Chat now with support
Chat with Support

Identity Manager 8.0 - Attestation Administration Guide

Attestation and Recertification
One Identity Manager Users for Attestation Attestation Base Data Attestation Policies Creating Custom Mail Templates for Notifications
Approval Processes for Attestation Cases
Approval Policies Approval Workflows Selecting Attestors Setting up Multi-Factor Authentication for Attestation Prevent Attestation by Employee Awaiting Attestation Managing Attestation Cases
Attestation Sequence Default Attestation and Withdrawal of Entitlements User Attestation and Recertification Mitigating Controls Configuration Parameters for Attestation

Attestation through Chief Approval Team

Sometimes, approval decisions cannot be made for attestation cases because the attestor is not available or does not have access to One Identity Manager tools. To complete the attestation case, however, you can define a chief approval team whose members are authorized to intervene in the approval process at any time.

The chief approval team is authorized to approve, deny, abort attestations in special cases or to authorize other attestors.

IMPORTANT:

  • The four-eye principle can be broken like this because chief approval team members can make approval decisions for Attestation cases at any time! Specify, on a custom basis, in which special cases the chief approval team may intervene in the approval process.
  • Specify in the approval step, how many attestors must approve this approval step. This limit is not valid for the chief approval team. The approval step is considered approved once one member of the chief approval team has granted or denied approval for the attestation.

The chief approval team can approve attestations for all manual approval steps. The chief approvals are not permitted for approval steps with the approval procedures CD, EX and WC . If a member of the chief approval team is identified as a regular attestor for an approval step, he or she can only make an approval decision for this step as a regular attestor.

To add members to the chief approval team

  1. Select the category Attestation | Basic configuration data | Chief approval team.
  2. Select Assign employees in the task view.
  3. Assign employee authorized to approve attestations in Add assignments.

    - OR -

    Remove the assignments of employee to chief approval team in Remove assignments.

  4. Save the changes.
Related Topics

Attestation Sequence

Attestation Sequence

Once attestation is automatically or manually started, the One Identity Manager creates an attestation case for each attestation object. Attestation cases record the entire attestation sequence. Each attestation step in the attestation case can be audit-proof reconstructed.

You can view the attestation cases in the navigation view under the menu item Attestation runs | <attestation policy>. This is where you can monitor the status of the attestation cases. Attestation cases that were not yet subject to approval are grouped under Pending attestations. You can see the attestation cases that have been closed by attestors or One Identity Manager grouped under Closed attestations.

NOTE: Attestation cases are edited in the Web Portal. For more detailed information, see the .One Identity Manager Web Portal User Guide

Attestation is complete when the attestation case has been granted or denied approval. You specify how to deal with granted or denied attestations on a company basis.

TIP: The One Identity Manager provides various default attestation procedures for different data situations and default attestation procedures. If you use these default attestation procedures, you can configure how you deal with denied attestations.

For more information, see Default Attestation and Withdrawal of Entitlements.

Starting Attestation

Starting Attestation

There are two ways for you to add attestation cases in the One Identity Manager. You can trigger attestation through a scheduled task or start selected objects individually.

Prerequisite

  • The attestation policy for this attestation is set.

To start attestation using a scheduled task

  1. Select the category Attestation | Attestation policies.
  2. Select the attestation policy in the result list. Select Change master data in the task view.
  3. Enable the schedule entered in Calculation schedule.
    1. Select Attestation | Basic configuration data | Schedules in the navigation view.
    2. Select the schedule in the result list. Select Change master data in the task view.
    3. Set the option Enabled.
    4. Save the changes.

To start attestation for the selected objects

  1. Select the category Attestation | Attestation policies.
  2. Select the attestation policy in the result list. Select Change master data in the task view.
  3. Select Run attestation cases for single objects... in the task view.

    This opens a separate window.

  4. Set Attestation for every object you want to include in the attestation.
  5. Click Run.

    Attestation cases are generated for the selected attestation objects. After the DBQueue Processor has processed the task, you see the newly created attestation cases in the navigation under the menu item Attestation cases | <attestation policy> | Pending attestations | Attestation runs | <year> | <month> | <day> | Pending attestations.

  6. Click Close.

NOTE: Under certain circumstances, closed attestation cases are deleted from the One Identity Manager database when new attestation cases are added!

For more detailed information about configuring schedules, see the One Identity Manager Configuration Guide.

Detailed information about this topic
Related Topics

Additional Tasks for Attestation Cases

Once you have started attestation for an attestation policy, you can monitor the attestation case in the One Identity Manager. The task view contains different forms with which you can run the following tasks.

Related Documents