Chat now with support
Chat with Support

Identity Manager On Demand - Starling Edition Hosted - Attestation Administration Guide

Attestation and recertification
One Identity Manager users for attestation Attestation base data Attestation types Attestation procedure Attestation schedules Compliance frameworks Chief approval team Attestation policy owners Standard reasons for attestation Attestation policies Sample attestation Grouping attestation policies Custom mail templates for notifications Suspending attestation Automatic attestation of policy violations
Approval processes for attestation cases
Approval policies for attestations Approval workflow for attestations Selecting attestors Setting up multi-factor authentication for attestation Prevent attestation by identity awaiting attestation Automatic acceptance of attestation approvals Phases of attestation Attestation by peer group analysis Approval recommendations for attestations Managing attestation cases
Attestation sequence Default attestations Mitigating controls Setting up attestation in a separate database Configuration parameters for attestation

User attestation and recertification

Use the One Identity Manager attestation functionality to regularly check and authorize identities' main data and target system entitlements and assignments. In addition, One Identity Manager provides default procedures for managers to quickly attest and certify the main data of newly added One Identity Manager users in the One Identity Manager database. This functionality can be used, for example, if external identities, such as contract workers, are provided with temporary access to One Identity Manager. The sequence is different for internal and external identities.

Regular recertification can be run through scheduled tasks.

In the context of an attestation, a manager can check and update the main data of the user to be certified, if necessary. Use the Web Portal for attestation.

Detailed information about this topic
Related topics

One Identity Manager users for attesting and recertifying users

The following users are used for attesting and recertifying identities.

Table 50: Users

Users

Tasks

Identity administrators

Identity administrators must be assigned to the Identity Management | Identities | Administrators application role.

Users with this application role:

  • Can edit any identity's main data

  • Assign managers to identities.

  • Can assign company resources to identities.

  • Check and authorize identity main data.

  • Create and edit risk index functions.

  • Edit password policies of identities' passwords.

  • Delete identity's security keys (WebAuthn)

  • Can see everyone's requests, attestations, and delegations and edit delegations in the Web Portal.

Manager

  • Check identity main data of the internal user to be certified.
  • Update identity main data as required.
  • Assign another manager if required.
  • Attests the main data.

Attestors for external users

Attestors for external users must be assigned to the Identity & Access Governance | Attestation | Attestors for external users application role.

Users with this application role:

  • Attests new, external identities.

Administrators for attestation cases

Administrators must be assigned to the Identity & Access Governance | Attestation | Administrators application role.

Users with this application role:

  • Modify the attestation policies if necessary.

  • Create more schedules if required.

Web Portal users

  • Log on to the Web Portal and enter their main data,

Self-registered identities

External identities, who have registered themselves in the Web Portal, are assigned to the Base roles | Self-registered identities application role through a dynamic role.

Users with this application role:

  • Specify their password and password questions for logging in to One Identity Manager tools.

Configuring user attestation and recertification

To use the attestation and recertification function for new internal users

  1. In the Designer, set the QER | Attestation | UserApproval configuration parameter.

  2. Assign at least one identity to the Identity Management | Identities | Administrators application role.

    All identities with this application role can assign a manager to the identity being attested during the attestation run.

To use the attestation and recertification function for new external users

  1. In the Designer, set the following configuration parameters:

    • QER | Attestation | ApproveNewExternalUsers: Select the value 1.

    • QER | WebPortal | PasswordResetURL: Enter the URL for the Password Reset Portal.

    • QER | Attestation | MailTemplateIdents | NewExternalUserVerification: Mail template sending verification links.

    • QER | Attestation | NewExternalUserTimeoutInHours: For new external users, specify the duration of the verification link in hours.

      The default is 4 hours. If logging in to the Password Reset Portal fails because the timeout has expired, the user can ask for a new verification link to be sent. To change the duration of the verification link, change the value in the configuration parameter.

    • QER | Attestation | NewExternalUserFinalTimeoutInHours: Specify the duration in hours, within which self-registration must be successfully completed.

      If the user does not complete registration with 24 hours, the attestation case quits. To register anyway, the user must log in again to the Web Portal from the beginning. To change the checkout duration of registration, change the value of the configuration parameter.

  2. Assign at least one identity to the Identity & Access Governance | Attestation | Attestor for external users application role.

Detailed information about this topic

Attesting new users

Attestation of new users is divided into three use cases by One Identity Manager:

  1. Registration of new external users logging in to the Web Portal.

  2. Adding new identities in the Manager or using a manager in the Web Portal.

  3. Adding new identities by importing identity main data.

The result of attestation is the same in all three cases.

  • Certified, activated identities who can access all entitlements assigned to them in One Identity Manager and the connected target systems.

    Company resources are inherited. Account definitions are assigned to internal identities.

    - OR -

  • Denied and permanently deactivated identities.

    Disable identities cannot log in to One Identity Manager tools. Company resources are not inherited. Account definitions are not automatically assigned. User accounts associated with the identity are also locked or deleted. You can customize the behavior to meet your requirements.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating