If service items, system entitlements or system roles need to be attested, their product owners can be determined as attestors. Use the OA approval procedure for this purpose. The following objects can be attested with this procedure:
System entitlement assignments to user accounts or system entitlements
System role assignments to employees
All employees who are assigned this application role are determined as attestors.
|installed modules:||Privileged Account Governance Module|
With the OP approval procedure, the owners of privileged objects of a Privileged Account Management system, such as PAM assets, PAM asset accounts, and PAM directory accounts are determined as attestors. The owners attest the possible user accord to these privileged objects. The owners of the privileged objects must have the Privileged Account Governance | Asset and account owners application role or a child application role.
Active Roles Module
If the Active Directory group is attested, the attestor can be determined through additional owners of this Active Directory group. Use the PA approval procedure for this purpose. This finds all employees that are:
A member in the assigned Active Directory group through their Active Directory user account
Linked to the assigned Active Directory user account
NOTE: Only use the PA approval procedure if the configuration parameter TargetSystem | ADS | ARS_SSM is enabled. The column Additional owners is only available in this case.
When you assign new owners to devices or system entitlements in the Web Portal, the new owner should agree with this assignment. An attestation with the approval procedure PO is carried out for this purpose.