Chat now with support
Chat with Support

Identity Manager 8.1 - Attestation Administration Guide

Attestation and recertification
One Identity Manager users for attestation Attestation base data Attestation policies Creating custom mail templates for notifications
Approval processes for attestation cases
Approval policies Approval workflows Selecting attestors Setting up multi-factor authentication for attestation Prevent attestation by employee awaiting attestation Managing attestation cases
Attestation sequence Default attestation and withdrawal of entitlements User attestation and recertification Mitigating controls Appendix: Configuration parameters for attestation

General master data for an approval procedure

Enter the following master data for an approval procedure.

Table 25: General Master Data for an Approval Procedure

Property

Description

Approval procedure

Descriptor for the approval procedure (maximum two characters).

Description

Approval procedure identifier.

DBQueue Processor task

Approvals can either be made automatically through a DBQueue Processor calculation task or by specified approvers. Assign a custom DBQueue Processor task if the approval procedure should make an automatic approval decision.

You cannot assign a DBQueue Processor task if a query is entered for determining the attestors.

Max. number approvers

Maximum number of attestors to be determined by the approval procedure. Specify how many employees must really make approval decisions in the approval steps used by this approval procedure.

Sort order

Value for sorting approval procedures in the menu.

Specify the value 10 to display this approval procedure at the top of the menu when you set up an approval step.

Related Topics

Queries for finding attestors

The condition through which the attestors are determined is formulated as a database query. Several queries may be combined into one condition. This adds, to the group of attestors, all employees determined by single queries.

To edit the condition

  1. In Manager, select the category Attestation | Basic configuration data | Approval procedures.

  2. Select an approval procedure from the result list.

  3. Select Change queries for approver selection.

To create single queries

  1. Click Add.

    This inserts a new row in the table.

  2. Mark this row. Enter the query properties.
  3. Add more queries if required.
  4. Save the changes.

To edit a single query

  1. Select the query you want to edit in the table. Edit the query's properties.
  2. Save the changes.

To remove single queries

  1. Select the query you want to remove in the table.
  2. Click Delete.
  3. Save the changes.
Table 26: Query properties

Property

Description

Approver selection

Query identifier which determines the attestors

Query

Database query for determining the attestors

The database query must be formulated as a select statement. The column selected by the database query must return a UID_Person. The query returns one or more employees to whom the attestation case is presented for approval. If the query fails to return a result, the attestation procedure is aborted.

A query contains exactly one select statement. To combine several select statements, create several queries.

If a DBQueue Processor task is assigned, you cannot enter a query to determine attestors.

You can, for example, determine predefined attestors with the query (example 1). The attestor can also be found dynamically depending on the attestation case to approve. To do this, within the database query, use the @UID_AttestationCase variable to access the attestation case (example 2). Every query must return a value for UID_PWORulerOrigin.

Example 1

The attestation case should be approved by a specified attestor.

Query:

select UID_Person, null as UID_PWORulerOrigin from Person where InternalName='Bloggs, Jan'

Example 2

All active compliance rules should be attested by the respective rule supervisor.

Query:
select pia.UID_Person, null as UID_PWORulerOrigin from AttestationCase ac
   join ComplianceRule cr on cr.XObjectKey = ac.ObjectKeyBase and cr.IsWorkingCopy = '0'
   join PersonInBaseTree pia on pia.UID_Org = cr.UID_OrgResponsible and pia.XOrigin > 0
   where ac.UID_AttestationCase = @UID_AttestationCase
Taking delegation into account

To include delegation when determining attestors, use the query to also determine the employees to whom a responsibility has been delegated. If the managers of hierarchical roles are to make the attestation decision, determine the attestors from the HelperHeadOrg table. This table groups all hierarchical role managers, their deputy managers and employees to whom a responsibility has been delegated. If the members of business or application roles are to make the approval decision, determine the approvers from the PersonInBaseTree table. This table groups all hierarchical role members and employees to whom a responsibility has been delegated.

Determine the UID_PWORulerOrigin in order to notify delegators when the recipient of the delegation has made a decision on an attestation case and thus allow the Web Portal to show if the attestor was originally delegated.

To determine the UID_PWORulerOrigin of the delegation

  • Determine the UID_PersonWantsOrg of the delegation and copy this value as UID_PWORulerOrigin to the query. Use the table function dbo.QER_FGIPWORulerOrigin to do this.

    select dbo.QER_FGIPWORulerOrigin(XObjectKey) as UID_PWORulerOrigin

Modified query from example 2:

select pia.UID_Person, dbo.QER_FGIPWORulerOrigin(pia.XObjectKey) as UID_PWORulerOrigin from AttestationCase ac
   join ComplianceRule cr on cr.XObjectKey = ac.ObjectKeyBase and cr.IsWorkingCopy = '0'
   join PersonInBaseTree pia on pia.UID_Org = cr.UID_OrgResponsible and pia.XOrigin > 0
   where ac.UID_AttestationCase = @UID_AttestationCase

Additional tasks for approval procedures

After you have entered the master data, you can apply different tasks to it. The task view contains different forms with which you can run the following tasks.

Overview of the approval procedure

To obtain an overview of an approval procedure

  1. In Manager, select the category Attestation | Basic configuration data | Approval procedures.

  2. Select an approval procedure from the result list.

  3. Select Approval procedure overview in the task view.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating