
Identity Manager 8.1 - Attestation Administration Guide


Setting up multi-factor authentication for attestation

You can set up additional authentication for particularly security-critical attestations, so that every attestor must enter a security code before attesting. Which attestations require this authentication is defined per attestation policy.

Use One Identity Starling Two-Factor Authentication for multi-factor authentication. The authentication information required is defined in the configuration parameters under QER | Person | Starling or QER | Person | Defender. For detailed information about setting up multi-factor authentication, see the One Identity Manager Authorization and Authentication Guide.

To be able to use multi-factor authentication

  1. Set up multi-factor authentication as described in One Identity Manager Authorization and Authentication Guide.

  2. In Manager, select the attestation policies for which the multi-factor authentication will be used.

  3. Enable the Approval by multi-factor authentication option.

    Multi-factor authentication cannot be used for default attestation policies.

Once the Approval by multi-factor authentication option is set on an attestation policy, a security code is requested in each approval step of the approval process. This means that every employee who is determined to be an attestor for this attestation policy, must have a Starling 2FA token.

IMPORTANT: An attestation cannot be sent by email if multi-factor authentication is configured for the attestation policy. Attestation emails for such attestations produce an error message.

For detailed information about multi-factor authentication, see the One Identity Manager Web Portal User Guide.


Prevent attestation by employee awaiting attestation

The employee who is the attestation object can also be determined as an attestor in an attestation case, which means that employees awaiting attestation can attest themselves. To prevent this, set the configuration parameter QER | Attestation | PersonToAttestNoDecide.


  • Changing the configuration parameter only affects new attestation cases. Attestors are not recalculated for existing attestation cases.

  • The configuration parameter setting also applies for fallback approvers; it does not apply to the chief approval team.

  • If the Approval by affected employee option is set on an approval step, this configuration parameter has no effect.

To prevent employees from attesting themselves

  • In Designer, set the QER | Attestation | PersonToAttestNoDecide configuration parameter.

This configuration parameter affects all attestation cases in which employees included in the attestation object, or in its object relations, are determined as attestors at the same time. The following employees are removed from the group of attestors:

  • Employees included in AttestationCase.ObjectKeyBase

  • Employees included in AttestationCase.UID_ObjectKey1, ObjectKey2 or ObjectKey3

  • Employees' main identities

  • All subidentities of these main identities

If the configuration parameter is not set or if Approval by affected employee is enabled for the approval step, these employees can attest themselves.
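The exclusion rule above can be modelled as a filter over the candidate attestors. The following Python block is an added illustration and is not One Identity Manager code; the employee identifiers, the directory structure and the approval-step flags are constructed for the example, and only the field names ObjectKeyBase and UID_ObjectKey1..3 are taken from the page. It shows that the closure over the attestation object reaches the employees' main identities and all of their subidentities, and that the filter is skipped when the parameter is not set, when the step has Approval by affected employee enabled, or for the chief approval team (fallback approvers are filtered like any other step).

```python
"""Model of the QER | Attestation | PersonToAttestNoDecide rule (added example,
not product code). Employee IDs and flags below are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Employee:
    uid: str
    # None means this employee is itself a main identity.
    main_identity: Optional[str] = None


@dataclass
class AttestationCase:
    # Employees referenced by AttestationCase.ObjectKeyBase
    object_key_base: Set[str]
    # Employees referenced by AttestationCase.UID_ObjectKey1/2/3
    object_keys_1_to_3: Set[str]


@dataclass
class ApprovalStep:
    # "Approval by affected employee" option on the step (assumed flag name)
    approval_by_affected_employee: bool = False
    # Whether this step is decided by the chief approval team (assumed flag name)
    chief_approval_team: bool = False


def affected_identities(case: AttestationCase,
                        directory: Dict[str, Employee]) -> Set[str]:
    """Closure over the attestation object: the referenced employees, their
    main identities, and every subidentity of those main identities."""
    seed = case.object_key_base | case.object_keys_1_to_3
    mains = {directory[uid].main_identity or uid for uid in seed}
    closure = set(seed) | mains
    for emp in directory.values():
        if emp.main_identity in mains:
            closure.add(emp.uid)
    return closure


def effective_attestors(candidates: Set[str], case: AttestationCase,
                        step: ApprovalStep, directory: Dict[str, Employee],
                        person_to_attest_no_decide: bool) -> Set[str]:
    """Return the attestors that remain after applying the self-attestation rule."""
    if not person_to_attest_no_decide:
        return set(candidates)          # parameter not set: no filtering
    if step.approval_by_affected_employee:
        return set(candidates)          # the step explicitly wants the affected employee
    if step.chief_approval_team:
        return set(candidates)          # rule does not apply to the chief approval team
    excluded = affected_identities(case, directory)
    return {a for a in candidates if a not in excluded}


# Constructed sample directory: alice has a subidentity alice_admin; the others
# are main identities without subidentities.
DIRECTORY = {
    "alice": Employee("alice"),
    "alice_admin": Employee("alice_admin", main_identity="alice"),
    "bob": Employee("bob"),
    "carol": Employee("carol"),
    "dave": Employee("dave"),
}

# Constructed case: the attested object references alice's subidentity and carol.
CASE = AttestationCase(object_key_base={"alice_admin"}, object_keys_1_to_3={"carol"})
CANDIDATES = {"alice", "bob", "carol", "dave"}


def demo() -> Set[str]:
    """Attestors left for a normal step with the parameter set."""
    return effective_attestors(CANDIDATES, CASE, ApprovalStep(), DIRECTORY, True)


if __name__ == "__main__":
    print(sorted(demo()))
```

Note that alice is removed even though only her subidentity alice_admin appears in the attestation object: the rule walks from the subidentity to the main identity and back down to all subidentities, which is what prevents an employee from attesting themselves under a different identity.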

Related Topics

Properties of an approval step

Managing attestation cases

During attestation, you may find it necessary to assign someone else as the attestor responsible for the attestation because, for example, the actual attestor is absent. You may also require additional information about an attestation object. One Identity Manager offers several ways to intervene in an open attestation case.

Getting more information

An attestor has the option to gather more information about an attestation case. This ability does not, however, replace granting or denying approval of the attestation case. No additional approval step is required in the approval workflow to obtain the information.

Attestors can request information from any employee. The attestation case is put on hold while the query is pending. Hold status is removed once the employee in question has supplied the required information and the attestor has made an approval decision for the attestation case. Attestors can recall a pending query at any time. The request is taken off hold. The query and answer are logged in the approval sequence and made available to the attestors.

NOTE: Hold status is revoked if the attestor who asked the question is removed as an approver. The queried person does not need to answer, and the attestation process proceeds.

Email notifications about unanswered queries can be sent to the employees involved.

For detailed information about queries, see the One Identity Manager Web Portal User Guide.
