Chat now with support
Chat with Support

Identity Manager 8.1 - Attestation Administration Guide

Attestation and recertification
One Identity Manager users for attestation Attestation base data Attestation policies Creating custom mail templates for notifications
Approval processes for attestation cases
Approval policies Approval workflows Selecting attestors Setting up multi-factor authentication for attestation Prevent attestation by employee awaiting attestation Managing attestation cases
Attestation sequence Default attestation and withdrawal of entitlements User attestation and recertification Mitigating controls Appendix: Configuration parameters for attestation

Assigning attestation policies

Use this task to specify for which attestation policies the mitigating control is valid.

To assign attestation policies to mitigating controls

  1. In Manager, select Risk index functions | Mitigating control.

  2. Select the mitigating control in the result list.

  3. Select Assign attestation polices.

    Assign the attestation policies in Add assignments.

    TIP: In Remove assignments, you can remove the assignment of attestation policies.

    To remove an assignment

    • Select the approval policy and double-click .

  4. Save the changes.

Calculating mitigation

The significance reduction of a mitigating control supplies the value by which the risk index of an attestation policy is reduced when the control is implemented.One Identity Manager calculates a reduced risk index based on the risk index and the significance reduction. One Identity Manager supplies default functions for calculating reduced risk indexes. These functions cannot be edited with One Identity Manager tools.

The reduced risk index is calculated from the company policy and the significance reduced sum of all assigned mitigating controls.

Risk index (reduced) = Risk index - sum significance reductions

If the significance reduction sum is greater than the risk index, the reduced risk index is set to 0.

The significance reduction of a mitigating control supplies the value by which the risk index of an attestation policy is reduced when the control is implemented.One Identity Manager calculates a reduced risk index based on the risk index and the significance reduction. One Identity Manager supplies default functions for calculating reduced risk indexes. These functions cannot be edited with One Identity Manager tools.

The reduced risk index is calculated from the company policy and the significance reduced sum of all assigned mitigating controls.

Risk index (reduced) = Risk index - sum significance reductions

If the significance reduction sum is greater than the risk index, the reduced risk index is set to 0.

Appendix: Configuration parameters for attestation

The following configuration parameters are additionally available in One Identity Manager after the module has been installed. Some general configuration parameters are relevant for attestation. The following table contains a summary of all applicable configuration parameters for attestation.

Table 65: Overview of configuration parameters

Configuration parameter

Description

QER | Attestation

Preprocessor relevant configuration parameter for controlling the model parts for attestation. Changes to the parameter require recompiling the database.

If the parameter is enabled you can use the attestation function.

QER | Attestation | AllowAllReportTypes

This configuration parameter specifies whether all report formats are permitted for attestation policies. By default, only PDF is allowed because it is the only audit secure format.

QER | Attestation |
AutoCloseInactivePerson

If this configuration parameter is set, pending attestation cases for an employee are closed, when this employees is permanently deactivated.

QER | Attestation | AutoRemovalScope

General configuration parameter for defining automatic withdrawal of memberships/assignments if attestation approval is not granted.

QER | Attestation | AutoRemovalScope |
AERoleMembership

Determines default behavior for automatic removal of application role memberships if attestation approval is not granted.

QER | Attestation | AutoRemovalScope |
AERoleMembership |
RemoveDelegatedRole

If this configuration parameter is set, it ends the application role delegation if attestation approval is not granted.

QER | Attestation | AutoRemovalScope |
AERoleMembership |
RemoveDirectRole

If this configuration parameter is set, the employee’s membership of the application role is removed when attestation approval is not granted.

QER | Attestation | AutoRemovalScope |
AERoleMembership |
RemoveRequestedRole

If this configuration parameter is set, the request for membership of the application role is aborted if attestation approval is not granted.

QER | Attestation | AutoRemovalScope | DepartmentHasESet

Determines default behavior for automatic removal of system role assignments to departments if attestation approval has been denied.

QER | Attestation | AutoRemovalScope | DepartmentHasESet | RemoveDirect

If this configuration parameter is set, system role to department assignments are removed if attestation approval is not granted.

QER | Attestation | AutoRemovalScope | DepartmentHasUNSGroup

Determines default behavior for automatic removal of system entitlement assignments to departments if attestation approval has been denied.

QER | Attestation | AutoRemovalScope | DepartmentHasUNSGroup | RemoveDirect

If this configuration parameter is set, system entitlement to department assignments are removed if attestation approval is not granted.

QER | Attestation | AutoRemovalScope |
ESetAssignment

Determines default behavior for automatic removal of system role memberships if attestation approval is not granted.

QER | Attestation | AutoRemovalScope |
ESetAssignment |
RemoveDelegatedRole

If this configuration parameter is set, it ends the role delegation through which the employee obtained the system role if attestation approval is not granted.

This removes all indirect assignments obtained by the employee through this role.

QER | Attestation | AutoRemovalScope |
ESetAssignment | RemoveDirect

If this configuration parameter is set, the direct user account membership in the system role will be removed if attestation approval is not granted.

This removes all indirect assignments obtained by the employee through the system role.

QER | Attestation | AutoRemovalScope |
ESetAssignment | RemoveDirectRole

If this configuration parameter is set, the system role assignment to roles (organizations and business roles) is removed if attestation approval is not granted. This removes the system entitlement assignment to all user accounts whose associated employees are members of these roles.

IMPORTANT: Employees whose attestation has been approved can lose the system role through this.

QER | Attestation | AutoRemovalScope |
ESetAssignment |
RemovePrimaryRole

If this configuration parameter is set, the primary role assignment through which the employee obtained the system role is removed from the employee when attestation approval is not granted.

This removes all indirect assignments obtained by the employee through this role.

QER | Attestation | AutoRemovalScope |
ESetAssignment | RemoveRequested

If this configuration parameter is set, the requested system role is canceled if attestation approval is not granted.

This removes all indirect assignments obtained by the employee through the system role.

QER | Attestation | AutoRemovalScope |
ESetAssignment |
RemoveRequestedRole

If this configuration parameter is set, the request for the role through which the employee obtained the system role is canceled if attestation approval is not granted.

This removes all indirect assignments obtained by the employee through this role.

QER | Attestation | AutoRemovalScope | ESetHasEntitlement

Determines default behavior for automatic removal of system role assignments after attestation approval has been denied.

QER | Attestation | AutoRemovalScope | ESetHasEntitlement | RemoveDirect

If this configuration parameter is set, company resource assignments to system roles are removed when attestation approval is denied.

QER | Attestation | AutoRemovalScope |
GroupMembership

Determines default behavior for automatic removing of united namespace system entitlements if attestation approval is not granted.

QER | Attestation | AutoRemovalScope |
GroupMembership |
RemoveDelegatedRole

If this configuration parameter is set, it ends the role delegation through which the employee obtained the system entitlement if attestation approval is not granted.

This removes all indirect assignments obtained by the employee through this role.

QER | Attestation | AutoRemovalScope |
GroupMembership | RemoveDirect

If this configuration parameter is set, the direct user account membership in the system entitlement will be removed if attestation approval is not granted.

QER | Attestation | AutoRemovalScope |
GroupMembership |
RemoveDirectRole

If this configuration parameter is set, the system entitlement assignment to roles (organizations and business roles) is removed if attestation approval is not granted. This removes the system entitlement assignment to all user accounts whose associated employees are members of these roles.

IMPORTANT: Employees whose attestation has been approved can lose the system entitlement through this.

QER | Attestation | AutoRemovalScope |
GroupMembership |
RemovePrimaryRole

If this configuration parameter is set, the primary role assignment through which the employee obtained the system entitlement is removed from the employee when attestation approval is not granted.

This removes all indirect assignments obtained by the employee through this role.

QER | Attestation | AutoRemovalScope |
GroupMembership |
RemoveRequested

If this configuration parameter is set, the requested system entitlement is canceled if attestation approval is not granted.

QER | Attestation | AutoRemovalScope |
GroupMembership |
RemoveRequestedRole

If this configuration parameter is set, the request for the role through which the employee obtained the system entitlement is canceled when attestation approval is not granted.

This removes all indirect assignments obtained by the employee through this role.

QER | Attestation | AutoRemovalScope |
GroupMembership |
RemoveSystemRole

If this configuration parameter is set, the system role assignment through which the employee obtained the system entitlement is removed from the employee when attestation approval is not granted.

This removes all indirect assignments obtained by the employee through this system role.

NOTE: This configuration parameter is only available if the System Roles Module is installed.

QER | Attestation | AutoRemovalScope | LocalityHasESet

Determines default behavior for automatic removal of system role assignments to locations if attestation approval has been denied.

QER | Attestation | AutoRemovalScope | LocalityHasESet | RemoveDirect

If this configuration parameter is set, system role to location assignments are removed if attestation approval is not granted.

QER | Attestation | AutoRemovalScope | LocalityHasUNSGroup

Determines default behavior for automatic removal of system entitlement assignments to locations if attestation approval has been denied.

QER | Attestation | AutoRemovalScope | LocalityHasUNSGroup | RemoveDirect

If this configuration parameter is set, system entitlement to location assignments are removed if attestation approval is not granted.

QER | Attestation | AutoRemovalScope | OrgHasESet

Determines default behavior for automatic removal of system role assignments to business roles if attestation approval has been denied.

QER | Attestation | AutoRemovalScope | OrgHasESet | RemoveDirect

If this configuration parameter is set, system role to business role assignments are removed if attestation approval is not granted.

QER | Attestation | AutoRemovalScope | OrgHasUNSGroup

Determines default behavior for automatic removal of system entitlement assignments to business roles if attestation approval has been denied.

QER | Attestation | AutoRemovalScope | OrgHasUNSGroup | RemoveDirect

If this configuration parameter is set, system entitlement to business role assignments are removed if attestation approval is not granted.

QER | Attestation | AutoRemovalScope | ProfitCenterHasESet

Determines default behavior for automatic removal of system role assignments to system roles if attestation approval has been denied.

QER | Attestation | AutoRemovalScope | ProfitCenterHasESet | RemoveDirect

If this configuration parameter is set, system role to cost center assignments are removed if attestation approval is not granted.

QER | Attestation | AutoRemovalScope | ProfitCenterHasUNSGroup

Determines default behavior for automatic removal of system entitlement assignments to system roles if attestation approval has been denied.

QER | Attestation | AutoRemovalScope | ProfitCenterHasUNSGroup | RemoveDirect

If this configuration parameter is set, system entitlement to cost center assignments are removed if attestation approval is not granted.

QER | Attestation | AutoRemovalScope | PWOMethodName

Method to be executed on requests if the requested assignment is to be deleted when attestation approval is not granted.

The requests can be unsubscribed (Unsubscribe) or aborted (Abort). If the configuration parameter is not set, the requests are aborted by default.

QER | Attestation | AutoRemovalScope |
RoleMembership

Determines default behavior for automatic removal of business role memberships if attestation approval is not granted.

QER | Attestation | AutoRemovalScope |
RoleMembership |
RemoveDelegatedRole

If this configuration parameter is set, it ends the business role delegation if attestation approval is not granted.

This removes all indirect assignments the employee obtained through this business role.

QER | Attestation | AutoRemovalScope |
RoleMembership | RemoveDirectRole

If this configuration parameter is set, the employee secondary membership in the business role will be removed if attestation approval is not granted.

This removes all indirect assignments the employee obtained through this business role.

QER | Attestation | AutoRemovalScope |
RoleMembership |
RemoveRequestedRole

If this configuration parameter is set, the request for membership of the business role is canceled if attestation approval is not granted.

This removes all indirect assignments the employee obtained through this business role.

QER | Attestation | AutoRemovalScope |
UNSGroupInUNSGroup

Specifies the default behavior for removing assignments from system entitlements to system entitlement is attestation approval is not granted.

QER | Attestation | AutoRemovalScope |
UNSGroupInUNSGroup |
RemoveDirect

If this configuration parameter is set, the system entitlement assignment to a system entitlement is removed when attestation approval is not granted.

QER | Attestation |
DefaultSenderAddress

This configuration parameter contains the sender email address for messages automatically generated for attestation.

QER | Attestation | MailApproval |
Account

User account name for authentication on Approval by Mail inbox

QER | Attestation | MailApproval |
DeleteMode

Specifies the way emails are deleted from the inbox.

QER | Attestation | MailApproval |
Domain

User account domain for authentication on Approval by Mail inbox

QER | Attestation | MailApproval |
ExchangeURI

Specifies the Microsoft Exchange Web Service URL. AutoDiscover mode is used to find the URL if it is not given.

QER | Attestation | MailApproval |
Inbox

This Microsoft Exchange mailbox is used for Approval by Mail processes.

QER | Attestation | MailApproval |
Password

User account password for authentication on Approval by Mail inbox

QER | Attestation |
MailTemplateIdents |
AnswerToApprover

This mail template is used to send a notification with an answer to a question from an approver.

QER | Attestation |
MailTemplateIdents |
AttestationApproval

Designates the mail template used for attestation decisions issued with Approval by Mail

QER | Attestation |
MailTemplateIdents |
InformAddingPerson

This mail template is used to notify approvers that an approval decision has been made for the step they added.

QER | Attestation |
MailTemplateIdents |
InformDelegatingPerson

This mail template is used to notify approvers that an approval decision has been made for the step they delegated.

QER | Attestation |
MailTemplateIdents |
QueryFromApprover

This mail template is used to send a notification with a question from an approver to an employee.

QER | Attestation |
MailTemplateIdents |
RequestApproverByCollection

This mail template is used for generating an email when there are pending attestation for an approver. If this configuration parameter is not set, a Mail template request or Mail template reminder can be entered for single approval steps. This template is then sent for each individual attestation case. If this configuration parameter is set, single mails are not sent.

QER | Attestation | OnWorkflowAssign

This configuration parameter specifies how pending attestation cases are handled when a new approval workflow is assigned to the approval policy.

QER | Attestation | OnWorkflowUpdate

This configuration parameter specifies how pending attestations are handled when the approval workflow is changed.

QER | Attestation |
PersonToAttestNoDecide

This configuration parameter specifies whether employees to be attested are allowed to approve this attestation case. If the parameter is set, an attestation case cannot be approved by employees, which are contained in the attestation object (AttestationCase.ObjectKeyBase) or in the objects identifiers 1-3 (AttestationCase.UID_ObjectKey1, ObjectKey2 or ObjectKey3). If the parameter is not set, these employee are allowed to make approval decisions for this attestation case.

QER | Attestation |
ReducedApproverCalculation

This configuration parameter specifies, which approval steps are recalculated if modifications require attestors to be redetermined.

QER | Attestation | UserApproval

Supports attestation procedures for regularly checking and confirming One Identity Manager users through their Manager.

QER | Attestation | UserApproval |
InitialApprovalState

Certification status for new employees. If an employee is added with the certification status 1 = new, data attestation by the employee’s manager is started.

QER | CalculateRiskIndex

Preprocessor relevant configuration parameter controlling system components for calculating an employee's risk index. Changes to the parameter require recompiling the database.

If the parameter is enabled, values for the risk index can be entered and calculated.

QER | Employee | Defender

This configuration parameter specifies whether Starling Two-Factor Authentication is supported.

QER | Employee | Defender | ApiEndpoint

This configuration parameter contains the URL of the Starling 2FA API end point used to register new users.

QER | Employee | Defender | ApiKey

This configuration parameter contains your company's subscription key for accessing the Starling Two-Factor Authentication interface.

QER | Person | Defender |
DisableForceParameter

This configuration parameter specifies whether Starling 2FA is forced to send the OTP by SMS or phone call if one of these options is selected for multi-factor authentication. If the configuration parameter is set, Starling 2FA can disallow the request and the user must request the OPT through Starling 2FA.

QER | WebPortal | BaseURL

Web Portal URL This address is used in mail templates to add hyperlinks to the Web Portal.

Common | MailNotification |
DefaultCulture

This configuration parameter contains the default language for email notifications if no language can be determined for the recipient.

Common | MailNotification | Signature

Data for the signature in email automatically generated from mail templates.

Common | MailNotification | Signature | Caption

Signature under the salutation.

Common | MailNotification | Signature | Company

Company name.

Common | MailNotification | Signature | Link

Link to company website.

Common | MailNotification |
SMTPAccount

User account name for authentication on an SMTP server.

Common | MailNotification |
SMTPDomain

User account domain for authentication on the SMTP server.

Common | MailNotification |
SMTPPassword

User account password for authentication on the SMTP server.

Common | MailNotification |
SMTPPort

Port for SMTP services on the SMTP server (default: 25).

Common | MailNotification |
SMTPRelay

SMTP server for sending notifications.

Common | MailNotification |
SMTPUseDefaultCredentials

If this configuration parameter is set, the One Identity Manager Service credentials are used for authentication on the SMTP server. If this configuration parameter is not set, the login data stored in the configuration parameters Common | MailNotification | SMTPDomain and Common | MailNotification | SMTPAccount or Common | MailNotification | SMTPPassword is used.

Common | ProcessState | PropertyLog

When this configuration parameter is set, changes to individual values are logged and shown in the process view.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating