If service items or system entitlements need to be attested, product owners can be determined as attestors. Use the approval procedure "OA" to do this. Any number of service items and system entitlements which are assigned a service item can be attested.
Assign an application role to the service item in Product owner. This determines all employees as attestor who have the given application role.
|NOTE: Only one approval step can be defined with the approval procedure "CD" per approval level.|
If you want to make attestation dependent on specific conditions, use the approval procedure "CD". This procedure does not determine an attestor. The One Identity Manager makes the decision depending on the condition that is formulated in the approval step.
You can use the procedure for any attestation base objects. You create a condition in the approval step. If the condition returns a result, the approval step is approved through the One Identity Manager. If the condition does not return a result, the approval step is denied by the One Identity Manager. If there are no further approval steps, the approval procedure is either finally granted or denied.
To enter a condition for the approval procedure "CD"
Compliance should be tested when they meet the following conditions:
Find the objects that meet these conditions by using the approval procedure CD.
(SELECT 1 FROM (SELECT xobjectkey FROM ComplianceRule
WHERE isnull(IsWorkingCopy, 0) = 0 AND EXISTS
(SELECT 1 FROM (SELECT UID_AERole FROM AERole WHERE 1 = 1)
as X WHERE X.UID_AERole = ComplianceRule.UID_OrgResponsible))
as X WHERE X.xobjectkey = AttestationCase.ObjectKeyBase)
If the condition is met, the rule attestor should attest this compliance rule. To do this, extend the positive approval path with an approval step using approval procedure "AR".
If the condition is not met, the attestation should be denied by the One Identity Manager. In this case, no further approval steps are required.
Use external approvals (approval procedure "EX") if an attestation needs to be approved once a defined event from outside the One Identity Manager takes place. You can also use this procedure to allow any number of objects to be attested by employees that do not have access to the One Identity Manager.
Specify an event in the approval step that triggers an external approval. A process is started by the event that initiates the external approval for the
To use an approval procedure
If the external event occurs, the approval step status in One Identity Manager has to be changed. Use the process task CallMethod with the method MakeDecision for this. Pass the following parameters to the process task:
MethodName: Value = "MakeDecision"
ObjectType: Value =
Param1: Value = "sa"
Param2: Value = <approval> ("true" = granted; "false" = denied)
Param3: Value = <reason for approval decision>
Param4: Value = <standard reason>
Param5: Value = <number approval steps> (PWODecisionStep.SubLevelNumber)
WhereClause: Value = "UID_AttestationCase ='"& $UID_AttestationCase$ &"'"
Use these parameters to specify which
Use the Process Editor to define and edit processes.
All compliance rules should be checked and attested by an external assessor. The attestation object data should be made available as a PDF on an external share. The assessor should save the result of the attestation in a text file on the external share. Use this approval procedure to make external approvals and define:
Enter the event "E1" in the approval step in the Event field and in the process "P1" as a trigger event for external approval.
For more detailed information about creating processes and schedules, see the One Identity Manager Configuration Guide.
|NOTE: Only one approval step can be defined with the approval procedure "WC" per approval level.|
If you want to ensure that a specific data state exists in the One Identity Manager before attestation, then use the approval procedure "WC". Use a condition to specify which prerequisites have to be fulfilled so that attestation can take place. The condition is evaluated as a function call. The function has to accept the attestation case UID as a parameter (AttestationCase.UID_AttestationCase). Use this UID to refer to each attestation object. It must define three return values as integers. One of the following actions is carried out depending on the function‘s return value:
Return value > 0
The condition is fulfilled. Deferred approval has completed successfully. The next approval step (in case of success) is carried out.
Return value = 0
The condition is not yet fulfilled. Approval is rolled back and is retested the next time DBQueue Processor runs.
Return value < 0
The condition is not fulfilled. Deferred approval has failed. The next approval step (in case of failure) is carried out.
To use an approval procedure
<database schema name>.<function name>