
Identity Manager 8.0 - Attestation Administration Guide


Modifying an Attestation Mail

Table 65: Configuration Parameters for Approval by Mail
Configuration Parameter Meaning
QER\Attestation\MailApproval\ExchangeURI Specifies the Exchange Web Service URL. AutoDiscover mode is used to find the URL if it is not given.

The schedule "Processes attestation mail approvals" starts the process VI_ITShop_Process Approval Inbox. This process runs the script VI_MailApproval_ProcessInBox, which searches the mailbox for new attestation mails and updates the attestation cases in the One Identity Manager database. Then the contents of the attestation mail are processed.

NOTE: The validity of the email certificate is checked with the script VID_ValidateCertificate. You can customize this script to suit your security requirements. Take into account that this script is also used for IT Shop request approvals by mail.

If a self-signed root certification authority is used, the user account under which the One Identity Manager Service is running must trust the root certificate.

TIP: By default, the script VI_MailApproval_ProcessInBox uses AutoDiscover on the given mailbox to find the Exchange Web Service URL. This assumes that the AutoDiscover service is running.

If this is not possible, enter the URL in the configuration parameter "QER\Attestation\MailApproval\ExchangeURI".

Attestation mails are processed with the script VI_MailApproval_ProcessMail. The script finds the matching approval, sets the option Approved and stores the reason for the approval decision with the attestation case. The attestor is found through the sender address. Then the attestation mail is removed from the mailbox depending on the selected clean up method.

NOTE: If you use a custom mail template for an attestation mail, check the script and modify it as required. Take into account that this script is also used for attestations by mail.

Default Attestation and Withdrawal of Entitlements

Table 66: Configuration Parameter for Withdrawing Entitlements
Configuration parameter Meaning
QER\Attestation\AutoRemovalScope General configuration parameter for defining automatic withdrawal of memberships/assignments if attestation approval is not granted.

One Identity Manager provides default attestation procedures for various data situations, as well as default attestation policies.

Data Situations for Default Attestation

  • System entitlements owned by an employee
  • System entitlements assigned to system entitlements
  • Business and application role memberships
  • System roles assigned to an employee
  • Employee master data for a new One Identity Manager user
  • Employee master data for an existing One Identity Manager user

The attestation policies required for attesting employee master data are also supplied by default. You can use these default attestation policies without modifying them. For information about prerequisites and the attestation sequence for employee data, see User Attestation and Recertification.

For the other data situations, you can easily set up attestation policies in the Web Portal using the default attestation procedures. You can also use the supplied default attestation policies without customizing them. Furthermore, you can configure how to deal with denied attestations that are based on these default attestation procedures: if your specific data situation allows, denied entitlements can be removed by One Identity Manager following the attestation.

To remove denied permissions automatically

  • Set the configuration parameter "QER\Attestation\AutoRemovalScope" in the Designer.

IMPORTANT: If role memberships or system roles are removed from an employee, the employee loses not only the unapproved entitlement but also all other company resources inherited through this role. These may be other system entitlements or account definitions. Where applicable, the system entitlements are removed and the company resources are deleted from the employee.

Check whether your data situation allows automatic withdrawal of entitlements before you enable configuration parameters under "QER\Attestation\AutoRemovalScope".

Automatic removal of entitlements is triggered by an additional approval step with the approval procedure "EX" in the default approval workflows.

Attestation Sequence with Subsequent Removal of a Denied Entitlement

  1. Attestation with one of the following attestation procedures is carried out.
    • Attestation of system entitlement memberships
    • Attestation of system entitlement assignments to system entitlements
    • Attestation of system role memberships
    • Attestation of application role memberships
    • Attestation of business role memberships
  2. The attestor denies attestation. The approval step is not granted approval and approval is passed on to the next approval level with the approval procedure "EX".
  3. The approval step triggers the event AUTOREMOVE. This runs the process VI_Attestation_AttestationCase_AutoRemoveMembership.
  4. The process runs the script VI_AttestationCase_RemoveMembership. This removes the affected entitlement depending on which configuration parameters are set.
  5. The script sets the approval step status to "denied". This means the entire attestation case is finally denied.
  6. Tasks to recalculate inheritance are entered in the DBQueue.

System Entitlements Attestation

Installed Module: Target System Base Module
Table 67: Configuration Parameters for Removing System Entitlements
Configuration parameter Meaning
QER\Attestation\AutoRemovalScope\GroupMembership Determines the default behavior for automatic removal of Unified Namespace system entitlements if attestation approval is not granted.
QER\Attestation\AutoRemovalScope\UNSGroupInUNSGroup Determines the default behavior for removing assignments of system entitlements to system entitlements if attestation approval is not granted.

When you use the default attestation policy "System entitlement membership attestation" or have set up attestation policies with the default attestation procedure "System entitlement memberships", you can configure automatic removal of system entitlements through the configuration parameter "QER\Attestation\AutoRemovalScope\GroupMembership". After attestation approval has been denied, the One Identity Manager checks which type of assignment was used for the user account to become a member in the system entitlement.

Table 68: Effect of Configuration Parameters when Attestation Denied

Configuration parameter: QER\Attestation\AutoRemovalScope\GroupMembership\RemoveDirect
Meaning: Direct membership of the user account in the system entitlement is removed.
Advice: -

Configuration parameter: QER\Attestation\AutoRemovalScope\GroupMembership\RemovePrimaryRole
Meaning: If membership in the system entitlement was inherited through a primary role, the role is withdrawn from the employee.
Advice: This removes all indirect assignments the employee obtained through this role.

Configuration parameter: QER\Attestation\AutoRemovalScope\GroupMembership\RemoveRequestedRole
Meaning: If membership in the system entitlement was inherited through a requested role, the role is canceled.
Advice: This removes all indirect assignments the employee obtained through this role.

Configuration parameter: QER\Attestation\AutoRemovalScope\GroupMembership\RemoveDelegatedRole
Meaning: If membership in the system entitlement was inherited through role delegation, the delegation of the role is ended.
Advice: This removes all indirect assignments the employee obtained through this role.

Configuration parameter: QER\Attestation\AutoRemovalScope\GroupMembership\RemoveRequested
Meaning: If membership in the system entitlement was obtained through the IT Shop, the request is canceled.
Advice: -

Configuration parameter: QER\Attestation\AutoRemovalScope\GroupMembership\RemoveSystemRole
Meaning: System roles containing the system entitlement are withdrawn from the employee.
Advice: This removes all indirect assignments the employee obtained through this system role. NOTE: This configuration parameter is only available if the System Roles Module is installed.

Configuration parameter: QER\Attestation\AutoRemovalScope\GroupMembership\RemoveDirectRole
Meaning: The assignment of the system entitlement to hierarchical roles is removed.
Advice: This removes the system entitlement assignment from all user accounts whose associated employees are members of these roles. IMPORTANT: Employees whose attestation has been approved can lose the system entitlement through this. Check the side effects of this configuration parameter in your situation before you set it.
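The following is an added example, not code from One Identity Manager: it models how the sub-parameters under QER\Attestation\AutoRemovalScope\GroupMembership in Table 68 select the withdrawal action for a denied system entitlement membership, and it performs the side-effect check the IMPORTANT note asks for by listing the other role members who would lose the entitlement when RemoveDirectRole is set. The DeniedCase class, the assignment-type names and the sample employees are assumptions constructed for the example.

```python
# Added example, not One Identity code: a model of how the sub-parameters of
# QER\Attestation\AutoRemovalScope\GroupMembership (Table 68) select the
# withdrawal action for a denied system entitlement membership, plus a check
# for the collateral effect of RemoveDirectRole on other role members.
from dataclasses import dataclass

SCOPE = "QER\\Attestation\\AutoRemovalScope\\GroupMembership\\"

# assignment type -> (sub-parameter, action taken, other inherited assignments lost too)
RULES = {
    "direct":         ("RemoveDirect",        "remove direct membership",    False),
    "primary_role":   ("RemovePrimaryRole",   "withdraw primary role",       True),
    "requested_role": ("RemoveRequestedRole", "cancel requested role",       True),
    "delegated_role": ("RemoveDelegatedRole", "end role delegation",         True),
    "it_shop":        ("RemoveRequested",     "cancel IT Shop request",      False),
    "system_role":    ("RemoveSystemRole",    "withdraw system role",        True),
    "direct_role":    ("RemoveDirectRole",    "remove assignment from role", False),
}

@dataclass
class DeniedCase:                 # hypothetical stand-in for a denied attestation case
    employee: str
    entitlement: str
    assignment_types: list        # how the user account became a member
    role: str = ""                # role carrying the assignment, if any

def plan_removal(case, enabled, role_members):
    """Return (actions, warnings) for a denied case.
    enabled: sub-parameter names set in the Designer;
    role_members: role -> employees who are members of that role."""
    actions, warnings = [], []
    for kind in case.assignment_types:
        param, action, indirect = RULES[kind]
        if param not in enabled:
            actions.append(f"keep {kind} ({SCOPE}{param} not set)")
            continue
        actions.append(f"{action}: {case.entitlement} for {case.employee}")
        if indirect:
            warnings.append(f"{case.employee} loses all assignments inherited via {case.role}")
        if kind == "direct_role":      # IMPORTANT note: approved employees are hit too
            for other in role_members.get(case.role, []):
                if other != case.employee:
                    warnings.append(f"{other} (attestation approved) loses {case.entitlement}")
    return actions, warnings

if __name__ == "__main__":
    # constructed sample: Alice holds the group directly and via the role Dept Finance
    case = DeniedCase("Alice", "AD group Finance-RW", ["direct", "direct_role"], "Dept Finance")
    actions, warnings = plan_removal(case, {"RemoveDirect", "RemoveDirectRole"},
                                     {"Dept Finance": ["Alice", "Bob"]})
    print(*actions, *warnings, sep="\n")
```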

When you use the default attestation policy "System entitlement assignment membership attestation" or have set up attestation policies with the default attestation procedure "System entitlement assignment membership attestation", you can configure automatic removal of system entitlements through the configuration parameter "QER\Attestation\AutoRemovalScope\UNSGroupInUNSGroup".

Table 69: Effect of Configuration Parameters when Attestation Denied
Configuration parameter Meaning
QER\Attestation\AutoRemovalScope\UNSGroupInUNSGroup\RemoveDirect The assignment of the system entitlement to a system entitlement is removed.

System Role Attestation

Installed Module: System Roles Module
Table 70: Configuration Parameters for Removing System Roles
Configuration parameter Meaning
QER\Attestation\AutoRemovalScope\ESetAssignment Determines default behavior for automatic removal of system role memberships if attestation approval is not granted.

When you use the default attestation policy "Attestation of system role membership" or have set up attestation policies with the default attestation procedure "Attestation of system role membership", you can configure automatic removal of system roles through the configuration parameter "QER\Attestation\AutoRemovalScope\ESetAssignment". After attestation approval has been denied, the One Identity Manager checks which type of assignment was used for the user account to become a member in the system role.

Table 71: Effect of Configuration Parameters when Attestation Denied

Configuration parameter: QER\Attestation\AutoRemovalScope\ESetAssignment\RemoveDirect
Meaning: Direct membership in the system role is removed.
Advice: This removes all indirect assignments the employee obtained through this role.

Configuration parameter: QER\Attestation\AutoRemovalScope\ESetAssignment\RemovePrimaryRole
Meaning: If the system role was inherited through a primary role, the role is withdrawn.
Advice: This removes all indirect assignments the employee obtained through this role.

Configuration parameter: QER\Attestation\AutoRemovalScope\ESetAssignment\RemoveRequestedRole
Meaning: If the system role was inherited through a requested role, the role is canceled.
Advice: This removes all indirect assignments the employee obtained through this role.

Configuration parameter: QER\Attestation\AutoRemovalScope\ESetAssignment\RemoveDelegatedRole
Meaning: If the system role was inherited through a delegated role, the delegation is ended.
Advice: This removes all indirect assignments the employee obtained through this role.

Configuration parameter: QER\Attestation\AutoRemovalScope\ESetAssignment\RemoveRequested
Meaning: If the system role was requested through the IT Shop, it is removed.
Advice: This removes all indirect assignments the employee obtained through this role.

Configuration parameter: QER\Attestation\AutoRemovalScope\ESetAssignment\RemoveDirectRole
Meaning: The assignment of the system role to hierarchical roles is removed.
Advice: This removes the system role assignment from all user accounts whose associated employees are members of these roles. IMPORTANT: Employees whose attestation has been approved can lose the system role through this. Check the side effects of this configuration parameter in your situation before you set it.
