
Identity Manager 8.1 - Attestation Administration Guide


User attestation and recertification

Use the One Identity Manager attestation functionality to regularly check and authorize employees' master data, target system entitlements, and assignments. Furthermore, One Identity Manager provides default procedures for managers to quickly attest and certify the master data of newly added One Identity Manager users in the One Identity Manager database. This functionality can be used, for example, if external employees, such as contract workers, should be given temporary access to One Identity Manager. Regular recertification can be run through scheduled tasks.

In the context of an attestation, a manager can check and update the master data for the user to be certified, if necessary. Use the Web Portal for attestation.

To enable use of attestation and recertification functions for new users

  1. In Designer, set the configuration parameter QER | Attestation | UserApproval.

  2. Assign at least one employee to the Identity Management | Employees | Administrators application role.

Users for attestation and recertification

The following users are involved in attestation and recertification of employees.

Table 49: Users

Users: Employee administrators

Task: Employee administrators must be assigned to the Identity Management | Employees | Administrators application role.

Users with this application role:

  • Can edit master data for all employees.
  • Can assign a manager.
  • Can assign company resources to employees.
  • Check and authorize employee master data.
  • Create and edit risk index functions.
  • Edit password policies for employee passwords.

Users: Manager

Task:

  • Check the employee master data of the user to be certified.
  • Update employee master data as required.
  • Assign another manager if required.
  • Attest the master data.

Users: Administrators for attestation cases

Task: Administrators must be assigned to the Identity & Access Governance | Attestation | Administrators application role.

Users with this application role:

  • Modify the attestation policies if necessary.
  • Create more schedules if required.

Users: Web Portal users

Task:

  • Log on to the Web Portal and enter their master data.

Attesting new users

Attestation of new users is divided into three use cases by One Identity Manager:

  1. Adding a new user by logging in to the Web Portal

  2. Adding a new employee in the Manager

  3. Adding a new employee by importing employee master data

The result of attestation is the same in all three cases.

  • Certified, enabled employees that can access all entitlements assigned to them in One Identity Manager and the connected target systems.

    Company resources are inherited. Account definitions are assigned.

    - OR -

  • Denied and permanently deactivated employees.

    Disabled employees cannot log on to One Identity Manager tools. Company resources are not inherited. Account definitions are not automatically assigned. User accounts associated with the employee are also locked or deleted. You can customize this behavior to meet your requirements.

Creating new users in Web Portal

New users can register on the Web Portal home page. These users can log into One Identity Manager once the manager in charge of the employee’s master data has completed attestation.

Attestation sequence:

  1. The new user enters his or her own master data in the Web Portal.

    A new employee object is created in the One Identity Manager database with the following properties:

    Table 50: Properties of a newly created person

    Property              Value
    Certification status  New
    Permanently disabled  enabled
    No inheritance        enabled

  2. Attestation is started automatically.

    Attestation policy used: New user certification

    Note: The attestation only starts automatically if the configuration parameter QER | Attestation | UserApproval is set. Otherwise the new user remains permanently disabled until a manager changes the employee master data manually.

  3. Attestors are found.

    Effective approval policy: Certification of users

Figure 4: Approval workflow Certification of users on adding in Web Portal

  1. When a new user is added to the Web Portal, no manager is yet assigned to them. The process is therefore assigned to One Identity Manager users with the Identity Management | Employees | Administrators application role (employee administrators) for approval.

  2. An employee administrator checks the new user's master data and assigns them a manager.

    1. The employee administrator assigns a manager and approves attestation. The attestation case is assigned to the manager for approval.

    2. If the employee administrator approves attestation without assigning a manager, the attestation case is closed. The employee's properties are updated in the database.

      Table 51: Properties of an employee with approved attestation

      Property              Value      Explanation
      Certification status  Certified
      Permanently disabled  Disabled   The user can log on to the Web Portal.
      No inheritance        Disabled   Company resources are inherited.

    3. If an employee administrator denies attestation approval, the attestation case is closed. The employee's properties are updated in the database.

      Table 52: Properties of an employee with rejected attestation

      Property              Value    Explanation
      Certification status  Denied
      Permanently disabled  enabled  The user cannot log on to the Web Portal.
      No inheritance        enabled  Company resources are not inherited. User accounts are not created automatically.

  3. The manager can deny attestation approval if they are not the manager in charge of the employee.

    1. The manager can assign another person as manager. The attestation case is immediately assigned to this manager.

    2. If the manager does not know who the user's manager is, approval is returned to the employee administrators. These can either:

      • assign another manager (5 a)

      • not assign a new manager and approve attestation (5 b), or

      • reject the attestation (5 c).

  4. If the manager approves attestation, the attestation case is closed. The employee's properties are updated in the database.

    Table 53: Properties of an employee with approved attestation

    Property              Value      Explanation
    Certification status  Certified
    Permanently disabled  Disabled   The user can log on to the Web Portal.
    No inheritance        Disabled   Company resources are inherited.

NOTE: Only employee administrators can ultimately deny attestation approval. If a manager denies attestation, the case is returned to the employee administrators for approval in any case.
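The approval workflow above, written out as a small state model (an added example, not One Identity Manager code): a new user starts permanently disabled and without inheritance, the case sits with the employee administrators until a manager is assigned, a manager who denies only sends the case back to the administrators, and the property values on closing follow Tables 50 to 53. Class, attribute and role names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Added example: a model of the "Certification of users" workflow described above.
# Not One Identity Manager code; names are assumptions, values follow Tables 50-53.
ADMIN, MANAGER = "employee_administrators", "manager"

@dataclass
class Employee:
    name: str
    manager: Optional[str] = None
    certification_status: str = "New"  # Table 50: a new user starts locked down
    permanently_disabled: bool = True
    no_inheritance: bool = True

    def can_log_on(self) -> bool:
        return not self.permanently_disabled

@dataclass
class AttestationCase:
    employee: Employee
    assigned_to: str = ADMIN  # no manager yet, so employee administrators decide
    closed: bool = False

    def _close(self, status: str, locked: bool) -> None:
        self.employee.certification_status = status
        self.employee.permanently_disabled = locked
        self.employee.no_inheritance = locked  # resources inherited only if certified
        self.closed = True

    def admin_decides(self, approve: bool, new_manager: Optional[str] = None) -> None:
        if self.closed or self.assigned_to != ADMIN:
            raise RuntimeError("case is not open for employee administrators")
        if not approve:
            self._close("Denied", locked=True)  # Table 52: stays permanently disabled
        elif new_manager:
            self.employee.manager = new_manager  # case moves on to that manager
            self.assigned_to = MANAGER
        else:
            self._close("Certified", locked=False)  # Table 51

    def manager_decides(self, approve: bool, other_manager: Optional[str] = None) -> None:
        if self.closed or self.assigned_to != MANAGER:
            raise RuntimeError("case is not open for the manager")
        if approve:
            self._close("Certified", locked=False)  # Table 53
        elif other_manager:
            self.employee.manager = other_manager  # case goes straight to that manager
        else:
            self.assigned_to = ADMIN  # managers cannot finally deny: back to admins
```

Note that no transition ever enables log-on or inheritance before the case is closed as Certified, which is the property an auditor would want to confirm about such a workflow.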

Employee administrators and managers use the Web Portal for attestation. For more detailed information, see the One Identity Manager Web Portal User Guide.
