Chat now with support
Chat with Support

Identity Manager On Demand - Starling Edition Hosted - Attestation Administration Guide

Attestation and recertification
One Identity Manager users for attestation Attestation base data Attestation types Attestation procedure Attestation schedules Compliance frameworks Chief approval team Attestation policy owners Standard reasons for attestation Attestation policies Sample attestation Grouping attestation policies Custom mail templates for notifications Suspending attestation Automatic attestation of policy violations
Approval processes for attestation cases
Approval policies for attestations Approval workflow for attestations Selecting attestors Setting up multi-factor authentication for attestation Prevent attestation by identity awaiting attestation Automatic acceptance of attestation approvals Phases of attestation Attestation by peer group analysis Approval recommendations for attestations Managing attestation cases
Attestation sequence Default attestations Mitigating controls Setting up attestation in a separate database Configuration parameters for attestation

Reports about attestations

One Identity Manager makes various reports available containing information about the selected base object and its relations to other One Identity Manager database objects. You can use attestations to generate the following reports.

Table 41: Reports about attestations
report

Published for

Description

Overview attestation run results

Attestation policy

This report shows the results of an attestation run for the selected attestation policy.
Overview attestation run results including attestation history

Attestation policy

This report shows the results of an attestation run for the selected attestation policy including the attestation history.
Detailed status of an attestation run

Attestation policy

This report shows the detailed status of an attestation run including the estimated completion date.
Detailed status of an attestation run including approval history

Attestation policy

This report shows the detailed status of an attestation run including the estimated completion date and attestation history.

Overview attestation run results

Policy collection

This report shows the results of an attestation run for the attestation policies from the selected policy collection.

Default attestations

One Identity Manager provides various default attestation procedures for different data situations and default attestation procedures.

Data situations for default attestations:

  • System entitlements owned by an identity

  • System entitlements assigned to system entitlements

  • System entitlements assigned to hierarchical roles

  • System roles assigned to an identity

  • Company resources assigned to system roles

  • System roles assigned to hierarchical roles

  • Business and application role memberships

  • New One Identity Manager user's main data

  • Existing One Identity Manager user's main data

  • Attestation of access to OneLogin applications.

  • Attestation of unused access to OneLogin applications.

The attestation polices required for attesting identity main data are also supplied by default. You can also use the default supplied attestation policies without modifying them. The prerequisites and the attestation sequence for identity main data are described in User attestation and recertification.

Default attestation policies and default attestation procedures are provided for recertification of unused entitlements under Behavior Driven Governance. For more information on how to use these, see the One Identity Manager Administration Guide for Behavior Driven Governance.

You can set up attestation policies easily in the Web Portal using default attestation procedures for other data situations. You can also use the default attestation policies supplied without customizing them. Furthermore, you can configure how to deal with denied attestations that are based on these default attestation procedures. For more information, see Configuring withdrawal of entitlements.

A default policy collection and a default sample are provided to attest a selection of identities along with all their entitlements and memberships. The policy collection combines all default attestation policies required for this purpose. For more information, see Configuring sample attestation of identities and their entitlements.

Configuring withdrawal of entitlements

If your specific data situation allows, denied entitlements can be withdrawn by One Identity Manager following attestation.

To withdraw denied entitlements automatically

  1. In the Designer, set the QER | Attestation | AutoRemovalScope configuration parameter and the configuration subparameters.

  2. If the entitlements were obtained through IT Shop, specify whether these requests should be unsubscribed or canceled. To do this, set the QER | Attestation | AutoRemovalScope | PWOMethodName configuration parameter and select a value.

    • Abort: Requests are canceled. In this case, they do not go through a cancellation workflow. The requested entitlements are withdrawn without additional checks.

    • Unsubscribe: Requests are unsubscribed. They go through the cancellation workflow defined in the approval policies. Withdrawal of the entitlement can thus be subjected to an additional check.

      If the cancellation is denied, the entitlement is not withdrawn even though the attestation has been denied.

    If the configuration parameter is not set, the requests are canceled.

IMPORTANT: If role memberships or system roles are withdrawn from an identity, the identity loses the denied entitlement. They also lose all other company resources inherited through this role. These could be other system entitlements or account definitions. This might cause valid system entitlements to be withdrawn or user accounts to be deleted from the identity!

Check whether your data situation allows automatic withdrawal of entitlements before you enable configuration parameters under QER | Attestation | AutoRemovalScope.

Automatic removal of entitlements is triggered by an additional approval step with the EX approval procedure in the default approval workflows.

Attestation sequence with subsequence withdrawal of denied entitlements:

  1. Attestation is carried out using a default attestation procedure.

  2. The attestor denies attestation. The approval step is not granted approval and approval is passed on the next approval level with the EX approval procedure.

  3. The approval step triggers the AUTOREMOVE event. This runs the VI_Attestation_AttestationCase_AutoRemoveMembership process.

  4. The process runs the VI_AttestationCase_RemoveMembership script. This removes the affected entitlement depending on which configuration parameters are set.

  5. The script sets the approval step status to Denied. This means the entire attestation case is finally denied.

  6. Tasks to recalculate inheritance are entered in the DBQueue.

Detailed information about this topic

Attesting system entitlements

Installed modules: Target System Base Module

If you attest memberships in system entitlements, you can use the QER | Attestation | AutoRemovalScope | GroupMembership configuration parameter to configure automatic removal of system entitlements. After attestation approval has been denied, One Identity Manager checks which type of assignment was used for the user account to become a member in the system entitlement.

Table 42: Effect of configuration parameters when attestation denied

Configuration parameter

Effect when set

QER | Attestation | AutoRemovalScope | GroupMembership | RemoveDirect

Direct membership of the user account in the system entitlement, is removed.

QER | Attestation | AutoRemovalScope | GroupMembership | RemovePrimaryRole

If membership in the system entitlement was inherited through a primary role, the role is withdrawn from the identity.

This removes all indirect assignments obtained by the identity through this role.

QER | Attestation | AutoRemovalScope | GroupMembership | RemoveRequestedRole

If membership of the system entitlement was inherited through a requested role, the role request is canceled or unsubscribed.

This removes all indirect assignments obtained by the identity through this role.

Set the desired behavior in the QER | Attestation | AutoRemovalScope | PWOMethodName configuration parameter. For more information, see Configuring withdrawal of entitlements.

QER | Attestation | AutoRemovalScope | GroupMembership | RemoveDelegatedRole

If membership in the system entitlement was inherited through a delegated role, delegation of this role is canceled or unsubscribed.

This removes all indirect assignments obtained by the identity through this role.

Set the desired behavior in the QER | Attestation | AutoRemovalScope | PWOMethodName configuration parameter. For more information, see Configuring withdrawal of entitlements.

QER | Attestation | AutoRemovalScope | GroupMembership | RemoveRequested

If membership of the system entitlement was requested through the IT Shop, the request is canceled or unsubscribed.

Set the desired behavior in the QER | Attestation | AutoRemovalScope | PWOMethodName configuration parameter. For more information, see Configuring withdrawal of entitlements.

QER | Attestation | AutoRemovalScope | GroupMembership | RemoveSystemRole

System roles incorporating the system entitlements are withdrawn from the identity.

This removes all indirect assignments obtained by the identity through this system role.

This configuration parameter is only available if the System Roles Module is installed.

QER | Attestation | AutoRemovalScope | GroupMembership | RemoveDirectRole

If membership in the system entitlement was inherited through a secondary role (organization or business role), the identity's membership is removed from this role.

This removes all indirect assignments obtained by the identity through this role.

QER | Attestation | AutoRemovalScope | GroupMembership | RemoveDynamicRole

If membership in the system entitlement was inherited through a dynamic role, the identity is excluded from the dynamic role.

This removes all indirect assignments obtained by the identity through this role.

If you attest assignments to system entitlements, you can use the QER | Attestation | AutoRemovalScope | UNSGroupInUNSGroup configuration parameter to configure automatic removal of system entitlements.

Table 43: Effect of configuration parameters when attestation denied

Configuration parameter

Effect when set

QER | Attestation | AutoRemovalScope | UNSGroupInUNSGroup | RemoveDirect

Assignment of the system entitlement to a system entitlement is removed.

If you attest system entitlement assignments to hierarchical roles, you can use the following configuration parameters to configure automatic removal of system entitlements.

Table 44: Effect of configuration parameters when attestation denied

Configuration parameter

Effect when set

QER | Attestation | AutoRemovalScope | DepartmentHasUNSGroup | RemoveDirect

The assignment of the system entitlement to a department is removed.

Therefore the system entitlement is removed from all identities that inherit assignments from this department.

QER | Attestation | AutoRemovalScope | ProfitCenterHasUNSGroup | RemoveDirect

The assignment of the system entitlement to a cost center is removed.

Therefore the system entitlement is removed from all identities that inherit assignments from this cost center.

QER | Attestation | AutoRemovalScope | LocalityHasUNSGroup | RemoveDirect

The assignment of the system entitlement to a location is removed.

Therefore the system entitlement is removed from all identities that inherit assignments from this location.

QER | Attestation | AutoRemovalScope | OrgHasUNSGroup | RemoveDirect

The assignment of a system entitlement to a business role is removed.

Therefore the system entitlement is removed from all identities that inherit assignments from this business role.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating