Chat now with support
Chat with Support

Identity Manager 8.1 - Attestation Administration Guide

Attestation and recertification
One Identity Manager users for attestation Attestation base data Attestation policies Creating custom mail templates for notifications
Approval processes for attestation cases
Approval policies Approval workflows Selecting attestors Setting up multi-factor authentication for attestation Prevent attestation by employee awaiting attestation Managing attestation cases
Attestation sequence Default attestation and withdrawal of entitlements User attestation and recertification Mitigating controls Appendix: Configuration parameters for attestation

Calculated approval

Note: Only one approval step can be defined with the CD approval procedure per approval level.

If you want to make attestation dependent on specific conditions, use the CD approval procedure. This procedure does not determine an attestor. One Identity Manager makes the decision depending on the condition that is formulated in the approval step.

You can use the procedure for any attestation base objects. You create a condition in the approval step. If the condition returns a result, the approval step is approved through the One Identity Manager. If the condition does not return a result, the approval step is denied by the One Identity Manager. If there are no further approval steps, the approval procedure is either finally granted or denied.

To enter a condition for the CD approval procedure

  1. Edit the approval step properties.

    For more information, see Editing approval levels.

  2. In the Condition, enter a valid WHERE clause for database queries. You can enter the SQL query directly or with a wizard. In the condition, you reference the actual attestation case using the variable @UID_AttestationCase.

Example of a simple approval workflow with the CD approval procedure:

Compliance should be tested when they meet the following conditions:

  1. Compliance rule is enabled

  2. A rule manager is assigned to the compliance rule

Use the CD approval procedure and the following condition to find the objects that meet this condition.


(SELECT 1 FROM (SELECT xobjectkey FROM ComplianceRule

WHERE isnull(IsWorkingCopy, 0) = 0 AND EXISTS


as X WHERE X.UID_AERole = ComplianceRule.UID_OrgResponsible))

as X WHERE X.xobjectkey = AttestationCase.ObjectKeyBase)

If the condition is met, the rule attestor should attest this compliance rule. To do this, add an approval step in the positive approval path with the AR approval procedure.

If the condition is not met, the attestation should be denied by One Identity Manager. In this case, no further approval steps are required.

Approvals to be made externally

Use external approvals (approval procedure EX) if an attestation needs to be approved as soon as a defined event from outside One Identity Manager takes place. You can also use this procedure to allow any number of objects to be attested by employees who do not have access to One Identity Manager.

Specify an event in the approval step that triggers an external approval. The event triggers a process that initiates the external approval for the attestation case and evaluates the result of the approval decision. The approval process waits for the external decision to be passed to One Identity Manager. Define the subsequent approval steps depending on the result of the external approval.

To use an approval procedure

  1. Define your own processes that:

    • Trigger an external approval

    • Analyze the results of the external approval

    • Grant or deny approval in the subsequent external approval step in One Identity Manager

  2. Define an event, which starts the process for external approval. Enter the result in Result in the approval step.

If the external event occurs, the approval step status in One Identity Manager has to be changed. Use the process task CallMethod with the MakeDecision method for this. Pass the following parameters to the process task:

MethodName: Value = "MakeDecision"

ObjectType: Value = "AttestationCase"

Param1: Value = "sa"

Param2: Value = <approval> ("true" = granted; "false" = denied)

Param3: Value = <reason for approval decision>

Param4: Value = <standard reason>

Param5: Value = <number approval steps> (PWODecisionStep.SubLevelNumber)

WhereClause: Value = "UID_AttestationCase ='"& $UID_AttestationCase$ &"'"

Use these parameters to specify which attestation case is to be approved by external approval (WhereClause). Parameter param 1 specifies the attestor. Attestor is always the sa system user. Parameter param 2 is passed to the approval. If the attestation was granted, the value True must be transferred. If the attestation was denied, the value False must be transferred. Use parameter Param3 to pass a reason text fro the approval decision; use Param4 to pass a predefined standard reason. If more than one external approval steps have been defined in an approval level, use Param5 to pass the approval step count. This ensures the approval is aligned with the correct approval step.

Use the Process Editor to define and edit processes.


All compliance rules should be checked and attested by an external assessor. The attestation object data should be made available as a PDF on an external share. The assessor should save the result of the attestation in a text file on the external share. Use this approval procedure to make external approvals and define:

  • A "P1" process that saves a PDF report with data about the attestation object data and the attestation procedure on an external share
  • An "E1" event that starts the "P1" process

    In the approval step, enter "E1" in the Event field, and enter P1 in the process as the trigger for the external decision.

  • A process "P2" process that checks the share for new text files, evaluates the content,and calls the One Identity Manager CallMethod task the method MakeDecision method
  • An "E2" event that starts the "P2" process
  • A schedule that starts the events "E2" on a regular basis

For detailed information about creating processes, see the One Identity Manager Configuration Guide. For detailed information about setting up schedules, see the One Identity Manager Operational Guide.

Detailed information about this topic

Waiting for further approval

Note: Only one approval step can be defined with the approval procedure WC per approval level.

If you want to ensure that a specific data state exists in One Identity Manager before an attestation case is finally approved, then use the WC approval procedure. Use a condition to specify which prerequisites have to be fulfilled so that attestation can take place. The condition is evaluated as a function call. The function has to accept the attestation case UID as a parameter (AttestationCase.UID_AttestationCase). Use this UID to refer to each attestation object. It must define three return values as integer values. One of the following actions is carried out depending on the function‘s return value:

Table 24: Return value for deferred approval

Return value


Return value > 0

The condition is fulfilled. Deferred approval has completed successfully. The next approval step (in case of success) is carried out.

Return value = 0

The condition is not yet fulfilled. Approval is rolled back and is retested the next time DBQueue Processor runs.

Return value < 0

The condition is not fulfilled. Deferred approval has failed. The next approval step (in case of failure) is carried out.

To use an approval procedure

  1. Create a database function which tests the condition for the attestation.

  2. Create an approval step with the approval procedure WC. Enter the function call in Condition.

    Syntax: dbo.<function name>

  3. Specify an approval step in the case of success. Use the approval procedure with which One Identity Manager can determine the attestors.

  4. Specify an approval step in the case of failure.

Setting up approval procedures

You can create your own approval procedures if the default approval procedures for finding the responsible attestors do not meet your requirements. The condition through which the attestors are determined is formulated as a database query. Several queries may be combined into one condition.

To set up an approval procedure

  1. In Manager, select the category Attestation | Basic configuration data | Approval procedures.

  2. Select an approval procedure in the result list and run Change master data.

    - OR -

    Click in the result list toolbar.

  3. Edit the approval procedure master data.

  4. Save the changes.

To edit the condition

  1. In Manager, select the category Attestation | Basic configuration data | Approval procedures.

  2. Select an approval procedure from the result list.

  3. Select Change queries for approver selection.

Detailed information about this topic
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating