Chat now with support
Chat with Support

Identity Manager 8.0 - Attestation Administration Guide

Attestation and Recertification
One Identity Manager Users for Attestation Attestation Base Data Attestation Policies Creating Custom Mail Templates for Notifications
Approval Processes for Attestation Cases
Approval Policies Approval Workflows Selecting Attestors Setting up Multi-Factor Authentication for Attestation Prevent Attestation by Employee Awaiting Attestation Managing Attestation Cases
Attestation Sequence Default Attestation and Withdrawal of Entitlements User Attestation and Recertification Mitigating Controls Configuration Parameters for Attestation

Selecting Attestors

One Identity Manager can make approvals automatically in an attestation procedure or through attestors. An attestor is an employee or a group of employees who can grant or deny approval for an attestation case within an attestation procedure. It takes several approval procedures to grant or deny approval. You specify in the approval step which approval procedure should be used.

If there are several people are determined as approvers by an approval procedure, the number given in the approval step specifies how many people must approve the step. The attestation case can only be passed onto attestors in next level when this has been done. If an approver cannot be found for an approval step, the attestation procedure is aborted.

One Identity Manager provides approval procedures by default. You can also define your own approval procedures.

The DBQueue Processor calculates which person has the authority to grant approval at which level. Take into account the special cases for each approval procedure when setting up the approval workflows to determine those authorized to grant approval.

Default Approval Procedures

Default Approval Procedures

To display default approval procedures

  • Select the category Attestation | Basic configuration data | Approval procedures | Predefined.

The following approval procedures are defined to select the responsible attestors, by default.

Table 27: Approval Procedures for Attestation
Abbreviation Procedure Name Attestors
AA Attestor for the role to attest

Attestor of the organization (department, cost center, location), business role or IT Shop if assignments of system entitlements or system roles to roles are attested.

  • Attestors for departments, cost centers and locations must be assigned to the application role Identity Management | Organizations | Attestors.
  • Attestors for business roles must be assigned to the application role Identity Management | Business roles | Attestors.
  • Attestors for requests must be assigned to the application role Request & Fulfillment | IT Shop | Attestors.
AD Recipient‘s department attestor

Attestor of the department to which the attestation object is primarily assigned.

  • Attestors for departments must be assigned to the application role Identity Management | Organizations | Attestors.
AL Attestor for recipient‘s location

Attestor of the location to which the attestation object is primarily assigned.

  • Attestors for locations must be assigned to the application role Identity Management | Organizations | Attestors.
AN Attestor for the system entitlement to attest

Attestor of the system entitlement or system role if assignments of system entitlements or system roles to roles are attested. Attestors are determined through the assigned service item.

  • Attestors must be assigned to the application role Request & Fulfillment | IT Shop | Attestors.
AO Recipient‘s primary role attestor

Attestor of the business role to which the attestation object is primarily assigned.

Attestors for business roles must be assigned to the application role Identity Management | Business roles | Attestors.

AP Recipient‘s cost center attestor

Attestor of the cost center to which the attestation object is primarily assigned.

  • Attestors for cost centers must be assigned to the application role Identity Management | Organizations | Attestors.
AR Attestation compliance rule attestor

Attestor for the compliance rule to be attested.

  • Attestors must be assigned to the application role Identity & Access Governance | Identity Audit | Attestors.
AS Approver for attestation policy All employees assigned to the attestation policy as approver.
AT Attestation organization attestor

Attestor of the organization (department, cost center, location), business role or IT Shop to be attested.

  • Attestors for departments, cost centers and locations must be assigned to the application role Identity Management | Organizations | Attestors.
  • Attestors for business roles must be assigned to the application role Identity Management | Business roles | Attestors.
  • Attestors for requests must be assigned to the application role Request & Fulfillment | IT Shop | Attestors.
AY Attestor for attestation company policy

Attestor of the company policy to be attested.

  • Attestors must be assigned to the application role Identity & Access Governance | Company policies | Attestors.
CD Calculated approval -
CM Recipient's manager Manager of the employee to be attested.
DM Manager of recipient's department Department manager/deputy if employees of secondary memberships are attested in departments.
ED Department manager for permission attestation Employee’s department manager whose system entitlements are to be attested.
EM Employee manager for permission attestation Employee’s manager whose system entitlements are to be attested.
EN Target system manager of the permission for attestation Target system manager of the system entitlements to be attested.
EO Product owner of the permission for attestation Product owner whose system entitlements or system roles are to be attested.
EX Approvals to be made externally -
LM Location manager Location manager/deputy if employees of secondary memberships are attested in locations.
MO Role owner Business role manager/deputy if employees of secondary memberships are attested in roles.
OA Product owners All members of the assigned application role if service items or system entitlements are attested.
OM Specific role Manager Manager of the role selected in the approval workflow.
OR Members of a certain role All employees that are assigned to a secondary business role.
PA Additional owner of Active Directory group All employees to be found through the additional owner of the requested Active Directory group.
PM Manager of recipient's cost center Cost center manager/deputy if secondary memberships in cost centers are attested.
RE Manager of system roles to be attested System role manager to be attested.
RM Role manager for attesting memberships Manager of role to be attested if secondary memberships in roles are attested.
RR Role manager for attesting roles Manager of role to be attested.
SO Target system manager of the permission for attestation Target system manager of system entitlement or user account to be attested.
WC Waiting for further approval -

Finding Attestors using the Attestation Policy

Finding Attestors using the Attestation Policy

Use the approval procedure "AS" if you want to fix attestors for any object to an attestation policy. This approval procedure finds all employees that are assigned to the attestation procedure as approvers.

Use this procedure to allow any objects to be attested by any of the specified employees. These employees must be assigned to the attestation policy as approvers. The attestor can also be entered when you create attestation policies in the Web Portal. For more detailed information, see the .One Identity Manager Web Portal User Guide

Related Topics

Finding Attestors using the Role of an Employee to Attest

Finding Attestors using the Role of an Employee to Attest

Installed Module: Business Roles Module (for approval procedure "AO").

If you want to attest company resource assignments to employees or your staff‘s requests, use the approval procedures "AD", "AL", "AO" or "AP". The attestors found are members of the application role Attestor.

Attestation objects are employees (table: Person) or request recipients (table: PersonWantsOrg). These approval procedures determine the role (department, location, business role, cost center) for each attestation object to which the attestation object is primarily assigned. If the primarily assigned role is not directly assigned an attestor, the approval procedure finds the the attestator's parents roles. If still no attestor can be determined, the attestation case is presented to the attestor of the associated role class for approval.

NOTE: When attestors are found using the approval procedures "AO" and "bottom-up" inheritance is defined for business roles, note the following:

If there is no Attestor given for the primary business role, attestors are taken from the child business role.

Related Topics
Related Documents