Identity Manager 8.0 - Attestation Administration Guide

Notifications with Questions

Table 59: Configuration Parameter for Notification of Approver Questions

Configuration Parameter | Meaning
QER\Attestation\MailTemplateIdents\QueryFromApprover | This mail template is used to send a notification with a question from an approver to an employee.
QER\Attestation\MailTemplateIdents\AnswerToApprover | This mail template is used to send a notification with an answer to a question from an approver.

Employees can be notified when a question about an attestation is asked. The attestor can also be notified the moment the question is answered.

To notify an employee when an attestor asks a question

  • Set the configuration parameter "QER\Attestation\MailTemplateIdents\QueryFromApprover" in the Designer.

    Notification with the mail template "Attestation - question" is sent by default.

To notify an attestor when an employee answers the question

  • Set the configuration parameter "QER\Attestation\MailTemplateIdents\AnswerToApprover" in the Designer.

    Notification with the mail template "Attestation - answer" is sent by default.

TIP: Change the value of the configuration parameter in order to use custom mail templates for these mails.

Notifications from Additional Attestors

Table 60: Configuration Parameters for Notifying Attestors

Configuration Parameter | Meaning
QER\Attestation\MailTemplateIdents\InformAddingPerson | This mail template is used to notify attestors if the additional attestor has made an approval decision.
QER\Attestation\MailTemplateIdents\InformDelegatingPerson | This mail template is used to notify attestors if an approval decision has been made about their delegated step.

The original attestor can be notified when an additional attestor, or an employee to whom an attestation has been delegated, has granted or denied the attestation. This mail is sent the moment the approval step has been decided.

To send notification when the additional attestor approves or denies the attestation

  • Set the configuration parameter "QER\Attestation\MailTemplateIdents\InformAddingPerson" in the Designer.

    By default, notification is sent using the template "Attestation - approval of added step".

To send notification when the employee who was delegated an approval approves or denies the request

  • Set the configuration parameter "QER\Attestation\MailTemplateIdents\InformDelegatingPerson" in the Designer.

    By default, notification is sent using the template "Attestation - approval of delegated step".

TIP: Change the value of the configuration parameter in order to use custom mail templates for these mails.

Default Mail Templates

One Identity Manager supplies mail templates by default. These mail templates are available in English and German. If you require the mail body in other languages, you can add mail definitions for these languages to the default mail template.

To edit a default mail template

  • Select the category Attestation | Basic configuration data | Approval procedures | Predefined.

Attestation by Mail

Table 61: Configuration Parameters for Approval by Mail

Configuration Parameter | Meaning
QER\Attestation\MailApproval\Inbox | This Microsoft Exchange mailbox is used for "Approval by mail" processes.
QER\Attestation\MailApproval\Account | Name of the user account for authentication against the "Approval by mail" mailbox.
QER\Attestation\MailApproval\Domain | Domain of the user account for authentication against the "Approval by mail" mailbox.
QER\Attestation\MailApproval\Password | Password of the user account for authentication against the "Approval by mail" mailbox.
QER\Attestation\MailTemplateIdents\ITShopApproval | Mail template used for requests made through "Approval by mail".
QER\Attestation\MailApproval\DeleteMode | Specifies the way emails are deleted from the inbox.

You can set up attestation by mail so that attestors who are temporarily unable to access the One Identity Manager tools can still make attestation case decisions. Attestors are notified by email when an attestation case is pending approval and can use the links in the email to make their approval decision without connecting to the Web Portal. Following a link generates an email that contains the approval decision and in which attestors can state the reasons for it. This email is sent to a central Microsoft Exchange mailbox. One Identity Manager checks this mailbox regularly, evaluates the incoming emails and updates the status of the attestation case accordingly.

IMPORTANT: Attestation by email is not possible if multi-factor authentication is configured for the attestation policy. Attestation emails for such requests produce an error message.

Prerequisites

  1. The Microsoft Exchange system is configured with
    • Microsoft Exchange Client Access Server version 2007, Service Pack 1 or later
    • Microsoft Exchange Web Service .NET API Version 1.2.1, 32 Bit
  2. The user account used by One Identity Manager to log on to Microsoft Exchange requires full access to the mailbox given in the configuration parameter "QER\Attestation\MailApproval\Inbox".
  3. The configuration parameter "QER\Attestation\MailTemplateIdents\RequestApproverByCollection" is not set.

To set up attestation by email

  1. Set the configuration parameter "QER\Attestation\MailApproval\Inbox" in the Designer and enter the mailbox to which the approval mails are sent.
  2. Set up mailbox access.
    1. By default, One Identity Manager uses the One Identity Manager Service user account to register with Microsoft Exchange and to access the mailbox.

      – OR –

    2. You enter a separate user account for logging on to the Microsoft Exchange Server for mailbox access. Enable the following configuration parameters to do this.

      Table 62: Configuration Parameters for Logging onto a Microsoft Exchange Server

      Configuration Parameter | Meaning
      QER\Attestation\MailApproval\Account | User account name.
      QER\Attestation\MailApproval\Domain | Domain of the user account.
      QER\Attestation\MailApproval\Password | User account password.
  3. Set the configuration parameter "QER\Attestation\MailTemplateIdents\ITShopApproval" in the Designer.

    The mail template used to send the attestation mail is stored with this configuration parameter. You can use the default mail template or add a custom mail template.

    TIP: Change the value of the configuration parameter in order to use custom mail templates for attestation mails. Customize the script VI_MailApproval_ProcessMail in this case, as well.
  4. Assign the following mail templates to the approval steps:
    Table 63: Mail Templates for Approval by Mail

    Property | Mail template
    Mail template for demand | Attestation - approval required (by mail)
    Mail template reminder | Attestation - remind approver (by mail)
    Mail template for delegation | Attestation - delegated/additional approval (by mail)
    Mail template for rejection | Attestation - reject approval (by mail)
  5. Enable the schedule "Processes attestation mail approvals" in the Designer.

    Based on this schedule, One Identity Manager regularly checks the mailbox for new attestation mails; by default it does so every 15 minutes. You can change how frequently it checks by altering the interval in the schedule as required.

To clean up a mail box

  • Set the configuration parameter "QER\Attestation\MailApproval\DeleteMode" in the Designer and select one of the following values.

    Table 64: Cleaning up a Mailbox

    Value | Method
    HardDelete | Processed emails are deleted immediately.
    MoveToDeletedItems | Processed emails are moved to the "Deleted objects" folder in the mailbox.
    SoftDelete | Processed emails are moved to the Active Directory trash but can be restored if necessary.

    NOTE: If you apply the method MoveToDeletedItems or SoftDelete you should empty the folder "Deleted objects" or the Active Directory trash at regular intervals.
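The scheduled mailbox pass described in the setup steps above, together with the DeleteMode cleanup from Table 64, modelled as an added example. This is illustration code written for this page, not One Identity Manager code and not the VI_MailApproval_ProcessMail script. The names Mail, AttestationCase, Mailbox, evaluate and process_inbox, the sample mailboxes and case ids, and the check that a decision mail must come from the attestor of record are all assumptions made for the example; the three DeleteMode values and the rule that policies with multi-factor authentication produce an error are taken from the documentation.

```python
"""Constructed model of one "Approval by mail" inbox pass (added example)."""
from dataclasses import dataclass, field
from enum import Enum


class DeleteMode(Enum):
    """The three documented values of QER\\Attestation\\MailApproval\\DeleteMode."""
    HARD_DELETE = "HardDelete"                    # removed immediately, no copy kept
    MOVE_TO_DELETED_ITEMS = "MoveToDeletedItems"  # kept in the "Deleted objects" folder
    SOFT_DELETE = "SoftDelete"                    # kept in the recoverable (trash) store


@dataclass
class Mail:
    sender: str       # mailbox the decision mail came from (constructed)
    case_id: str      # attestation case the mail refers to (constructed)
    decision: str     # "approve" or "deny"
    reason: str = ""  # free-text reason the attestor supplied


@dataclass
class AttestationCase:
    case_id: str
    attestor: str        # mailbox of the attestor the decision is expected from
    requires_mfa: bool   # attestation policy has multi-factor authentication configured
    status: str = "pending"
    reason: str = ""


@dataclass
class Mailbox:
    inbox: list
    deleted_items: list = field(default_factory=list)
    recoverable_items: list = field(default_factory=list)

    def dispose(self, mail: Mail, mode: DeleteMode) -> None:
        """Remove a processed mail from the inbox according to DeleteMode."""
        self.inbox.remove(mail)
        if mode is DeleteMode.MOVE_TO_DELETED_ITEMS:
            self.deleted_items.append(mail)
        elif mode is DeleteMode.SOFT_DELETE:
            self.recoverable_items.append(mail)
        # HARD_DELETE keeps no copy at all


def evaluate(mail: Mail, cases: dict) -> str:
    """Decide one mail; return the new case status or an error string."""
    case = cases.get(mail.case_id)
    if case is None:
        return "error: unknown attestation case"
    if case.requires_mfa:
        # Documented restriction: mail approval is refused for MFA policies.
        return "error: attestation policy requires multi-factor authentication"
    if mail.sender.casefold() != case.attestor.casefold():
        # Assumed check: only the attestor of record may decide by mail.
        return "error: sender is not the attestor of this case"
    if case.status != "pending":
        return "error: case already decided"
    if mail.decision not in ("approve", "deny"):
        return "error: unrecognised decision"
    case.status = "approved" if mail.decision == "approve" else "denied"
    case.reason = mail.reason
    return case.status


def process_inbox(mailbox: Mailbox, cases: dict, mode: DeleteMode) -> list:
    """One scheduled pass: evaluate every mail, then clean it up per DeleteMode."""
    results = []
    for mail in list(mailbox.inbox):  # iterate over a copy: dispose() mutates the inbox
        results.append((mail.case_id, evaluate(mail, cases)))
        mailbox.dispose(mail, mode)
    return results


def build_sample():
    """Constructed inbox and cases for a stand-alone run."""
    cases = {
        "CASE-1": AttestationCase("CASE-1", "alice@example.test", requires_mfa=False),
        "CASE-2": AttestationCase("CASE-2", "bob@example.test", requires_mfa=True),
        "CASE-3": AttestationCase("CASE-3", "carol@example.test", requires_mfa=False),
    }
    inbox = [
        Mail("alice@example.test", "CASE-1", "approve", "Access still required"),
        Mail("bob@example.test", "CASE-2", "approve"),         # MFA policy -> error
        Mail("someone-else@example.test", "CASE-3", "deny"),   # wrong sender -> error
        Mail("alice@example.test", "CASE-1", "deny"),          # already decided -> error
    ]
    return Mailbox(inbox=inbox), cases


if __name__ == "__main__":
    mb, cs = build_sample()
    for case_id, outcome in process_inbox(mb, cs, DeleteMode.SOFT_DELETE):
        print(case_id, "->", outcome)
    print("inbox left:", len(mb.inbox), "| recoverable:", len(mb.recoverable_items))
```

The example removes every mail it has looked at, including the ones that produced an error. With HardDelete that leaves no record of a rejected or malformed decision mail, whereas MoveToDeletedItems and SoftDelete keep a copy that can be reviewed later; that retention is the reason the note above asks for the "Deleted objects" folder or the Active Directory trash to be emptied at regular intervals rather than left to grow.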