited through a requested role, the role request is canceled or unsubscribed.

    This removes all indirect assignments obtained by the identity through this role.

    Set the desired behavior in the QER | Attestation | AutoRemovalScope | PWOMethodName configuration parameter.

  • QER | Attestation | AutoRemovalScope | GroupMembership | RemoveDelegatedRole

    If membership in the system entitlement was inherited through a delegated role, delegation of this role is canceled or unsubscribed.

    This removes all indirect assignments obtained by the identity through this role.

    Set the desired behavior in the QER | Attestation | AutoRemovalScope | PWOMethodName configuration parameter.

  • QER | Attestation | AutoRemovalScope | GroupMembership | RemoveRequested

    If membership of the system entitlement was requested through the IT Shop, the request is canceled or unsubscribed.

    Set the desired behavior in the QER | Attestation | AutoRemovalScope | PWOMethodName configuration parameter.

  • QER | Attestation | AutoRemovalScope | GroupMembership | RemoveSystemRole

    System roles incorporating the system entitlements are withdrawn from the identity.

    This removes all indirect assignments obtained by the identity through this system role.

    This configuration parameter is only available if the System Roles Module is installed.

  • QER | Attestation | AutoRemovalScope | GroupMembership | RemoveDirectRole

    If membership in the system entitlement was inherited through a secondary role (organization or business role), the identity's membership is removed from this role.

    This removes all indirect assignments obtained by the identity through this role.

  • QER | Attestation | AutoRemovalScope | GroupMembership | RemoveDynamicRole

    If membership in the system entitlement was inherited through a dynamic role, the identity is excluded from the dynamic role.

    This removes all indirect assignments obtained by the identity through this role.
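As an added illustration, not part of this guide and not the product's VI_AttestationCase_RemoveMembership script, the following Python model previews what an identity would lose under the GroupMembership parameters above, including entitlements inherited through a withdrawn role, which is the check the IMPORTANT note asks for before enabling AutoRemovalScope. Identity, role and entitlement names are constructed; only RemoveDirect, RemoveRequested, RemovePrimaryRole and RemoveDirectRole are modeled, with PWOMethodName defaulting to Abort when unset.

```python
# Constructed model (not One Identity Manager's own script) of what the
# QER | Attestation | AutoRemovalScope | GroupMembership parameters would
# withdraw from an identity when attestation of one entitlement is denied.
# Roles, identities and entitlement names are made up for the example.
from dataclasses import dataclass, field

@dataclass
class Identity:
    name: str
    direct: set = field(default_factory=set)     # direct user-account memberships
    requested: set = field(default_factory=set)  # memberships requested via IT Shop
    primary_role: str = ""
    secondary_roles: set = field(default_factory=set)  # departments, business roles

# Role -> system entitlements every member inherits through that role.
ROLE_ENTITLEMENTS = {
    "Dept-Finance": {"AD-Finance-Share", "SAP-FI-Display", "AD-VPN"},
    "Org-Auditors": {"AD-Audit-Logs", "AD-VPN"},
}

def withdrawal_impact(identity, denied, params, pwo_method=None):
    """Return (actions, withdrawn, pending): what auto-removal does, which
    entitlements are lost without any further check, and which only enter a
    cancellation workflow (PWOMethodName = Unsubscribe) and may survive."""
    actions, withdrawn, pending = [], set(), set()
    pwo = pwo_method or "Abort"  # PWOMethodName not set: requests are canceled
    if "RemoveDirect" in params and denied in identity.direct:
        actions.append(f"remove direct membership in {denied}")
        withdrawn.add(denied)
    if "RemoveRequested" in params and denied in identity.requested:
        actions.append(f"{pwo} IT Shop request for {denied}")
        (withdrawn if pwo == "Abort" else pending).add(denied)
    roles = []
    if "RemovePrimaryRole" in params and identity.primary_role:
        roles.append(identity.primary_role)
    if "RemoveDirectRole" in params:
        roles.extend(sorted(identity.secondary_roles))
    for role in roles:
        inherited = ROLE_ENTITLEMENTS.get(role, set())
        if denied in inherited:
            actions.append(f"withdraw role {role}")
            withdrawn |= inherited  # everything inherited via the role goes too
    return actions, withdrawn, pending

def collateral(identity, denied, params, pwo_method=None):
    """Entitlements withdrawn that the attestor never denied."""
    _, withdrawn, _ = withdrawal_impact(identity, denied, params, pwo_method)
    return withdrawn - {denied}
```

Running collateral() over real role data for the identities in scope of a policy shows whether a denied membership would also strip unrelated entitlements, which is the case where only RemoveDirect, or Unsubscribe with its cancellation workflow, is the safer setting.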

If you attest assignments to system entitlements, you can use the QER | Attestation | AutoRemovalScope | UNSGroupInUNSGroup configuration parameter to configure automatic removal of system entitlements.

  • QER | Attestation | AutoRemovalScope | UNSGroupInUNSGroup | RemoveDirect

    Assignment of the system entitlement to a system entitlement is removed.

If you attest system entitlement assignments to hierarchical roles, you can use the following configuration parameters to configure automatic removal of system entitlements.

If the assignment of the system entitlement to a hierarchical role is removed after attestation is denied, the system entitlement is removed from all identities that inherit assignments from this role.

  • QER | Attestation | AutoRemovalScope | DepartmentHasUNSGroup | RemoveDirect

    The assignment of the system entitlement to a department is removed.

  • QER | Attestation | AutoRemovalScope | ProfitCenterHasUNSGroup | RemoveDirect

    The assignment of the system entitlement to a cost center is removed.

  • QER | Attestation | AutoRemovalScope | LocalityHasUNSGroup | RemoveDirect

    The assignment of the system entitlement to a location is removed.

  • QER | Attestation | AutoRemovalScope | OrgHasUNSGroup | RemoveDirect

    The assignment of a system entitlement to a business role is removed.


System role attestation

Installed modules: System Roles Module

If you attest memberships in system roles, you can use the QER | Attestation | AutoRemovalScope | ESetAssignment configuration parameter to configure the automatic removal of system roles. After attestation approval has been denied, One Identity Manager checks which type of assignment was used for the user account to become a member in the system role.

If membership of the system role is removed after an attestation has been denied, all indirect assignments that the identity obtained via this system role are removed.

  • QER | Attestation | AutoRemovalScope | ESetAssignment | RemoveDirect

    Direct membership in the system role is removed.

  • QER | Attestation | AutoRemovalScope | ESetAssignment | RemovePrimaryRole

    If the system role was inherited through a primary role, the role is withdrawn.

    This removes all indirect assignments obtained by the identity through this role.

  • QER | Attestation | AutoRemovalScope | ESetAssignment | RemoveRequestedRole

    If the system role was inherited through a requested role, the role request is canceled or unsubscribed.

    This removes all indirect assignments obtained by the identity through this role.

    Set the desired behavior in the QER | Attestation | AutoRemovalScope | PWOMethodName configuration parameter.

  • QER | Attestation | AutoRemovalScope | ESetAssignment | RemoveDelegatedRole

    If the system role was inherited through a delegated role, the delegation of this role is canceled or unsubscribed.

    This removes all indirect assignments obtained by the identity through this role.

    Set the desired behavior in the QER | Attestation | AutoRemovalScope | PWOMethodName configuration parameter.

  • QER | Attestation | AutoRemovalScope | ESetAssignment | RemoveRequested

    If the system role was requested through the IT Shop, the request is canceled or unsubscribed.

    Set the desired behavior in the QER | Attestation | AutoRemovalScope | PWOMethodName configuration parameter.

  • QER | Attestation | AutoRemovalScope | ESetAssignment | RemoveDirectRole

    If the system role was inherited through a secondary role (organization or business role), the identity's membership is removed from this role.

    This removes all indirect assignments obtained by the identity through this role.

  • QER | Attestation | AutoRemovalScope | ESetAssignment | RemoveDynamicRole

    If the system role was inherited through a dynamic role, the identity is excluded from the dynamic role.

    This removes all indirect assignments obtained by the identity through this role.

If you attest assignments to system roles, you can use the QER | Attestation | AutoRemovalScope | ESetHasEntitlement configuration parameter to configure automatic removal of assignments.

  • QER | Attestation | AutoRemovalScope | ESetHasEntitlement | RemoveDirect

    The direct assignment of the company resource to a system role is removed.

  • QER | Attestation | AutoRemovalScope | ESetHasEntitlement | RemoveRequested

    If the assignment of the company resource to a system role was requested through the IT Shop, the request is canceled or unsubscribed.

    Set the desired behavior in the QER | Attestation | AutoRemovalScope | PWOMethodName configuration parameter.

If you attest system role assignments to hierarchical roles, you can use the following configuration parameters to configure automatic removal of system roles.

If the assignment of the system role to a hierarchical role is removed after attestation is denied, the system role is removed from all identities that inherit assignments from this role. This removes all indirect assignments obtained by the identities through this system role.

  • QER | Attestation | AutoRemovalScope | DepartmentHasESet | RemoveDirect

    Direct system role assignments to departments are removed.

  • QER | Attestation | AutoRemovalScope | DepartmentHasESet | RemoveRequested

    If the system role assignment to a department was requested via the IT Shop, the request is canceled or unsubscribed.

    Set the desired behavior in the QER | Attestation | AutoRemovalScope | PWOMethodName configuration parameter.

  • QER | Attestation | AutoRemovalScope | ProfitCenterHasESet | RemoveDirect

    Direct system role assignments to cost centers are removed.

  • QER | Attestation | AutoRemovalScope | ProfitCenterHasESet | RemoveRequested

    If the system role assignment to a cost center was requested via the IT Shop, the request is canceled or unsubscribed.

    Set the desired behavior in the QER | Attestation | AutoRemovalScope | PWOMethodName configuration parameter.

  • QER | Attestation | AutoRemovalScope | LocalityHasESet | RemoveDirect

    Direct system role assignments to locations are removed.

  • QER | Attestation | AutoRemovalScope | LocalityHasESet | RemoveRequested

    If the system role assignment to a location was requested via the IT Shop, the request is canceled or unsubscribed.

    Set the desired behavior in the QER | Attestation | AutoRemovalScope | PWOMethodName configuration parameter.

  • QER | Attestation | AutoRemovalScope | OrgHasESet | RemoveDirect

    Direct system role assignments to business roles are removed.

  • QER | Attestation | AutoRemovalScope | OrgHasESet | RemoveRequested

    If the system role assignment to a business role was requested via the IT Shop, the request is canceled or unsubscribed.

    Set the desired behavior in the QER | Attestation | AutoRemovalScope | PWOMethodName configuration parameter.


Application role attestation

If you attest memberships in application roles, you can use the QER | Attestation | AutoRemovalScope | AERoleMembership configuration parameter to configure automatic removal of application roles. After attestation approval has been denied, One Identity Manager checks which type of assignment was used for the user account to become a member in the application role.

If membership of the application role is removed after an attestation has been denied, all indirect assignments that the identity obtained via this application role are removed.

  • QER | Attestation | AutoRemovalScope | AERoleMembership | RemoveDirectRole

    The identity's secondary membership is removed from the application role.

    Membership in dynamic roles is not removed in this process.

  • QER | Attestation | AutoRemovalScope | AERoleMembership | RemoveRequestedRole

    If the identity requested the application role through the IT Shop, the request is canceled or unsubscribed.

    Set the desired behavior in the QER | Attestation | AutoRemovalScope | PWOMethodName configuration parameter.

  • QER | Attestation | AutoRemovalScope | AERoleMembership | RemoveDelegatedRole

    If the application role was delegated to the identity, delegation is canceled or unsubscribed.

    Set the desired behavior in the QER | Attestation | AutoRemovalScope | PWOMethodName configuration parameter.

  • QER | Attestation | AutoRemovalScope | AERoleMembership | RemoveDynamicRole

    The identity is excluded from the application role's dynamic role.

    This does not remove memberships in the application role that were created in another way.
