
Identity Manager 8.0 - Attestation Administration Guide


Application Role Attestation

Table 72: Configuration Parameters for Removing Application Roles

Configuration parameter: QER\Attestation\AutoRemovalScope\AERoleMembership
Meaning: Determines default behavior for automatic removal of application role memberships if attestation approval is not granted.

When you use the default attestation policy "Attestation of application role membership" or have set up attestation policies with the default attestation procedure "Attestation of application role membership", you can configure automatic removal of application roles through the configuration parameter "QER\Attestation\AutoRemovalScope\AERoleMembership". After attestation approval has been denied, the One Identity Manager checks which type of assignment was used for the user account to become a member in the application role.

Table 73: Effect of Configuration Parameters when Attestation Denied

Configuration parameter: QER\Attestation\AutoRemovalScope\AERoleMembership\RemoveDirectRole
Meaning: The employee's secondary membership is removed from the application role.
Advice: This removes all indirect assignments the employee obtained through this application role. Membership in dynamic roles is not removed by this.

Configuration parameter: QER\Attestation\AutoRemovalScope\AERoleMembership\RemoveRequestedRole
Meaning: If the employee requested the application role through the IT Shop, it is canceled.
Advice: This removes all indirect assignments the employee obtained through this application role.

Configuration parameter: QER\Attestation\AutoRemovalScope\AERoleMembership\RemoveDelegatedRole
Meaning: If the application role was delegated to the employee, delegation is ended.
Advice: This removes all indirect assignments the employee obtained through this application role.

Business Role Attestation

Installed Module: Business Roles Module
Table 74: Configuration Parameters for Removing Business Roles

Configuration parameter: QER\Attestation\AutoRemovalScope\RoleMembership
Meaning: Determines default behavior for automatic removal of business role memberships if attestation approval is not granted.

When you use the default attestation policy "Attestation of business role membership" or have set up attestation policies with the default attestation procedure "Attestation of business role membership", you can configure automatic removal of business roles through the configuration parameter "QER\Attestation\AutoRemovalScope\RoleMembership". After attestation approval has been denied, the One Identity Manager checks which type of assignment was used for the user account to become a member in the business role.

Table 75: Effect of Configuration Parameters when Attestation Denied

Configuration parameter: QER\Attestation\AutoRemovalScope\RoleMembership\RemoveDirectRole
Meaning: The employee's secondary membership in the business role is removed.
Advice: This removes all indirect assignments the employee obtained through this business role. Membership in dynamic roles is not removed by this.

Configuration parameter: QER\Attestation\AutoRemovalScope\RoleMembership\RemoveRequestedRole
Meaning: If the employee requested the business role through the IT Shop, it is canceled.
Advice: This removes all indirect assignments the employee obtained through this business role.

Configuration parameter: QER\Attestation\AutoRemovalScope\RoleMembership\RemoveDelegatedRole
Meaning: If the business role was delegated to the employee, delegation is ended.
Advice: This removes all indirect assignments the employee obtained through this business role.
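The removal logic in Tables 73 and 75 is the same for application roles and business roles: after a denied attestation, the product looks at how the membership came about (direct secondary assignment, IT Shop request, delegation) and acts only if the matching sub-parameter is set, while dynamic role memberships are left untouched. The following Python model, written as an added illustration rather than code from One Identity Manager, lets an administrator check which memberships a given parameter selection would actually remove and which would survive a denial. The parameter names are the ones from the tables above; the `Membership`, `Outcome`, `on_attestation_denied` and `uncovered_memberships` names, the sample employees and the assumption that an unset parameter simply leaves that membership type in place are constructed for this example.

```python
"""Decision model for One Identity Manager's AutoRemovalScope parameters.

Added illustration, not product code. Parameter names are taken from the
guide; the mapping of each assignment type to its sub-parameter follows the
documented behaviour. Everything else (class names, sample data, and the
assumption that an unset parameter leaves the membership in place) is
constructed for this example.
"""
from dataclasses import dataclass
from enum import Enum


class Assignment(Enum):
    DIRECT = "direct"        # secondary membership assigned directly
    REQUESTED = "requested"  # obtained through an IT Shop request
    DELEGATED = "delegated"  # obtained through delegation
    DYNAMIC = "dynamic"      # computed by a dynamic role (never auto-removed)


# Documented parameter prefix per role type.
PREFIX = {
    "application": r"QER\Attestation\AutoRemovalScope\AERoleMembership",
    "business": r"QER\Attestation\AutoRemovalScope\RoleMembership",
}

# Documented sub-parameter per assignment type; dynamic memberships have none.
SUBPARAM = {
    Assignment.DIRECT: "RemoveDirectRole",
    Assignment.REQUESTED: "RemoveRequestedRole",
    Assignment.DELEGATED: "RemoveDelegatedRole",
}

# Documented effect when the sub-parameter is set.
ACTION = {
    Assignment.DIRECT: "secondary membership removed",
    Assignment.REQUESTED: "IT Shop request canceled",
    Assignment.DELEGATED: "delegation ended",
}


@dataclass(frozen=True)
class Membership:
    employee: str
    role: str
    role_type: str          # "application" or "business"
    assignment: Assignment


@dataclass(frozen=True)
class Outcome:
    action: str
    indirect_assignments_removed: bool  # True when the role and everything inherited via it go away


def on_attestation_denied(membership: Membership, enabled_params: set) -> Outcome:
    """Return what auto-removal does to one membership after a denied attestation."""
    sub = SUBPARAM.get(membership.assignment)
    if sub is None:
        # Dynamic role memberships are not removed by these parameters (Tables 73/75).
        return Outcome("none (dynamic membership not removed)", False)
    param = PREFIX[membership.role_type] + "\\" + sub
    if param not in enabled_params:
        # Assumption for this model: no matching parameter, no automatic removal.
        return Outcome("none (parameter not set)", False)
    return Outcome(ACTION[membership.assignment], True)


def uncovered_memberships(memberships, enabled_params: set):
    """Memberships that would still be in place after a denied attestation."""
    return [m for m in memberships
            if not on_attestation_denied(m, enabled_params).indirect_assignments_removed]


# Constructed sample configuration: direct removal only for application roles,
# request cancellation only for business roles.
SAMPLE_ENABLED = {
    r"QER\Attestation\AutoRemovalScope\AERoleMembership\RemoveDirectRole",
    r"QER\Attestation\AutoRemovalScope\RoleMembership\RemoveRequestedRole",
}

# Constructed sample memberships (employee and role names are placeholders).
SAMPLE_MEMBERSHIPS = [
    Membership("alice", "App Admins", "application", Assignment.DIRECT),
    Membership("bob", "Finance", "business", Assignment.DIRECT),
    Membership("carol", "Finance", "business", Assignment.REQUESTED),
    Membership("dave", "App Admins", "application", Assignment.DYNAMIC),
]

if __name__ == "__main__":
    for m in SAMPLE_MEMBERSHIPS:
        print(m.employee, m.role, m.assignment.value, "->",
              on_attestation_denied(m, SAMPLE_ENABLED).action)
    print("still in place after denial:",
          [m.employee for m in uncovered_memberships(SAMPLE_MEMBERSHIPS, SAMPLE_ENABLED)])
```

Running the model over the sample data shows the two gaps an administrator should expect: Bob's direct business role membership stays because only the application-role variant of RemoveDirectRole is set, and Dave's dynamic membership stays regardless of configuration, so a denied attestation of a dynamically assigned role needs a change to the dynamic role condition rather than to these parameters.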

User Attestation and Recertification

Table 76: Configuration Parameters for Attesting New One Identity Manager Users

Configuration parameter: QER\Attestation\UserApproval
Meaning: Supports attestation procedures for regularly checking and confirming One Identity Manager users through their Manager.

Use the One Identity Manager attestation functionality to regularly check and authorize employees' master data, target system entitlements and assignments. Furthermore, the One Identity Manager provides default procedures for quickly attesting and certifying the master data of newly added One Identity Manager users in the One Identity Manager database. This functionality can be used, for example, if external employees, such as contract workers, should be provided with temporary access to the One Identity Manager. Regular recertification can be run through scheduled tasks.

In the context of an attestation, a manager can check and update the master data for the user to be certified, if necessary. Use the Web Portal for attestation.

To enable use of attestation and recertification functions for new users

  1. Set the configuration parameter "QER\Attestation\UserApproval" in the Designer.
  2. Assign at least one employee to the application role Identity Management | Employees | Administrators.
Related Topics
  • One Identity Manager Application Roles Administration Guide
  • One Identity Manager Web Portal User Guide
  • One Identity Manager Configuration Guide

Users for Attestation and Recertification

The following users are involved in attestation and recertification of employees.

Table 77: Users

User: Employee administrators
Tasks: Employee administrators must be assigned to the application role Identity Management | Employees | Administrators.

Users with this application role:

  • Can edit master data for all employees.
  • Can assign a manager.
  • Can assign company resources to employees.
  • Check and authorize employee master data.
  • Create and edit risk index functions.
  • Edit password policies for employee passwords.

User: Managers
Tasks:

  • Check employee master data of the user to be certified.
  • Update employee master data as required.
  • Assign another manager if required.
  • Attest the master data.

User: Administrators for attestation cases
Tasks: Administrators must be assigned to the application role Identity & Access Governance | Attestation | Administrators.

Users with this application role:

  • Modify the attestation policies if necessary.
  • Create more schedules if required.

User: Web Portal users
Tasks:

  • Log on to the Web Portal and enter their master data.