
Identity Manager 8.0 - Attestation Administration Guide


Predefined Standard Reasons

One Identity Manager provides predefined standard reasons. One Identity Manager enters these standard reasons into the attestation case when it makes an approval decision automatically.

To display predefined standard reasons

  • Select the category Attestation | Basic configuration data | Standard reasons | Predefined.

Attestation Policies


Attestation policies specify the concrete conditions for attestation. Use the master data form to enter the attestation procedure, approval policy and the schedule. You can use a WHERE clause to limit the attestation objects.

To edit attestation policies

  1. Select the category Attestation | Attestation policies.
  2. Select an attestation policy in the result list. Select Change master data in the task view.

    - OR -

    Click in the result list toolbar.

  3. Edit the master data for the attestation policy.
  4. Save the changes.

General Master Data for Attestation Policies


Table 10: Configuration Parameters for Attestation Policies

Configuration parameter

Meaning

QER\Attestation\AllowAllReportTypes

This configuration parameter specifies whether all report formats are permitted for attestation policies. By default, only PDF is allowed because it is the only audit secure format.

QER\CalculateRiskIndex

Preprocessor relevant configuration parameter controlling system components for calculating an employee's risk index. Changes to the parameter require recompiling the database.

If the parameter is set, values can be entered and calculated for the risk index.

Enter the following data for attestation policies.

Table 11: General Master Data for Attestation Policies

Property

Description

Attestation policy

Name of the attestation policy.

Attestation procedure

Attestation procedure used for attesting. Attestation procedures are displayed in a menu grouped by attestation type.

Approval policies

Approval policy for determining the attestor for the attestation objects.

Owner

Creator of the attestation policy. The name of the user logged into One Identity Manager is entered here by default. This can be changed.

Time required (days)

Number of days within which a decision on the attestation must be made. Enter "0" if you do not want to be specific.

One Identity Manager does not stipulate which actions are carried out if processing times out. Define your own custom actions or evaluations to deal with this situation.

Description

Spare text box for additional explanation.

Risk index

Specifies the risk for the company if attestation for this attestation policy is denied. Use the slider to enter a value between 0 and 1.

0 ... no risk

1 ... the denied attestation is a problem

This property is only visible when the configuration parameter QER\CalculateRiskIndex is set.

Risk index (reduced)

Shows the risk index taking mitigating controls into account. The risk index for an attestation policy is reduced by the Significance reduction value for all assigned mitigating controls.

This property is only visible when the configuration parameter QER\CalculateRiskIndex is set. The value is calculated by the One Identity Manager and cannot be edited.

Calculation schedule

Schedule for running attestation. Attestation cases are started automatically at the times specified by the schedule.

Disabled

Specifies whether the attestation policy is disabled or not.

Attestation cases cannot be added to disabled attestation policies and, therefore, no attestation is done. Disabled attestation policies can be deleted under certain circumstances.

Under certain circumstances, closed attestation cases are deleted the moment the attestation policy is disabled.

Close obsolete tasks automatically

Specifies whether pending attestation cases are aborted if new ones are added.

If attestation is started and this option is set, first, all pending attestation cases for this attestation policy are canceled. Then, new attestation cases are created according to the condition.

Obsolete tasks limit

Specifies the maximum number of closed attestation cases that should remain in the database when closed attestation cases are deleted.

Value Description
0: No attestation cases are deleted.
> 0: The given number of closed attestation cases to remain in the database.

Reason for decision

Reason which is given if the option Close obsolete tasks is set and pending attestation cases are automatically closed.

Output format

Format in which the report is generated.

This menu is only visible if the configuration parameter "QER\Attestation\AllowAllReportTypes" is set. If the configuration parameter is not set, the default PDF format is used because it is the only format that is version compatible.

Edit connection...

Starts the WHERE clause wizard. Use this wizard to create a condition to determine the attestation objects from the database table specified in the attestation procedure.

Condition

Data query for finding attestation objects.

This option is only available if the task Show condition has been run beforehand.

Attestation with multi-factor authentication

Attestation of this attestation policy requires multi-factor authentication.

NOTE: You can only edit attestation policies in the Web Portal, which were created in the Web Portal. A message on the master data form shows whether the attestation policy was created in the Web Portal.

If you want to edit attestation policies like this, create a copy in the Manager.

For more detailed information about editing attestation policies in the Web Portal, see the One Identity Manager Web Portal User Guide.


Risk Assessment


Table 12: Configuration Parameter for Risk Assessment

Configuration parameter

Active Meaning

QER\CalculateRiskIndex

Preprocessor relevant configuration parameter controlling system components for calculating an employee's risk index. Changes to the parameter require recompiling the database.

If the parameter is set, values can be entered and calculated for the risk index.

You can use the One Identity Manager to evaluate the risk of attestation cases. To do this, enter a risk index for the attestation policy. The risk index specifies the risk involved for the company in connection with the data to be attested. The risk index is given as a number in the range 0-1. By doing this you specify whether data to be attested is considered not to be a risk (risk index = 0) or whether every denied attestation poses a problem (risk index = 1).

The risk that attestations will be denied approval can be reduced by using the appropriate mitigating controls. Enter these controls as mitigating controls in the One Identity Manager. You reduce the risk by the value entered as the significance reduction on the mitigating control. This value is used to calculate the reduced risk index for the attestation policy.

You can create several reports with the Report Editor to evaluate attestation cases depending on the risk index.

Detailed information about this topic
  • Mitigating Controls
  • One Identity Manager Risk Assessment Administration Guide
  • Report Editor in the One Identity Manager Configuration Guide
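
The following Python script is an added example, not part of the One Identity guide or product: it checks constructed attestation policy records against the properties described in Table 11 and the risk reduction described above. The record field names, the 0.7 review threshold and the subtract-and-floor formula for the reduced risk index are assumptions.

```python
# Added example with constructed data. Field names are hypothetical and
# mirror the Table 11 properties, not a One Identity Manager export format.
HIGH_RISK = 0.7  # assumed review threshold, not a product default

def reduced_risk_index(risk_index, significance_reductions):
    # Assumption: reductions are summed, subtracted, and floored at 0.
    return max(0.0, round(risk_index - sum(significance_reductions), 4))

def review_policy(p):
    """Return review findings for one attestation policy record."""
    findings = []
    residual = reduced_risk_index(p["risk_index"], p["significance_reductions"])
    if p["disabled"]:
        findings.append("disabled: no attestation cases are created")
    if p["time_required_days"] == 0:
        findings.append("time required is 0: no decision deadline")
    if p["output_format"].upper() != "PDF":
        findings.append("report format is not PDF (the audit-secure format)")
    if p["obsolete_tasks_limit"] > 0:
        findings.append("only %d closed cases are kept when closed cases "
                        "are deleted" % p["obsolete_tasks_limit"])
    if p["close_obsolete"] and not p["reason_for_decision"].strip():
        findings.append("pending cases are auto-closed without a reason")
    if residual >= HIGH_RISK and not p["mfa_required"]:
        findings.append("reduced risk index %.2f without multi-factor "
                        "authentication" % residual)
    return findings

# Constructed sample records.
POLICIES = [
    {"name": "Department membership", "disabled": False,
     "time_required_days": 14, "output_format": "PDF",
     "obsolete_tasks_limit": 0, "close_obsolete": True,
     "reason_for_decision": "Superseded by new attestation run",
     "risk_index": 0.4, "significance_reductions": [0.1],
     "mfa_required": False},
    {"name": "Privileged system roles", "disabled": False,
     "time_required_days": 0, "output_format": "HTML",
     "obsolete_tasks_limit": 5, "close_obsolete": True,
     "reason_for_decision": "", "risk_index": 0.9,
     "significance_reductions": [0.1, 0.05], "mfa_required": False},
]

def review_all(policies):
    return {p["name"]: review_policy(p) for p in policies}

if __name__ == "__main__":
    for name, findings in review_all(POLICIES).items():
        print(name, "->", findings or "no findings")
```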