
Identity Manager 8.0 - Attestation Administration Guide

Attestation and Recertification

Scheduled Attestation

Users are also attested when the certification status of the respective employee in the database is set to "new" at a later date (manually or through import). For this purpose, the schedule "daily" is assigned to the attestation policy "Certification of new users". Attestation of new users starts when the time set in the schedule is reached. All employees that have the certification status "new" and are not already pending attestation are then determined.

You can assign a custom schedule to the attestation policy if required.

Limiting Attestation Objects for Certification

IMPORTANT: In order to customize the default attestation policy "Certification of new users", you must make changes to One Identity Manager objects. Always use a custom copy of the respective object to make changes.

It may be necessary to limit attestation of new users to a certain group of employees, for example, if only employees in specific departments should be attested. To do this, you can extend the condition attached to the attestation policy. Create a custom attestation policy for this purpose.

The following objects must be changed so that attestation of new users can be carried out with this attestation policy. Always create a copy of the respective object to do this.

  • Attestation policy "Certification of new users"
  • Process "VI_Attestation_Person_new_AttestationCase_for_Certification"
  • Process "VI_Attestation_AttestationCase_Person_Approval_Granted"
  • Process "VI_Attestation_AttestationCase_Person_Approval_Dismissed"

IMPORTANT: In order for attestation to run correctly in the Web Portal, the default attestation procedure "Certification of users" and the default approval policy "Certification of users" must be assigned to the attestation policy.

The default attestation procedure, the default approval policy and the default approval workflow "Certification of users" must not be changed.

To customize default attestation of new users

  1. Copy the attestation policy "Certification of users" and customize it.

    Table 87: Attestation Policy Properties
    Property                Value
    Attestation procedure   "User certification"
    Approval policies       "User certification"
    Edit connection...      See below.

    The default condition must be copied without modification so that the correct attestation object is selected.

    You can then customize the condition to suit your requirements.


  2. Create a copy of the process VI_Attestation_Person_new_AttestationCase_for_Certification from the base object Person in the Designer and customize it.

    Table 88: Process Properties with Modifications
    Process Step                 Parameter     Modification
    Create attestation instance  WhereClause   Replace the UID of the attestation policy "Certification of new users" with the UID of the new attestation policy.

  3. Copy the process VI_Attestation_AttestationCase_Person_Approval_Granted of the base object AttestationCase in the Designer and customize the copy.

    Table 89: Process Properties with Modifications
    Process Step               Modification
    Pre-script for generating  Replace the UID of the attestation policy "Certification of new users" with the UID of the new attestation policy.
    Generating condition:

  4. Copy the process VI_Attestation_AttestationCase_Person_Approval_Dismissed of the base object AttestationCase in the Designer and customize the copy.

    Table 90: Process Properties with Modifications
    Process Step               Modification
    Pre-script for generating  Replace the UID of the attestation policy "Certification of new users" with the UID of the new attestation policy.
    Generating condition:

Recertifying Existing Users

IMPORTANT: It is possible that, as a result of recertification, One Identity Manager users are denied access to connected target systems. You can configure this behavior to meet your company's requirements. Read the following section thoroughly before you use the recertification function.

One Identity Manager provides an attestation policy for performing cyclical attestation of existing users, allowing companies to regularly verify and authorize the employee master data stored in the One Identity Manager database. Cyclical attestation is triggered by a scheduled task, which resets the certification status of all employees stored in the database. One Identity Manager uses the same procedure for this as for attesting new users. This case is referred to as recertification.

Result of Recertification

  • Certified, enabled employees, who can access all entitlements assigned to them in One Identity Manager and in the connected target systems.

    Company resources are inherited. Account definitions are assigned.

    - OR -

  • Denied and permanently deactivated employees.

    Disabled employees cannot log on to One Identity Manager tools. Company resources are not inherited. Account definitions are not automatically assigned. User accounts associated with the employee are also locked or deleted. You can customize this behavior to meet your requirements.

Preparing for Recertification

To set up regular user attestation

  1. Set the configuration parameter "QER\Attestation\UserApproval" in the Designer.
  2. Create a schedule and assign it to the attestation policy "Recertification of users". By doing this, you replace the schedule assigned by default.
    • Enable the schedule.
  3. Assign at least one employee to the application role Identity Management | Employees | Administrators.

    All employees with this application role can assign a manager to the employee being attested during the attestation process.
