Chat now with support
Chat with Support

Identity Manager 9.0 LTS - Attestation Administration Guide

Attestation and recertification
One Identity Manager users for attestation Attestation base data Attestation types Attestation procedure Attestation schedules Compliance frameworks Chief approval team Attestation policy owners Standard reasons for attestation Attestation policies Sample attestation Grouping attestation policies Custom mail templates for notifications Suspending attestation
Approval processes for attestation cases
Approval policies for attestations Approval workflow for attestations Selecting attestors Setting up multi-factor authentication for attestation Prevent attestation by employee awaiting attestation Attestation by peer group analysis Managing attestation cases
Attestation sequence Default attestation and withdrawal of entitlements User attestation and recertification Mitigating controls Setting up attestation in a separate database Configuration parameters for attestation

Managing attestation cases

During attestation, you may find it necessary to assign someone else as default attestor responsible for the attestation because, for example, the actual attestor is absent. You may require additional information about an attestation object. One Identity Manager offers different possibilities to intervene in an open attestation case.

Getting more information

An attestor has the option to gather more information about an attestation case. This ability does not, however, replace the granting or denying approval of an attestation case. There is no additional approval step required in the approval workflow to obtain the information.

Attestors can request information from any employee. The attestation case is put on hold while the query is pending. Once the employee requested has supplied the required information and the attestors have made an decision on the approval step, hold status is revoked. Attestors can recall a pending query at any time. The request is taken off hold. The query and answer are logged in the approval sequence and made available to the attestors.

NOTE: Hold status is revoked if the attestor who asked a question is removed as an approver. The queried employee does not have to answer and the attestation process proceeds.

Email notification to the employees involved can be sent using unanswered inquiries.

For more information about queries, see the One Identity Manager Web Designer Web Portal User Guide.

Detailed information about this topic

Appointing other attestors

Once an approval level in the approval workflow has been reached, the attestors at this level can appoint another employee to handle the approval. To do this, you have the options described below:

  • Rerouting approvals

    The attestor appoints another approval level to carry out attestations. To do this, set up a connection to the approval level in the approval workflow to which an approval decision can be rerouted.

  • Appointing additional attestors

    The attestor appoints another employee to carry out the attestation. The other attestor must make an approval decision in addition to the known attestors. To do this, enable the Additional approver possible option in the approval step.

    The additional attestor can reject the approval and return the attestation case to the original attestor. The original attestor is informed about this by email. The original attestor can appoint another additional attestor.

  • Delegate approval

    The attestor appoints another employee with the attestation. This employee is added to the current approval step as the attestor. This employee then makes the approval decision instead of the attestor who made the delegation. To do this, enable the Approval can be delegated option in the approval step.

    The current attestor can reject the approval and return the attestation case to the original attestor. The original attestor can withdraw the delegation and delegate a different employee, for example, if the other attestor is not available.

Email notifications can be sent to the original attestors and the others.

Detailed information about this topic
Related topics

Escalating an attestation case

Approval steps can be automatically escalated once the specified timeout is exceeded. The attestation case is presented again to another approval body. The attestation case can subsequently be processed again in the normal approval workflow.

To configure escalation of an approval step

  1. Open the approval workflow in the Workflow Editor.

  2. Add an additional approval level with one approval step for escalation.

  3. Connect the approval step that is going to be escalated when the time period is exceeded with the new approval step. Use the connection point for escalation to do this.

    Figure 3: Example of an approval workflow with escalation

  4. Configure the behavior for the approval step to be escalated when it times out.

    Table 33: Properties for escalation on timeout
    Property Meaning
    Timeout (minutes)

    Number of minutes to elapse after which the approval step is automatically granted or denied approval. The input is converted into working hours and displayed additionally.

    The timeout is check every 30 minutes, by default. To change this interval, modify the Checks reminder interval and timeout of attestation cases schedule.

    The working hours of the respective approver are taken into account when the time is calculated.

    NOTE: Ensure that a state, county, or both is entered into the employee's main data of determining the correct working hours. If this information is missing, a fallback is used to calculate the working hours. For more information about calculating employees' working hours, see the One Identity Manager Identity Management Base Module Administration Guide.

    TIP: Weekends and public holidays are taken into account when working hours are calculated. If you want weekends and public holidays to be dealt with in the same way as working days, set the QBM | WorkingHours | IgnoreHoliday or QBM | WorkingHours | IgnoreWeekend configuration parameter. For more information about this, see the One Identity Manager Configuration Guide.

    If more than one approver was found, then an approval decision for the approval step is not automatically made until the timeout for all approvers has been exceeded. The same applies if an additional approver has been assigned.

    If an approver delegated approval, the time point for automatic approval is recalculated for the new approver. If this approval is rejected, the time point for automatic approval is recalculated for the original approver.

    If an approver is queried, the approval decision must be made within the defined timeout anyway. The time point for automatic approval is not recalculated.

    If additional approvers are determined by recalculating the current approvers, then the automatic approval deadline is not extended. The additional approvers must approve within the time frame that applies to the current approver.

    Timeout behavior

    Action that is run if the timeout expires.

    • Escalation: The attestation case is escalated. The escalation approval level is called.

  5. (Optional) If the approval step still needs to be escalated but no attestor be found and no fallback approver is assigned, set the Escalate if no approver found option.

    In this case, the attestation case is escalated instead of being canceled or passed to the chief approval team.

In the event of an escalation, email notifications can be sent to the new approvers and other employees.

Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating