Chat now with support
Chat with Support

Identity Manager 8.2.1 - Attestation Administration Guide

Attestation and recertification
One Identity Manager users for attestation Attestation base data Attestation policies Sample attestation Custom mail templates for notifications Suspending attestation
Approval processes for attestation cases
Approval policies for attestations Approval workflow for attestations Selecting attestors Setting up multi-factor authentication for attestation Prevent attestation by employee awaiting attestation Attestation by peer group analysis Managing attestation cases
Attestation sequence Default attestation and withdrawal of entitlements User attestation and recertification Mitigating controls Setting up attestation in a separate database Configuration parameters for attestation

Getting more information

An attestor has the option to gather more information about an attestation case. This ability does not, however, replace the granting or denying approval of an attestation case. There is no additional approval step required in the approval workflow to obtain the information.

Attestors can request information from any employee. The attestation case is put on hold while the query is pending. Once the employee requested has supplied the required information and the attestors have made an decision on the approval step, hold status is revoked. Attestors can recall a pending query at any time. The request is taken off hold. The query and answer are logged in the approval sequence and made available to the attestors.

NOTE: Hold status is revoked if the attestor who asked a question is removed as an approver. The queried employee does not have to answer and the attestation process proceeds.

Email notification to the employees involved can be sent using unanswered inquiries.

For detailed information about queries, see the One Identity Manager Web Designer Web Portal User Guide

Detailed information about this topic

Appointing other attestors

Once an approval level in the approval workflow has been reached, the attestors at this level can appoint another employee to handle the approval. To do this, you have the options described below:

  • Rerouting approvals

    The attestor appoints another approval level to carry out attestations. To do this, set up a connection to the approval level in the approval workflow to which an approval decision can be rerouted.

  • Appointing additional attestors

    The attestor appoints another employee to carry out the attestation. The other attestor must make an approval decision in addition to the known attestors. To do this, enable the Additional approver possible option in the approval step.

    The additional attestor can reject the approval and return the attestation case to the original attestor. The original attestor is informed about this by email. The original attestor can appoint another additional attestor.

  • Delegate approval

    The attestor appoints another employee with the attestation. This employee is added to the current approval step as the attestor. This employee then makes the approval decision instead of the attestor who made the delegation. To do this, enable the Approval can be delegated option in the approval step.

    The current attestor can reject the approval and return the attestation case to the original attestor. The original attestor can withdraw the delegation and delegate a different employee, for example, if the other attestor is not available.

Email notifications can be sent to the original attestors and the others.

Detailed information about this topic
Related topics

Escalating an attestation case

Approval steps can be automatically escalated once the specified timeout is exceeded. The attestation case is presented again to another approval body. The attestation case can subsequently be processed again in the normal approval workflow.

To configure escalation of an approval step

  1. Open the approval workflow in the Workflow Editor.

  2. Add an additional approval level with one approval step for escalation.

  3. Connect the approval step that is going to be escalated when the time period is exceeded with the new approval step. Use the connection point for escalation to do this.

    Figure 3: Example of an approval workflow with escalation

  4. Configure the behavior for the approval step to be escalated when it times out.

    Table 31: Properties for escalation on timeout
    Property Meaning
    Timeout (minutes)

    Number of minutes to elapse after which the approval step is automatically granted or denied approval. The input is converted into working hours and displayed additionally.

    The timeout is check every 30 minutes, by default. To change this interval, modify the Checks reminder interval and timeout of attestation cases schedule.

    The working hours of the respective approver are taken into account when the time is calculated.

    NOTE: Ensure that a state, county, or both is entered into the employee's main data of determining the correct working hours. If this information is missing, a fallback is used to calculate the working hours. For more information about calculating employees' working hours, see the One Identity Manager Identity Management Base Module Administration Guide.

    TIP: Weekends and public holidays are taken into account when working hours are calculated. If you want weekends and public holidays to be dealt with in the same way as working days, set the QBM | WorkingHours | IgnoreHoliday or QBM | WorkingHours | IgnoreWeekend configuration parameter. For more information about this, see the One Identity Manager Configuration Guide.

    If more than one approver was found, then an approval decision for the approval step is not automatically made until the timeout for all approvers has been exceeded. The same applies if an additional approver has been assigned.

    If an approver delegated approval, the time point for automatic approval is recalculated for the new approver. If this approval is rejected, the time point for automatic approval is recalculated for the original approver.

    If an approver is queried, the approval decision must be made within the defined timeout anyway. The time point for automatic approval is not recalculated.

    If additional approvers are determined by recalculating the current approvers, then the automatic approval deadline is not extended. The additional approvers must approve within the time frame that applies to the current approver.

    Timeout behavior

    Action that is run if the timeout expires.

    • Escalation: The attestation case is escalated. The escalation approval level is called.

  5. (Optional) If the approval step still needs to be escalated but no attestor be found and no fallback approver is assigned, set the Escalate if no approver found option.

    In this case, the attestation case is escalated instead of being canceled or passed to the chief approval team.

In the event of an escalation, email notifications can be sent to the new approvers and other employees.

Related topics

Attestors cannot be established

You can specify a fallback approver if attestation cases cannot be approved because no attestors are available. An attestation case is then always assigned to the fallback approver for attestation if no attestor can be found in an approval step in the specified approval procedure.

To specify fallback approvers, define application roles and assign these to an approval step. Different attestation groups in the approval steps may also require different fallback approvers. Specify different application role for this, to which you can assign employees who can be determined as fallback approvers in the approval process. For more information, see the One Identity Manager Authorization and Authentication Guide.

To specify fallback approvers for an approval step

  • Enter the following data for the approval step.

    Table 32: Approval step properties for fallback approvers
    Property Meaning

    Fallback approver

    Application role whose members are authorized to approve attestation cases if an attestor cannot be determined through the approval procedure. Assign an application from the menu.

    To create a new application role, click . Enter the application role name and assign a parent application role. For detailed information, see the One Identity Manager Authorization and Authentication Guide.

    NOTE: The number of approvers is not applied to the fallback approvers. The approval step is considered approved the moment as soon as one fallback approver has approved the request.

Attestation sequence with fallback approvers

  1. No attestor can be found for an approval step in an approval process. The attestation is assigned to all members of the fallback approver application role.

  2. Once a fallback approver has approved an attestation case, it is presented to the attestors at the next approval level.

    NOTE: You can specify in the approval step how many attestors are required for approval in this step. This limit is NOT valid for the chief approval team. The approval step is considered to be approved as soon as ONE fallback approver has approved the attestation.

  3. The attestation case is canceled if no fallback approver can be found.

Fallback approvers can make approval decisions on attestation cases for all manual approval steps. Fallback approvals are not permitted for approval steps using the CD, EX, and WC approval procedures.

Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating