Identity Manager 8.0.1 - Attestation Administration Guide

Attestation and Recertification

Table 1: General Configuration Parameter for Attestation

Configuration parameter | Meaning
QER\Attestation | Preprocessor-relevant configuration parameter for controlling the model parts for attestation. Changes to the parameter require recompiling the database. If the parameter is enabled, you can use the attestation function.

Managers or others responsible for compliance can use the One Identity Manager attestation function to certify the correctness of access permissions, authorizations, requests, or exception approvals, either on a schedule or on demand. "Recertification" is the term generally used to describe the regular certification of permissions. The One Identity Manager uses the same workflows for recertification and attestation.

Attestation policies, which you use to carry out attestations, are defined in the One Identity Manager. Attestation policies specify which objects are attested when, how often, and by whom. Once an attestation is performed, the One Identity Manager creates attestation cases, which contain all the necessary information about the attestation objects and the attestor responsible. The attestor checks the attestation objects, verifies the correctness of the data, and initiates any changes that need to be made if the data conflicts with internal rules.

Attestation cases record the entire attestation sequence. Each attestation step in the attestation case can be reconstructed in an audit-proof manner. Attestations are run regularly using scheduled tasks. You can also trigger single attestations manually.

Attestation is complete when the attestation case has been granted or denied approval. You specify how to deal with granted or denied attestations on a company basis.

TIP: The One Identity Manager provides various default attestation procedures for different data situations and default attestation procedures. If you use these default attestation procedures, you can configure how you deal with denied attestations.

For more information, see Default Attestation and Withdrawal of Entitlements.

To use attestation functionality

  • Set the configuration parameter "QER\Attestation" in the Designer.

One Identity Manager Users for Attestation

The following users are involved in attestation.

Table 2: Users

User | Task

Administrators for attestation cases

Administrators are assigned to the application role Identity & Access Governance | Attestation | Administrators.

Users with this application role:

  • Define attestation procedures and attestation policies.
  • Create approval policies and approval workflows.
  • Specify which approval procedure to use to find attestors.
  • Set up attestation case notifications.
  • Configure attestation schedules.
  • Enter mitigating controls.
  • Create and edit risk index functions.
  • Monitor attestation cases.

One Identity Manager administrators

  • Create customized permissions groups for application roles for role-based login to administration tools in the Designer, as required.
  • Create system users and permissions groups for non-role based login to administration tools, as required.
  • Enable or disable additional configuration parameters in the Designer, as required.
  • Create custom processes in the Designer, as required.
  • Create and configure schedules, as required.
  • Create and configure password policies, as required.

Attestors

  • Check attestation objects in the Web Portal.
  • Confirm data correctness.
  • Initiate changes if data conflicts with internal rules.

The attestors in charge are determined through approval procedures.

Compliance & Security Officer

Compliance and security officers must be assigned to the application role Identity & Access Governance | Compliance & Security Officer.

Users with this application role:

  • View all compliance-relevant information and other analysis in the Web Portal. This includes attestation policies, company policies and policy violations, compliance rules and rule violations, and risk index functions.
  • Edit attestation policies.

Auditors

Auditors are assigned to the application role Identity & Access Governance | Auditors.

Users with this application role:

  • See all the relevant data for an audit in the Web Portal.

Chief approval team

The chief approver must be assigned to the application role Identity & Access Governance | Attestation | Chief approval team.

Users with this application role:

  • Approve using attestation cases.
  • Assign attestation cases to other attestors.

Attestation Base Data

The attestation framework and the objects to be attested are specified in the attestation policy. You require certain base data to define attestation policies.

Attestation types: Attestation Types
Approval policies: Approval Policies
Approval workflows: Approval Workflows
Approval procedures: Setting up Approval Procedures
Attestation procedures: Attestation procedure
Schedules: Schedules
Compliance frameworks: Compliance Frameworks
Mail templates: Creating Custom Mail Templates for Notifications
Chief approval team: Chief approval team
Standard reasons: Standard Reasons

Attestation Types

Attestation types are used to group attestation procedures. These make it easier to assign a matching attestation procedure to the attestation policies.

To edit attestation types

  1. Select the category Attestation | Basic configuration data | Attestation types.
  2. Select the attestation type in the result list. Select Change master data in the task view.

    – OR –

    Click in the result list toolbar.

  3. Edit the attestation type master data.
  4. Save the changes.