Identity Manager 8.0 - Attestation Administration Guide

The Recertification Sequence

One Identity Manager uses the same method for recertification as for certification of new users. User recertification is triggered when:

  • The configuration parameter "QER\Attestation\UserApproval" is set
  • No data source import is stored with the employee or the data source import is not "Oracle"
  • The point in time reserved for attestation in the attestation policy "Recertification of users" has been reached.

Employees are attested through their managers. If an employee is not assigned a manager, the employee administrator assigns an initial manager for them. Employee administrators and managers use the Web Portal for attestation.

NOTE: Only employee administrators can ultimately deny recertification. If a manager denies recertification, the case is always returned to the employee administrators for approval.

Attestation is the same as described in Adding New Employees in the One Identity Manager, steps 4 to 7. The attestors are determined using the approval policy "Certification of users".

Related Topics
  • One Identity Manager Web Portal User Guide

Limiting Attestation Objects for Recertification

IMPORTANT: To customize the default attestation policy "Recertification of users", you must make changes to One Identity Manager objects. Always use a custom copy of the respective object to make changes.

All employees saved in the database are recertified using the attestation policy "Recertification of users" supplied with One Identity Manager. It may be necessary to limit recertification of new users to a certain group of employees, for example, if only employees in specific departments should be attested. To do this, you can extend the condition attached to the attestation policy. Create a custom attestation policy for this.

The following objects must be changed so that recertification of users can be carried out with this attestation policy. Always create a copy of the respective object to do this.

  • Attestation policy "Recertification of users"
  • Process VI_Attestation_AttestationCase_Person_Approval_Granted
  • Process VI_Attestation_AttestationCase_Person_Approval_Dismissed

IMPORTANT: In order for recertification to run correctly in the Web Portal, the default attestation procedure "Certification of users" and the default approval policy "Certification of users" must be assigned to the attestation policy.

The default attestation procedure, the default approval policy and the default approval workflow "Certification of users" must not be changed.

To customize default recertification of users

  1. Copy the attestation policy "Recertification of users" and customize it.
    Table 91: Attestation Policy Properties

    | Property | Value |
    |---|---|
    | Attestation procedure | "User certification" |
    | Approval policies | "User certification" |
    | Edit connection... | |

    The default condition must be copied without modification so that the correct attestation object is selected.

    You can customize the condition to suit your requirements.

  2. Copy the process VI_Attestation_AttestationCase_Person_Approval_Granted of the base object AttestationCase in the Designer and customize the copy.
    Table 92: Process Properties with Modifications

    | Process property | Modification |
    |---|---|
    | Generating pre-script | Replace the UID of the attestation policy "Certification of new users" with the UID of the new attestation policy. |
    | Generating condition: | |
  3. Copy the process VI_Attestation_AttestationCase_Person_Approval_Dismissed of the base object AttestationCase in the Designer and customize the copy.
    Table 93: Process Properties with Modifications

    | Process property | Modification |
    |---|---|
    | Generating pre-script | Replace the UID of the attestation policy "Certification of new users" with the UID of the new attestation policy. |
    | Generating condition: | |
Mitigating Controls

Table 94: Configuration Parameter for Risk Assessment

| Configuration parameter | Active Meaning |
|---|---|
| QER\CalculateRiskIndex | Preprocessor relevant configuration parameter controlling system components for calculating an employee's risk index. Changes to the parameter require recompiling the database. |

If the parameter is set, values can be entered and calculated for the risk index.

Violation of regulatory requirements can harbor different risks for companies. To evaluate these risks, you can apply risk indexes to compliance rules and company policies. These risk indexes provide information about the risk involved for the company in violating the respective rule or policy. Once the risks have been identified and evaluated, mitigating controls can be implemented.

Mitigating controls are independent of One Identity Manager's functionality. They are not monitored through One Identity Manager.

Mitigating controls describe controls that are implemented if an attestation rule was violated. The attestation can be approved after the next attestation run, once controls have been applied.

To edit mitigating controls

  • Set the configuration parameter "QER\CalculateRiskIndex" in the Designer and compile the database.

For more detailed information about risk assessment, see the One Identity Manager Risk Assessment Administration Guide.

General Master Data for a Mitigating Control

To edit mitigating controls

  1. Select the category Risk index functions | Mitigating controls.
  2. Select a mitigating control in the result list. Select Change master data in the task view.

    - OR -

    Click in the result list toolbar.

  3. Edit the mitigating control master data.
  4. Save the changes.

Enter the following master data for mitigating controls.

Table 95: General Master Data for a Mitigating Control

| Property | Description |
|---|---|
| Measure | Unique identifier for the mitigating control. |
| Significance reduction | When the mitigating control is implemented, this value is used to reduce the risk of denied attestation cases. Enter a number between 0 and 1. |
| Description | Detailed description of the mitigating control. |
| Functional area | Functional area in which the mitigating control may be applied. |
| Department | Department in which the mitigating control may be applied. |