Using product owners to find attestors
Use the approval procedure OA to determine whether product owners can be attestors. The following objects can be attested with this procedure:
- A service item must be assigned to the system entitlements and system roles.
- There must be an application role for product owners assigned to the service item.
All identities assigned to the assigned application role are determined as attestors.
Using owners of a privileged object to find attestors
||Privileged Account Governance Module |
Use the OP approval procedure if you want to allow privileged objects in a Privileged Account Management system, for example, PAM assets or PAM directory accounts, to be attested by their owners. The owners attest the possible user accord to these privileged objects. The owners of the privileged objects must have the Privileged Account Governance | Asset and account owners application role or a child application role.
Using additional Active Directory group owners to find attestors
Active Roles Module
If the Active Directory group is attested, the attestor can be determined through additional owners of this Active Directory group. Use the PA approval procedure for this purpose. This finds all identities that are:
NOTE: Only use the PA approval procedure if the TargetSystem | ADS | ARS_SSM configuration parameter is enabled. The column Additional owners is only available in this case.
Using owners of the attestation objects to find attestors
When you assign new owners to devices or system entitlements in the Web Portal, the new owner should agree with this assignment. An attestation with the PO approval procedure is carried out for this purpose.