If you want to attest compliance rules, rule violations, company policies, policy violations or company resource assignments to departments, locations or business roles, use the approval procedures "AR", "AY" or "AT". The procedure "AT" is also suitable for attesting assignments to IT Shop structures (shops, shopping centers or shelves). Use the approval procedures "AA" or "AN" to attest system entitlement or system role assignments to departments, locations, cost centers or IT Shop structures. The attestors found are members of the application role Attestor.
Approval procedure | Attestation Base Objects | Available in Module |
---|---|---|
AR | Rules (ComplianceRule); Rule violations (PersonInNonCompliance) | Compliance Rules Module |
AY | Company policies (QERPolicy); Policy violations (QERPolicyHasObject) | Company Policies Module |
AT | Departments (Department); IT Shop Structures (ITShopOrg); Locations (Locality); Business roles (Org); Cost centers (ProfitCenter); IT Shop Templates (ITShopSrc) | |
AA, AN | System entitlement or target system group assignments to roles (<BaseTree>HasUNSGroupB, <BaseTree>HasADSGroup, <BaseTree>HasEBSResp, ...); System role assignments to roles (<BaseTree>HasESet) | Target System Base Module |
These approval procedures determine the attestors to which the attestation object is assigned. The approval procedure "AA" finds the attestor using the role (departments, IT Shop structures, locations, business roles, cost centers, IT Shop templates). The approval procedure "AN" finds the attestor using the service item assigned to the system entitlement or target system group.
Furthermore, the following also applies to the approval procedures "AT" and "AA": If an attestor is not directly assigned to the attestation object, the approval procedure finds the attestor of the parent roles/IT Shop structures. If still no attestor can be determined, the attestation case is presented to the attestor of the associated role class for approval.
NOTE: When the attestation base object is a business role, IT Shop structure or IT Shop template or rather the assignment to a business role, IT Shop structure or IT Shop template and "bottom-up" inheritance is defined for the associated role classes.
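The fallback order described above for "AT" and "AA" (direct attestor, then parent roles/IT Shop structures, then the role class), modeled as an added example that is not One Identity Manager code. The `Role` class, `resolve_attestors`, the sample hierarchy and the "unresolved" outcome (a case the page does not describe) are hypothetical and constructed here.

```python
from dataclasses import dataclass, field

@dataclass
class Role:
    """Hypothetical stand-in for a department, location or IT Shop structure."""
    name: str
    role_class: str
    parent: "Role | None" = None
    attestors: list = field(default_factory=list)

def resolve_attestors(role, class_attestors):
    """Return (attestors, source) using the AT/AA fallback order."""
    if role.attestors:
        return list(role.attestors), "direct"
    seen = {id(role)}                      # guard against a cyclic hierarchy
    node = role.parent
    while node is not None and id(node) not in seen:
        if node.attestors:
            return list(node.attestors), f"parent:{node.name}"
        seen.add(id(node))
        node = node.parent
    fallback = class_attestors.get(role.role_class, [])
    if fallback:
        return list(fallback), f"role_class:{role.role_class}"
    # Assumption: the page does not say what happens here; flag it for review.
    return [], "unresolved"

def build_sample():
    """Constructed sample data: two hierarchies and one isolated location."""
    corp = Role("Corp", "Department", attestors=["alice"])
    eng = Role("Engineering", "Department", parent=corp)
    plat = Role("Platform", "Department", parent=eng)
    shop = Role("Shop-EMEA", "ITShopOrg")
    shelf = Role("Shelf-Dev", "ITShopOrg", parent=shop)
    lab = Role("Lab", "Locality")
    return [corp, eng, plat, shop, shelf, lab], {"ITShopOrg": ["carol"]}

def audit(roles, class_attestors):
    """Map each role name to its resolved attestors and where they came from."""
    return {r.name: resolve_attestors(r, class_attestors) for r in roles}

if __name__ == "__main__":
    roles, class_attestors = build_sample()
    for name, (who, source) in audit(roles, class_attestors).items():
        print(f"{name:12} {source:22} {who}")
```

Rows whose source is a role class or "unresolved" are the ones worth reviewing before an attestation run, since nobody close to the object is assigned as attestor.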
If you want to allow company resource assignments for your employees, roles or role memberships, system roles or system entitlements for employees, roles or IT Shop structures through their managers, use the approval procedures "CM", "DM", "LM", "MO", "RM", "RR" or "RE".
Approval procedure | Attestation Base Objects | Available in Module |
---|---|---|
CM | Employees (Person) | |
DM | Employees (Person); Employees: department memberships (PersonInDepartment) | |
LM | Employees (Person); Employees: location memberships (PersonInLocality) | |
MO | Employees (Person); Employees: business role memberships (PersonInOrg) | Business Roles Module |
PM | Employees (Person); Employees: cost center memberships (PersonInProfitCenter) | |
RE | System roles (ESet); Employees: system role assignments (PersonHasESet); Departments: system role assignments (DepartmentHasESet); Business roles: system role assignments (OrgHasESet); IT Shop structures: system role assignments (ITShopOrgHasESet); IT Shop templates: system role assignments (ITShopSrcOrgHasESet); Cost centers: system role assignments (ProfitCenterHasESet); Locations: system role assignments (LocalityHasESet) | System Roles Module |
RM | Employees: department memberships (PersonInDepartment); Employees: IT Shop structure memberships (PersonInITShopOrg); Employees: location memberships (PersonInLocality); Employees: business role memberships (PersonInOrg); Employees: cost center memberships (PersonInProfitCenter) | |
RR | Departments (Department); IT Shop Structures (ITShopOrg); Locations (Locality); Business roles (Org); Cost centers (ProfitCenter); IT Shop Templates (ITShopSrc); All system entitlement or system role assignments to roles, for example "Roles and organizations: Active Directory group assignments" (BaseTreeHasADSGroup) or "Locations: EBS entitlement assignments" (LocalityHasEBSResp) | |
These approval procedures find the manager associated with every attestation object. In the case of the approval procedure "RE", the system role manager is determined as attestor; for the approval procedures "RM" and "RR", it is the role/IT Shop structure manager. The approval procedures "DM", "LM", "MO" and "PO" find the manager and deputy manager of the department in which the employee to attest is a member.
If you want to attest system entitlements and the user account assigned to them, use the approval policies "ED", "EM", "EN", "EO" or "SO".
Attestation objects are system entitlements and the user accounts assigned to them as well as system roles which have system entitlements or system roles assigned to them. The approval procedures determine the following attestors:
Approval procedure | Attestation Base Objects | Attestors | Available in Module |
---|---|---|---|
ED | User accounts: system entitlement assignments (UNSAccountInUNSGroup) | Employee’s department manager (and deputy manager) to which the user account is connected. The primary department assigned in this case. | Target System Base Module |
EM | User accounts: system entitlement assignments (UNSAccountInUNSGroup) | Employee’s department manager to which the user account is connected. | Target System Base Module |
EN | User accounts: system entitlement assignments (UNSAccountInUNSGroup); System entitlements (UNSGroup) | Target system manager of the target system area to which the system entitlement belongs. | Target System Base Module |
EO | System roles: assignments (ESetHasEntitlement); All user account assignments to system entitlements, for example "User accounts: system entitlement assignments" (UNSAccountInUNSGroup) or "SAP user accounts: assignments to groups" (SAPUserInSAPGroup); All system entitlement or system role assignments to roles, for example "Roles and organizations: Active Directory group assignments" (BaseTreeHasADSGroup) or "Locations: EBS entitlement assignments" (LocalityHasEBSResp) | Product owner of the service item to which the system entitlement or system role is assigned. | Target System Base Module or System Roles Module |
SO | User accounts: system entitlement assignments (UNSAccountInUNSGroup); User accounts (UNSAccount); System entitlements: assignments to system entitlements (UNSGroupInUNSGroup) | Target system manager for the target system to which the system entitlement or user account belongs. | Target System Base Module |
If the attestors for any object in a certain role are specified, use the approval procedure "OR" or "OM". You can allow any objects to be attested by employees from any role using these approval procedures. Specify a role in the approval step with which the attestors can be determined. The approval procedures determine the following attestors:
Approval procedure | Selectable Roles | Attestors |
---|---|---|
OM | Departments (Department); Cost centers (ProfitCenter); Locations (Locality); Business roles (Org) | Manager and deputy manager of the role specified in the approval step. |
OR | Departments (Department); Cost centers (ProfitCenter); Locations (Locality); Business roles (Org); Application roles (AERole) | All secondary members of the role specified in the approval step. |