You can set up additional authentication for particularly security-critical attestations, which requires every attestor to enter a security code when attesting. Define which attestation policies require this authentication in the attestation policies themselves.
One Identity Manager uses One Identity Starling Two-Factor Authentication for multi-factor authentication. The authentication information required is defined in the configuration parameters under QER | Person | Starling or QER | Person | Defender. For detailed information about setting up multi-factor authentication, see the One Identity Manager Authorization and Authentication Guide.
To be able to use multi-factor authentication
Set up multi-factor authentication as described in the One Identity Manager Authorization and Authentication Guide.
In Manager, select the attestation policies for which the multi-factor authentication will be used.
Enable the Approval by multi-factor authentication option.
Multi-factor authentication cannot be used for default attestation policies.
Once the Approval by multi-factor authentication option is set on an attestation policy, a security code is requested in each approval step of the approval process. This means that every employee who is determined to be an attestor for this attestation policy must have a Starling 2FA token.
For detailed information about multi-factor authentication, see the One Identity Manager Web Portal User Guide.
The attestation object can also be determined as the attestor in an attestation case, which means the employees to be attested can attest themselves. To prevent this, set the configuration parameter QER | Attestation | PersonToAttestNoDecide.
To prevent employees from attesting themselves
In Designer, set the QER | Attestation | PersonToAttestNoDecide configuration parameter.
This configuration parameter affects all attestation cases in which employees included in the attestation object or in object relations are attestors at the same time. The following employees are removed from the group of attestors:
Employees included in AttestationCase.ObjectKeyBase
Employees included in AttestationCase.UID_ObjectKey1, ObjectKey2 or ObjectKey3
Employees' main identities
All subidentities of these main identities
If the configuration parameter is not set or if Approval by affected employee is enabled for the approval step, these employees can attest themselves.
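The following is an added example, not code from One Identity Manager, that models the attestor-filtering rule described above: the employees referenced by the object keys, their main identities, and every subidentity of those main identities are dropped from the attestor group unless the parameter is unset or the step allows approval by the affected employee. The employee directory and the case data are constructed, and the field names are assumptions chosen to mirror the guide's terms.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

@dataclass
class Employee:
    uid: str
    main_identity: Optional[str] = None  # None means this employee is itself a main identity

@dataclass
class AttestationCase:
    object_key_base: Set[str]      # employees referenced via AttestationCase.ObjectKeyBase
    object_keys_1_to_3: Set[str]   # employees referenced via UID_ObjectKey1..3

def affected_identities(case: AttestationCase, directory: Dict[str, Employee]) -> Set[str]:
    """Employees in the object keys, plus their main identities, plus all subidentities of those."""
    direct = case.object_key_base | case.object_keys_1_to_3
    mains = {directory[uid].main_identity or uid for uid in direct}
    subs = {e.uid for e in directory.values() if e.main_identity in mains}
    return direct | mains | subs

def effective_attestors(case: AttestationCase, candidates: Set[str], directory: Dict[str, Employee],
                        person_to_attest_no_decide: bool, approval_by_affected_employee: bool) -> Set[str]:
    """Apply the PersonToAttestNoDecide rule: self-attestation is only blocked when the
    parameter is set AND the approval step does not allow approval by the affected employee."""
    if not person_to_attest_no_decide or approval_by_affected_employee:
        return set(candidates)
    return set(candidates) - affected_identities(case, directory)

# Constructed sample directory: two main identities with one subidentity each, plus two others.
DIRECTORY = {e.uid: e for e in [
    Employee("alice"), Employee("alice_admin", main_identity="alice"),
    Employee("bob"), Employee("bob_svc", main_identity="bob"),
    Employee("carol"), Employee("dave"),
]}
CASE = AttestationCase(object_key_base={"alice_admin"}, object_keys_1_to_3={"bob"})
CANDIDATES = set(DIRECTORY)  # every employee was determined as an attestor for this case

def demo(param_set: bool = True, affected_ok: bool = False) -> Set[str]:
    return effective_attestors(CASE, CANDIDATES, DIRECTORY, param_set, affected_ok)

if __name__ == "__main__":
    print(sorted(demo()))               # only carol and dave remain
    print(sorted(demo(param_set=False)))  # parameter unset: all six remain
```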
During attestation, you may find it necessary to assign someone else as the default attestor responsible for the attestation because, for example, the actual attestor is absent. You may also require additional information about an attestation object. One Identity Manager offers different ways to intervene in an open attestation case.
Attestors can request information from any employee. The attestation case is put on hold while the query is pending. Hold status is removed once the employee in question has supplied the required information and the attestor has made an approval decision for the attestation case. Attestors can recall a pending query at any time. The request is taken off hold. The query and answer are logged in the approval sequence and made available to the attestors.
Email notifications about unanswered queries can be sent to the employees involved.
For detailed information about queries, see the One Identity Manager Web Portal User Guide.