Chat now with support
Chat with Support

Identity Manager 8.1 - Attestation Administration Guide

Attestation and recertification
One Identity Manager users for attestation Attestation base data Attestation policies Creating custom mail templates for notifications
Approval processes for attestation cases
Approval policies Approval workflows Selecting attestors Setting up multi-factor authentication for attestation Prevent attestation by employee awaiting attestation Managing attestation cases
Attestation sequence Default attestation and withdrawal of entitlements User attestation and recertification Mitigating controls Appendix: Configuration parameters for attestation

Modifying approval workflows for pending attestation cases

When approval workflows are changed, a decision must be made as to whether these changes should be applied to pending attestation cases. Configuration parameters are used to define the desired procedure.

Scenario: Another approval workflow was stored with the approval policy

If changes have been made to the approval workflow in an approval policy, any pending approval procedures are continued by default with the original workflow. The newly stored workflow is only used in new attestation cases. You can configure different behavior.

To specify how to handle pending attestation cases

  • In Designer, enable the configuration parameter QER | Attestation | OnWorkflowAssign and select one of the following values.

    • CONTINUE: Ongoing approval processes are continued with the originally applicable workflow. The newly stored workflow is only stored in new attestation cases.

      This behavior also applies if the configuration parameter is not set.

    • RESET: In ongoing approval processes, all approval decisions already taken are reset. The approval processes are restarted with the newly stored workflow. The attestation cases are run through the approval process again.

    • ABORT: Ongoing approval processes are aborted. All pending attestation cases are closed. The next automatic or manual start of the attestation uses the new approval workflow.

A working copy of the originally applicable workflow is saved. The working copy is retained as long as it is used in ongoing approval processes. All unused working copies are regularly deleted using the Maintenance approval workflows schedule.

Scenario: A change was made to an approval workflow in use

If changes have been made to an approval workflow that is being used in pending attestation cases, any pending approval processes are continued by default with the original workflow. The changes to the approval workflow are only implemented for new attestation cases. You can configure different behavior.

To specify how to handle pending attestation cases

  • In Designer, enable the configuration parameter QER | Attestation | OnWorkflowUpdate and select one of the following values.

    • CONTINUE: Ongoing approval processes are continued with the originally applicable approval workflow. The changes to the approval workflow are only implemented for new attestation cases.

      This behavior also applies if the configuration parameter is not set.

    • RESET: In ongoing approval processes, all approval decisions already taken are reset. The approval processes are restarted with the changed approval workflow. The attestation cases are run through the approval process again.

    • ABORT: Ongoing approval processes are aborted. All pending attestation cases are closed. The next automatic or manual start of the attestation uses the changed approval workflow.

A working copy of the approval workflow is saved, which contains the original version. This working copy is retained as long as it is used in ongoing approval processes. All unused working copies are regularly deleted using the Maintenance approval workflows schedule.

Related Topics

Closing attestation cases for deactivated employees

Pending attestation cases must still be processed even if they have permanently deactivated in the meantime. This is not required very often because the affected employee may have, for example, left the company. In this case, you can use the option to close an employee's pending attestation cases automatically, if the employee is permanently disabled.

To close attestation cases automatically

  • In Designer, set the configuration parameter QER | Attestation | AutoCloseInactivePerson.

The configuration parameter only applies if the employee to be attested is deactivated after the attestation case was created.

The configuration parameter does not apply if the employee is temporarily deactivated.

TIP: Write a corresponding condition for finding the attestation object on the attestation policies to prevent attestation cases being created for deactivated employees. For more information, see General master data for attestation policies.

Deleting attestation cases

The AttestationCase table expands very quickly when attestation is performed regularly. To limit the number of attestation cases in the One Identity Manager database, you can delete obsolete, closed attestation cases from the database. The attestation case properties are logged and then the attestation cases are deleted. The same number of attestation cases remain in the database as are specified in the attestation policy. For more detailed information about logging data changes tags, see the One Identity Manager Configuration Guide.

NOTE: Ensure that the logged request procedures are archived for audit reasons. For more detailed information about the archiving process, see the One Identity Manager Data Archiving Administration Guide.

Prerequisites

  • The Common | ProcessState | PropertyLog configuration parameter is enabled.

  • The attestation policy is enabled.

To delete attestation cases automatically

  1. Set the Log changes when deleting option on at least three columns in the AttestationCase table.

    1. In Designer, select Database schema | Tables | AttestationCase.

    2. Select Show table definition in the task view.

      Opens the Schema Editor.

    3. Select a column in the Schema Editor.

    4. In the edit view of the schema editor, select the More tab.

    5. Set the option Log changes when deleting.

    6. Repeat steps (c) to (e) for all columns that are to be recorded on deletion. There must be at least three.

    7. Click on Commit to database and save the changes.

      The changes take effect as soon as the DBQueue Processor has performed the calculation tasks.

  2. Set the Log changes when deleting option on at least three columns in the AttestationHistory table.

    1. In Designer, select Database schema | Tables | AttestationHistory.

    2. Repeat the steps 1(b) to 1(h) for the AttestationHistory table.

  3. Enter the number of obsolete cases in the attestation policies.

    1. In the Manager, select Attestation | Attestation policies.

    2. Select the attestation policy in the result list whose attestation cases should be deleted.

    3. Select Change master data.
    4. In the Obsolete tasks limit field, enter a value greater than 0.

    5. Save the changes.

TIP: If you want to prevent attestation cases being deleted for certain attestation policies, enter the value 0 for the obsolete task limit for these attestation policies.

Attestation cases are deleted once

  • A new attestation is started for an attestation policy.

    - OR -

  • An attestation policy is disabled.

One Identity Manager tests how many closed attestation cases exists in the database for each attestation object of this attestation policy. If the number is more than the number of obsolete attestation cases:

  • The attestation case properties and their approval sequence are recorded

    All columns are recorded, which are marked for logging on deletion.

  • The attestation cases are deleted

    The same number of attestation cases remain in the database as are specified in the obsolete tasks limit.

Note: Closed attestation cases are also deleted in the case of disabled attestation policies if the configuration parameter Common | ProcessState | PropertyLog is not set. In this case, the deleted attestation cases are not logged.
Related Topics

Notifications in the attestation process

In an attestation process, various email notifications can be sent to attestors and other employees. The notification procedure uses mail templates to create notifications. The mail text is defined in several languages in a mail template. This ensures that the language of the recipient is taken into account when the email is generated. Mail templates are supplied in the default installation with which you can configure the notification procedure.

Messages are not sent to the chief approval team by default. Fallback approvers are only notified if not enough approvers could be found for an approval step.

To use notification in the request process

  1. Ensure that the email notification system is configured in One Identity Manager. For detailed information, see the One Identity Manager Installation Guide.

  2. Enable the QER | Attestation | DefaultSenderAddress configuration parameter in Designer and enter the sender address used to send the email notifications.

  3. Ensure that all employees have a default email address. Notifications are sent to this address. For more detailed information, see the One Identity Manager Identity Management Base Module Administration Guide.

  4. Ensure that a language can be determined for all employees. Only then can they receive email notifications in their own language. For more detailed information, see the One Identity Manager Identity Management Base Module Administration Guide.

  5. Configure the notification procedure.

Related Topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating