Attestation of new users is divided into 3 use cases by the One Identity Manager:
The result of attestation is the same in all three cases.
Company resources are inherited. Account definitions are assigned.
- OR -
Disabled employees cannot log on to One Identity Manager tools. Company resources are not inherited. Account definitions are not automatically assigned. User accounts associated with the employee are also locked or deleted. You can customize this behavior to meet your requirements.
New users can register on the Web Portal home page. These users can log into the One Identity Manager once the manager in charge of the employee’s master data has completed attestation.
Attestation Sequence
A new employee object is added to the One Identity Manager database with the following properties:
Property | Value |
---|---|
Certification status | New |
Permanently disabled | Enabled |
No inheritance | Enabled |
Attestation policy used | "Certification of new users" |
Effective approval policy | "User certification" |

NOTE: Attestation is only started automatically if the configuration parameter "QER\Attestation\UserApproval" is set. Otherwise the new user remains permanently disabled until the manager in charge of the employee’s master data changes it manually.
Figure 4: Approval Workflow "Certification of Users" Adding in Web Portal
Property | Value | Explanation |
---|---|---|
Certification status | Certified | |
Permanently disabled | Disabled | The user can log on to the Web Portal. |
No inheritance | Disabled | Company resources are inherited. |

Property | Value | Explanation |
---|---|---|
Certification status | Denied | |
Permanently disabled | Enabled | The user cannot log on to the Web Portal. |
No inheritance | Enabled | Company resources are not inherited. User accounts are not created automatically. |

Property | Value | Explanation |
---|---|---|
Certification status | Certified | |
Permanently disabled | Disabled | The user can log on to the Web Portal. |
No inheritance | Disabled | Company resources are inherited. |

NOTE: Only employee administrators can ultimately deny attestation approval. If a manager denies attestation, the case is always returned to the employee administrators for approval.
Employee administrators and managers use the Web Portal for attestation.
Configuration parameter | Meaning |
---|---|
QER\Attestation\UserApproval\InitialApprovalState | Certification status for new employees. If an employee is added with the certification status "1=new", data attestation by the employee’s manager is started. |
You can also attest new users if employees are added with the Manager. You specify which behavior you require with the configuration parameter "QER\Attestation\UserApproval\InitialApprovalState". This configuration parameter has the default value "0". This gives each new employee the certification status "certified". Automatic attestation is not carried out.
This allows new users to be attested through the assigned manager.
All employees added to the database from this point on are given the certification status "new". This means automatic attestation of these employees is carried out.
Attestation Sequence
The certification status corresponds to the value of the configuration parameter "QER\Attestation\UserApproval\InitialApprovalState". If the configuration parameter has the value "1", certification status is set to "New".
The employee is enabled by default and can log in immediately to One Identity Manager.
Property | Value |
---|---|
Attestation policy used | "Certification of new users" |
Effective approval policy | "User certification" |
The attestation takes place as described below. Employee administrators and managers use the Web Portal for attestation.
Figure 5: Approval Workflow "Certification of Users" Adding in Manager
Property | Value | Explanation |
---|---|---|
Certification status | Certified | |
Permanently disabled | Disabled | |
No inheritance | Disabled | Company resources are inherited. |

Property | Value | Explanation |
---|---|---|
Certification status | Denied | |
Permanently disabled | Enabled | |
No inheritance | Enabled | Company resources are not inherited. User accounts are not created automatically. |

Property | Value | Explanation |
---|---|---|
Certification status | Certified | |
Permanently disabled | Disabled | |
No inheritance | Disabled | Company resources are inherited. |

NOTE: Only employee administrators can ultimately deny attestation approval. If a manager denies attestation, the case is always returned to the employee administrators for approval.
Configuration parameter | Meaning |
---|---|
QER\Attestation\UserApproval\InitialApprovalState | Certification status for new employees. If an employee is added with the certification status "1=new", data attestation by the employee’s manager is started. |
You can request attestation of new employees if their master data is imported from another system into the One Identity Manager database. To ensure that new employees are automatically attested, the employee’s certification status must be set to "new" (Person.ApprovalState = '1'). There are two possible ways to do this:
Prerequisite: The import does not alter the property Person.ApprovalState.
NOTE: The configuration parameter "QER\Attestation\UserApproval\InitialApprovalState" is set to "0" by default. This gives each new employee the certification status "certified". Automatic attestation is not carried out. If you want employees to be attested immediately, change the value of the configuration parameter to "1".
Employees are automatically attested by their manager.
Imported employee master data has already been authorized. It should not be attested again.
Employees are disabled permanently and not attested.
Attestation of new users is triggered when:
Attestation is the same as described in Adding New Employees in the One Identity Manager, steps 4 to 7. The attestation policy "Certification of new users" is run.
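The following is an added example, not One Identity Manager code: a small model of the new-user attestation states described in the three use cases above (Web Portal registration, adding in Manager, import), using the page's property names and the InitialApprovalState values 0 (certified) and 1 (new). It assumes that the initial "No inheritance" value for employees added in Manager or imported is Disabled, which the page does not state, and it represents employee administrators as `"employee_admin"`.

```python
from dataclasses import dataclass

# Mapping of QER\Attestation\UserApproval\InitialApprovalState to the
# certification status of a newly added employee (values from the page).
INITIAL_STATE = {0: "certified", 1: "new"}


@dataclass
class Employee:
    certification_status: str   # "new", "certified" or "denied"
    permanently_disabled: bool  # "Permanently disabled" property
    no_inheritance: bool        # "No inheritance" property

    def can_log_in(self) -> bool:
        # Permanently disabled employees cannot log on to the tools.
        return not self.permanently_disabled


def add_employee(source: str, initial_approval_state: int = 0) -> Employee:
    """source is 'webportal' (self-registration), 'manager' or 'import'."""
    if source == "webportal":
        # Self-registered users start as New, disabled and without inheritance,
        # so they cannot log in until the manager has attested them.
        return Employee("new", True, True)
    # Manager and import paths: status follows the configuration parameter
    # (import prerequisite: the import does not alter Person.ApprovalState).
    # The employee is enabled and can log in immediately.
    # Assumption: No inheritance starts Disabled for these two paths.
    return Employee(INITIAL_STATE[initial_approval_state], False, False)


def needs_attestation(emp: Employee) -> bool:
    # Only a status of "new" triggers the "Certification of new users" policy;
    # the default parameter value 0 therefore skips attestation entirely.
    return emp.certification_status == "new"


def apply_decision(emp: Employee, approved: bool, decided_by: str) -> Employee:
    """Apply an attestation decision made by 'manager' or 'employee_admin'."""
    if approved:
        # Certified: user can log on, company resources are inherited.
        return Employee("certified", False, False)
    if decided_by == "manager":
        # A manager's denial is not final: the case is returned to the
        # employee administrators, so the employee's state is unchanged.
        return emp
    # Employee administrators can ultimately deny: disabled, no inheritance.
    return Employee("denied", True, True)
```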
© 2023 One Identity LLC. ALL RIGHTS RESERVED.