Identity Manager 8.1 - Attestation Administration Guide


Aborting an attestation case on timeout

Attestation cases can be automatically aborted once a specified time period has been exceeded. The abort takes place when either a single approval step or the entire approval process has exceeded the timeout.

To configure an abort after the timeout of a single approval step has been exceeded

  • Enter the following data for the approval step.

    Table 30: Properties of the approval step for abort on timeout

    TimeOut (working hours): Number of working hours to elapse after which the approval step is automatically granted or denied approval. The approver's working time applies to the time calculation.

    NOTE: Ensure that a state and/or county is entered into the employee's master data for determining the correct working hours.

    Timeout behavior: Action that is executed when the timeout expires.

    • Abort: the approval step and, therefore, the attestation case, are canceled.

To configure abort on timeout for the entire approval process

  • Enter the following data for the approval workflow.

    Table 31: Properties of the approval workflow for abort on timeout

    System abort (days): Number of days to elapse after which the approval workflow, and therefore the system, automatically ends the entire attestation procedure.

When an attestation case is aborted, other people can be notified by email.

Attestation through chief approval team

Sometimes, approval decisions cannot be made for attestation cases because an attestor is not available or does not have access to One Identity Manager tools. To complete these attestations, you can define a chief approval team whose members are authorized to intervene in the approval process at any time.

The chief approval team is authorized to approve, deny, or abort attestations in special cases or to appoint other attestors.


  • The four-eye principle can be broken in this way, because chief approval team members can make approval decisions for attestation cases at any time. Specify, on a custom basis, the special cases in which the chief approval team may intervene in the approval process.

  • The chief approval team is authorized to attest its own members. The configuration parameter setting QER | Attestation | PersonToAttestNoDecide does not apply to the chief approval team.

  • In the approval step, you can specify how many attestors must make a decision on this approval step. This limit is not valid for the chief approval team. The approval decision is considered to be made as soon as one member of the chief approval team has decided on the attestation.

The chief approval team can approve attestations for all manual approval steps. The following applies:

  • Chief approval team decisions are not permitted for approval steps using the CD, EX and WC approval procedures.

  • If a member of the chief approval team is also named as a regular attestor for an approval step, he or she can only make an approval decision for this step as a regular attestor.

  • The chief approval team can also make an approval decision if a regular attestor has submitted a query and the attestation is in hold status.
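
The rules above can be turned into a review check over exported decision records, so that every chief approval team intervention is visible to an auditor. The following Python is an added example, not code from One Identity or from this guide; the record fields, the names, and the P1/P2 procedure codes are hypothetical, and only the CD, EX and WC codes come from the text.

```python
from dataclasses import dataclass

# Approval procedures for which the guide rules out chief approval team decisions.
NO_CHIEF_PROCEDURES = {"CD", "EX", "WC"}

@dataclass(frozen=True)
class Decision:
    """One row of a constructed decision export (hypothetical fields, not a product schema)."""
    case_id: str
    step: int
    procedure: str                 # approval procedure used by this step
    decider: str
    attested_person: str           # employee under attestation, "" for non-person objects
    regular_attestors: frozenset = frozenset()

def review_decisions(decisions, chief_team):
    """Map (case_id, step) -> findings for decisions made in the chief approval team role."""
    findings, earlier = {}, {}
    for d in sorted(decisions, key=lambda r: (r.case_id, r.step)):
        seen = earlier.setdefault(d.case_id, set())
        # A chief member who is also a regular attestor of the step decides as a regular attestor.
        as_chief = d.decider in chief_team and d.decider not in d.regular_attestors
        if as_chief:
            notes = ["chief approval team intervention"]
            if d.procedure in NO_CHIEF_PROCEDURES:
                notes.append("chief decision on CD/EX/WC step")
            if d.decider == d.attested_person:
                notes.append("decider attested themselves")
            elif d.attested_person in chief_team:
                notes.append("chief team attested its own member")
            if d.decider in seen:
                notes.append("four-eye principle broken: decider also decided an earlier step")
            findings[(d.case_id, d.step)] = notes
        seen.add(d.decider)
    return findings

CHIEF_TEAM = {"alice", "bob"}  # constructed sample data; names and P1/P2 are placeholders
SAMPLE = [
    Decision("C1", 1, "P1", "carol", "dave", frozenset({"carol"})),
    Decision("C1", 2, "P2", "alice", "dave", frozenset({"erin"})),
    Decision("C2", 1, "P1", "alice", "frank", frozenset({"alice"})),
    Decision("C2", 2, "P2", "alice", "frank", frozenset({"erin"})),
    Decision("C3", 1, "P1", "bob", "bob", frozenset({"gina"})),
    Decision("C4", 1, "EX", "bob", "alice", frozenset()),
]

if __name__ == "__main__":
    for key, notes in review_decisions(SAMPLE, CHIEF_TEAM).items():
        print(key, "; ".join(notes))
```

In the sample, case C2 shows the four-eye break the first list describes: the same person decides step 1 as a regular attestor and step 2 as a chief approval team member.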

To add members to the chief approval team

  1. In Manager, select the category Attestation | Basic configuration data | Chief approval team.

  2. Select Assign employees.

    In Add assignments, assign the employees who are authorized to approve all attestations.

    TIP: In the Remove assignments area, you can remove the assignment of employees.

    To remove an assignment

    • Select the employee and double-click .

  3. Save the changes.
Attestation sequence

Once attestation is automatically or manually started, One Identity Manager creates an attestation case for each attestation object. Attestation cases record the entire attestation sequence. Each attestation step in the attestation case can be reconstructed in an audit-proof manner.

You can view the attestation cases in the navigation view under the Attestation runs | <attestation policy> menu item. This is where you can monitor the status of the attestation cases. Attestation cases that were not yet subject to approval are grouped under Pending attestations. You can see the attestation cases that have been closed by attestors or One Identity Manager grouped under Completed attestations.

NOTE: Attestation cases are edited in the Web Portal. For detailed information, see One Identity Manager Web Portal User Guide.

Attestation is complete when the attestation case has been granted or denied approval. You specify how to deal with granted or denied attestations on a company basis.

TIP: One Identity Manager provides various default attestation procedures for different data situations and default attestation procedures. If you use these default attestation procedures, you can configure how you deal with denied attestations.

For more information, see Default attestation and withdrawal of entitlements.

Starting attestation

There are two ways for you to add attestation cases in One Identity Manager. You can trigger attestation through a scheduled task or start attestation for selected objects individually.


  • The attestation policy for this attestation is set.

To start attestation using a scheduled task

  1. In Manager, select Attestation | Attestation policies.

  2. Select the attestation policy in the result list and run Change master data.

  3. Enable the schedule entered in Calculation schedule.

    1. In the navigation view, select Basic configuration data | Schedules.

    2. Select the schedule in the result list and run Change master data.

    3. Set Enabled.

    4. Save the changes.

To start attestation for the selected objects

  1. In Manager, select Attestation | Attestation policies.

  2. Select the attestation policy in the result list. Select Change master data.

  3. Select Run attestation cases for single objects....

    This opens a separate window.

  4. In the Attestation column, select every object for which attestation is to be run.

  5. Click Run.

    Attestation cases are generated for the selected attestation objects. As soon as DBQueue Processor has processed the task, you will see the newly created attestation cases in the navigation view under Attestation runs | <attestation policy> | Attestation runs | <year> | <month> | <day> | Pending attestations.

  6. Click Close.

NOTE: Under certain circumstances, old, closed attestation cases are deleted from the One Identity Manager database when new attestation cases are added.

For more detailed information about configuring schedules, see the One Identity Manager Operational Guide.
