
Identity Manager 8.1 - Attestation Administration Guide


Finding attestors using attestation objects

Use the AR, AY, or AT approval procedures to attest the validity of compliance rules, rule violations, company policies, policy violations, or of departments, locations, cost centers, or business roles. The AT procedure also attests assignments to IT Shop structures (shops, shopping centers, or shelves). Use the AA or AN approval procedures to attest system entitlement or system role assignments to departments, locations, cost centers, business roles, or IT Shop structures. The attestors found by these procedures are members of the Attestor application role.

AR
    Attestation base objects:
        Rules (ComplianceRule)
        Rule violations (PersonInNonCompliance)
    Available in module: Compliance Rules Module

AY
    Attestation base objects:
        Company policies (QERPolicy)
        Policy violations (QERPolicyHasObject)
    Available in module: Company Policies Module

AT
    Attestation base objects:
        Departments (Department)
        IT Shop structures (ITShopOrg)
        Locations (Locality)
        Business roles (Org)
        Cost centers (ProfitCenter)
        IT Shop templates (ITShopSrc)
    Available in module: (none listed)

AA, AN
    Attestation base objects:
        System entitlement or target system group assignments to roles (<BaseTree>HasUNSGroupB, <BaseTree>HasADSGroup, <BaseTree>HasEBSResp, ...)
        System role assignments to roles (<BaseTree>HasESet)
    Available in module: Target System Base Module

These approval procedures determine the attestors assigned to the attestation object itself. The AA approval procedure finds the attestors through the role (department, location, business role, cost center) or IT Shop structure (IT Shop template) that holds the assignment. The AN approval procedure finds the attestors through the service item assigned to the system entitlement or target system group.

The following also applies to the AT and AA approval procedures: if no attestor is assigned directly to the attestation object, the procedure uses the attestors of the parent roles or IT Shop structures. If no attestor can be determined that way either, the attestation case is presented to the attestors of the associated role class for approval.

Note: If the attestation base object is a business role, IT Shop structure, or IT Shop template (or an assignment to one of these) and "bottom-up" inheritance is defined for the associated role class, the following applies:

  • If no attestor is assigned to the attestation object, the approval procedure takes the attestors of the subordinate roles instead.
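The lookup order described above (direct attestors, then parent roles for top-down inheritance or subordinate roles for bottom-up inheritance, then the role class) is modeled in the following Python, added here as an illustration; it is not part of the guide and not One Identity Manager's own implementation. The Role and RoleClass structures, their field names, the sample hierarchy, and the rule that the nearest level of subordinate roles with any attestors supplies them are assumptions constructed for the example. The parent walk also guards against a cyclic parent link, which the product data model is not expected to contain but which a resolver should not loop on.

```python
# Added example (not from the One Identity Manager guide): models the attestor
# lookup order described for the AT and AA approval procedures.
# 1. attestors assigned directly to the attestation object (the role)
# 2. top-down inheritance: attestors of the parent roles, nearest first
#    bottom-up inheritance: attestors of subordinate roles, nearest level first
# 3. attestors of the associated role class
# Field names, the "nearest level wins" aggregation for bottom-up, and the
# sample hierarchy are assumptions constructed for this illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class RoleClass:
    name: str
    attestors: List[str]          # fallback attestors defined on the role class
    bottom_up: bool = False       # inheritance direction defined for the role class


@dataclass
class Role:
    uid: str
    role_class: str
    parent: Optional[str] = None  # UID of the parent role, None at the top
    attestors: List[str] = field(default_factory=list)


def _children(uid: str, roles: Dict[str, Role]) -> List[Role]:
    return [r for r in roles.values() if r.parent == uid]


def find_attestors(uid: str, roles: Dict[str, Role],
                   role_classes: Dict[str, RoleClass]) -> Tuple[List[str], str]:
    """Return (attestors, source) for the role with the given UID."""
    role = roles[uid]
    if role.attestors:
        return list(role.attestors), "direct"

    rc = role_classes[role.role_class]
    if rc.bottom_up:
        # Breadth-first over subordinate roles; the nearest level that has
        # any attestors supplies them (assumption, see above).
        level = _children(uid, roles)
        while level:
            found = sorted({a for r in level for a in r.attestors})
            if found:
                return found, "subordinate"
            level = [c for r in level for c in _children(r.uid, roles)]
    else:
        # Walk up the parent chain; the visited set guards against a
        # malformed hierarchy where a parent link forms a cycle.
        seen = {uid}
        parent = role.parent
        while parent is not None and parent not in seen:
            seen.add(parent)
            if roles[parent].attestors:
                return list(roles[parent].attestors), f"parent:{parent}"
            parent = roles[parent].parent

    if rc.attestors:
        return list(rc.attestors), "role class"
    return [], "none"


# Constructed sample data: one top-down role class (departments) and one
# bottom-up role class (business roles).
ROLE_CLASSES = {
    "Department": RoleClass("Department", ["aerole-department-attestors"]),
    "Org": RoleClass("Org", [], bottom_up=True),
}

ROLES = {
    "dept-root": Role("dept-root", "Department", attestors=["alice"]),
    "dept-sales": Role("dept-sales", "Department", parent="dept-root"),
    "dept-sales-emea": Role("dept-sales-emea", "Department", parent="dept-sales"),
    "dept-orphan": Role("dept-orphan", "Department"),
    "org-top": Role("org-top", "Org"),
    "org-a": Role("org-a", "Org", parent="org-top", attestors=["bob"]),
    "org-b": Role("org-b", "Org", parent="org-top"),
    "org-b-1": Role("org-b-1", "Org", parent="org-b", attestors=["carol"]),
    "org-lonely": Role("org-lonely", "Org"),
}


if __name__ == "__main__":
    for uid in ROLES:
        attestors, source = find_attestors(uid, ROLES, ROLE_CLASSES)
        print(f"{uid:16} -> {attestors or '(no attestor found)'} [{source}]")
```

The `source` value tells you which fallback produced the attestor, which is what you want to see when checking why a particular person is being asked to attest a role they do not manage directly. A result of `"none"` means the procedure has exhausted the role hierarchy and the role class; such a case would be left without attestors, so role classes used for attestation should have attestors maintained.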

Finding attestors from attestation object managers

If you want employees, user accounts, roles, system roles, role memberships, or assignments of system roles or entitlements to employees, roles, or IT Shop structures to be attested by their managers, use the CM, DM, LM, MO, PM, RM, RR, or RE approval procedures.

CM
    Attestation base objects:
        Employees (Person)
        Employees: memberships in roles and organizations (PersonInBaseTree)
    Available in module: (none listed)

DM
    Attestation base objects:
        Employees (Person)
        Employees: department memberships (PersonInDepartment)
    Available in module: (none listed)

LM
    Attestation base objects:
        Employees (Person)
        Employees: location memberships (PersonInLocality)
    Available in module: (none listed)

MO
    Attestation base objects:
        Employees (Person)
        Employees: business role memberships (PersonInOrg)
    Available in module: Business Roles Module

PM
    Attestation base objects:
        Employees (Person)
        Employees: cost center memberships (PersonInProfitCenter)
    Available in module: (none listed)

RE
    Attestation base objects:
        System roles (ESet)
        Employees: system role assignments (PersonHasESet)
        Departments: system role assignments (DepartmentHasESet)
        Business roles: system role assignments (OrgHasESet)
        IT Shop structures: system role assignments (ITShopOrgHasESet)
        IT Shop templates: system role assignments (ITShopSrcOrgHasESet)
        Cost centers: system role assignments (ProfitCenterHasESet)
        Locations: system role assignments (LocalityHasESet)
    Available in module: System Roles Module

RM
    Attestation base objects:
        Employees: department memberships (PersonInDepartment)
        Employees: IT Shop structure memberships (PersonInITShopOrg)
        Employees: location memberships (PersonInLocality)
        Employees: business role memberships (PersonInOrg)
        Employees: cost center memberships (PersonInProfitCenter)
    Available in module: (none listed)

RR
    Attestation base objects:
        Departments (Department)
        IT Shop structures (ITShopOrg)
        Locations (Locality)
        Business roles (Org)
        Cost centers (ProfitCenter)
        IT Shop templates (ITShopSrc)
        All system entitlement or system role assignments to roles; for example Roles and organizations: Active Directory group assignments (BaseTreeHasADSGroup) or Locations: EBS entitlement assignments (LocalityHasEBSResp)
    Available in module: (none listed)

These approval procedures find the manager responsible for each attestation object. The RE approval procedure uses the system role manager as attestor; the RM and RR approval procedures use the manager of the role or IT Shop structure. The CM, DM, LM, MO, and PM approval procedures use the manager and deputy manager of the role (for DM the department, LM the location, MO the business role, PM the cost center) in which the employee being attested is a member.

Determining attestors from persons responsible for the attestation objects

To attest system entitlements and the user accounts assigned to them, use the ED, EM, EN, EO, or SO approval procedures. To attest user accounts, use the AM, MD, or SO approval procedures.

Attestation objects are user accounts, system entitlements together with the user accounts assigned to them, and system roles that have system entitlements or system roles assigned to them. The approval procedures determine the following attestors:

AM
    Attestation base objects:
        User accounts (UNSAccount)
    Attestors: Department manager of the employee to whom the user account is connected.
    Available in module: Target System Base Module

ED
    Attestation base objects:
        User accounts: system entitlement assignments (UNSAccountInUNSGroup)
    Attestors: Department manager and deputy manager of the employee to whom the user account is connected; the employee's primary department is used.
    Available in module: Target System Base Module

EM
    Attestation base objects:
        User accounts: system entitlement assignments (UNSAccountInUNSGroup)
    Attestors: Department manager of the employee to whom the user account is connected.
    Available in module: Target System Base Module

EN
    Attestation base objects:
        User accounts: system entitlement assignments (UNSAccountInUNSGroup)
        System entitlements (UNSGroup)
    Attestors: Target system manager of the target system area to which the system entitlement belongs.
    Available in module: Target System Base Module

EO
    Attestation base objects:
        System roles: assignments (ESetHasEntitlement)
        All user account assignments to system entitlements; for example User accounts: system entitlement assignments (UNSAccountInUNSGroup) or SAP user accounts: assignments to groups (SAPUserInSAPGroup)
        All system entitlement or system role assignments to roles; for example Roles and organizations: Active Directory group assignments (BaseTreeHasADSGroup) or Locations: EBS entitlement assignments (LocalityHasEBSResp)
    Attestors: Product owner of the service item to which the system entitlement or system role is assigned.
    Available in module: Target System Base Module or System Roles Module

MD
    Attestation base objects:
        User accounts (UNSAccount)
    Attestors: Department manager and deputy manager of the employee to whom the user account is connected; the employee's primary department is used.
    Available in module: Target System Base Module

SO
    Attestation base objects:
        User accounts: system entitlement assignments (UNSAccountInUNSGroup)
        User accounts (UNSAccount)
        System entitlements: assignments to system entitlements (UNSGroupInUNSGroup)
    Attestors: Target system manager of the target system to which the system entitlement or user account belongs.
    Available in module: Target System Base Module

Finding attestors using a specified role

If the attestors for an object are the members or managers of a particular role, use the OR or OM approval procedure. These procedures let you have any object attested by employees from any role: in the approval step, specify the role from which the attestors are determined. The approval procedures determine the following attestors:

OM
    Selectable roles:
        Departments (Department)
        Cost centers (ProfitCenter)
        Locations (Locality)
        Business roles (Org)
    Attestors: Manager and deputy manager of the role specified in the approval step.

OR
    Selectable roles:
        Departments (Department)
        Cost centers (ProfitCenter)
        Locations (Locality)
        Business roles (Org)
        Application roles (AERole)
    Attestors: All secondary members of the role specified in the approval step.
