Configuration Parameter | Meaning |
---|---|
| Specifies the Exchange Web Service URL. AutoDiscover mode is used to find the URL if it is not given. |
| The schedule " |
NOTE: The validity of the email certificate is checked with the script VID_ValidateCertificate. You can customize this script to suit your security requirements. Take into account that this script is also used for If a self-signed root certification authority is used, the user account under which the One Identity Manager Service is running must trust the root certificate.
TIP: The script VI_MailApproval_ProcessInBox finds the Exchange Web Service URL, which uses AutoDiscover through the given mailbox by default. This assumes that the AutoDiscover service is running. If this is not possible, enter the URL in the configuration parameter "
NOTE: If you use a custom mail template for an
Configuration parameter | Meaning |
---|---|
QER\Attestation\AutoRemovalScope | General configuration parameter for defining automatic withdrawal of memberships/assignments if attestation approval is not granted. |
One Identity Manager provides various default attestation procedures and default attestation policies for different data situations.
Data Situations for Default Attestation
The attestation policies required for attesting employee master data are also supplied by default. You can use the default attestation policies without modifying them. For information about prerequisites and the attestation sequence for employee data, see User Attestation and Recertification.
You can easily set up attestation policies in the Web Portal using the default attestation procedures for other data situations. You can also use the supplied default attestation policies without customizing them. Furthermore, you can configure how to deal with denied attestations that are based on these default attestation procedures. If your specific data situation allows it, One Identity Manager can remove denied entitlements automatically following the attestation.
To remove denied permissions automatically
IMPORTANT: If role memberships or system roles are removed from an employee, they lose the unapproved entitlement. They also lose all other company resources inherited through this role. These may be other system entitlements or account definitions. If necessary, system entitlements are removed and company resources are deleted from the employee. Check whether your data situation allows automatic withdrawal of entitlements before you enable configuration parameters under "QER\Attestation\AutoRemovalScope".
Automatic removal of entitlements is triggered by an additional approval step with the approval procedure "EX" in the default approval workflows.
Attestation Sequence with Subsequent Removal of a Denied Entitlement
Installed Module: | Target System Base Module |
Configuration parameter | Meaning |
---|---|
QER\Attestation\AutoRemovalScope\GroupMembership | Determines the default behavior for automatic removal of Unified Namespace system entitlements if attestation approval is not granted. |
QER\Attestation\AutoRemovalScope\UNSGroupInUNSGroup | Specifies the default behavior for removing assignments of system entitlements to system entitlements if attestation approval is not granted. |
When you use the default attestation policy "System entitlement membership attestation" or have set up attestation policies with the default attestation procedure "System entitlement memberships", you can configure automatic removal of system entitlements through the configuration parameter "QER\Attestation\AutoRemovalScope\GroupMembership". After attestation approval has been denied, the One Identity Manager checks which type of assignment was used for the user account to become a member in the system entitlement.
Configuration parameter | Meaning | Advice |
---|---|---|
QER\Attestation\AutoRemovalScope\GroupMembership\RemoveDirect | Direct membership of the user account in the system entitlement is removed. | |
QER\Attestation\AutoRemovalScope\GroupMembership\RemovePrimaryRole | If membership in the system entitlement was inherited through a primary role, the role is withdrawn from the employee. | This removes all indirect assignments the employee obtained through this role. |
QER\Attestation\AutoRemovalScope\GroupMembership\RemoveRequestedRole | If membership in the system entitlement was inherited through a requested role, the role is canceled. | This removes all indirect assignments the employee obtained through this role. |
QER\Attestation\AutoRemovalScope\GroupMembership\RemoveDelegatedRole | If membership in the system entitlement was inherited through role delegation, delegation of the role is ended. | This removes all indirect assignments the employee obtained through this role. |
QER\Attestation\AutoRemovalScope\GroupMembership\RemoveRequested | If membership in the system entitlement was requested through the IT Shop, the request is canceled. | |
QER\Attestation\AutoRemovalScope\GroupMembership\RemoveSystemRole | System roles with system entitlements are withdrawn from the employee. | This removes all indirect assignments the employee obtained through this system role. |
QER\Attestation\AutoRemovalScope\GroupMembership\RemoveDirectRole | The system entitlement assignment to hierarchical roles is removed. | This removes the system entitlement assignment from all user accounts whose associated employees are members of these roles. |
When you use the default attestation policy "System entitlement assignment membership attestation" or have set up attestation policies with the default attestation procedure "System entitlement assignment membership attestation", you can configure automatic removal of system entitlements through the configuration parameter "QER\Attestation\AutoRemovalScope\UNSGroupInUNSGroup".
Configuration parameter | Meaning |
---|---|
QER\Attestation\AutoRemovalScope\UNSGroupInUNSGroup\RemoveDirect | The assignment of the system entitlement to a system entitlement is removed. |
Installed Module: | System Roles Module |
Configuration parameter | Meaning |
---|---|
QER\Attestation\AutoRemovalScope\ESetAssignment | Determines the default behavior for automatic removal of system role memberships if attestation approval is not granted. |
When you use the default attestation policy "Attestation of system role membership" or have set up attestation policies with the default attestation procedure "Attestation of system role membership", you can configure automatic removal of system roles through the configuration parameter "QER\Attestation\AutoRemovalScope\ESetAssignment". After attestation approval has been denied, the One Identity Manager checks which type of assignment was used for the user account to become a member in the system role.
Configuration parameter | Meaning | Advice |
---|---|---|
QER\Attestation\AutoRemovalScope\ESetAssignment\RemoveDirect | Direct membership in the system role is removed. | This removes all indirect assignments the employee obtained through this role. |
QER\Attestation\AutoRemovalScope\ESetAssignment\RemovePrimaryRole | If the system role was inherited through a primary role, the role is withdrawn. | This removes all indirect assignments the employee obtained through this role. |
QER\Attestation\AutoRemovalScope\ESetAssignment\RemoveRequestedRole | If the system role was inherited through a requested role, the role is canceled. | This removes all indirect assignments the employee obtained through this role. |
QER\Attestation\AutoRemovalScope\ESetAssignment\RemoveDelegatedRole | If the system role was inherited through a delegated role, the delegation is ended. | This removes all indirect assignments the employee obtained through this role. |
QER\Attestation\AutoRemovalScope\ESetAssignment\RemoveRequested | If the system role was requested through the IT Shop, it is removed. | This removes all indirect assignments the employee obtained through this role. |
QER\Attestation\AutoRemovalScope\ESetAssignment\RemoveDirectRole | The system role assignment to hierarchical roles is removed. | This removes the system entitlement assignment to all user accounts whose associated employees are members of these roles. |
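The two tables above (for "GroupMembership" and "ESetAssignment") read as a decision rule: the way the membership was obtained selects one sub-parameter, and only if that sub-parameter (and the scope above it) is enabled is the membership withdrawn, together with everything else inherited through the same role. The following is an added illustration of that rule, not One Identity Manager product code; the origin vocabulary, the `Assignment` type and the sample data are assumptions made for the example.

```python
from dataclasses import dataclass

# Added illustration, not product code: models the AutoRemovalScope decision rule.
ROOT = r"QER\Attestation\AutoRemovalScope"
SCOPE_GROUP = ROOT + r"\GroupMembership"   # system entitlement memberships
SCOPE_ESET = ROOT + r"\ESetAssignment"     # system role memberships

# Assumed origin key -> (sub-parameter that must be enabled, action from the tables).
ORIGIN_RULES = {
    "direct":         ("RemoveDirect",        "remove direct membership"),
    "primary_role":   ("RemovePrimaryRole",   "withdraw primary role"),
    "requested_role": ("RemoveRequestedRole", "cancel requested role"),
    "delegated_role": ("RemoveDelegatedRole", "end role delegation"),
    "it_shop":        ("RemoveRequested",     "cancel IT Shop request"),
    "system_role":    ("RemoveSystemRole",    "withdraw system role"),
    "direct_role":    ("RemoveDirectRole",    "remove assignment to hierarchical role"),
}
# RemoveSystemRole exists only under GroupMembership, per the two tables.
SCOPE_ORIGINS = {SCOPE_GROUP: set(ORIGIN_RULES),
                 SCOPE_ESET: set(ORIGIN_RULES) - {"system_role"}}

@dataclass(frozen=True)
class Assignment:
    origin: str              # key of ORIGIN_RULES
    via: str = "direct"      # role, request or delegation the membership came through
    inherited: tuple = ()    # other assignments the employee loses together with `via`

def plan_removal(scope, enabled, assignments):
    """Return (actions, collateral, kept) for one denied attestation.

    enabled: set of full configuration parameter paths that are switched on.
    collateral: everything else lost when a role is withdrawn (the IMPORTANT note).
    """
    actions, collateral, kept = [], [], []
    if ROOT not in enabled or scope not in enabled:      # nothing is removed at all
        return actions, collateral, [a.origin for a in assignments]
    for a in assignments:
        if a.origin not in SCOPE_ORIGINS[scope]:
            raise ValueError(f"{a.origin} is not handled under {scope}")
        param, action = ORIGIN_RULES[a.origin]
        if scope + "\\" + param in enabled:
            actions.append(f"{action} ({a.via})")
            collateral.extend(a.inherited)
        else:
            kept.append(a.origin)                        # sub-parameter disabled
    return actions, collateral, kept

# Constructed sample: the account is in the entitlement directly and via a primary role.
SAMPLE = (Assignment("direct"),
          Assignment("primary_role", "Department: Sales",
                     inherited=("Sales mailbox", "CRM account")))

def demo():
    enabled = {ROOT, SCOPE_GROUP, SCOPE_GROUP + r"\RemoveDirect",
               SCOPE_GROUP + r"\RemovePrimaryRole"}
    return plan_removal(SCOPE_GROUP, enabled, SAMPLE)
```

Running `demo()` shows the point of the IMPORTANT note: withdrawing the primary role removes the denied entitlement but also the two unrelated assignments inherited through that role.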