Identity Manager 8.0 - Attestation Administration Guide

Setting up Approval Procedures

You can create your own approval procedures if the default approval procedures for finding attestors do not meet your requirements. The condition that determines the attestors is formulated as a database query. Several queries may be combined into one condition.

To set up an approval procedure

  1. Select the category Attestation | Basic configuration data | Approval procedures.
  2. Select an approval procedure in the result list. Select Change master data in the task view.

    - OR -

    Click in the result list toolbar.

  3. Edit the approval procedure master data.
  4. Save the changes.

To edit the condition

  1. Select the category Attestation | Basic configuration data | Approval procedures.
  2. Select an approval procedure from the result list.
  3. Select Change queries for approver selection in the task view.

Detailed information about this topic

General Master Data for an Approval Procedure

Enter the following master data for an approval procedure.

Table 30: General Master Data for an Approval Procedure

| Property | Description |
|---|---|
| Approval Procedure | Descriptor for the approval procedure (maximum two characters). |
| Description | Approval procedure identifier. |
| DBQueue Processor task | Approvals can either be made automatically through a DBQueue Processor calculation task or by specified attestors. Assign a custom DBQueue Processor task if the approval procedure should make an automatic approval decision. You cannot assign a DBQueue Processor task if a query is entered for determining the attestors. |
| Max. number approvers | Maximum number of attestors to be determined by the approval procedure. Specify how many employees must really make approval decisions in the approval steps used by this approval procedure. |
| Sort order | Value for sorting approval procedures in the menu. Specify the value 10 to display this approval procedure at the top of the menu when you set up an approval step. |


Queries for Finding Attestors

The condition that determines the attestors is formulated as a database query. Several queries may be combined into one condition; every employee determined by any of the single queries is added to the group of attestors.

To edit the condition

  1. Select the category Attestation | Basic configuration data | Approval procedures.
  2. Select an approval procedure from the result list.
  3. Select Change queries for approver selection in the task view.

To create single queries

  1. Click Add.

    This inserts a new row in the table.

  2. Mark this row. Enter the query properties.
  3. Add more queries if required.
  4. Save the changes.

To edit a single query

  1. Select the query you want to edit in the table. Edit the query's properties.
  2. Save the changes.

To remove single queries

  1. Select the query you want to remove in the table.
  2. Click Delete.
  3. Save the changes.

Table 31: Query Properties

| Property | Description |
|---|---|
| Approver selection | Query identifier, which determines the attestors. |
| Query | Database query for determining attestors. The database query must be formulated as a select statement. The column selected by the database query must return a UID_Person. The query returns one or more employees to whom the attestation case is presented for approval. If the query does not return a result, the attestation case is aborted. |

NOTE:

  • A query contains exactly one select statement. To combine several select statements, create several queries.
  • You cannot enter a query to determine attestors if a DBQueue Processor task is assigned.

You can, for example, use the query to determine predefined attestors (example 1). The attestor can also be determined dynamically, depending on the attestation case to be approved. To do this, access the attestation case awaiting approval in the database query through the variable @UID_AttestationCase (SQL) or v_uid_attestationcase (Oracle) (example 2).

Example 1

The attestation case should be approved by a specified attestor.

Query:

    select UID_Person from Person where InternalName='Rippington, Dr. Rudiger von'

Example 2

All active compliance rules should be attested by the respective rule supervisor.

Query:

    select pia.UID_Person from PersonInAERole pia
    join ComplianceRule cr on pia.UID_AERole = cr.UID_OrgResponsible
    join AttestationCase ac on ac.ObjectKeyBase = cr.XObjectKey
     and ac.UID_AttestationCase = @UID_AttestationCase
    where cr.IsWorkingCopy = '0'

TIP: To take delegations into account when attestors are being determined, identify the attestor from the table HelperHeadOrg. This table groups all hierarchical role managers, their deputy managers and employees delegated to the manager.
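
The query rules above (one select statement per query, a single UID_Person column, results of several queries combined, an empty result aborting the case) can be checked before a query is entered. The following Python code is an added example, not code from One Identity Manager: it runs the two example queries against a constructed SQLite stand-in schema, and the sample rows and the names `make_db`, `run_query` and `find_attestors` are assumptions made for illustration.

```python
import sqlite3

# Constructed stand-in schema: only the tables and columns used by the page's
# two example queries. It is not the real One Identity Manager schema.
SCHEMA = """
create table Person (UID_Person text, InternalName text);
create table PersonInAERole (UID_Person text, UID_AERole text);
create table ComplianceRule (UID_OrgResponsible text, XObjectKey text, IsWorkingCopy text);
create table AttestationCase (UID_AttestationCase text, ObjectKeyBase text);
insert into Person values ('p-fixed', 'Rippington, Dr. Rudiger von');
insert into PersonInAERole values ('p-sup', 'role-a');
insert into ComplianceRule values ('role-a', 'key-1', '0'), ('role-b', 'key-2', '0');
insert into AttestationCase values ('case-1', 'key-1'), ('case-2', 'key-2');
"""

EXAMPLE_1 = "select UID_Person from Person where InternalName='Rippington, Dr. Rudiger von'"
EXAMPLE_2 = """select pia.UID_Person from PersonInAERole pia
join ComplianceRule cr on pia.UID_AERole = cr.UID_OrgResponsible
join AttestationCase ac on ac.ObjectKeyBase = cr.XObjectKey
 and ac.UID_AttestationCase = @UID_AttestationCase
where cr.IsWorkingCopy = '0'"""

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def run_query(db, sql, uid_case):
    """Run one approver query under the page's rules; return a set of UID_Person."""
    if not sql.lstrip().lower().startswith("select"):
        raise ValueError("query must be a select statement")
    try:
        # execute() refuses more than one statement; the case UID is bound, not spliced in.
        cur = db.execute(sql, {"UID_AttestationCase": uid_case})
    except (sqlite3.Error, sqlite3.Warning) as exc:
        raise ValueError(f"rejected by the database: {exc}") from exc
    cols = [d[0].lower() for d in cur.description]
    if cols != ["uid_person"]:
        raise ValueError(f"query must return exactly UID_Person, got {cols}")
    return {row[0] for row in cur if row[0] is not None}

def find_attestors(db, queries, uid_case):
    """Union the results of all queries; an empty union means the case is aborted."""
    attestors = set()
    for sql in queries:
        attestors |= run_query(db, sql, uid_case)
    return attestors, ("aborted" if not attestors else "pending approval")
```

In the constructed data, the role responsible for the rule behind `case-2` has no members, so an approval procedure that uses only the example 2 query finds no attestor for that case and it is aborted.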

Additional Tasks for Approval Procedures

After you have entered the master data, you can apply different tasks to it. The task view contains different forms with which you can run the following tasks.
