
Identity Manager 8.0 - Attestation Administration Guide


Attesting New Users

One Identity Manager distinguishes three use cases for attesting new users:

  1. Adding a new user by registering in the Web Portal
  2. Adding a new employee in the Manager
  3. Adding a new employee by importing employee master data

The result of attestation is the same in all three cases:

  • Certified, enabled employees, who can access all entitlements assigned to them in One Identity Manager and in the connected target systems.

    Company resources are inherited. Account definitions are assigned.

    - OR -

  • Denied and permanently deactivated employees.

    Disabled employees cannot log on to One Identity Manager tools. Company resources are not inherited. Account definitions are not assigned automatically. User accounts associated with the employee are also locked or deleted. You can customize this behavior to meet your requirements.

Adding New Users in Web Portal

New users can register on the Web Portal home page. These users can log into the One Identity Manager once the manager in charge of the employee’s master data has completed attestation.

Attestation Sequence

  1. The new user enters his or her own master data in the Web Portal.

    A new employee object is added to the One Identity Manager database with the following properties:

    Table 78: Properties of New Employee
    Property               Value
    Certification status   New
    Permanently disabled   Enabled
    No inheritance         Enabled
  2. Attestation is started automatically.
    Attestation policy used: "Certification of new users"

    NOTE: Attestation is only started automatically if the configuration parameter "QER\Attestation\UserApproval" is set. Otherwise the new user remains disabled permanently until the manager in charge of the employee’s master data changes it manually.
  3. Attestors are found.
    Effective Approval Policy "User certification"

Figure 4: Approval Workflow "Certification of Users" Adding in Web Portal

  4. When a new user is added via the Web Portal, no manager is assigned to them. Therefore, the case is passed on to One Identity Manager users with the application role Identity Management | Employees | Administrators (called "employee administrators" in the following) for approval.
  5. An employee administrator checks the new user's master data and also assigns a manager.
    a. The employee administrator assigns a manager and approves attestation. The attestation case is assigned to the manager for approval.
    b. If the employee administrator does not assign a manager and approves attestation, the attestation case is closed. The employee properties are updated in the database.
      Table 79: Properties of an Employee with Approved Attestation
      Property               Value       Explanation
      Certification status   Certified
      Permanently disabled   Disabled    The user can log on to the Web Portal.
      No inheritance         Disabled    Company resources are inherited.
    c. If an employee administrator denies attestation approval, the attestation case is closed. The employee properties are updated in the database.
      Table 80: Properties of an Employee with Denied Attestation
      Property               Value       Explanation
      Certification status   Denied
      Permanently disabled   Enabled     The user cannot log in to the Web Portal.
      No inheritance         Enabled     Company resources are not inherited. User accounts are not created automatically.

  6. The manager can deny attestation approval if they are not the manager in charge of the employee.
    a. The manager can assign another person as manager. The attestation case is immediately assigned to this manager.
    b. If the manager does not know who the employee's manager is, approval is returned to the employee administrators. These can either:
      • Assign another manager (5 a)
      • Not assign a new manager and approve attestation (5 b)
      • Deny attestation approval (5 c).
  7. If the manager approves attestation, the attestation case is closed. The employee properties are updated in the database.
    Table 81: Properties of an Employee with Approved Attestation
    Property               Value       Explanation
    Certification status   Certified
    Permanently disabled   Disabled    The user can log on to the Web Portal.
    No inheritance         Disabled    Company resources are inherited.

NOTE: Only employee administrators can ultimately deny attestation approval. If a manager denies attestation, the case is returned to the employee administrators for approval in any case.

Employee administrators and managers use the Web Portal for attestation.

Related Topics
  • One Identity Manager Web Portal User Guide

Adding New Employees in the One Identity Manager

Table 82: Configuration Parameters for Attesting New One Identity Manager Users
Configuration parameter                             Meaning
QER\Attestation\UserApproval\InitialApprovalState   Certification status for new employees. If an employee is added with the certification status "1=new", attestation of the master data by the employee's manager is started.

New users can also be attested when employees are added in the Manager. You specify the required behavior with the configuration parameter "QER\Attestation\UserApproval\InitialApprovalState". This configuration parameter has the default value "0", which gives each new employee the certification status "certified"; automatic attestation is not carried out.

To have new users attested by their assigned manager:

  • Set the configuration parameter "QER\Attestation\UserApproval\InitialApprovalState" to "1" in the Designer.

    All employees added to the database from this point on are given the certification status "new", so automatic attestation of these employees is carried out.

Attestation Sequence

  1. Enter the master data of the new users in the category Employees | Employees and assign a manager.

    The certification status corresponds to the value of the configuration parameter "QER\Attestation\UserApproval\InitialApprovalState". If the configuration parameter has the value "1", certification status is set to "New".

    The employee is enabled by default and can log in immediately to One Identity Manager.

    • If new users should only be allowed to log in to One Identity Manager after their master data has been attested, run the task Disable employee permanently.
  2. Once the employee master data has been saved, attestation starts.
    Attestation policy used: "Certification of new users"
  3. Attestors are found.
    Effective Approval Policy "User certification"

The attestation takes place as described below. Employee administrators and managers use the Web Portal for attestation.

Figure 5: Approval Workflow "Certification of Users" Adding in Manager

  4. One Identity Manager checks whether you have assigned a manager to the employee.
    a. If you have assigned a manager to the employee, the case is immediately passed on to them for approval.
    b. If there is no manager assigned to the employee, the case is allocated to the employee administrators for approval.
  5. An employee administrator checks the employee's master data and also assigns a manager.
    a. The employee administrator assigns a manager and approves attestation. The attestation case is assigned to the manager for approval.
    b. If the employee administrator does not assign a manager and approves attestation, the attestation case is closed. The employee properties are updated in the database.
      Table 83: Properties of an Employee with Approved Attestation
      Property               Value       Explanation
      Certification status   Certified
      Permanently disabled   Disabled
      No inheritance         Disabled    Company resources are inherited.
    c. If an employee administrator denies attestation approval, the attestation case is closed. The employee properties are updated in the database.
      Table 84: Properties of an Employee with Denied Attestation
      Property               Value       Explanation
      Certification status   Denied
      Permanently disabled   Enabled
      No inheritance         Enabled     Company resources are not inherited. User accounts are not created automatically.

  6. The manager can deny attestation approval if they are not the manager in charge of the employee.
    a. The manager can assign another person as manager. The attestation case is immediately assigned to this manager.
    b. If the manager does not know who the employee's manager is, approval is returned to the employee administrators. These can either:
      • Assign another manager (5 a)
      • Not assign a new manager and approve attestation (5 b)
      • Deny attestation approval (5 c).
  7. If the manager approves attestation, the attestation case is closed. The employee properties are updated in the database.
    Table 85: Properties of an Employee with Approved Attestation
    Property               Value       Explanation
    Certification status   Certified
    Permanently disabled   Disabled
    No inheritance         Disabled    Company resources are inherited.

NOTE: Only employee administrators can ultimately deny attestation approval. If a manager denies attestation, the case is returned to the employee administrators for approval in any case.

Related Topics
  • One Identity Manager Web Portal User Guide

Importing New Employee Master Data

Table 86: Configuration Parameters for Attesting New One Identity Manager Users
Configuration parameter                             Meaning
QER\Attestation\UserApproval\InitialApprovalState   Certification status for new employees. If an employee is added with the certification status "1=new", attestation of the master data by the employee's manager is started.

You can request attestation of new employees whose master data is imported from other systems into the One Identity Manager database. To ensure that new employees are attested automatically, the employee's certification status must be set to "new" (Person.ApprovalState = '1'). There are two ways to do this:

  1. The configuration parameter "QER\Attestation\UserApproval\InitialApprovalState" is evaluated to find the certification status. If the configuration parameter has the value "1", certification status is set to "New".

    Prerequisite: The import does not alter the property Person.ApprovalState.

    NOTE: The configuration parameter "QER\Attestation\UserApproval\InitialApprovalState" is set to "0" by default. This gives each new employee the certification status "certified". Automatic attestation is not carried out.

    If you want employees to be attested immediately, change the value of the configuration parameter to "1".

  2. The import sets the property Person.ApprovalState explicitly.
    • Import sets ApprovalState = '1' ("new").

      Employees are automatically attested by their manager.

    • Import sets ApprovalState = '0' ("certified").

      Imported employee master data has already been authorized. It should not be attested again.

    • Import sets ApprovalState = '3' ("denied").

      Employees are disabled permanently and not attested.

Attestation of new users is triggered when:

  • The configuration parameter "QER\Attestation\UserApproval" is set
  • New employee master data is imported into the One Identity Manager database
  • Certification status for new employees is set to "new"
  • No data source import is stored with the employee.

Attestation is the same as described in Adding New Employees in the One Identity Manager, steps 4 to 7. The attestation policy "Certification of new users" is run.
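The three entry paths above (Web Portal registration, adding in the Manager, import) all feed the same approval workflow, and the routing rules are easy to get wrong when reviewing a customized policy: who receives the case first, what an administrator's approval does with and without a manager assignment, and why a manager's denial can never close the case. The following Python model is an added example and not One Identity Manager code; the Person.ApprovalState values ('0', '1', '3') and the QER\Attestation configuration parameters are taken from this chapter, while the class and function names, and the sample employees, are my own constructed illustration.

```python
"""Added example: a model of the new-user certification flow in this chapter
(Web Portal registration, adding in the Manager, import). Not One Identity
Manager code; Person.ApprovalState values and the QER\\Attestation parameters
come from the text, the class and function names are assumptions."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional

ADMINS = "employee_administrators"   # role Identity Management | Employees | Administrators
MANAGER = "manager"


class ApprovalState(IntEnum):
    """Person.ApprovalState values named in the text."""
    CERTIFIED = 0
    NEW = 1
    DENIED = 3


@dataclass
class Config:
    user_approval: bool = True        # QER\Attestation\UserApproval
    initial_approval_state: int = 0   # QER\Attestation\UserApproval\InitialApprovalState (default 0)


@dataclass
class Employee:
    name: str
    manager: Optional[str]
    approval_state: ApprovalState
    permanently_disabled: bool
    no_inheritance: bool
    data_source_import: bool = False  # a data source import is stored with the employee


@dataclass
class AttestationCase:
    employee: Employee
    assigned_to: str                  # ADMINS or MANAGER
    closed: bool = False


def new_employee(name, source, config, manager=None, imported_state=None,
                 data_source_import=False):
    """Build the employee object for one of the three entry paths."""
    if source == "webportal":
        # Table 78: self-registered users start New, permanently disabled, no inheritance
        return Employee(name, None, ApprovalState.NEW, True, True)
    if source == "manager":
        # Certification status follows InitialApprovalState; the employee is enabled
        return Employee(name, manager, ApprovalState(config.initial_approval_state), False, False)
    if source == "import":
        # An ApprovalState set explicitly by the import wins over the configuration parameter
        raw = config.initial_approval_state if imported_state is None else imported_state
        state = ApprovalState(raw)
        denied = state == ApprovalState.DENIED   # '3': disabled permanently, not attested
        return Employee(name, manager, state, denied, denied, data_source_import)
    raise ValueError(f"unknown source {source!r}")


def attestation_starts(emp, config):
    """Trigger conditions listed under 'Attestation of new users is triggered when'."""
    return (config.user_approval
            and emp.approval_state == ApprovalState.NEW
            and not emp.data_source_import)


def open_case(emp, config):
    """Step 4: route to the manager if one is assigned, otherwise to the administrators."""
    if not attestation_starts(emp, config):
        return None
    return AttestationCase(emp, MANAGER if emp.manager else ADMINS)


def _close(case, approved):
    emp = case.employee
    emp.approval_state = ApprovalState.CERTIFIED if approved else ApprovalState.DENIED
    emp.permanently_disabled = emp.no_inheritance = not approved   # Tables 79 and 80
    case.closed = True


def admin_decision(case, approve, assign_manager=None):
    """Step 5: an employee administrator decides and may assign a manager."""
    assert case.assigned_to == ADMINS and not case.closed
    if not approve:
        _close(case, approved=False)            # 5 c: only administrators can finally deny
    elif assign_manager:
        case.employee.manager = assign_manager  # 5 a: hand the case to the assigned manager
        case.assigned_to = MANAGER
    else:
        _close(case, approved=True)             # 5 b: certified without a manager


def manager_decision(case, approve, new_manager=None):
    """Steps 6 and 7: the manager approves, reassigns, or returns the case."""
    assert case.assigned_to == MANAGER and not case.closed
    if approve:
        _close(case, approved=True)             # 7: case closed, employee certified
    elif new_manager:
        case.employee.manager = new_manager     # 6 a: the case stays with the new manager
    else:
        case.assigned_to = ADMINS               # 6 b: returned to the employee administrators
```

The model makes the two invariants of the chapter checkable: a case opened for a self-registered user always starts with the employee administrators, and `manager_decision(case, approve=False)` never closes a case, so the Denied state can only be reached through `admin_decision`. Running the import path with `imported_state=3` or with `data_source_import=True` returns no case at all, matching the trigger conditions above.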
