
Identity Manager 8.0 - Attestation Administration Guide


Editing Approval Levels


An approval level provides a method of grouping individual approval steps. All the approval steps in one approval level are executed in parallel. All the approval steps for different approval levels are executed one after the other. You use the connectors to specify the order of execution.

Specify the individual approval steps in the approval levels. At least one approval step is required per level. Enter the approval steps first before you add an approval level.

To add an approval level

  1. Select Toolbox | Approval levels | Add....

    This opens the properties dialog for the first approval step.

  2. Enter the approval step properties.
  3. Save the changes.

For more information, see Setting up an Approval Step.

You can edit the properties of an approval level as soon as you have added an approval level with at least one approval step.

To edit approval level properties

  1. Select the approval level.
  2. Select Toolbox | Approval levels | Add....
  3. Enter a display name for the approval level.
  4. Save the changes.

NOTE: You can define more than one approval step for each approval level. In this case, the attestors of an approval level can make a decision about an attestation case in parallel rather than sequentially. The attestation case cannot be presented to the attestors at the next approval level until all approval steps in one approval level have been completed in the attestation procedure.

To add more approval steps to an approval level

  1. Select the approval level.
  2. Select Toolbox | Approval levels | Add....
  3. Enter the approval step properties.
  4. Save the changes.

To edit approval level properties

  1. Select the approval step.
  2. Select Toolbox | Approval levels | Add....
  3. Edit the approval step properties.
  4. Save the changes.

Setting up an Approval Step


The following data is required for an approval step. If you add a new approval step, you must fill out the compulsory fields.

Table 24: Setting up an Approval Step
Property Meaning

Single step

Approval step name.

Approval Procedure

Procedure to use for determining attestors.

Mail templates

Mail template that is used for email notifications for granting or denying approval, escalation, abort, rejection or delegation of an attestation case as well as a reminder.

Condition

Condition for calculating approval with approval procedures CD, EX or WC.

Role

Hierarchical roles for determining the attestor with default approval procedures "OM" and "OR".

Number of approvers

Number of attestors required to approve an attestation case. Use this number to further restrict the maximum number of approvers of the implemented approval procedure.

If there are several people allocated as approvers, then this number specifies how many people from this group have to approve an attestation case. A request can only be passed up to the next level afterwards.

If not enough attestors can be found, the approval step is presented to the fallback approvers. The approval step is considered approved the moment one fallback approver has approved the attestation case.

Enter the value -1 if approval decisions should be made for all the employees found using the applied approval procedure, for example all members of a role (default approval procedure "OR"). This overrides the maximum number of attestors defined in the approval procedure.

The number of approvers defined in an approval step is not taken into account in the approval procedures CD, EX or WC.

Description

Spare text box for additional explanation.

Fallback approver

Application role whose members are authorized to approve attestation cases if an attestor cannot be determined through the approval procedure. Assign an application role from the menu.

To create a new application role, click . Enter the application role name and assign a parent application role. For more information, see the One Identity Manager Application Roles Administration Guide.

NOTE: The number of approvers is not applied to the fallback approvers. The approval step is considered approved the moment one fallback approver has approved the request.

Reminder interval (hours)

Number of working hours to elapse after which the attestor is notified by mail that there are still attestation cases pending attestation.

NOTE: Ensure that a state and/or county is entered into the employee's master data for determining the correct working hours.

TimeOut (working hours)

Number of working hours to elapse after which the approval step is automatically granted or denied approval.

The approver's working hours apply to the time calculation.

NOTE: Ensure that a state and/or county is entered into the employee's master data for determining the correct working hours.

Timeout behavior

Action that is executed when the timeout expires.

Table 25: Possible Timeout Behavior
Method Description

Approval

The attestation case is granted approval in this approval step. The next approval step is called.

Deny

The attestation case is denied approval in this approval step. The next approval step is called.

Escalation

The attestation case is escalated. The escalation approval step is called.

Abort

The approval, and therefore the entire attestation procedure, is aborted.

Additional approver possible

Specifies whether a current attestor is allowed to instruct another employee to be an attestor. This additional attestor is authorized to make approvals for the current attestation case in parallel. The attestation case is not passed on to the next approval level until both attestors have made a decision.

This option can only be set for approval levels with a single, manual approval step.

Approval can be delegated

Specifies whether the current attestor can delegate the approval to another employee. This employee is added to the current approval step as attestor. The employee makes the approval decision instead of the attestor who made the delegation.

This option can only be set for approval levels with a single, manual approval step.

Approval by affected employee

Specifies whether the employee that is affected by the attestation case can also approve it. If this option is not set, specify whether the employee to be attested can attest themselves, in the configuration parameter "QER\Attestation\PersonToAttestNoDecide".

Do not show in approval history

Specifies whether the attestation history is visible or not. This behavior can be applied to approval steps with the approval procedure "CD - calculated approval", for example, if the steps are only used for branching in the approval workflow. This makes it easier to follow the attestation history.


Connecting Approval Levels


When you set up an approval workflow with several approval levels, you have to connect each level with another. You may create the following links:

Table 26: Links to Approval Levels
Link Description

Approval

Link to next approval level if the current approval level was granted approval.

Deny

Link to next approval level if the current approval level was not granted approval.

Reroute

Link to another approval level to by-pass the current approval.

Attestors can pass the approval decision through another approval level, for example, if approval is required by a manager in an individual case. To do this, create a connection to the approval level to which the approval can be rerouted. This way approvals can also be rerouted to a previous approval level, for example, if an approval decision is considered not to be well founded.

It is not possible to reroute approval steps with the approval methods "EX", "CD", "SB" or "WC".

Escalation

Link to another approval level when the current approval level is escalated after timing out.

If there are no further approval levels after the current one, then the attestation case is considered approved if the approval decision was to grant approval. If the approval is not granted, the attestation case is finally denied. The attestation procedure is closed in both cases.
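
The "Number of approvers" and "Fallback approver" rules from Table 24 and the link rules from Table 26 can be modeled as follows. This is an added example, not One Identity Manager code; the function names, level names and inputs are hypothetical, and the value -1 is modeled as "every attestor found must approve".

```python
# Added illustration: a conceptual model of the rules described in this guide.
# It is not One Identity Manager code; all names here are hypothetical.

def step_approved(required, found, approvals, fallback_approvals):
    """Decide one approval step.

    required           -- "Number of approvers"; -1 means every attestor found
    found              -- attestors determined by the approval procedure
    approvals          -- attestors who have granted approval so far
    fallback_approvals -- fallback approvers who have granted approval
    """
    need = len(found) if required == -1 else required
    if not found or len(found) < need:
        # Not enough attestors: the step goes to the fallback approvers, and
        # the number of approvers is not applied to them. One is enough.
        return len(fallback_approvals) > 0
    return len(set(approvals) & set(found)) >= need


def walk(levels, outcomes, start):
    """Follow Approval / Deny / Escalation links until the procedure closes.

    levels   -- {level: {link name: next level}}
    outcomes -- {level: "Approval" | "Deny" | "Escalation"} (constructed input)
    """
    level, path = start, []
    while level is not None:
        if level in path:
            raise ValueError(f"level {level!r} reached twice with fixed outcomes")
        path.append(level)
        outcome = outcomes[level]
        nxt = levels[level].get(outcome)
        if nxt is None and outcome == "Escalation":
            raise ValueError(f"level {level!r} escalates but has no Escalation link")
        level = nxt
    # No further level: the last decision closes the attestation procedure.
    return ("approved" if outcome == "Approval" else "denied"), path


# Constructed sample workflow: manager level, then owner level, with escalation.
LEVELS = {
    "manager": {"Approval": "owner", "Escalation": "security"},
    "owner": {},
    "security": {},
}
```

With two approvers required but only one attestor found, `step_approved(2, {"a"}, set(), {"f1"})` returns `True`: a single fallback approver satisfies a step that was configured to need two decisions.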

Additional Tasks for Approval Workflows

After you have entered the master data, you can apply different tasks to it. The task view contains different forms with which you can run the following tasks.
