Chat now with support
Chat with Support

Identity Manager 8.1 - Attestation Administration Guide

Attestation and recertification
One Identity Manager users for attestation Attestation base data Attestation policies Creating custom mail templates for notifications
Approval processes for attestation cases
Approval policies Approval workflows Selecting attestors Setting up multi-factor authentication for attestation Prevent attestation by employee awaiting attestation Managing attestation cases
Attestation sequence Default attestation and withdrawal of entitlements User attestation and recertification Mitigating controls Appendix: Configuration parameters for attestation

Default mail templates

One Identity Manager supplies mail templates by default. These mail templates are available in English and German. If you require the mail body in other languages, you can add mail definitions for these languages to the default mail template.

To edit a default mail template

  • In Manager, select the Attestation | Basic configuration data | Mail templates | Predefined category.

Related Topics

Attestation by mail

To provide attestors who are temporarily unable to access One Identity Manager tools with the option of making attestation case decisions, you can set up attestation by email. In this process, attestors are notified by email when an attestation case is pending their approval. Approvers can use the links in the email to make approval decisions without having to connect to the Web Portal. This generates an email that contains the approval decision and in which attestors can state the reasons for their approval decision. This email is sent to a central Microsoft Exchange mailbox. The One Identity Manager checks this mailbox regularly, evaluates the incoming emails and updates the status of the attestation cases correspondingly.

IMPORTANT: An attestation cannot be sent by email if multi-factor authentication is configured for the attestation policy. Attestation emails for such attestations produce an error message.


  1. The Microsoft Exchange environment is configured with

    • Microsoft ExchangeClient Access Server version 2007, Service Pack 1 or higher

    • Microsoft Exchange Web Service .NET API Version 1.2.1, 32-bit

  2. The user account used by One Identity Manager to register with the Microsoft Exchange environment requires full access to the mailbox given in the configuration parameter QER | Attestation | MailApproval | Inbox.

  3. The configuration parameter QER | Attestation | MailTemplateIdents | RequestApproverByCollection is disabled.

To set up attestation by email

  1. In Designer, enable the configuration parameter QER | Attestation | MailApproval | Inbox and enter the mailbox to which the approval mails are to be sent.

  2. Set up mailbox access.

    1. By default, One Identity Manager uses the One Identity Manager Service user account to log in to the Microsoft Exchange Server and access the mailbox.

      - OR -

    2. You enter a separate user account for logging in to theMicrosoft Exchange Server for mailbox access. Enabled the following configuration parameters to do this.

      Table 38: Configuration parameters for logging in to Microsoft Exchange Server

      Configuration parameter


      QER | Attestation | MailApproval | Account

      Name of the user account.

      QER | Attestation | MailApproval | Domain

      User account's user account.

      QER | Attestation | MailApproval | Password

      Password of the user account.

  3. In Designer, enable the configuration parameter QER | Attestation | MailTemplateIdents | ITShopApproval.

    The mail template used to create the attestation mail is stored with this configuration parameter. You can use the default mail template or add a custom mail template.

    TIP: To use a company-specific mail template for attestation mails, change the value of the configuration parameter. In this case, also change the VI_MailApproval_ProcessMail script.

  4. Assign the following mail templates to the approval steps:

    Table 39: Mail templates for approval by mail


    Mail template

    Mail template request

    Attestation - approval required (by mail)

    Mail template reminder

    Attestation - remind approver (by mail)

    Mail template delegation

    Attestation - delegated/additional approval (by mail)

    Mail template rejection

    Attestation - reject approval (by mail)

  5. Configure and enable the Processes attestation approvals by mail schedule in Designer.

    Based on this schedule, One Identity Manager regularly checks the mailbox for new attestation mails. Based on this schedule, the regularly checks the mailbox every 15 minutes. You can change how frequently it checks, by altering the interval in the schedule as required.

To clean up a mail box

  • In Designer, enable the configuration parameter QER | Attestation | MailApproval | DeleteMode and select one of the following values.

    Table 40: Mailbox cleanup




    The processed e-mail is immediately deleted.


    The processed email is moved to the Deleted objects mailbox folder.


    The processed email is moved to the Active Directoryrecycling bin and can be restored if necessary.

    NOTE: If you use the MoveToDeletedItems or SoftDelete cleanup method, you should empty the Deleted objects folder and the Active Directory recycling bin on a regular basis.
Related Topics

Processing attestation mails

The Processes approvals of attestations by email schedule starts the VI_Attestation_Process Approval Inbox process. This process runs the VI_MailApproval_ProcessInBox script, which searches the mailbox for new attestation mails and updates the attestation cases in the One Identity Manager database. Then the contents of the attestation mail are processed.

NOTE: The validity of the email certificate is checked with the script VID_ValidateCertificate. You can customize this script to suit your security requirements. Take into account that this script is also used for attestations by email.

If an self-signed root certification authority is used, the user account under which the One Identity Manager Service is running, must trust the root certificate.

TIP: VI_MailApproval_ProcessInBox finds the Exchange Web Service URL which uses AutoDiscover through the given mailbox as default. This assumes that the AutoDiscover service is running.

If this is not possible, enter the URL in the configuration parameter QER\Attestation\MailApproval\ExchangeURI.

Attestation mails are processed with the VI_MailApproval_ProcessMail script. The script finds the relevant approval decision, sets the Approved option and stores the reason for the approval decision with the attestation cases. The attestor is found through the sender address. Then the attestation mail is removed from the mailbox depending on the selected cleanup method.

NOTE: If you use a custom mail template for the attestation mail, check the script and modify it as required. Take into account that this script is also used for attestations by email.

Default attestation and withdrawal of entitlements

One Identity Manager provide various default attestation procedures for different data situations and default attestation procedures.

Data situations for default attestations:

  • System entitlements owned by an employee

  • System entitlements assigned to system entitlements

  • System entitlements assigned to hierarchical roles

  • System roles assigned to an employee

  • Company resources assigned to system roles

  • System roles assigned to hierarchical roles

  • Business and application role memberships

  • Employee master data for a new One Identity Manager user

  • Employee master data for an existing One Identity Manager user

The attestation polices required for attesting employee master data are also supplied by default. You can also use the default supplied attestation policies without modifying them. The prerequisites and the attestation sequence for employee data are described in User attestation and recertification.

You can set up attestation policies easily in Web Portal using default attestation procedures for other data situations. You can also use the default attestation policies supplied without customizing them. Furthermore, you can configure how to deal with denied attestations that are based on these default attestation procedures. If your specific data situation allows, denied entitlements can be removed by the One Identity Manager following the attestation.

To remove denied permissions automatically

  1. In Designer, set the configuration parameter QER | Attestation | AutoRemovalScope and the configuration subparameters.

  2. If the entitlements were obtained through IT Shop, specify whether these requests should be unsubscribed or canceled. To do this, enable the configuration parameter QER | Attestation | AutoRemovalScope | PWOMethodName and select a value.

    • Abort: Requests are aborted. In this case, they do not go through a cancelation workflow. The requested entitlements are withdrawn without additional checks.

    • Unsubscribe: Requests are unsubscribed. They go through the cancelation workflow defined in the approval policies. Withdrawal of the entitlement can thus be subjected to an additional check.

      If the cancelation is denied, the entitlement is not withdrawn even though the attestation has been denied.

    If the configuration parameter is not set, the requests are aborted.

IMPORTANT: If role memberships or system roles are removed from an employee they lose the unapproved entitlement. They also lose all other company resources inherited through this role. These may be other system entitlements or account definitions. If necessary, system entitlements are removed and company resources are deleted from the employee.

Check whether your data situation allows automatic withdrawal of entitlements before you enable configuration parameters under QER | Attestation | AutoRemovalScope.

Automatic removal of entitlements is triggered by an additional approval step with the EX approval procedure in the default approval workflows.

Attestation sequence with subsequence withdrawal of denied entitlements:

  1. Attestation is carried out using a default attestation procedure.

  2. The attestor denies attestation. The approval step is not granted approval and approval is passed on the next approval level with the EX approval procedure.

  3. The approval step triggers the event AUTOREMOVE. This runs the process VI_Attestation_AttestationCase_AutoRemoveMembership.

  4. The process runs the script VI_AttestationCase_RemoveMembership. This removes the affected entitlement depending on which configuration parameters are set.

  5. The script sets the approval step status to Denied. This means the entire attestation case is finally denied.

  6. Tasks to recalculate inheritance are entered in the DBQueue.

Detailed information about this topic
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating