
Identity Manager 8.2.1 - Attestation Administration Guide


Using a specified role to find attestors

If the attestors for any object are specified in a certain role, use the OR or OM approval procedure. With these approval procedures you can allow any objects to be attested by employees from any role. In the approval step, specify the role by means of which the attestors are to be determined. The approval procedures determine the following attestors.

| Approval procedure | Selectable roles | Attestors |
|---|---|---|
| OR | Departments (Department), Cost centers (ProfitCenter), Locations (Locality), Business roles (Org) | Manager and deputy manager of the role specified in the approval step. |
| OM | Departments (Department), Cost centers (ProfitCenter), Locations (Locality), Business roles (Org), Application roles (AERole) | All secondary members of the role specified in the approval step. |

Using product owners to find attestors

Use the OA approval procedure if you want to allow product owners to be attestors. The following objects can be attested with this procedure:

  • Service items

  • System entitlements

  • System entitlement assignments to user accounts or system entitlements

  • System role assignments to employees

Prerequisites:

  • A service item must be assigned to the system entitlements and system roles.
  • An application role for product owners must be assigned to the service item.

All employees who are assigned this application role are determined as attestors.

Using owners of a privileged object to find attestors

Installed modules: Privileged Account Governance Module

Use the OP approval procedure if you want to allow privileged objects in a Privileged Account Management system, for example, PAM assets or PAM directory accounts, to be attested by their owners. The owners attest the possible user access to these privileged objects. The owners of the privileged objects must have the Privileged Account Governance | Asset and account owners application role or a child application role.

Using additional Active Directory group owners to find attestors

Installed modules: Active Roles Module

If the Active Directory group is attested, the attestor can be determined through additional owners of this Active Directory group. Use the PA approval procedure for this purpose. This finds all employees that are:

  • A member in the assigned Active Directory group through their Active Directory user account

  • Linked to the assigned Active Directory user account

NOTE: Only use the PA approval procedure if the TargetSystem | ADS | ARS_SSM configuration parameter is enabled. The column Additional owners is only available in this case.
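The following added example (not code from One Identity Manager or this guide) models how the OR, OM, OA and PA procedures described in the sections above resolve attestors over a small constructed data set; the role, service item, account and group identifiers are illustrative, and the PA function refuses to run unless the TargetSystem | ADS | ARS_SSM parameter is enabled.

```python
# Constructed sample data standing in for Identity Manager objects; the
# identifiers are illustrative, not real database keys.
ROLES = {  # "<table>:<name>" -> manager, deputy manager, secondary members
    "Department:Finance": {"manager": "alice", "deputy": "bob", "members": {"carol", "dave"}},
    "AERole:FinOwners": {"manager": "erin", "deputy": None, "members": {"frank", "grace"}},
}
SERVICE_ITEM_OF = {"Entitlement:FinAdmins": "SI:FinAdmin"}  # entitlement -> service item
OWNER_ROLE_OF = {"SI:FinAdmin": "AERole:FinOwners"}         # service item -> product owner role
AD_USER_TO_EMPLOYEE = {"ad\\carol": "carol", "ad\\hank": "hank", "ad\\ivy": "ivy"}
AD_GROUP_MEMBERS = {"AD:FinOwners": {"ad\\hank", "ad\\ivy", "ad\\orphan"}}  # orphan: no employee
ADDITIONAL_OWNERS = {"AD:FinAdmins": {"ad\\carol", "AD:FinOwners"}}  # a user account and a group
CONFIG = {"TargetSystem | ADS | ARS_SSM": True}

OR_ROLE_KINDS = {"Department", "ProfitCenter", "Locality", "Org"}
OM_ROLE_KINDS = OR_ROLE_KINDS | {"AERole"}  # OM additionally allows application roles

def _role(key, allowed):
    kind = key.split(":", 1)[0]
    if kind not in allowed:
        raise ValueError(f"{kind} cannot be selected for this approval procedure")
    return ROLES[key]

def attestors_or(role_key):
    """OR: manager and deputy manager of the role named in the approval step."""
    role = _role(role_key, OR_ROLE_KINDS)
    return {p for p in (role["manager"], role["deputy"]) if p}

def attestors_om(role_key):
    """OM: all secondary members of the role named in the approval step."""
    return set(_role(role_key, OM_ROLE_KINDS)["members"])

def attestors_oa(entitlement):
    """OA: members of the product owner application role reached through the
    service item; an empty set means one of the prerequisites is missing."""
    owner_role = OWNER_ROLE_OF.get(SERVICE_ITEM_OF.get(entitlement))
    return set(ROLES[owner_role]["members"]) if owner_role else set()

def pa_available(config=CONFIG):
    """PA may only be used when the ARS_SSM configuration parameter is enabled."""
    return bool(config.get("TargetSystem | ADS | ARS_SSM"))

def attestors_pa(group, config=CONFIG):
    """PA: employees behind the additional owners of an AD group, either linked
    to an owning user account or members of an owning group via their account."""
    if not pa_available(config):
        raise RuntimeError("enable TargetSystem | ADS | ARS_SSM before using PA")
    found = set()
    for owner in ADDITIONAL_OWNERS.get(group, ()):
        accounts = {owner} if owner in AD_USER_TO_EMPLOYEE else AD_GROUP_MEMBERS.get(owner, set())
        found |= {AD_USER_TO_EMPLOYEE[a] for a in accounts if a in AD_USER_TO_EMPLOYEE}
    return found
```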
