Chat now with support
Chat with Support

Identity Manager 9.1.3 - Attestation Administration Guide

Attestation and recertification
One Identity Manager users for attestation Attestation base data Attestation types Attestation procedure Attestation schedules Compliance frameworks Chief approval team Attestation policy owners Standard reasons for attestation Attestation policies Sample attestation Grouping attestation policies Custom mail templates for notifications Suspending attestation
Approval processes for attestation cases
Approval policies for attestations Approval workflow for attestations Selecting attestors Setting up multi-factor authentication for attestation Prevent attestation by employee awaiting attestation Phases of attestation Attestation by peer group analysis Managing attestation cases
Attestation sequence Default attestation and withdrawal of entitlements User attestation and recertification Certifying new roles and organizations Mitigating controls Setting up attestation in a separate database Configuration parameters for attestation

Default approval workflows

One Identity Manager provides a default approval workflow for default attestation of new users and recertification of all employees stored in the One Identity Manager database. Moreover, default approval workflows are supplied through which different roles and system entitlements mapped in the Unified Namespace can be attested. You can use default approval policies for creating attestation policies in the Web Portal.

To edit default approval workflows

  • In the Manager, select the Attestation > Basic configuration data > Approval workflows > Predefined category.

For more information about using default approval workflows, see the One Identity Manager Web Designer Web Portal User Guide.

Related topics

Selecting attestors

One Identity Manager can make approvals automatically in an attestation procedure or through attestors. An attestor is an employee or a group of employees who can grant or deny an attestation case within an attestation procedure. It takes several approval procedures to grant or deny approval. You specify in the approval step which approval procedure should be used.

If several people are determined to be approvers by an approval procedure, the number given in the approval step specifies how many people must approve the step. A request can only be passed up to next level afterwards. The attestation procedure is canceled if an approver cannot be found for an approval step.

One Identity Manager provides approval procedures by default. You can also define your own approval procedures.

The DBQueue Processor calculates which employee is authorized as an approver and in which approval level. Take into account the special cases for each approval procedure when setting up the approval workflows to determine those authorized to grant approval.

Default approval procedures

To display default approval procedures

  • Select the Attestation > Basic configuration data > Approval procedures > Predefined category.

The following approval procedures are defined to select the responsible attestors, by default.

Table 28: Approval procedures for attestation

Procedure Name

Attestors

AA - Attestor for the role to attest

Attestor of the organization (department, cost center, location), business role, or IT Shop if assignments of system entitlements or system roles to roles are attested.

  • Attestors for departments, cost centers and locations must be assigned to the Identity Management | Organizations | Attestors application role.
  • Attestors for business roles must be assigned to the Identity Management | Business roles | Attestors application role.
  • Attestors for requests must be assigned to the Request & Fulfillment | IT Shop | Attestors application role.

For more information, see Using attestation objects to find attestors.

AD - Attestor of recipient's department

Attestor of the department to which the attestation object is primarily assigned.

  • Attestors for departments must be assigned to the Identity Management | Organizations | Attestors application role.

For more information, see Using roles of employees to be attested to find attestors.

AL - Attestor for recipient‘s location

Attestor of the location to which the attestation object is primarily assigned.

  • Attestors for locations must be assigned to the Identity Management | Organizations | Attestors application role.

For more information, see Using roles of employees to be attested to find attestors.

AM - Manager of account's person

Manager of the employee connected to the user account that is to be attested

For more information, see Using persons responsible for attestation objects to find attestors.

AN - Attestor for the system entitlement to attest

Attestor of the system entitlement or system role if assignments of system entitlements or system roles to roles are attested. Attestors are determined through the assigned service item.

  • Attestors must be assigned to the Request & Fulfillment | IT Shop | Attestors application role.

For more information, see Using attestation objects to find attestors.

AO - Attestor for recipient's primary role

Attestor of the business role to which the attestation object is primarily assigned.

Attestors for business roles must be assigned to the Identity Management | Business roles | Attestors application role.

For more information, see Using roles of employees to be attested to find attestors.

AP - Attestor for recipient's cost center

Attestor of the cost center to which the attestation object is primarily assigned.

  • Attestors for cost centers must be assigned to the Identity Management | Organizations | Attestors application role.

For more information, see Using roles of employees to be attested to find attestors.

AR - Attestor for attestation compliance rule

Attestor for the compliance rule to be attested.

  • Attestors must be assigned to the Identity & Access Governance | Identity Audit | Attestors application role.

For more information, see Using attestation objects to find attestors.

AS - Approver for attestation policy

All employees assigned to the attestation policy as approver.

For more information, see Using attestation policies to find attestors.

AT - Attestor for the organization to be attested

Attestor of the organization (department, cost center, location), business role, or IT Shop to be attested.

  • Attestors for departments, cost centers and locations must be assigned to the Identity Management | Organizations | Attestors application role.
  • Attestors for business roles must be assigned to the Identity Management | Business roles | Attestors application role.
  • Attestors for requests must be assigned to the Request & Fulfillment | IT Shop | Attestors application role.

For more information, see Using attestation objects to find attestors.

AY - Attestor for the company policy to be attested

Attestor of the company policy to be attested.

  • Attestors must be assigned to the Identity & Access Governance | Company policies | Attestors application role.

For more information, see Using attestation objects to find attestors.

CD - Calculated approval

-

For more information, see Calculated approval.

CM - Manager of the attested employee

Manager of the employee to be attested.

For more information, see Using attestation object managers to find attestors.

CN - Challenge the approval decision

Employee to be attested.

For more information, see Determining attested employee as attestor.

CS - Employee themselves

Employee to be attested, attests themselves.

For more information, see Determining attested employee as attestor.

DM - Manager of recipient's department

Department manager/deputy if employees of secondary memberships are attested in departments.

For more information, see Using attestation object managers to find attestors.

AE - Employee assigned to account

Employee assigned to the user account to be attested.

For more information, see Using employees assigned to user accounts to find attestors.

ED - Department manager for system entitlement attestation

Employee’s department manager whose system entitlements are to be attested.

For more information, see Using persons responsible for attestation objects to find attestors.

EM - Employee manager for system entitlement attestation

Employee’s manager whose system entitlements are to be attested.

For more information, see Using persons responsible for attestation objects to find attestors.

EN - Target system manager of the system entitlement to attest

Target system manager of the system entitlements to be attested.

For more information, see Using persons responsible for attestation objects to find attestors.

EO - Product owner of the system entitlement to be attested

Product owner whose system entitlements or system roles are to be attested.

For more information, see Using persons responsible for attestation objects to find attestors.

EX - Approvals to be made externally

-

For more information, see Approvals to be made externally.

KA - Product owner and additional owner of the Active Directory Group

Product owner and additional owner of the Active Directory group, if Active Directory groups or group memberships are attested.

For more information, see Using persons responsible for attestation objects to find attestors.

LM - Manager of recipient's location

Location manager/deputy if employees of secondary memberships are attested in locations.

For more information, see Using attestation object managers to find attestors.

MD - Department manager of account's person

Manager of the main department of the employee who is connected to the user account to be attested

For more information, see Using persons responsible for attestation objects to find attestors.

MO - Role owner

Business role manager/deputy if employees of secondary memberships are attested in roles.

For more information, see Using attestation object managers to find attestors.

OA - product owner

All members of the assigned application role if service items, system entitlements or system roles are attested.

For more information, see Using product owners to find attestors.

OM - Manager of a specific role

Manager of the role selected in the approval workflow.

For more information, see Using a specified role to find attestors.

OP - Owner of a privileged object

All employees that can be determined as owners of the privileged request.

For more information, see Using owners of a privileged object to find attestors.

OR - Members of a certain role

All employees that are assigned to a secondary business role.

For more information, see Using a specified role to find attestors.

OT - Attestor of assigned service item

Attestor of the service item assigned to the object to be attested.

  • Attestors must be assigned to the Request & Fulfillment | IT Shop | Attestors application role.

For more information, see Determining attestors using the attestation objects' service item.

PA - Secondary owner of Active Directory group

All employees to be found through the additional owner of the requested Active Directory group.

For more information, see Using additional Active Directory group owners to find attestors.

PM - Manager of recipient's cost center

Cost center manager/deputy if secondary memberships in cost centers are attested.

For more information, see Using attestation object managers to find attestors.

PO - Proposed owner

Proposed owner of the attestation object

For more information, see Using owners of the attestation objects to find attestors.

PW - Owner of the attestation policy

Owner of the attestation policy to run.

For more information, see Determining attestation policy owners.

RE - Manager of system roles to be attested

System role manager to be attested.

For more information, see Using attestation object managers to find attestors.

RM - Role manager for attesting memberships

Manager of role to be attested if secondary memberships in roles are attested.

For more information, see Using attestation object managers to find attestors.

RR - Role manager for attesting roles and role assignments

Manager of role to be attested.

For more information, see Using attestation object managers to find attestors.

SO - Target system manager of the entitlement to attest

Target system manager of system entitlement or user account to be attested.

For more information, see Using persons responsible for attestation objects to find attestors.

WC - Waiting for further approval

-

For more information, see Waiting for further approval.

XM - Manager of the employee for all attestations

Manager of the employee who can be determined with the attestation object.

For more information, see Using attestation object managers to find attestors.

Using attestation policies to find attestors

Use the AS approval procedure if you want to fix attestors for any object to an attestation policy. This approval procedure finds all employees that are assigned to the attestation procedure as approvers.

Use this procedure to allow any objects to be attested by any of the specified employees. These employees must be assigned to the attestation policy as approvers. The attestor can also be entered when you create attestation policies in the Web Portal. For more information, see the One Identity Manager Web Designer Web Portal User Guide.

Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating