
Identity Manager 8.0 - Attestation Administration Guide


Prevent Attestation by Employee Awaiting Attestation

Table 36: Configuration Parameter for Attestation by Employee Awaiting Attestation
Configuration parameter: QER\Attestation\PersonToAttestNoDecide

Meaning: This configuration parameter specifies whether employees to be attested are allowed to approve this attestation case. If the parameter is set, an attestation case cannot be approved by employees who are contained in the attestation object (AttestationCase.ObjectKeyBase) or in the object identifiers 1-3 (AttestationCase.UID_ObjectKey1, ObjectKey2 or ObjectKey3). If the parameter is not set, these employees are allowed to make approval decisions for this attestation case.

The attestation object can also be determined as the attestor in an attestation case, which means the employees to be attested can attest themselves. To prevent this, set the configuration parameter "QER\Attestation\PersonToAttestNoDecide".


  • Changing the configuration parameter only affects new attestation cases. Attestors are not recalculated for existing attestation cases.
  • The configuration parameter setting also applies for fallback approvers; it does not apply to the chief approval team.
  • If the option "Approval by affected employee" is set on an approval step, the configuration parameter has no effect.

To prevent employees from attesting themselves

  • Set the configuration parameter "QER\Attestation\PersonToAttestNoDecide" in the Designer.

This configuration parameter affects all attestation cases in which employees included in the attestation object or in object relations are attestors at the same time. The following employees are removed from the group of attestors:

  • Employees included in AttestationCase.ObjectKeyBase
  • Employees included in AttestationCase.UID_ObjectKey1, ObjectKey2 or ObjectKey3
  • Employees' main identities
  • All sub-identities of these main identities

If the configuration parameter is not set or the option "Approval by affected employee" is enabled for the approval step, these employees can attest themselves.
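The following Python sketch models the exclusion rule described above so the effect on attestors, fallback approvers and the chief approval team can be checked side by side. It is an added example, not One Identity code: the `Case` structure, the `main_of` mapping and all employee names are constructed, and it assumes an employee without a main-identity entry is its own main identity.

```python
from dataclasses import dataclass

@dataclass
class Case:
    """Constructed stand-in for an attestation case (not the product schema)."""
    object_keys: set      # employees in ObjectKeyBase / UID_ObjectKey1-3
    attestors: set        # attestors calculated for the approval step
    fallback: set         # fallback approvers
    chief_team: set       # chief approval team
    approval_by_affected: bool = False  # step option "Approval by affected employee"

def excluded_identities(subjects, main_of):
    """Employees to attest, their main identities, and all sub-identities of those."""
    # Assumption: no entry in main_of means the employee is its own main identity.
    mains = {main_of.get(s, s) for s in subjects}
    subs = {emp for emp, main in main_of.items() if main in mains}
    return set(subjects) | mains | subs

def effective_approvers(case, main_of, person_to_attest_no_decide):
    """Return (attestors, fallback, chief_team) after applying the parameter."""
    if not person_to_attest_no_decide or case.approval_by_affected:
        # Parameter not set, or overridden by the step option: nobody is removed.
        return set(case.attestors), set(case.fallback), set(case.chief_team)
    blocked = excluded_identities(case.object_keys, main_of)
    # Fallback approvers are filtered too; the chief approval team is not.
    return case.attestors - blocked, case.fallback - blocked, set(case.chief_team)

def self_attestation_findings(case, main_of):
    """Audit view: attestors or fallback approvers who would attest themselves."""
    blocked = excluded_identities(case.object_keys, main_of)
    return sorted((case.attestors | case.fallback) & blocked)

# Constructed sample: sub-identity -> main identity.
MAIN_OF = {"jdoe-adm": "jdoe", "jdoe-svc": "jdoe", "asmith-adm": "asmith"}
CASE = Case(
    object_keys={"jdoe-adm"},               # the identity being attested
    attestors={"jdoe", "mlee"},             # jdoe is the main identity of jdoe-adm
    fallback={"jdoe-svc", "asmith-adm"},
    chief_team={"jdoe", "root"},
)

if __name__ == "__main__":
    print("would self-attest:", self_attestation_findings(CASE, MAIN_OF))
    print("parameter set:    ", effective_approvers(CASE, MAIN_OF, True))
    print("parameter not set:", effective_approvers(CASE, MAIN_OF, False))
```

Because the parameter only affects new attestation cases, a review of cases that were already open when it was changed still has to look for the overlap that `self_attestation_findings` reports.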

Related Topics

Setting up an Approval Step

Managing Attestation Cases

During attestation, you may find it necessary to assign someone else as default attestor responsible for the attestation because, for example, the actual attestor is absent. You may require additional information about an attestation object. The One Identity Manager offers different possibilities to intervene in an open attestation case.

Getting More Information

An attestor has the option to gather more information about an attestation case. This inquiry option does not, however, replace granting or denying approval of an attestation case. No additional approval step is required in the approval workflow to obtain the information.

Attestors can request information from anyone, in the form of a question. The attestation case is put on hold for the questioning period. Hold status is removed once the employee questioned has supplied the required information and the attestor has made an approval decision for the attestation case. The attestor can recall a pending inquiry at any time. The request is taken off hold. The question and answer are logged in the approval sequence and made available to the attestors.

NOTE: Hold status is revoked when the attestor who has asked a question is removed. The queried person must not answer. The attestation case is continued.

Email notification to the employees involved can be sent using unanswered inquiries.

Appointing Other Attestors

Once an approval level in the approval workflow has been reached, attestors at this level can appoint another employee to deal with the approval. To do this, you have the options described below. The required behavior is configured in the approval workflow.

  • Reroute approval

    The attestor appoints another approval level for attesting. To do this, create a connection to the approval level to which the approval can be rerouted.

  • Appoint additional attestors

    The attestor appoints another employee to carry out the attestation. This adds another approval step to the current approval level. The new attestor must make an approval decision in addition to the known attestors.

    The additional attestor can reject the approval and return the attestation case to the original attestor. The original attestor is informed about this by email. The original attestors can appoint another additional attestor.

  • Delegate approval

    The attestor appoints another employee to carry out the attestation. This employee is added to the current approval step as attestor. The employee makes the approval decision instead of the attestor who made the delegation.

    The current attestors can reject the approval and return the attestation case to the original attestor. The original attestors can accept the refusal and delegate a different employee, for example, if another attestor is not available.

Email notification can be sent to the original attestor and the others.
