Attestation and Recertification
One Identity Manager Users for Attestation
Attestation Base Data
Approval Processes for Attestation Cases
Attestation Types
Attestation Procedures
Attestation Policies
General Master Data for an Approval Procedure
Defining Reports for Attestation
Default Attestation Procedures
Additional Tasks for Attestation Procedures
Schedules
Compliance Frameworks
Chief Approval Team
Standard Reasons
General Master Data for Attestation Policies
Risk Assessment
Default Attestation Policies
Additional Tasks for Attestation Policies
Creating Custom Mail Templates for Notifications
The Attestation Policy Overview
Assigning Approvers
Assigning Compliance Frameworks
Mitigating Controls
Running Attestation for Single Objects
Showing and Hiding Conditions
Creating a Copy
Showing Selected Objects
Deleting Attestation Policies
Disabling Attestation Policies
Approval Policies
Attestation Sequence
General Master Data for Approval Policies
Default Attestation Approval Policies
Additional Tasks for Approval Policies
Approval Workflows
Working with the Workflow Editor
Setting Up Approval Workflows
Additional Tasks for Approval Workflows
Deleting Approval Workflows
Default Approval Workflows
Selecting Attestors
Default Approval Procedures
Setting up Multi-Factor Authentication for Attestation
Prevent Attestation by Employee Awaiting Attestation
Managing Attestation Cases
Finding Attestors using the Attestation Policy
Finding Attestors using the Role of an Employee to Attest
Finding Attestors using Attestation Objects
Finding Attestors from Attestation Object Managers
Finding Attestors from those Responsible for the Attestation Object
Finding Attestors using a Specified Role
Finding Attestors from Product Owners
Calculated approval
Making External Approvals
Deferring Attestation
Setting up Approval Procedures
Additional Tasks for Approval Procedures
Deleting Approval Procedures
Finding Attestors
Starting Attestation
Additional Tasks for Attestation Cases
Modifying Approval Workflows on Pending Attestation Cases
Close Attestation Cases for Deactivated Employees
Deleting Attestation Cases
Notifications in Attestation
Default Attestation and Withdrawal of Entitlements
Demanding Attestation
Reminding Attestors
Scheduling Attestation Demands
Reminding Attestors about an Attestation Object
Granting or Denying an Attestation Case
Aborting an Attestation Case
Attestation Case Escalation
Delegating Attestation
Approval Rejection
Notifications with Questions
Notifications from Additional Attestors
Default Mail Templates
Attestation by Mail
System Entitlements Attestation
System Role Attestation
Application Role Attestation
Business Role Attestation
User Attestation and Recertification
Users for Attestation and Recertification
Attesting New Users
Mitigating Controls
Adding New Users in Web Portal
Adding New Employees in the One Identity Manager
Importing New Employee Master Data
Scheduled Attestation
Limiting Attestation Objects for Certification
Recertifying Existing Users
General Master Data for a Mitigating Control
Additional Tasks for Mitigating Controls
Calculating Mitigation
Configuration Parameters for Attestation
Configuration Parameters for Attestation
Configuration Parameters for Attestation
The following configuration parameters are additionally available in One Identity Manager after the module has been installed. Some general configuration parameters are relevant for attestation. The following table contains a summary of all applicable configuration parameters for attestation.
| Configuration parameter | Description | ||
|---|---|---|---|
| QER\Attestation | Preprocessor relevant configuration parameter for controlling the model parts for attestation. Changes to the parameter require recompiling the database.
If the parameter is enabled you can use the attestation function. | ||
| QER\Attestation\AllowAllReportTypes | This configuration parameter specifies whether all report formats are permitted for attestation policies. By default, only PDF is allowed because it is the only audit secure format. | ||
| QER\Attestation\AutoCloseInactivePerson | If this configuration parameter is set, pending attestation cases for an employee are closed, when this employees is permanently deactivated. | ||
| QER\Attestation\AutoRemovalScope | General configuration parameter for defining automatic withdrawal of memberships/assignments if attestation approval is not granted. | ||
| QER\Attestation\AutoRemovalScope\AERoleMembership | Determines default behavior for automatic removal of application role memberships if attestation approval is not granted. | ||
| QER\Attestation\AutoRemovalScope\AERoleMembership\RemoveDelegatedRole | If this configuration parameter is set, ends the application role delegation if attestation approval is not granted. | ||
| QER\Attestation\AutoRemovalScope\AERoleMembership\RemoveDirectRole | If this configuration parameter is set, employee membership in the application role will be removed if attestation approval is not granted. | ||
| QER\Attestation\AutoRemovalScope\AERoleMembership\RemoveRequestedRole | If this configuration parameter is set, the requested application role membership is canceled if attestation approval is not granted. | ||
| QER\Attestation\AutoRemovalScope\ESetAssignment | Determines default behavior for automatic removal of system role memberships if attestation approval is not granted. | ||
| QER\Attestation\AutoRemovalScope\ESetAssignment\RemoveDelegatedRole | If this configuration parameter is set, ends the role delegation through which the employee obtained the system role if attestation approval is not granted.
This removes all indirect assignments the employee obtained through this role. | ||
| QER\Attestation\AutoRemovalScope\ESetAssignment\RemoveDirect | If this configuration parameter is set, direct user account membership in the system role will be removed if attestation approval is not granted.
This removes all indirect assignments the employee obtained through the system role. | ||
| QER\Attestation\AutoRemovalScope\ESetAssignment\RemoveDirectRole | If this configuration parameter is set, the system role assignment to roles (organizations and business roles) is removed if attestation approval is not granted. This removes the system entitlement assignment to all user accounts whose associated employees are members of these roles.
| ||
| QER\Attestation\AutoRemovalScope\ESetAssignment\RemovePrimaryRole | If this configuration parameter is set, the primary role assignment through which the employee obtained the system role, is removed if attestation approval is not granted.
This removes all indirect assignments the employee obtained through this role. | ||
| QER\Attestation\AutoRemovalScope\ESetAssignment\RemoveRequested | If this configuration parameter is set, the requested system role is canceled if attestation approval is not granted.
This removes all indirect assignments the employee obtained through this role. | ||
| QER\Attestation\AutoRemovalScope\ESetAssignment\RemoveRequestedRole | If this configuration parameter is set, the requested role through which the employee obtained the system role, is canceled if attestation approval is not granted.
This removes all indirect assignments the employee obtained through this role. | ||
| QER\Attestation\AutoRemovalScope\GroupMembership | Determines default behavior for automatic removing of united namespace system entitlements if attestation approval is not granted. | ||
| QER\Attestation\AutoRemovalScope\GroupMembership\RemoveDelegatedRole | If this configuration parameter is set, ends the role delegation through which the employee obtained the system role if attestation approval is not granted.
This removes all indirect assignments the employee obtained through this role. | ||
| QER\Attestation\AutoRemovalScope\GroupMembership\RemoveDirect | If this configuration parameter is set, direct user account membership in the system entitlement will be removed if attestation approval is not granted. | ||
| QER\Attestation\AutoRemovalScope\GroupMembership\RemoveDirectRole | If this configuration parameter is set, system entitlement assignment to roles (organizations and business roles) is removed if attestation approval is not granted. This removes the system entitlement assignment to all user accounts whose associated employees are members of these roles.
| ||
| QER\Attestation\AutoRemovalScope\GroupMembership\RemovePrimaryRole | If this configuration parameter is set, the primary role assignment through which the employee obtained the system entitlement, is removed if attestation approval is not granted.
This removes all indirect assignments the employee obtained through this role. | ||
| QER\Attestation\AutoRemovalScope\GroupMembership\RemoveRequested | If this configuration parameter is set, the requested system entitlement is canceled if attestation approval is not granted. | ||
| QER\Attestation\AutoRemovalScope\GroupMembership\RemoveRequestedRole | If this configuration parameter is set, the requested role through which the employee obtained the system entitlement, is canceled if attestation approval is not granted.
This removes all indirect assignments the employee obtained through this role. | ||
| QER\Attestation\AutoRemovalScope\GroupMembership\RemoveSystemRole | If this configuration parameter is set, the system role assignment through which the employee obtained the system entitlement, is removed if attestation approval is not granted.
This removes all indirect assignments the employee obtained through this system role.
| ||
| QER\Attestation\AutoRemovalScope\RoleMembership | Determines default behavior for automatic removal of business role memberships if attestation approval is not granted. | ||
| QER\Attestation\AutoRemovalScope\RoleMembership\RemoveDelegatedRole | If this configuration parameter is set, ends the business role delegation if attestation approval is not granted.
This removes all indirect assignments the employee obtained through this business role. | ||
| QER\Attestation\AutoRemovalScope\RoleMembership\RemoveDirectRole | If this configuration parameter is set, employee secondary membership in the business role will be removed if attestation approval is not granted.
This removes all indirect assignments the employee obtained through this business role. | ||
| QER\Attestation\AutoRemovalScope\RoleMembership\RemoveRequestedRole | If this configuration parameter is set, the requested application role membership is canceled if attestation approval is not granted.
This removes all indirect assignments the employee obtained through this business role. | ||
| QER\Attestation\AutoRemovalScope\UNSGroupInUNSGroup | Specifies the default behavior for removing assignments from system entitlements to system entitlement is attestation approval is not granted. | ||
| QER\Attestation\AutoRemovalScope\UNSGroupInUNSGroup\RemoveDirect | If this configuration parameter is set, the system entitlement assignment to a system entitlement is removed when attestation approval is not granted. | ||
| QER\Attestation\DefaultSenderAddress | This configuration parameter contains the sender email address for messages automatically generated for attestation. | ||
| QER\Attestation\MailApproval\Account | Name of user account for authentication of "Approval by mail" mailbox. | ||
| QER\Attestation\MailApproval\DeleteMode | Specifies the way emails are deleted from the inbox. | ||
| QER\Attestation\MailApproval\Domain | Domain of user account for authentication of "Approval by mail" mailbox. | ||
| QER\Attestation\MailApproval\ExchangeURI | Specifies the Microsoft Exchange Web Service URL. AutoDiscover mode is used to find the URL if it is not given. | ||
| QER\Attestation\MailApproval\Inbox | This Microsoft Exchange mailbox is used for "Approval by mail" processes. | ||
| QER\Attestation\MailApproval\Password | Password of user account for authentication of "Approval by mail" mailbox. | ||
| QER\Attestation\MailTemplateIdents\AnswerToApprover | This mail template is used to send a notification with an answer to a question from an approver. | ||
| QER\Attestation\MailTemplateIdents\AttestationApproval | This mail template is used for attestation made through "Approval by mail". | ||
| QER\Attestation\MailTemplateIdents\InformAddingPerson | This mail template is used to notify approvers that an approval decision has been made for the step they added. | ||
| QER\Attestation\MailTemplateIdents\InformDelegatingPerson | This mail template is used to notify approvers that an approval decision has been made for the step they delegated. | ||
| QER\Attestation\MailTemplateIdents\QueryFromApprover | This mail template is used to send a notification with a question from an approver to an employee. | ||
| QER\Attestation\MailTemplateIdents\RequestApproverByCollection | This mail template is used for generating an email when there are pending attestation for an approver. If this configuration parameter is not set, a "Mail template demand" or "Mail template reminder" for single attestation cases can be entered to send an email for each request. If this configuration parameter is set, single mails are not sent. | ||
| QER\Attestation\PersonToAttestNoDecide | This configuration parameter specifies whether employees to be attested are allowed to approve this attestation case. If the parameter is set, an attestation case cannot be approved by employees, which are contained in the attestation object (AttestationCase.ObjectKeyBase) or in the objects identifiers 1-3 (AttestationCase.UID_ObjectKey1, ObjectKey2 or ObjectKey3). If the parameter is not set, these employee are allowed to make approval decisions for this attestation case. | ||
| QER\Attestation\ReducedApproverCalculation | This configuration parameter specifies, which approval steps are recalculated if modifications require attestors to be redetermined. | ||
| QER\Attestation\UserApproval | Supports attestation procedures for regularly checking and confirming One Identity Manager users through their Manager. | ||
| QER\Attestation\UserApproval\InitialApprovalState | Certification status for new employees. If an employee is added with the certification status 1=new, data attestation by the employee’s manager is started. | ||
| QER\CalculateRiskIndex | Preprocessor relevant configuration parameter controlling system components for calculating an employee's risk index. Changes to the parameter require recompiling the database.
If the parameter is set, values can be entered and calculated for the risk index. | ||
| QER\Person\Defender | This configuration parameter specifies whether Starling Two-Factor Authentication is supported. | ||
|
QER\Person\Defender\ApiEndpoint |
This configuration parameter contains the URL of the Starling 2FA API end point used to register new users. | ||
| QER\Person\Defender\ApiKey | This configuration parameter contains your company's subscription key for accessing the Starling Two-Factor Authentication interface. | ||
|
QER\Person\Defender\DisableForceParameter |
This configuration parameter specifies whether Starling 2FA is forced to send the OTP by SMS or phone call if one of these options is selected for multi-factor authentication. If the configuration parameter is set, Starling 2FA can disallow the request and the user must request the OPT through Starling 2FA. | ||
| QER\WebPortal\BaseURL | Web Portal URL This address is used in mail templates to add hyperlinks to the Web Portal. | ||
| Common\MailNotification\DefaultCulture | This configuration parameter contains the default language culture for email notifications if no language culture can be determined for the recipient. | ||
| Common\MailNotification\Signature | Data for the signature in email automatically generated from mail templates. | ||
| Common\MailNotification\Signature\Caption | Signature under the salutation. | ||
| Common\MailNotification\Signature\Company | Company name. | ||
| Common\MailNotification\Signature\Link | Link to company website. | ||
| Common\MailNotification\SMTPAccount | User account name for authentication on an SMTP server. | ||
| Common\MailNotification\SMTPDomain | User account domain for authentication on the SMTP server. | ||
| Common\MailNotification\SMTPPassword | User account password for authentication on the SMTP server. | ||
| Common\MailNotification\SMTPPort | Port for SMTP services on the SMTP server (default: 25). | ||
| Common\MailNotification\SMTPRelay | SMTP server for sending notifications. | ||
|
Common\MailNotification\SMTPUseDefaultCredentials |
If this configuration parameter is set, the One Identity Manager Service credentials are used for authentication on the SMTP server. If the configuration parameter is not set, the login data stored in the parameters "Common\MailNotification\SMTPDomain", "Common\MailNotification\SMTPAccount" and "Common\MailNotification\SMTPPassword" is used. | ||
| Common\ProcessState\PropertyLog | When this configuration parameter is set, changes to individual values are logged and shown in the process view. |
