Identity Manager On Demand - Starling Edition Hosted - Attestation Administration Guide


Using identities assigned to user accounts to find attestors

If you want to allow user accounts to be attested by the identities assigned to them, use the EA approval procedure. This approval procedure can be used if the Target System Base Module is installed.

Determining attested identity as attestor

An identity can attest to the correctness of their own main data to confirm that it has been entered correctly, for example. Use the CS approval procedure to do this. Identities are the base object for attestation. The approval procedure is used by default to assign managers to identities that do not have a manager assigned to them (Attestation of initial manager assignment attestation policy).

When user accounts, memberships in roles and organizations, or memberships in system entitlements are attested, the CN approval procedure determines whether the identity to whom these objects are assigned can be an attestor. The CN approval procedure is used to challenge denied attestations; for example, affected identities can prevent necessary entitlements from being removed. For more information, see Setting up the challenge phase.

Determining attestation policy owners

The PW approval procedure determines the owners of the attestation policy in question and uses them as attestors. Because every attestation case belongs to a policy, the approval procedure can be used to attest any object. It is used to perform an additional stage in approval processes, in which the attestation policy owners have the opportunity to review the details of the attestation run. For more information, see Phases of attestation.

Calculated approval

NOTE: Only one approval step can be defined with the CD approval procedure per approval level.

If you want to make attestation dependent on specific conditions, use the CD approval procedure. This procedure does not determine an attestor. One Identity Manager makes the decision depending on the condition that is formulated in the approval step.

You can use the procedure for any attestation base objects. You create a condition in the approval step. If the condition returns a result, the approval step is approved through One Identity Manager. If the condition does not return a result, the approval step is denied by One Identity Manager. If there are no further approval steps, the approval procedure is either finally granted or denied.

To enter a condition for the CD approval procedure

  1. Edit the approval step properties.

    For more information, see Editing approval levels.

  2. In the Condition input field, enter a valid WHERE clause for database queries. You can enter the SQL query directly or with a wizard.

Example of a simple approval workflow with the CD approval procedure:

External identities should be attested by their managers. If no manager is assigned, the members of a designated application role must attest the identities.

The following condition, used with the CD approval procedure, finds all external identities who have a manager assigned to them:

    EXISTS
    (SELECT 1 FROM
      (SELECT xobjectkey FROM Person WHERE (IsExternal = 1)
        AND (EXISTS
          (SELECT 1 FROM
            (SELECT UID_Person FROM Person WHERE 1 = 1) as X
            WHERE X.UID_Person = Person.UID_PersonHead))) as X
    WHERE X.xobjectkey = AttestationCase.ObjectKeyBase)

If the condition is fulfilled, the external identity's manager can attest the identity. To do this, add an approval step in the positive approval path with the CM approval procedure.

If the condition is not fulfilled, the identity is attested by the member of a designated application role. To do this, add an approval step in the negative approval path with the OR approval procedure and assign the application role.
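The following Python script is an added example and is not part of the guide or of the product. It loads the CD condition above, verbatim, into an in-memory SQLite database with constructed Person and AttestationCase rows and evaluates it for each attestation case, so you can see which branch each case takes: CM on the positive path when the condition returns a row, OR on the negative path when it returns nothing. It assumes that the condition is applied as a WHERE clause on the AttestationCase row being decided, models only the columns the condition references, and uses made-up object-key strings; the real database schema and key format differ.

```python
import sqlite3

# The CD condition from the guide, verbatim: a WHERE clause that is
# evaluated for the AttestationCase being decided (assumption).
CD_CONDITION = """
EXISTS
(SELECT 1 FROM
  (SELECT xobjectkey FROM Person WHERE (IsExternal = 1)
    AND (EXISTS
      (SELECT 1 FROM
        (SELECT UID_Person FROM Person WHERE 1 = 1) as X
        WHERE X.UID_Person = Person.UID_PersonHead))) as X
WHERE X.xobjectkey = AttestationCase.ObjectKeyBase)
"""


def build_sample_db():
    """Constructed in-memory stand-in for Person and AttestationCase.
    Only the columns the condition touches are modelled; the object-key
    strings are made up and do not follow the product's real key format."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE Person (
            UID_Person     TEXT PRIMARY KEY,
            xobjectkey     TEXT NOT NULL,
            IsExternal     INTEGER NOT NULL,
            UID_PersonHead TEXT            -- manager; NULL when none is assigned
        );
        CREATE TABLE AttestationCase (
            UID_AttestationCase TEXT PRIMARY KEY,
            ObjectKeyBase       TEXT NOT NULL  -- key of the attested identity
        );
    """)
    con.executemany("INSERT INTO Person VALUES (?, ?, ?, ?)", [
        ("P-MGR",   "Person:P-MGR",   0, None),      # internal manager
        ("P-EXT-1", "Person:P-EXT-1", 1, "P-MGR"),   # external, manager assigned
        ("P-EXT-2", "Person:P-EXT-2", 1, None),      # external, no manager
        ("P-EXT-3", "Person:P-EXT-3", 1, "P-GONE"),  # external, manager row missing
        ("P-INT-1", "Person:P-INT-1", 0, "P-MGR"),   # internal, manager assigned
    ])
    con.executemany("INSERT INTO AttestationCase VALUES (?, ?)", [
        ("AC-1", "Person:P-EXT-1"),
        ("AC-2", "Person:P-EXT-2"),
        ("AC-3", "Person:P-EXT-3"),
        ("AC-4", "Person:P-INT-1"),
    ])
    return con


def cd_condition_holds(con, uid_case):
    """True when the condition returns a row for this case (the CD step is
    approved); False when it returns nothing (the CD step is denied)."""
    row = con.execute(
        "SELECT 1 FROM AttestationCase "
        "WHERE UID_AttestationCase = ? AND (" + CD_CONDITION + ")",
        (uid_case,),
    ).fetchone()
    return row is not None


def next_approval_procedure(con, uid_case):
    """Route the case the way the guide's workflow does: CM (the manager
    attests) on the positive path, OR (members of the designated
    application role attest) on the negative path."""
    return "CM" if cd_condition_holds(con, uid_case) else "OR"


if __name__ == "__main__":
    con = build_sample_db()
    for uid_case in ("AC-1", "AC-2", "AC-3", "AC-4"):
        print(uid_case, next_approval_procedure(con, uid_case))
```

Only AC-1 (an external identity whose manager exists) takes the CM path. The case with no manager and the case whose manager reference points at a Person row that no longer exists both land on the OR path, which is why the condition checks the manager with an EXISTS against Person rather than with a plain `UID_PersonHead IS NOT NULL`; the internal identity is routed to OR as well because the condition only matches external identities.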
