Chat now with support
Chat with Support

Identity Manager 8.0 - Attestation Administration Guide

Attestation and Recertification
One Identity Manager Users for Attestation Attestation Base Data Attestation Policies Creating Custom Mail Templates for Notifications
Approval Processes for Attestation Cases
Approval Policies Approval Workflows Selecting Attestors Setting up Multi-Factor Authentication for Attestation Prevent Attestation by Employee Awaiting Attestation Managing Attestation Cases
Attestation Sequence Default Attestation and Withdrawal of Entitlements User Attestation and Recertification Mitigating Controls Configuration Parameters for Attestation

The Attestation Procedure Overview

The Attestation Procedure Overview

To obtain an overview of an approval procedure

  1. Select the category Attestation | Basic configuration data | Approval procedures.
  2. Select an approval procedure from the result list.
  3. Select Approval procedure overview in the task view.

Specifying Permitted Approval Procedures for Tables

Specifying Permitted Approval Procedures for Tables

You can only assign selected approval policies to attestation procedures. The approval policies permitted depend on the approval procedures applied in the approval policies and on the table which forms the attestation base object for an attestation procedure. You must specify which tables are permitted for use with custom approval procedures.

To specify the tables which permit this approval procedure

  1. Select the category Attestation | Basic configuration data | Approval procedures.
  2. Select an approval procedure from the result list.
  3. Select the task Assign tables.
  4. Double-click on the table to which the approval procedure can be assigned in Add assignments.

    – OR –

    Double-click on the tables no longer permitted to be assigned to the approval procedure in Remove assignments.

  5. Save the changes.

You can see which tables allow an approval procedure on the approval procedure overview form.

Related Topics

Deleting Approval Procedures

Deleting Approval Procedures

To delete an approval procedure

  1. Remove all assignments to approval steps.
    1. Check on the approval procedure overview form, which approval steps are assigned to the approval procedure.
    2. Switch to the approval workflow and assign another approval procedure to the approval step.
  2. Select the category Attestation | Basic configuration data | Custom defined | Approval procedures.
  3. Select an approval procedure from the result list.
  4. Click .
  5. Confirm the security prompt with Yes.
Related Topics

Finding Attestors

Finding Attestors

Table 32: Configuration Parameters for Recalculating and Attestors
Configuration parameter Description
QER\Attestation\ReducedApproverCalculation This configuration parameter specifies, which approval steps are recalculated if the Attestor must be recalculated.

The DBQueue Processor calculates, which employee is authorized as approver in which approval level. Once a attestation is triggered, the attestors are determined for every approval step of the approval workflow to be processed. Changes to responsibilities may lead to an employee no longer being authorized as approver for a attestation that is not yet finally approved. In this case, attestors must be recalculated. The following changes can trigger recalculation of pending attestations:

  • Approval policy, workflow, step or procedure changes.
  • An authorized approver loses their responsibility in the One Identity Manager, for example, if a department manager, the attestation policy approver or the target system manager is changed.
  • An employee obtains responsibilities in One Identity Manager and therefore is authorized as an approver, for example the manager of the employee to be attested.

Once an employee's responsibilities have change in the One Identity Manager, an attestor recalculation task is queued in the DBQueue. By default, all approval steps of the pending attestation cases are recalculated at the same time. Approval steps that have already been approved, remain approved, even if their attestor has changed. Recalculating attestors may take a long time depending on the configuration of the system environment and the amount of data that has changed. To optimize this processing time, you can specify which approval steps the attestors are recalculated for.

To configure recalculation of attestors

  • Set the configuration parameter "QER\Attestation\ReducedApproverCalculation" in the Designer and select one of the following options as a value.
    Table 33: Options for Recalculating Attestors
    Option Description
    No All approval steps are recalculated. This behavior also applies if the configuration parameter is not set.

    Advantage: All valid attestors are displayed in the approval sequence. The rest of the approval sequence is transparent.

    Disadvantage: Recalculating attestors can take a long time.

    CurrentLevel Only attestors for the approval level currently being processed are recalculated. Once an approval level has been approved, the attestors are determined for the next approval level.

    Advantage: The number of approval levels to calculate is lower. Calculating attestors is probably faster.

    TIP: Use this option if performance problems within your system have occurred in connection with recalculating attestors.

    Disadvantage: In the approval sequence, the originally calculated attestors are displayed for the subsequent approval steps although they may no longer be authorized. The rest of the approval sequence is not correctly represented.

    NoRecalc Attestors are not recalculated. The previous attestors remain authorized to approve the current approval levels. Once an approval level has been approved, the attestors are determined for the next approval level.

    Advantage: The number of approval levels to calculate is lower. Calculating attestors is probably faster.

    TIP: Use this option if performance problems within your system have occurred in connection with recalculating attestors, although the "CurrentLevel" option is used.

    Disadvantage: In the approval sequence, the originally calculated attestors are displayed for the subsequent approval steps although they may no longer be authorized. The rest of the approval sequence is not correctly represented. Employees that are no longer authorized can approve the current approval level.

    In the best case, only attestors are found that do not have access to the One Identity Manager, for example because they have left the company. The approval level cannot be approved.

    To see approval steps of this type through

    • Define a timeout and timeout behavior when you set up the approval workflows on the approval steps.

      - OR -

    • Assign members to the chief approval team when you set up the attestation. These can always intervene in pending attestation cases.
Detailed information about this topic
Related Topics
Related Documents