The Recertification Sequence
The Recertification Sequence
The One Identity Manager uses the same method for recertification as for certification of new users. User recertification is triggered when:
- The configuration parameter "QER\Attestation\UserApproval" is set
- No data source import is stored with the employee or the data source import is not "Oracle"
- The point in time reserved for attestation in the attestation policy "Recertification of user" has been reached.
Employees are attested through their managers. If an employee is not assigned a manager, the employee administrator assigns an initial manager for them. Employee administrators and managers use the Web Portal for attestation.
|
|
NOTE: Only employee administrators can ultimately deny recertification. If a manager denies recertification, the case is returned to the employee administrators for approval in any case. |
Attestation is the same as described in Adding New Employees in the One Identity Manager, steps 4 to 7. The attestors are determined using the approval policy "Certification of users".
Related Topics
- One Identity Manager Web Portal User Guide
Limiting Attestation Objects for Recertification
Limiting Attestation Objects for Recertification
|
|
IMPORTANT: In order to customize default the attestation policy "Recertification of users" you must make changes to One Identity Manager objects. Always use a custom copy of the respective object to make changes. |
All employees in the saved in the database are recertified using the attestation policy "Recertification of users" supplied in the One Identity Manager. It may be necessary to limit recertification of new users to a certain group of employees, for example, if only employees in a specific departments should be attested. To do this, you can extend the condition attached to the attestation policy. Create a custom attestation policy for this.
The following objects must be changed so that recertification of users can be carried out with this attestation policy. Always create a copy of the respective object to do this.
- Attestation policy "Recertification of users"
- Process VI_Attestation_AttestationCase_Person_Approval_Granted
- Process VI_Attestation_AttestationCase_Person_Approval_Dismissed
|
|
IMPORTANT: In order for recertification to run correctly in the Web Portal, the default attestation procedure "Certification of users" and the default approval policy "Certification of users" must be assigned to the attestation policy. The default attestation procedure, the default approval policy and the default approval workflow "Certification of users" must not be changed. |
To customize default recertification of users
- Copy the attestation policy "Recertification of users" and customize it.
Table 91: Attestation Policy Properties Property Value Attestation procedure "User certification" Approval policies "User certification" Edit connection... The default condition must be copied without modification so that the correct attestation object is selected.
You can customize the condition to suit your requirements.
- Copy the process VI_Attestation_AttestationCase_Person_Approval_Granted of the base object AttestationCase in the Designer and customize the copy.
Table 92: Process Properties with Modifications Process property Modification Generating pre-script Replace the UID of the attestation policy "Certification of new users" with the UID of the new attestation policy. Generating condition: - Copy the process VI_Attestation_AttestationCase_Person_Approval_Dismissed of the base object AttestationCase in the Designer and customize the copy.
Table 93: Process Properties with Modifications Process property Modification Generating pre-script Replace the UID of the attestation policy "Certification of new users" with the UID of the new attestation policy. Generating condition:
Detailed information about this topic
- General Master Data for Attestation Policies
- Creating a Copy
- One Identity Manager Configuration Guide
Mitigating Controls
Mitigating Controls
| Configuration parameter | Active Meaning |
|---|---|
| QER\CalculateRiskIndex | Preprocessor relevant configuration parameter controlling system components for calculating an employee's risk index. Changes to the parameter require recompiling the database.
If the parameter is set, values can be entered and calculated for the risk index. |
Violation of regulatory requirements can harbor different risks for companies. To evaluate these risks, you can apply risk indexes to compliance rules
Mitigating controls are independent on One Identity Manager’s functionality. They are not monitored through One Identity Manager.
Mitigating controls describe controls that are implemented if an attestation rule was violated. The attestation can be approved after the next attestation run, once controls have been applied.
To edit mitigating controls
- Set the configuration parameter "QER\CalculateRiskIndex" in the Designer and compile the database.
For more detailed information about risk assessment, see the One Identity Manager Risk Assessment Administration Guide.
General Master Data for a Mitigating Control
General Master Data for a Mitigating Control
To edit mitigating controls
- Select the category Risk index functions | Mitigating controls.
- Select a mitigating control in the result list. Select Change master data in the task view.
- OR -
Click
in the result list toolbar.
- Edit the mitigating control master data.
- Save the changes.
Enter the following master data for mitigating controls.
| Property | Description |
|---|---|
| Measure | Unique identifier for the mitigating control. |
| Significance reduction | When the mitigating control is implemented, this value is used to reduce the risk of denied attestation cases. Enter a number between 0 and 1. |
| Description | Detailed description of the mitigating control. |
| Functional area | Functional area in which the mitigating control may be applied. |
| Department | Department in which the mitigating control may be applied. |