Configuration parameter | Meaning |
---|---|
QER\Attestation\AutoRemovalScope\AERoleMembership | Determines default behavior for automatic removal of application role memberships if attestation approval is not granted. |
When you use the default attestation policy "Attestation of application role membership" or have set up attestation policies with the default attestation procedure "Attestation of application role membership", you can configure automatic removal of application roles through the configuration parameter "QER\Attestation\AutoRemovalScope\AERoleMembership". After attestation approval has been denied, the One Identity Manager checks which type of assignment was used for the user account to become a member in the application role.
Configuration parameter | Meaning | Advice |
---|---|---|
QER\Attestation\AutoRemovalScope\AERoleMembership\RemoveDirectRole | The employee's secondary membership is removed from the application role. | This removes all indirect assignments the employee obtained through this application role. Membership in dynamic roles is not removed by this. |
QER\Attestation\AutoRemovalScope\AERoleMembership\RemoveRequestedRole | If the employee requested the application role through the IT Shop, it is canceled. | This removes all indirect assignments the employee obtained through this application role. |
QER\Attestation\AutoRemovalScope\AERoleMembership\RemoveDelegatedRole | If the application role was delegated to the employee, delegation is ended. | This removes all indirect assignments the employee obtained through this application role. |
Installed Module: | Business Roles Module |
Configuration parameter | Meaning |
---|---|
QER\Attestation\AutoRemovalScope\RoleMembership | Determines default behavior for automatic removal of business role memberships if attestation approval is not granted. |
When you use the default attestation policy "Attestation of business role membership" or have set up attestation policies with the default attestation procedure "Attestation of business role membership", you can configure automatic removal of business roles through the configuration parameter "QER\Attestation\AutoRemovalScope\RoleMembership". After attestation approval has been denied, the One Identity Manager checks which type of assignment was used for the user account to become a member in the business role.
Configuration parameter | Meaning | Advice |
---|---|---|
QER\Attestation\AutoRemovalScope\RoleMembership\RemoveDirectRole | The employee's secondary membership in the business role is removed. | This removes all indirect assignments the employee obtained through this business role. Membership in dynamic roles is not removed by this. |
QER\Attestation\AutoRemovalScope\RoleMembership\RemoveRequestedRole | If the employee requested the business role through the IT Shop, it is canceled. | This removes all indirect assignments the employee obtained through this business role. |
QER\Attestation\AutoRemovalScope\RoleMembership\RemoveDelegatedRole | If the business role was delegated to the employee, delegation is ended. | This removes all indirect assignments the employee obtained through this business role. |
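
The following added example is not One Identity Manager code; it models the removal rules from the application role and business role tables above to show which memberships survive a denied attestation. The origin labels (`direct`, `requested`, `delegated`, `dynamic`), the function names and the rule that a sub-parameter only acts while its parent parameter is enabled are assumptions made for this sketch.

```python
# Added illustration, not One Identity Manager code: it models only the rules in the tables above.
SCOPE = "QER\\Attestation\\AutoRemovalScope\\"

# Assignment origin -> sub-parameter that removes it. "dynamic" is absent on purpose:
# the page states that membership in dynamic roles is not removed.
SUB_PARAM = {
    "direct": "RemoveDirectRole",
    "requested": "RemoveRequestedRole",
    "delegated": "RemoveDelegatedRole",
}

def apply_denial(kind, origins, enabled):
    """Return (removed, remaining) origins after attestation approval was denied.

    kind    -- "AERoleMembership" (application role) or "RoleMembership" (business role)
    origins -- how the employee obtained the membership, e.g. ["direct", "dynamic"]
    enabled -- set of enabled configuration parameter paths
    """
    parent = SCOPE + kind
    removed, remaining = [], []
    for origin in origins:
        sub = SUB_PARAM.get(origin)
        # Assumption: a sub-parameter only acts while its parent parameter is enabled.
        if sub and parent in enabled and parent + "\\" + sub in enabled:
            removed.append(origin)
        else:
            remaining.append(origin)
    return removed, remaining

def residual_access(kind, origins, enabled):
    """True if the employee is still a member after automatic removal has run."""
    return bool(apply_denial(kind, origins, enabled)[1])

# Constructed sample: only direct and delegated removal are switched on for business roles.
ENABLED = {
    SCOPE + "RoleMembership",
    SCOPE + "RoleMembership\\RemoveDirectRole",
    SCOPE + "RoleMembership\\RemoveDelegatedRole",
}

if __name__ == "__main__":
    for origins in (["direct"], ["direct", "requested"], ["delegated", "dynamic"]):
        removed, remaining = apply_denial("RoleMembership", origins, ENABLED)
        print(origins, "-> removed:", removed, "still assigned:", remaining)
```

Any origin left in the second list means the denied membership remains in effect and needs manual follow-up.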
Configuration parameter | Meaning |
---|---|
QER\Attestation\UserApproval | Supports attestation procedures for regularly checking and confirming One Identity Manager users through their Manager. |
Use the One Identity Manager attestation functionality to regularly check and authorize employees' master data, target system entitlement and assignments. Furthermore, the One Identity Manager provides default procedures for quickly attesting and certifying the master data of newly added One Identity Manager users in the One Identity Manager database. This functionality can be used, for example, if external employees, such as contract workers, should be provided with temporary access to the One Identity Manager. Regular recertification can be run through scheduled tasks.
In the context of an attestation, a manager can check and update the master data for the user to be certified, if necessary. Use the Web Portal for attestation.
To enable use of attestation and recertification functions for new users
The following users are involved in attestation and recertification of employees.
User | Task |
---|---|
Employee administrators | Employee administrators must be assigned to the application role Identity Management \| Employees \| Administrators. Users with this application role: |
Managers | |
Administrators for attestation cases | Administrators must be assigned to the application role Identity & Access Governance \| Attestation \| Administrators. Users with this application role: |
Web Portal users | |