Identity Manager 8.0 - Attestation Administration Guide

Close Attestation Cases for Deactivated Employees

Table 46: Configuration Parameter for Closing Pending Attestations
Configuration parameter | Effect
QER\Attestation\AutoCloseInactivePerson | If this configuration parameter is set, pending attestation cases for an employee are closed when this employee is permanently deactivated.

Pending attestation cases must still be processed even if the employee has been permanently deactivated in the meantime. This is not required very often because the affected employee may, for example, have left the company. In this case, you can use the option to close an employee's pending attestation cases automatically if the employee is permanently disabled.

To close attestation cases automatically

  • Set the configuration parameter "QER\Attestation\AutoCloseInactivePerson" in the Designer.

The configuration parameter only applies if the employee to be attested is deactivated after the attestation case was created.

The configuration parameter does not apply if the employee is temporarily deactivated.

TIP: Write a corresponding condition for finding the attestation object on the attestation policies to prevent attestation cases being created for deactivated employees. For more information, see General Master Data for Attestation Policies.

Deleting Attestation Cases

Table 47: Configuration Parameter for Logging Data Changes
Configuration parameter | Effect
Common\ProcessState\PropertyLog | When this configuration parameter is set, changes to individual values are logged and shown in the process view.

The table AttestationCase grows very quickly when attestation is performed regularly. To limit the number of attestation cases in the One Identity Manager, you can delete obsolete, closed attestation cases from the database. The attestation case properties are logged and then the attestation cases are deleted. The same number of attestation cases remain in the database as are specified in the attestation policy. For more detailed information about logging data changes, see the One Identity Manager Configuration Guide.

NOTE: Ensure that the logged request procedures are archived for audit reasons. For more detailed information about the archiving process, see the One Identity Manager Data Archiving Administration Guide.

Prerequisites

  • The configuration parameter "Common\ProcessState\PropertyLog" is set.
  • The attestation policy is enabled.

To delete attestation cases automatically

  1. Set the option Log changes when deleting on at least three columns in the table AttestationCase.
    1. Start the Designer.
    2. Select the category Database Schema | Tables | AttestationCase.
    3. Select Show table definition in the task view.

      Opens the Schema Editor.

    4. Select a column in the Schema Editor.
    5. Select the More tab in the Schema Editor edit view.
    6. Set the option Log changes when deleting.
    7. Repeat steps 4 to 6 for all columns to be recorded on deletion. There must be at least three such columns.
    8. Click Commit to database in the toolbar and save the changes.

      These changes become effective the moment the DBQueue Processor has processed the tasks.

  2. Set the option Log changes when deleting on at least three columns in the table AttestationHistory.
    1. Start the Designer.
    2. Select the category Database Schema | Tables | AttestationHistory.
    3. Repeat sub-steps 3 to 8 of step 1 for the table AttestationHistory.
  3. Enter the number of obsolete cases in the attestation policies.
    1. Select the category Attestation | Attestation policies in the Manager.
    2. Select the attestation policy in the result list whose attestation cases should be deleted.
    3. Select Change master data in the task view.
    4. Enter a value larger than 0 in Obsolete tasks limit.
    5. Save the changes.

TIP: If you want to prevent attestation cases being deleted for certain attestation policies, enter the value 0 for the obsolete task limit for this attestation policy.

Attestation cases are deleted once

  • A new attestation is started for an attestation policy.

    - OR -

  • An attestation policy is disabled.

The One Identity Manager tests how many closed attestation cases exist in the database for each attestation object of this attestation policy. If the number is more than the number of obsolete attestation cases:

  • The attestation case properties and their approval sequence are recorded.

    All columns that are marked for logging on deletion are recorded.

  • The attestation cases are deleted.

    The same number of attestation cases remain in the database as are specified in the obsolete tasks limit.

NOTE: Closed attestation cases are also deleted in the case of disabled attestation policies if the configuration parameter "Common\ProcessState\PropertyLog" is not set. In this case, the deleted attestation cases are not logged.
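
The deletion rule described above can be checked before a limit is changed. The following Python sketch is an added example, not One Identity code: it models the rule on constructed data so that you can see which closed cases would be removed and whether they would leave a logged record. The tuple layout, the function names, the choice to remove the oldest surplus cases first, and the treatment of an enabled policy without PropertyLog as "no deletion" are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample: (attestation object, date closed, case id). Hypothetical
# names for this example, not the product's schema.
SAMPLE_CASES = [
    ("Person:jdoe", "2023-01-10", "C1"),
    ("Person:jdoe", "2023-04-10", "C2"),
    ("Person:jdoe", "2023-07-10", "C3"),
    ("Person:jdoe", "2023-10-10", "C4"),
    ("Person:asmith", "2023-07-10", "C5"),
    ("Person:asmith", "2023-10-10", "C6"),
]


def plan_cleanup(closed_cases, obsolete_limit, property_log_set, policy_enabled):
    """Return (case ids that would be deleted, whether they would be logged)."""
    # Obsolete tasks limit 0: nothing is deleted for this policy.
    if obsolete_limit <= 0:
        return [], False
    # Assumption: for an enabled policy the PropertyLog prerequisite gates
    # deletion. Disabled policies delete regardless (see the NOTE above).
    if policy_enabled and not property_log_set:
        return [], False
    by_object = defaultdict(list)
    for obj, closed_on, case_id in closed_cases:
        by_object[obj].append((closed_on, case_id))
    to_delete = []
    for cases in by_object.values():
        cases.sort()  # ISO dates sort chronologically: oldest first
        surplus = len(cases) - obsolete_limit
        if surplus > 0:
            # Assumption: the oldest surplus cases are the ones removed.
            to_delete.extend(case_id for _, case_id in cases[:surplus])
    return sorted(to_delete), bool(to_delete) and property_log_set


def unlogged_deletions(closed_cases, obsolete_limit, property_log_set, policy_enabled):
    """Case ids that would leave the database without a logged record."""
    to_delete, logged = plan_cleanup(
        closed_cases, obsolete_limit, property_log_set, policy_enabled)
    return [] if logged else to_delete


if __name__ == "__main__":
    print(plan_cleanup(SAMPLE_CASES, 2, True, True))
    print(unlogged_deletions(SAMPLE_CASES, 2, False, False))
```

A non-empty result from unlogged_deletions corresponds to the situation in the NOTE: a disabled policy whose closed cases are removed with nothing recorded for audit.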

Notifications in Attestation

Table 48: Configuration Parameter for Notifications
Configuration parameter | Meaning
QER\Attestation\DefaultSenderAddress | This configuration parameter contains the sender email address for automatically generated messages during attestation.

Different email notifications can be sent to attestors and other employees within an attestation case. The notification procedure uses mail templates to create notifications. The mail text in a mail template is defined in several languages. This ensures that the language of the recipient is taken into account when the email is generated. Mail templates are supplied in the default installation with which you can configure the notification procedure.

Messages are not sent to the chief approval team by default. Fallback approvers are only notified if not enough approvers could be found for an approval step.

To use notification in the request process

  1. Ensure that the email notification system is configured in One Identity Manager. For more detailed information, see the One Identity Manager Configuration Guide.
  2. Set the configuration parameter "QER\Attestation\DefaultSenderAddress" in the Designer and enter the sender address with which the email notifications are sent.
  3. Ensure that all employees have a default email address. Notifications are sent to this address. For more detailed information, see the One Identity Manager Identity Management Base Module Administration Guide.
  4. Ensure that a language culture can be determined for all employees. Only then can they receive email notifications in their own language. For more detailed information, see the One Identity Manager Identity Management Base Module Administration Guide.
  5. Configure the notification procedure.

Demanding Attestation

When a new attestation case is made, the attestor is notified by mail. Demands for attestation can be configured separately for each approval step.

Prerequisite

  • The configuration parameter "QER\Attestation\MailTemplateIdents\RequestApproverByCollection" is not set.

To set up the notification procedure

  • Enter the following data for the approval step.
    Table 49: Approval Step Properties for Notification
    Property | Meaning
    Mail template for demand | Select the mail template "Attestation - demand for approval (by mail)".

    TIP: If you allow approval by email, select the mail template "Attestation - demand for approval (by mail)".

NOTE: You can schedule demands for attestation to send a general notification if there are attestations pending. This replaces single demands for attestation at each approval step.