Chat now with support
Chat with Support

Identity Manager 8.1 - Attestation Administration Guide

Attestation and recertification
One Identity Manager users for attestation Attestation base data Attestation policies Creating custom mail templates for notifications
Approval processes for attestation cases
Approval policies Approval workflows Selecting attestors Setting up multi-factor authentication for attestation Prevent attestation by employee awaiting attestation Managing attestation cases
Attestation sequence Default attestation and withdrawal of entitlements User attestation and recertification Mitigating controls Appendix: Configuration parameters for attestation

Appointing other attestors

Once an approval level in the approval workflow has been reached, the attestors at this level can appoint another employee to handle the approval. To do this, you have the options described below. The required behavior is configured in the approval workflow.

  • Reroute approval

    The attestor appoints another approval level to carry out attestations. To do this, create a connection to the approval level to which the approval can be rerouted.

  • Appointing additional attestors

    .The attestor appoints another employee to carry out the attestation. This adds another approval step to the current approval level. The other attestor must make an approval decision in addition to the known attestors.

    The additional attestor can reject the approval and return the attestation case to the original attestor. The original attestor is informed about this by email. The original attestor can appoint another additional attestor.

  • Delegate approval

    The attestor appoints another employee with the attestation. This employee is added to the current approval step as the attestor. This employee then makes the approval decision instead of the attestor who made the delegation.

    The current attestor can reject the approval and return the attestation case to the original attestor. The original attestor can withdraw the delegation and delegate a different employee, for example, if the other attestor is not available.

Email notifications can be sent to the original attestors and the others.

Detailed information about this topic
Related Topics

Escalating an attestation case

Approval steps can be automatically escalated once the specified timeout is exceeded. The attestation case is presented again to another approval body.The attestation case can subsequently be processed again in the normal approval workflow.

To configure escalation of an approval step

  1. Open the approval workflow in the Workflow Editor.

  2. Add an additional approval level with one approval step for escalation.

  3. Connect the approval step that is going to be escalated when the time period is exceeded with the new approval step. Use the connection point for escalation to do this.

    Figure 3: Example of an Approval Workflow with Escalation

  4. Configure the behavior for the approval step to be escalated when it times out.

    Table 28: Properties for escalation on timeout
    Property Meaning
    TimeOut (working hours)

    Number of working hours to elapse after which the approval step is automatically granted or denied approval.

    The approvers work time applies to the time calculation.

    NOTE: Ensure that a state and/or county is entered into the employee‘s master data for determining the correct working hours.
    Timeout behavior

    Action, which is executed if the timeout expires.

    • Escalation: The attestation case is escalated. The escalation approval step is called.

In the event of an escalation, email notifications can be sent to the new approvers and other employees.

Related Topics

Attestors cannot be established

You can specify a fallback approver if attestation cases cannot be approved because no attestors are available. An attestation case is then always assigned to the fallback approver for attestation if no attestor can be found in an approval step in the specified approval procedure.

To specify fallback approvers, define application roles and assign these to an approval step. Different attestation groups in the approval steps may also require different fallback approvers. Specify different application role for this, to which you can assign employees who can be determined as fallback approvers in the approval process. For detailed information, see the One Identity Manager Authorization and Authentication Guide.

To specify fallback approvers for an approval step

  1. In Manager, select the category Attestation | Basic configuration data | Approval workflows.

  2. Select a workflow in the result list and run Change master data.

  3. Mark the approval step in the workflow editor.

  4. Select Toolbox | Approval steps | Edit.

  5. Assign an application in Fallback approver or create a new application role.

  6. Save the changes.

Attestation sequence with fallback approvers

  1. No attestor can be found for an approval step in an approval process. The attestation is assigned to all members of the fallback approver application role.

  2. Once a fallback approver has approved an attestation case, it is presented to the attestors at the next approval level.

    NOTE: You can specify in the approval step how many attestors are required for approval in this step. This limit is not valid for the chief approval team. The approval step is considered to be approved as soon as one fallback approver has approved the attestation.
  3. The attestation case is aborted if no fallback approver can be found.

Fallback approvers can make approval decisions on attestation cases for all manual approval steps. Fallback approvals are not permitted for approval steps using the CD, EX and WC approval procedures.

Related Topics

Automatic approval on timeout

Attestation cases can be automatically granted or denied approval once a specified time period has been exceeded.

To configure automatic approval if the timeout expires

  • Enter the following data for the approval step.

    Table 29: Properties for automatic approval on timeout
    Property Meaning

    TimeOut (working hours)

    Number of working hours to elapse after which the approval step is automatically granted or denied approval.

    The approvers work time applies to the time calculation.

    NOTE: Ensure that a state and/or county is entered into the employee‘s master data for determining the correct working hours.

    Timeout behavior

    Action, which is executed if the timeout expires.

    • Approved: The attestation case is approved in this approval step. The next approval step is called.

    • Deny: The attestation case is denied in this approval step. The next approval step is called.

When the approval decision for an attestation case is made automatically, other people can be notified by email.

Related Topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating