Chat now with support
Chat with Support

Identity Manager 8.0 - Attestation Administration Guide

Attestation and Recertification
One Identity Manager Users for Attestation Attestation Base Data Attestation Policies Creating Custom Mail Templates for Notifications
Approval Processes for Attestation Cases
Approval Policies Approval Workflows Selecting Attestors Setting up Multi-Factor Authentication for Attestation Prevent Attestation by Employee Awaiting Attestation Managing Attestation Cases
Attestation Sequence Default Attestation and Withdrawal of Entitlements User Attestation and Recertification Mitigating Controls Configuration Parameters for Attestation

Finding Attestors using Attestation Objects

Finding Attestors using Attestation Objects

If you want to attest compliance rules, rule violations, company policies, policy violations or company resource assignments to departments, location or business roles, use the approval procedures "AR", "AY" or "AT". The procedure "AT" is also suitable for attesting assignments to IT Shop structures (shops, shopping centers or shelves). Use the approval procedures "AA" or "AN" to attest system entitlement or system role assignments to departments, locations, cost centers or IT Shop structures. The attestors found are members of the application role Attestor.

  Attestation Base Objects Available in Module
AR

Rules (ComplianceRule)

Rule violations (PersonInNonCompliance)

Compliance Rules Module
AY

Company policies (QERPolicy)

Policy violations (QERPolicyHasObject)

Company Policies Module
AT

Departments (Department)

IT Shop Structures (ITShopOrg)

Locations (Locality)

Business roles (Org)

Cost centers (ProfitCenter)

IT Shop Templates (ITShopSrc)

 
AA, AN

System entitlement or target system group assignments to roles (<BaseTree>HasUNSGroupB,

<BaseTree>HasADSGroup, <BaseTree>HasEBSResp, ...)

System role assignments to roles (<BaseTree>HasESet)

Target System Base Module

These approval procedures determine the attestors to which the attestation object is assigned. The approval procedure "AA" finds the attestor using the role (departments, IT Shop structures, locations, business roles, cost centers, IT Shop templates). The approval procedure "AN" finds the attestor using the service item assigned to the system entitlement or target system group.

Furthermore, the following also applies to the approval procedures "AT" and "AA":If an attestor is not directly assigned to the attestation object, the approval procedure finds the attestor of the parent roles/IT Shop structures. If still no attestor can be determined, the attestation case is presented to the attestor of the associated role class for approval.

NOTE: When the attestation base object is a business role, IT Shop structure or IT Shop template or rather the assignment to a business role, IT Shop structure or IT Shop template and "bottom-up" inheritance is defined for the associated role classes.

  • If there is no attestor assigned to the attestation object, the approval procedure finds attestors from the attestors of subordinate roles.
Related Topics

Finding Attestors from Attestation Object Managers

Finding Attestors from Attestation Object Managers

If you want to allow company resource assignments for your employees, roles or role memberships, system roles or system entitlements for employees, roles or IT Shop structures through their managers, use the approval procedures "CM", "DM", "LM", "MO", "RM", "RR" or "RE".

Approval procedure Attestation Base Objects Available in Module
CM Employees (Person)  
DM

Employees (Person)

Employees: department memberships (PersonInDepartment)

 
LM

Employees (Person)

Employees: location memberships (PersonInLocality)

 
MO

Employees (Person)

Employees: business role memberships (PersonInOrg)

Business Roles Module
PM

Employees (Person)

Employees: cost center memberships (PersonInProfitCenter)

 
RE

System roles (ESet)

Employees: system role assignments (PersonHasESet)

Departments: system role assignments(DepartmentHasESet)

Business roles: system role assignments (OrgHasESet)

IT Shop structures: system role assignments (ITShopOrgHasESet)

IT Shop templates: system role assignments (ITShopSrcOrgHasESet)

Cost centers: system role assignments (ProfitCenterHasESet)

Locations: system role assignments (LocalityHasESet)

System Roles Module
RM

Employees: department memberships (PersonInDepartment)

Employees: IT Shop structure memberships (PersonInITShopOrg)

Employees: location memberships (PersonInLocality)

Employees: business role memberships (PersonInOrg)

Employees: cost center memberships (PersonInProfitCenter)

 
RR

Departments (Department)

IT Shop Structures (ITShopOrg)

Locations (Locality)

Business roles (Org)

Cost centers (ProfitCenter)

IT Shop Templates (ITShopSrc)

All system entitlement or system role assignments to roles; for example "Roles and organizations: Active Directory group assignments" (BaseTreeHasADSGroup) or "Locations: EBS entitlement assignments" (LocalityHasEBSResp)

 

These approval procedures find the manager associated with every attestation object. In the case of the approval procedure "RE", the system role manager is determined as attestor, for the approval procedures "RM" and "RR" the role/IT Shop structure manager. The approval procedures "DM", "LM", "MO" and "PO" find the department manager and deputy manager in which the employee to attest is a member.

Finding Attestors from those Responsible for the Attestation Object

Finding Attestors from those Responsible for the Attestation Object

If you want to attest system entitlements and the user account assigned to them, use the approval policies "ED", "EM", "EN", "EO" or "SO".

Attestation objects are system entitlements and the user accounts assigned to them as well as system roles which have system entitlements or system roles assigned to them. The approval procedures determine the following attestors:

  Attestation Base Objects Attestors Available in Module
ED User accounts: system entitlement assignments (UNSAccountInUNSGroup) Employee’s department manager (and deputy manager) to which the user account is connected. The primary department assigned in this case. Target System Base Module
EM User accounts: system entitlement assignments (UNSAccountInUNSGroup) Employee’s department manager to which the user account is connected. Target System Base Module
EN User accounts: system entitlement assignments (UNSAccountInUNSGroup)

System entitlements (UNSGroup)

Target system manager of the target system area to which the system entitlement belongs. Target System Base Module
EO

System roles: assignments (ESetHasEntitlement)

All user account assignments to system entitlements; for example "User accounts: system entitlement assignments" (UNSAccountInUNSGroup) or "SAP user accounts: assignments to groups" (SAPUserInSAPGroup)

All system entitlement or system role assignments to roles; for example "Roles and organizations: Active Directory group assignments" (BaseTreeHasADSGroup) or "Locations: EBS entitlement assignments" (LocalityHasEBSResp)

Product owner of the service item to which the system entitlement or system role is assigned. Target System Base Module or System Roles Module
SO

User accounts: system entitlement assignments (UNSAccountInUNSGroup)

User accounts (UNSAccount)

System entitlements: assignments to system entitlements (UNSGroupInUNSGroup)

Target system manager for the target system to which the system entitlement or user account belongs. Target System Base Module

Finding Attestors using a Specified Role

Finding Attestors using a Specified Role

If the attestors for any object in a certain role are specified, use the approval procedure "OR" or "OM". You can allow any objects to be attested by employees from any role using these approval procedures. Specify a role in the approval step with which the attestors can be determined. The approval procedures determine the following attestors:

  Selectable Roles Attestors
OM

Departments (Department)

Cost centers (ProfitCenter)

Locations (Locality)

Business roles (Org)

Manager and deputy manager of the role specified in the approval step.
OR

Departments (Department)

Cost centers (ProfitCenter)

Locations (Locality)

Business roles (Org)

Application roles (AERole)

All secondary members of the role specified in the approval step.
Related Documents