Chat now with support
Chat with Support

Identity Manager 8.1 - Attestation Administration Guide

Attestation and recertification
One Identity Manager users for attestation Attestation base data Attestation policies Creating custom mail templates for notifications
Approval processes for attestation cases
Approval policies Approval workflows Selecting attestors Setting up multi-factor authentication for attestation Prevent attestation by employee awaiting attestation Managing attestation cases
Attestation sequence Default attestation and withdrawal of entitlements User attestation and recertification Mitigating controls Appendix: Configuration parameters for attestation

Defining product owners as attestors

If service items, system entitlements or system roles need to be attested, their product owners can be determined as attestors. Use the OA approval procedure for this purpose. The following objects can be attested with this procedure:

  • Service items

  • System entitlements

  • System entitlement assignments to user accounts or system entitlements

  • System role assignments to employees


  • A service item must be assigned to the system entitlements and system roles.
  • An application role for product owners must be assigned to the service item.

All employees who are assigned this application role are determined as attestors.

Determining owners of a privileged object as attestors

installed modules: Privileged Account Governance Module

With the OP approval procedure, the owners of privileged objects of a Privileged Account Management system, such as PAM assets, PAM asset accounts, and PAM directory accounts are determined as attestors. The owners attest the possible user accord to these privileged objects. The owners of the privileged objects must have the Privileged Account Governance | Asset and account owners application role or a child application role.

Finding attestors from additional Active Directory group owners

Installed modules:

Active Roles Module

If the Active Directory group is attested, the attestor can be determined through additional owners of this Active Directory group. Use the PA approval procedure for this purpose. This finds all employees that are:

  • A member in the assigned Active Directory group through their Active Directory user account

  • Linked to the assigned Active Directory user account

NOTE: Only use the PA approval procedure if the configuration parameter TargetSystem | ADS | ARS_SSM is enabled. The column Additional owners is only available in this case.

Determining attestors from owners of the attestation objects

When you assign new owners to devices or system entitlements in the Web Portal, the new owner should agree with this assignment. An attestation with the approval procedure PO is carried out for this purpose.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating