
Identity Manager 8.1 - Attestation Administration Guide


Selecting attestors

One Identity Manager can grant approvals in an attestation procedure either automatically or through attestors. An approver is an employee or a group of employees who can grant or deny an attestation case within an attestation procedure. Several approval procedures are available for granting or denying approval; you specify in the approval step which approval procedure is used.

If an approval procedure determines several people as approvers, the number given in the approval step specifies how many of them must approve the step. Only then is the request passed on to the next level. The attestation procedure is aborted if no approver can be found for an approval step.

One Identity Manager provides approval procedures by default. You can also define your own approval procedures.

The DBQueue Processor calculates which person has the authority to grant approval at which level. Take into account the special cases for each approval procedure when setting up the approval workflows to determine those authorized to grant approval.

Default approval procedures

To display default approval procedures

  • Select the Attestation | Basic configuration data | Approval procedures | Predefined category.

The following approval procedures are defined to select the responsible attestors, by default.

Table 23: Approval procedures for attestation. Each entry gives the procedure name followed by the attestors it determines.

AA - Attestor for the role to attest

Attestor of the organization (department, cost center, location), business role, or IT Shop if assignments of system entitlements or system roles to roles are attested.

  • Attestors for departments, cost centers and locations must be assigned to the application role Identity Management | Organizations | Attestors.
  • Attestors for business roles must be assigned to the application role Identity Management | Business roles | Attestors.
  • Attestors for requests must be assigned to the Request & Fulfillment | IT Shop | Attestors application role.

For more information, see Finding attestors using attestation objects.

AD - Attestor of recipient's department

Attestor of the department to which the attestation object is primarily assigned.

  • Attestors for departments must be assigned to the Identity Management | Organizations | Attestors application role.

For more information, see Finding attestors using the role of the employee to be attested.

AL - Attestor for recipient's location

Attestor of the location to which the attestation object is primarily assigned.

  • Attestors for locations must be assigned to the Identity Management | Organizations | Attestors application role.

For more information, see Finding attestors using the role of the employee to be attested.

AM - Manager of account's person

Manager of the employee connected to the user account that is to be attested.

For more information, see Determining attestors from persons responsible for the attestation objects.

AN - Attestor for the system entitlement to attest

Attestor of the system entitlement or system role if assignments of system entitlements or system roles to roles are attested. Attestors are determined through the assigned service item.

  • Attestors must be assigned to the Request & Fulfillment | IT Shop | Attestors application role.

For more information, see Finding attestors using attestation objects.

AO - Attestor for recipient's primary role

Attestor of the business role to which the attestation object is primarily assigned.

  • Attestors for business roles must be assigned to the application role Identity Management | Business roles | Attestors.

For more information, see Finding attestors using the role of the employee to be attested.

AP - Attestor for recipient's cost center

Attestor of the cost center to which the attestation object is primarily assigned.

  • Attestors for cost centers must be assigned to the application role Identity Management | Organizations | Attestors.

For more information, see Finding attestors using the role of the employee to be attested.

AR - Attestor for attestation compliance rule

Attestor for the compliance rule to be attested.

  • Attestors must be assigned to the Identity & Access Governance | Identity Audit | Attestors application role.

For more information, see Finding attestors using attestation objects.

AS - Approver for attestation policy

All employees assigned to the attestation policy as approver.

For more information, see Finding attestors using the attestation policy.

AT - Attestor for the organization to be attested

Attestor of the organization (department, cost center, location), business role, or IT Shop to be attested.

  • Attestors for departments, cost centers and locations must be assigned to the application role Identity Management | Organizations | Attestors.
  • Attestors for business roles must be assigned to the application role Identity Management | Business roles | Attestors.
  • Attestors for requests must be assigned to the Request & Fulfillment | IT Shop | Attestors application role.

For more information, see Finding attestors using attestation objects.

AY - Attestor for the company policy to be attested

Attestor of the company policy to be attested.

  • Attestors must be assigned to the Identity & Access Governance | Company policies | Attestors application role.

For more information, see Finding attestors using attestation objects.

CD - calculated approval

-

For more information, see Calculated approval.

CM - Recipient's manager

Manager of the employee to be attested.

For more information, see Finding attestors from attestation object managers.

DM - Manager of recipient's department

Department manager/deputy if secondary memberships of employees in departments are attested.

For more information, see Finding attestors from attestation object managers.

ED - Department manager for permission attestation

Department manager of the employee whose system entitlements are to be attested.

For more information, see Determining attestors from persons responsible for the attestation objects.

EM - Employee manager for permission attestation

Manager of the employee whose system entitlements are to be attested.

For more information, see Determining attestors from persons responsible for the attestation objects.

EN - Target system manager of the permission for attestation

Target system manager of the system entitlements to be attested.

For more information, see Determining attestors from persons responsible for the attestation objects.

EO - Product owner of the system entitlement to be attested

Product owner of the system entitlements or system roles to be attested.

For more information, see Determining attestors from persons responsible for the attestation objects.

EX - Approvals to be made externally

-

For more information, see Approvals to be made externally.

LM - Manager of recipient's location

Location manager/deputy if secondary memberships of employees in locations are attested.

For more information, see Finding attestors from attestation object managers.

MD - Department manager of account's person

Manager of the main department of the employee who is connected to the user account to be attested.

For more information, see Determining attestors from persons responsible for the attestation objects.

MO - Role owner

Business role manager/deputy if secondary memberships of employees in business roles are attested.

For more information, see Finding attestors from attestation object managers.

OA - Product owner

All members of the assigned application role if service items, system entitlements or system roles are attested.

For more information, see Defining product owners as attestors.

OM - Manager of a specific role

Manager of the role selected in the approval workflow.

For more information, see Finding attestors using a specified role.

OP - Owner of a privileged object

All employees who can be determined as owners of the requested privileged object.

For more information, see Determining owners of a privileged object as attestors.

OR - Members of a certain role

All employees that are assigned to a secondary business role.

For more information, see Finding attestors using a specified role.

PA - Secondary owner of Active Directory group

All employees to be found through the additional owner of the requested Active Directory group.

For more information, see Finding attestors from additional Active Directory group owners.

PM - Manager of recipient's cost center

Cost center manager/deputy if secondary memberships in cost centers are attested.

For more information, see Finding attestors from attestation object managers.

PO - Proposed owner

Proposed owner of the attestation object.

For more information, see Determining attestors from owners of the attestation objects.

RE - Manager of system roles to be attested

Manager of the system role to be attested.

For more information, see Finding attestors from attestation object managers.

RM - Role manager for attesting memberships

Manager of role to be attested if secondary memberships in roles are attested.

For more information, see Finding attestors from attestation object managers.

RR - Role manager for attesting roles

Manager of role to be attested.

For more information, see Finding attestors from attestation object managers.

SO - Target system manager of the permission for attestation

Target system manager of system entitlement or user account to be attested.

For more information, see Determining attestors from persons responsible for the attestation objects.

WC - Waiting for further approval

-

For more information, see Waiting for further approval.

Finding attestors using the attestation policy

Use the AS approval procedure if you want to fix the attestors for any object directly on an attestation policy. This approval procedure finds all employees that are assigned to the attestation policy as approvers.

Use this procedure to allow any objects to be attested by any of the specified employees. These employees must be assigned to the attestation policy as approvers. The attestor can also be entered when you create attestation policies in the Web Portal. For detailed information, see One Identity Manager Web Portal User Guide.


Finding attestors using the role of the employee to be attested

Installed modules:

Business Roles Module (for approval procedure AO).

If you want to attest company resource assignments to employees or their requests, use the AD, AL, AO, or AP approval procedures. The attestors found are members of the Attestor application role.

Attestation objects are employees (table: Person) or request recipients (table: PersonWantsOrg). For each attestation object, these approval procedures determine the role (department, location, business role, cost center) to which the attestation object is primarily assigned. If no attestor is directly assigned to the primarily assigned role, the approval procedure searches the parent roles of that role for an attestor. If still no attestor can be determined, the attestation case is presented to the attestor of the associated role class for approval.

Note: When attestors are found using the AO approval procedure and when "bottom-up" inheritance is defined for business roles, note the following:

  • If there is no attestor given for the primary business role, attestors are taken from the child business role.
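The lookup described above, as an added illustration rather than One Identity Manager's own code: a role without an attestor defers to its parent roles (or, with bottom-up inheritance, to its child roles) and finally to the role class. All role names, the hierarchy, and the attestor assignments are constructed, and descending more than one level in the bottom-up case is an assumption beyond the single bullet given here.

```python
# Added example: a model of the attestor lookup that the AD/AL/AO/AP approval
# procedures perform. Illustrative code, not One Identity Manager's own; every
# role, name and attestor assignment below is constructed sample data.
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Role:
    name: str
    role_class: str            # e.g. "Department", "Location", "BusinessRole", "CostCenter"
    attestors: list = field(default_factory=list)
    parent: "Role | None" = None
    children: list = field(default_factory=list)

    def add_child(self, child: "Role") -> "Role":
        child.parent = self
        self.children.append(child)
        return child


def find_attestors(primary_role: Role, class_attestors: dict, bottom_up: bool = False) -> list:
    """Attestors for an object primarily assigned to primary_role.

    Top-down (default): a role without attestors defers to its parent roles.
    Bottom-up (AO with bottom-up inheritance): descend into child roles instead;
    descending more than one level is an assumption beyond the guide's single bullet.
    If the hierarchy yields nobody, fall back to the attestors of the role class.
    """
    queue, seen = deque([primary_role]), set()
    while queue:
        role = queue.popleft()
        if id(role) in seen:
            continue               # guard against cyclic hierarchies
        seen.add(id(role))
        if role.attestors:
            return list(role.attestors)
        if bottom_up:
            queue.extend(role.children)
        elif role.parent is not None:
            queue.append(role.parent)
    return list(class_attestors.get(primary_role.role_class, []))


# Constructed sample hierarchy: one department tree and one business-role tree.
CLASS_ATTESTORS = {"Department": ["audit-team"], "BusinessRole": []}
corp = Role("Corporate", "Department", attestors=["alice"])
platform = corp.add_child(Role("Engineering", "Department")).add_child(Role("Platform", "Department"))
sales = Role("Sales", "Department")                          # no attestors and no parent
lead = Role("Sales Lead", "BusinessRole")
lead.add_child(Role("Sales Rep", "BusinessRole", attestors=["bob"]))
```

`find_attestors(platform, CLASS_ATTESTORS)` resolves through the parent chain to `["alice"]`, `sales` falls back to the role-class attestors, and `lead` with `bottom_up=True` takes `["bob"]` from its child role.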
