Chat now with support
Chat with Support

Identity Manager On Demand - Starling Edition Hosted - Attestation Administration Guide

Attestation and recertification
One Identity Manager users for attestation Attestation base data Attestation types Attestation procedure Attestation schedules Compliance frameworks Chief approval team Attestation policy owners Standard reasons for attestation Attestation policies Sample attestation Grouping attestation policies Custom mail templates for notifications Suspending attestation Automatic attestation of policy violations
Approval processes for attestation cases
Approval policies for attestations Approval workflow for attestations Selecting attestors Setting up multi-factor authentication for attestation Prevent attestation by identity awaiting attestation Automatic acceptance of attestation approvals Phases of attestation Attestation by peer group analysis Approval recommendations for attestations Managing attestation cases
Attestation sequence Default attestations Mitigating controls Setting up attestation in a separate database Configuration parameters for attestation

Setting up work databases

Ensure that the minimum system requirements for installing the work database are met. For more information, see the One Identity Manager Installation Guide.

To set up the work database

  1. Install a work database with at least version 8.2.

    • Install the same modules as in the central database, including the System Synchronization Service Module.

    • In addition, install the Attestation Module (ATT).

  2. Set up a Job server to handle SQL processes for the work database.

  3. To be able to use the Web Portal for attestations

    1. Install an application server

    2. Install an API Server.

    For more information, see the One Identity Manager Installation Guide.

  4. In the work database, set the following configuration parameters and specify the credentials to connect to the central database's application server.

    Use the same settings that are used when setting up synchronization between the central and working databases.

    • ISM | PrimaryDB | AppServer | AuthenticationString:

      Authentication data for establishing a connection using the REST API of the central database's application server.

      Syntax: Module=<authentication module>;<property1>=<value1>;<property2>=<value2>,…

      All authentication modules provided by the application server being addressed are allowed. For more information about authentication modules, see the One Identity Manager Authorization and Authentication Guide.

      Recommended values are:

      • Module=DialogUser;User=<user name>;Password=<password>

      • Module=DialogUserAccountBased

      • Module=Token

        For authentication using an OAuth 2.0 access token, additionally specify ClientId, ClientSecret, and TokenEndpoint in the ConnectionString configuration parameter. For more information about OAuth 2.0/OpenID Connect authentication, see the One Identity Manager Authorization and Authentication Guide.

    • ISM | PrimaryDB | AppServer | ConnectionString:

      Connection parameters for establishing a connection using the REST API of the central database's application server.

      Syntax: Url=<application server URL>

      If Module=Token is set in the AuthenticationString configuration parameter, the following parameter are required in addition:

      • ClientId: Client ID for authentication at the token endpoint.

      • ClientSecret: Secret value for authentication at the token endpoint.

      • TokenEndpoint: URL of the token endpoint.

      Syntax: url=<application server URL>[;ClientId=<client ID>;ClientSecret=<secret>;TokenEndpoint=<token endpoint>]

Related topics

Setting up synchronization between central and work databases

Synchronization between the work and central databases is handled by the One Identity Manager connector. You can set up synchronization through individual configuration, configuring it completely manually. To ensure that all data required for attestation are transferred to the work database and the attestation results are returned, set up the system synchronization. The One Identity Manager supports you with the scripts provided.

System synchronization allows you to map selected application data from the central database to the work database. The synchronization configuration is generated completely automatically based on selected criteria. The synchronization project is set up on the work database.

To set up the system synchronization, proceed as described in the One Identity Manager User Guide for the One Identity Manager Connector.

To set up the system synchronization

  1. Provide One Identity Manager users with the necessary permissions to set up synchronization.

  2. Install and configure a synchronization server and declare the server as a Job server in One Identity Manager.
  3. Determine which application data to attest.

    1. In Designer, mark the tables and columns required for this purpose. You can use the scripts provided for this purpose.

      NOTE: The scripts select all tables and columns that contain application data to attest. If only a limited section of this application data requires attesting, you can also mark the required tables and columns manually.

    2. Check the automatically selected tables and columns. You can modify this selection to suit your requirements.

  4. Generate a synchronization project with the Synchronization Editor.

    When selecting the database system, use the same settings that are specified in the configuration parameters under ISM | PrimaryDB | AppServer.

  1. Start the initial synchronization.

To automatically mark the tables and columns

Run the following scripts on the given database using a suitable program for SQL queries. The scripts are located on the installation media in the ATT\dvd\AddOn\SDK\SystemSyncPreConfig directory.

  1. On the work database, run the AttestationInAnotherOneIMDB_Part1_GeneralConfig.sql script.

    The script makes some general settings.

  2. On the central database, run the AttestationInAnotherOneIMDB_Part1_GeneralConfig.sql script.

  3. On the work database, run the AttestationInAnotherOneIMDB_Part2_TableConfig.sql script.

    The script selects all the necessary tables and sets the values required in the table properties.

  4. On the work database, run the AttestationInAnotherOneIMDB_Part3_ColumnConfig.sql script.

    The script selects all required columns and sets the mapping direction.

  5. Check the selected tables and columns as well as the set properties and adjust if necessary.

NOTE:

  • If you change the tables or columns to be synchronized after the synchronization project has been generated, the synchronization project will be updated automatically.

  • Only the connection credentials for the connected systems may be changed manually in a generated synchronization project.

Related topics

Setting up and running attestations in the work database

After you have initially loaded all the data into the work database, set up the attestation and then start it. For more information, see Attestation and recertification.

The status of completed attestation cases is stored in the attestation overview (ISMObjectAttLast table) and immediately provisioned to the central database. This is where subsequent processes are carried out, such as the withdrawal of entitlements after attestation is denied or risk index calculations.

NOTE: When attestations are carried out in a work database, the risk indexes of the attested objects in the central database are calculated based on the attestation overview (ISMObjectAttLast table). Separate calculation functions are provided for this purpose.

For more information about calculating risk indexes, see the One Identity Manager Risk Assessment Administration Guide.

Related topics

Configuration parameters for attestation

The following configuration parameters are additionally available in One Identity Manager after the module has been installed. Some general configuration parameters are relevant for attestation. The following table contains a summary of all applicable configuration parameters for attestation.

Table 66: Overview of configuration parameters

Configuration parameter

Description

QER | Attestation

Preprocessor relevant configuration parameter for controlling the model parts for attestation. Changes to the parameter require recompiling the database.

If the parameter is enabled you can use the attestation function.

If you disable the configuration parameter at a later date, model components and scripts that are no longer required, are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.

QER | Attestation | AERoleApproval

Application role certification is defined under this configuration parameter.

QER | Attestation | AERoleApproval | InitialApprovalState

Certification status for new application roles. If an application role is added with the status 1 (NEW), it triggers attestation of the data by their manager.

QER | Attestation | AllowAllReportTypes

This configuration parameter specifies whether all report formats are permitted for attestation policies. By default, only PDF is allowed because it is the only audit secure format.

QER | Attestation | ApproveNewExternalUsers

This configuration parameter specifies whether new external users must be attested before the are enabled.

QER | Attestation |
AutoCloseInactivePerson

If this configuration parameter is set, pending attestation cases for an identity are closed, when this identities is permanently deactivated.

QER | Attestation | AutoRemovalScope

General configuration parameter for defining automatic withdrawal of memberships/assignments if attestation approval is not granted.

QER | Attestation | AutoRemovalScope |
AERoleMembership

Determines default behavior for automatic removal of application role memberships if attestation approval is not granted.

QER | Attestation | AutoRemovalScope |
AERoleMembership |
RemoveDelegatedRole

If this configuration parameter is set, it ends the application role delegation if attestation approval is not granted.

QER | Attestation | AutoRemovalScope |
AERoleMembership |
RemoveDirectRole

If this configuration parameter is set, the identity’s membership of the application role is removed if attestation approval is not granted.

This removes all indirect assignments obtained by the identity through this application role!

QER | Attestation | AutoRemovalScope |
AERoleMembership |
RemoveRequestedRole

If this configuration parameter is set, the request for membership of the application role is canceled if attestation approval is not granted.

QER | Attestation | AutoRemovalScope | AERoleMembership | RemoveDynamicRole

If this configuration parameter is set, the identity is excluded from the application role's dynamic role if attestation approval is not granted.

This removes all indirect assignments obtained by the identity through this application role!

QER | Attestation | AutoRemovalScope | DepartmentHasESet

Determines default behavior for automatic removal of system role assignments to departments if attestation approval has been denied.

QER | Attestation | AutoRemovalScope | DepartmentHasESet | RemoveDirect

If this configuration parameter is set, system role to department assignments are removed if attestation approval is not granted.

QER | Attestation | AutoRemovalScope | DepartmentHasUNSGroup

Determines default behavior for automatic removal of system entitlement assignments to departments if attestation approval has been denied.

QER | Attestation | AutoRemovalScope | DepartmentHasUNSGroup | RemoveDirect

If this configuration parameter is set, system entitlement to department assignments are removed if attestation approval is not granted.

QER | Attestation | AutoRemovalScope |
ESetAssignment

Determines default behavior for automatic removal of system role memberships if attestation approval is not granted.

QER | Attestation | AutoRemovalScope |
ESetAssignment |
RemoveDelegatedRole

If this configuration parameter is set, it ends the role delegation through which the identity obtained the system role if attestation approval is not granted.

This removes all indirect assignments obtained by the identity through this role!

QER | Attestation | AutoRemovalScope |
ESetAssignment | RemoveDirect

If this configuration parameter is set, the direct user account membership in the system role will be removed if attestation approval is not granted.

This removes all indirect assignments obtained by the identity through the system role.

QER | Attestation | AutoRemovalScope |
ESetAssignment | RemoveDirectRole

If this configuration parameter is set, the secondary membership of the identity in the role (organization or business role) through which the identity obtained the system role is removed if attestation approval is not granted.

This removes all indirect assignments obtained by the identity through this role!

QER | Attestation | AutoRemovalScope |
ESetAssignment | RemoveDynamicRole

If this configuration parameter is set, the identity is excluded from the dynamic role through which the identity obtained the system role if attestation approval is not granted.

This removes all indirect assignments obtained by the identity through this role!

QER | Attestation | AutoRemovalScope |
ESetAssignment |
RemovePrimaryRole

If this configuration parameter is set, the primary role assignment through which the identity obtained the system role is removed from the identity if attestation approval is not granted.

This removes all indirect assignments obtained by the identity through this role!

QER | Attestation | AutoRemovalScope |
ESetAssignment | RemoveRequested

If this configuration parameter is set, the requested system role is canceled if attestation approval is not granted.

This removes all indirect assignments obtained by the identity through the system role.

QER | Attestation | AutoRemovalScope |
ESetAssignment |
RemoveRequestedRole

If this configuration parameter is set, the request for the role through which the identity obtained the system role is canceled if attestation approval is not granted.

This removes all indirect assignments obtained by the identity through this role!

QER | Attestation | AutoRemovalScope | ESetHasEntitlement

Determines default behavior for automatic removal of system role assignments after attestation approval has been denied.

QER | Attestation | AutoRemovalScope | ESetHasEntitlement | RemoveDirect

If this configuration parameter is set, company resource assignments to system roles are removed if attestation approval is denied.

QER | Attestation | AutoRemovalScope | ESetHasEntitlement | RemoveRequested

If this configuration parameter is set, requested company resource assignments to system roles are unsubscribed if attestation approval is denied.

QER | Attestation | AutoRemovalScope |
GroupMembership

Determines default behavior for automatic removal of united namespace system entitlements if attestation approval is not granted.

QER | Attestation | AutoRemovalScope |
GroupMembership |
RemoveDelegatedRole

If this configuration parameter is set, it ends the role delegation through which the identity obtained the system entitlement if attestation approval is not granted.

This removes all indirect assignments obtained by the identity through this role!

QER | Attestation | AutoRemovalScope |
GroupMembership | RemoveDirect

If this configuration parameter is set, the direct user account membership in the system entitlement will be removed if attestation approval is not granted.

QER | Attestation | AutoRemovalScope |
GroupMembership |
RemoveDirectRole

If this configuration parameter is set, secondary membership of the identity in the role (organization or business role) through which the identity obtained the system entitlement is removed if attestation approval is not granted.

This removes all indirect assignments obtained by the identity through this role!

QER | Attestation | AutoRemovalScope |
GroupMembership |
RemoveDynamicRole

If this configuration parameter is set, the identity is excluded from the dynamic role through which the identity obtained the system entitlement if attestation approval is not granted.

This removes all indirect assignments obtained by the identity through this role!

QER | Attestation | AutoRemovalScope |
GroupMembership |
RemovePrimaryRole

If this configuration parameter is set, the primary role assignment through which the identity obtained the system entitlement is removed from the identity if attestation approval is not granted.

This removes all indirect assignments obtained by the identity through this role!

QER | Attestation | AutoRemovalScope |
GroupMembership |
RemoveRequested

If this configuration parameter is set, the requested system entitlement is canceled if attestation approval is not granted.

QER | Attestation | AutoRemovalScope |
GroupMembership |
RemoveRequestedRole

If this configuration parameter is set, the request for the role through which the identity obtained the system entitlement is canceled if attestation approval is not granted.

This removes all indirect assignments obtained by the identity through this role!

QER | Attestation | AutoRemovalScope |
GroupMembership |
RemoveSystemRole

If this configuration parameter is set, the system role assignment through which the identity obtained the system entitlement is removed from the identity if attestation approval is not granted.

This removes all indirect assignments obtained by the identity through this system role.

NOTE: This configuration parameter is only available if the System Roles Module is installed.

QER | Attestation | AutoRemovalScope | LocalityHasESet

Determines default behavior for automatic removal of system role assignments to locations if attestation approval has been denied.

QER | Attestation | AutoRemovalScope | LocalityHasESet | RemoveDirect

If this configuration parameter is set, system role to location assignments are removed if attestation approval is not granted.

QER | Attestation | AutoRemovalScope | LocalityHasUNSGroup

Determines default behavior for automatic removal of system entitlement assignments to locations if attestation approval has been denied.

QER | Attestation | AutoRemovalScope | LocalityHasUNSGroup | RemoveDirect

If this configuration parameter is set, system entitlement to location assignments are removed if attestation approval is not granted.

QER | Attestation | AutoRemovalScope | OrgHasESet

Determines default behavior for automatic removal of system role assignments to business roles if attestation approval has been denied.

QER | Attestation | AutoRemovalScope | OrgHasESet | RemoveDirect

If this configuration parameter is set, system role to business role assignments are removed if attestation approval is not granted.

QER | Attestation | AutoRemovalScope | OrgHasUNSGroup

Determines default behavior for automatic removal of system entitlement assignments to business roles if attestation approval has been denied.

QER | Attestation | AutoRemovalScope | OrgHasUNSGroup | RemoveDirect

If this configuration parameter is set, system entitlement to business role assignments are removed if attestation approval is not granted.

QER | Attestation | AutoRemovalScope | ProfitCenterHasESet

Determines default behavior for automatic removal of system role assignments to system roles if attestation approval has been denied.

QER | Attestation | AutoRemovalScope | ProfitCenterHasESet | RemoveDirect

If this configuration parameter is set, system role to cost center assignments are removed if attestation approval is not granted.

QER | Attestation | AutoRemovalScope | ProfitCenterHasUNSGroup

Determines default behavior for automatic removal of system entitlement assignments to system roles if attestation approval has been denied.

QER | Attestation | AutoRemovalScope | ProfitCenterHasUNSGroup | RemoveDirect

If this configuration parameter is set, system entitlement to cost center assignments are removed if attestation approval is not granted.

QER | Attestation | AutoRemovalScope | PWOMethodName

Method to be run on requests if the requested assignment is to be deleted if attestation approval is not granted.

The requests can be unsubscribed (Unsubscribe) or canceled (Abort). If the configuration parameter is not set, the requests are canceled by default.

QER | Attestation | AutoRemovalScope |
RoleMembership

Determines default behavior for automatic removal of business role memberships if attestation approval is not granted.

QER | Attestation | AutoRemovalScope |
RoleMembership |
RemoveDelegatedRole

If this configuration parameter is set, it ends the business role delegation if attestation approval is not granted.

This removes all indirect assignments the identity obtained through this business role.

QER | Attestation | AutoRemovalScope |
RoleMembership | RemoveDirectRole

If this configuration parameter is set, the identity secondary membership in the business role will be removed if attestation approval is not granted.

This removes all indirect assignments the identity obtained through this business role.

QER | Attestation | AutoRemovalScope |
RoleMembership | RemoveDynamicRole

If this configuration parameter is set, the identity is excluded from the business role's dynamic role if attestation approval is not granted.

This removes all indirect assignments the identity obtained through this business role.

QER | Attestation | AutoRemovalScope |
RoleMembership |
RemoveRequestedRole

If this configuration parameter is set, the request for membership of the business role is canceled if attestation approval is not granted.

This removes all indirect assignments the identity obtained through this business role.

QER | Attestation | AutoRemovalScope |
UNSGroupInUNSGroup

Specifies the default behavior for removing assignments from system entitlements to system entitlement is attestation approval is not granted.

QER | Attestation | AutoRemovalScope |
UNSGroupInUNSGroup |
RemoveDirect

If this configuration parameter is set, the system entitlement assignment to a system entitlement is removed if attestation approval is not granted.

QER | Attestation |
DefaultSenderAddress

Sender's default email address for sending automatically generated notifications about attestation cases. Replace the default address with a valid email address.

Syntax:

sender@example.com

Example:

NoReply@company.com

You can enter the sender's display name in addition to the email address. In this case, ensure that the email address is enclosed in chevrons (<>).

Example:

One Identity <NoReply@company.com>

QER | Attestation | DepartmentApproval

Department certification is defined under this configuration parameter.

QER | Attestation | DepartmentApproval | InitialApprovalState

Certification status for new departments. If a department is added with the status 1 (NEW), it triggers attestation of the data by their manager.

QER | Attestation | LocalityApproval

Location certification is defined under this configuration parameter.

QER | Attestation | LocalityApproval | InitialApprovalState

Certification status for new locations. If a location is added with the status 1 (NEW), it triggers attestation of the data by their manager.

QER | Attestation | MailApproval |
Account

Name of the user account for authenticating the mailbox used for approval by mail.

QER | Attestation | MailApproval | AppID

Exchange Online application ID for authentication with OAuth 2.0. If the value is not set, the Basic or the NTML authentication method is used.

QER | Attestation | MailApproval |
DeleteMode

Specifies the way emails are deleted from the inbox.

QER | Attestation | MailApproval |
Domain

Domain of the user account for authenticating the mailbox used for approval by mail.

QER | Attestation | MailApproval |
ExchangeURI

URL of the Microsoft Exchange web service for accessing the mailbox. If this is not given, AutoDiscover mode is used to detect the URL.

QER | Attestation | MailApproval |
Inbox

Microsoft Exchange mailbox to which approvals by mail are sent.

QER | Attestation | MailApproval |
Password

Password of the user account for authenticating the mailbox used for approval by mail.

QER | Attestation |
MailTemplateIdents |
AnswerToApprover

This mail template is used to send a notification with an answer to a question from an approver.

QER | Attestation |
MailTemplateIdents |
AttestationApproval

Mail template used for attestation by mail.

QER | Attestation |
MailTemplateIdents |
InformAddingPerson

This mail template is used to notify approvers that an approval decision has been made for the step they added.

QER | Attestation |
MailTemplateIdents |
InformDelegatingPerson

This mail template is used to notify approvers that an approval decision has been made for the step they delegated.

QER | Attestation |
MailTemplateIdents | NewExternalUserVerification

Mail template for sending a message with a verification link to a new external user.

QER | Attestation |
MailTemplateIdents |
QueryFromApprover

This mail template is used to send a notification with a question from an approver to an identity.

QER | Attestation |
MailTemplateIdents |
RequestApproverByCollection

This mail template is used for generating an email when there are pending attestation for an approver. If this configuration parameter is not set, a Mail template request or Mail template reminder can be entered for single approval steps. This template is then sent for each individual attestation case. If this configuration parameter is set, single mails are not sent.

QER | Attestation | NewExternalUserFinalTimeoutInHours

Number of hours given for new external users to register (default: 24 hrs).

QER | Attestation | NewExternalUserTimeoutInHours

Number of hours that the passcode and verification link for new external users are valid (default: 4 hrs).

QER | Attestation | OnWorkflowAssign

This configuration parameter specifies how pending attestation cases are handled when a new approval workflow is assigned to the approval policy.

QER | Attestation | OnWorkflowUpdate

This configuration parameter specifies how pending attestations are handled when the approval workflow is changed.

QER | Attestation | OrgApproval

Business role certification is defined under this configuration parameter.

QER | Attestation | OrgApproval | InitialApprovalState

Certification status for new business roles. If a business role is added with the status 1 (NEW), it triggers attestation of the data by their manager.

QER | Attestation | PeerGroupAnalysis

This configuration parameter allows automatic approval of attestation cases by peer group analysis.

QER | Attestation | PeerGroupAnalysis | ApprovalThreshold

This configuration parameter defines a threshold for peer group analysis between 0 and 1. The default value is 0.9.

QER | Attestation | PeerGroupAnalysis | CheckCrossfunctionalAssignment

This configuration parameter specifies whether functional areas should be take into account in peer group analysis. If the parameter is set, the attestation case is only approved if the identity linked to the attestation case and the attestation object belong to the same functional area.

QER | Attestation | PeerGroupAnalysis | IncludeManager

This configuration parameter specifies whether identities can be added to the peer group who have the same manager as the identity linked to the attestation case.

QER | Attestation | PeerGroupAnalysis | IncludePrimaryDepartment

This configuration parameter specifies whether identities can be added to the peer group who are primary members of the primary department of the identity linked to the attestation object.

QER | Attestation | PeerGroupAnalysis | IncludeSecondaryDepartment

This configuration parameter specifies whether identities can be added to the peer group who are secondary members of the secondary department of the identity linked to the attestation object.

QER | Attestation |
PersonToAttestNoDecide

This configuration parameter specifies whether identities to be attested are allowed to approve this attestation case. If the parameter is set, an attestation case cannot be approved by identities, which are contained in the attestation object (AttestationCase.ObjectKeyBase) or in the objects identifiers 1-3 (AttestationCase.UID_ObjectKey1, ObjectKey2 or ObjectKey3). If the parameter is not set, these identity are allowed to make approval decisions for this attestation case.

QER | Attestation | PrepareAttestationTimeout

Number in hours given to generate new attestation cases (default: 48). If exceeded, the process is canceled.

QER | Attestation | ProfitCenterApproval

Cost center certification is defined under this configuration parameter.

QER | Attestation | ProfitCenterApproval | InitialApprovalState

Certification status for new cost centers. If a cost center is added with the status 1 (NEW), it triggers attestation of the data by their manager.

QER | Attestation | Recommendation

Threshold values for approval recommendations are defined under this configuration parameter.

QER | Attestation | Recommendation | ApprovalRateThreshold

This configuration parameter specifies the threshold for the approval rate. The approval rate determines the proportion of approvals for this attestation object in previous attestation runs that were decided with the same approval procedure. The lower the threshold, the more likely granting approval will be recommended.

QER | Attestation | Recommendation | PeerGroupThreshold

This configuration parameter specifies the threshold for the peer group factor. The peer group factor determines the proportion of identities in the peer group that already own the system entitlement or membership to be attested. The lower the threshold, the more likely granting approval will be recommended.

QER | Attestation | Recommendation | RiskIndexThreshold

This configuration parameter specifies the threshold for the risk index of the attestation object. The higher the threshold, the more likely granting approval will be recommended.

QER | Attestation | Recommendation | UnusedDaysThreshold

The configuration parameter specifies the number of days after which a user account or system entitlement is considered to be unused. If a user account or a system entitlement is not used for a longer period of time, the recommendation is to deny attestation.

QER | Attestation | ReuseDecision

The configuration parameter specifies whether approval granted by an attestor is passed on to all approval steps the attestor can approve within an approval process. If the parameter is set, the current step is approved if an approval step is reached in the approval process for which an identity with approval authorization has already granted approval. If the parameter is not set, the attestor must separately approve each step for which they have approval authorization.

QER | Attestation |
ReducedApproverCalculation

This configuration parameter specifies, which approval steps are recalculated if modifications require attestors to be redetermined.

QER | Attestation | UserApproval

Supports attestation procedures for regularly checking and confirming One Identity Manager users through their Manager.

QER | Attestation | UserApproval |
InitialApprovalState

Certification status for new identities. If an identity is added with the certification status 1 = new, data attestation by the identity’s manager is started.

QER | Attestation | UseWorkingHoursDefinition

Specifies whether working days should be taken into account when calculating the due date of attestation cases according to the definition in the QBM | WorkingHours configuration parameter.

QER | CalculateRiskIndex

Preprocessor relevant configuration parameter controlling system components for calculating the risk index. Changes to the parameter require recompiling the database.

If the parameter is enabled, values for the risk index can be entered and calculated.

If you disable the configuration parameter at a later date, model components and scripts that are no longer required, are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.

QER | Person | Starling

Specifies whether connecting to the One Identity Starling cloud platform is supported.

Initiate your subscription within your One Identity on-prem product and join your on-prem solutions to our One Identity Starling cloud platform. Giving your organization immediate access to a number of cloud-delivered microservices, which expand the capabilities of your One Identity on-prem solutions. We will continuously make available new products and features to One Identity Starling. For a free trial of our One Identity Starling offerings and to get the latest product feature updates, visit cloud.oneidentity.com.

QER | Person | Starling | ApiEndpoint

Token endpoint for logging in to One Identity Starling The value is determined by the Starling configuration wizard.

QER | Person | Starling | ApiKey

Credential string for logging in to One Identity Starling. The value is determined by the Starling configuration wizard.

QER | Person | Starling | UseApprovalAnywhere

This configuration parameter defines whether requests and attestation cases can be approved by adaptive cards.

QER | Person | Starling | UseApprovalAnywhere | SecondsToExpire

This configuration parameter specifies the time in seconds by which the adaptive card must be answered.

QER | WebPortal | BaseURL

API Server URL. This address is used in mail templates to add hyperlinks to the Web Portal.

QER | WebPortal | PasswordResetURL

Password Reset Portal URL. This address is used to navigate.

Common | MailNotification |
DefaultCulture

Default language used to send email notifications if a language cannot be determined for a recipient.

Common | MailNotification | Signature

Data for the signature in email automatically generated from mail templates.

Common | MailNotification | Signature | Caption

Signature under the salutation.

Common | MailNotification | Signature | Company

Company name.

Common | MailNotification | Signature | Link

Link to the company's website.

Common | MailNotification | Signature | LinkDisplay

Display text for the link to the company's website.

Common | MailNotification |
SMTPAccount

User account name for authentication on an SMTP server.

Common | MailNotification |
SMTPDomain

User account domain for authentication on the SMTP server.

Common | MailNotification |
SMTPPassword

User account password for authentication on the SMTP server.

Common | MailNotification |
SMTPPort

Port of the SMTP service on the SMTP server. Default: 25

Common | MailNotification |
SMTPRelay

SMTP server for sending email notifications. If a server is not given, localhost is used.

Common | MailNotification |
SMTPUseDefaultCredentials

Specifies which credentials are used for authentication on the SMTP server.

If this parameter is set, the One Identity Manager Service login credentials are used for authentication on the SMTP server.

If the configuration parameter is not set, the login data defined in the Common | MailNotification | SMTPDomain and Common | MailNotification | SMTPAccount or Common | MailNotification | SMTPPassword configuration parameters is used. (Default)

Common | ProcessState | PropertyLog

When this configuration parameter is set, changes to individual values are logged and shown in the process view. Changes to the parameter require recompiling the database.

If you disable the configuration parameter at a later date, model components and scripts that are no longer required, are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.

QBM | WorkingHours | IgnoreHoliday

The configuration parameter specifies whether holidays are taken into account when calculating working hours. If the configuration parameter is set, holidays are not taken into account.

QBM | WorkingHours | IgnoreWeekend

The configuration parameter specifies whether weekends are included in the calculation of working hours. If the configuration parameter is set, holidays are not taken into account.

ISM

General configuration parameter for the system synchronization service module.

ISM | PrimaryDB

Information about the central database located within the corporate infrastructure.

ISM | PrimaryDB | AppServer

Connection parameter for the central database's application server.

ISM | PrimaryDB | AppServer | AuthenticationString

Authentication data for establishing a connection using the REST API of the central database's application server.

Syntax: Module=<authentication module>;<property1>=<value1>;<property2>=<value2>,…

All authentication modules provided by the application server being addressed are allowed. For more information about authentication modules, see the One Identity Manager Authorization and Authentication Guide.

ISM | PrimaryDB | AppServer | ConnectionString

Connection parameters for establishing a connection using the REST API of the central database's application server.

Syntax: url=<application server URL>[;ClientId=<client ID>;ClientSecret=<secret>;TokenEndpoint=<token endpoint>]

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating