Chat now with support
Chat with Support

Identity Manager 9.1 - Attestation Administration Guide

Attestation and recertification
One Identity Manager users for attestation Attestation base data Attestation types Attestation procedure Attestation schedules Compliance frameworks Chief approval team Attestation policy owners Standard reasons for attestation Attestation policies Sample attestation Grouping attestation policies Custom mail templates for notifications Suspending attestation
Approval processes for attestation cases
Approval policies for attestations Approval workflow for attestations Selecting attestors Setting up multi-factor authentication for attestation Prevent attestation by employee awaiting attestation Phases of attestation Attestation by peer group analysis Managing attestation cases
Attestation sequence Default attestation and withdrawal of entitlements User attestation and recertification Certifying new roles and organizations Mitigating controls Setting up attestation in a separate database Configuration parameters for attestation

Using persons responsible for attestation objects to find attestors

If you want to attest system entitlements and the user accounts assigned to them, use the ED, EM, EN, EO, or SO approval policies. Use the approval procedures AM, MD, or SO to attest user accounts. Attestation objects are user accounts or system entitlements and the user accounts assigned to them as well as system roles that have system entitlements or system roles assigned to them.

You use the KA approval procedure to attest Active Directory groups and group memberships. This approval procedure is only available if the Active Roles Module is present.

The approval procedures determine the following attestors.

 

Attestation base objects

Attestors

Available in Module

AM

User accounts (UNSAccount)

Employee’s department manager to whom the user account is connected.

Target System Base Module

ED

User accounts: system entitlement assignments (UNSAccountInUNSGroup)

Employee’s department manager (and deputy manager) to whom the user account is connected. The primary department assigned in this case.

Target System Base Module

EM

User accounts: system entitlement assignments (UNSAccountInUNSGroup)

Employee’s department manager to whom the user account is connected.

Target System Base Module

EN

User accounts: system entitlement assignments (UNSAccountInUNSGroup)

System entitlements (UNSGroup)

Target system manager of the target system area to which the system entitlement belongs.

Target System Base Module

EO

System roles: assignments (ESetHasEntitlement)

All user account assignments to system entitlements; for example, User accounts: system entitlement assignments (UNSAccountInUNSGroup) or SAP user accounts: assignments to roles (SAPUserInSAPRole)

All system entitlement or system role assignments to roles; for example, Roles and organizations: Active Directory group assignments (BaseTreeHasADSGroup) or Locations: EBS entitlement assignments (LocalityHasEBSResp)

Product owner of the service item to which the system entitlement or system role is assigned.

Target System Base Module or System Roles Module

MD

User accounts (UNSAccount)

Employee’s department manager (and deputy manager) to whom the user account is connected. The primary department assigned in this case.

Target System Base Module

SO

User accounts: system entitlement assignments (UNSAccountInUNSGroup)

User accounts (UNSAccount)

System entitlements: assignments to system entitlements (UNSGroupInUNSGroup)

Target system manager for the target system to which the system entitlement or user account belongs.

Target System Base Module

KA

Active Directory groups (ADSGroup)

Active Directory user Accounts: assignments Group (ADSAccountInADSGroup)

User accounts: system entitlement assignments (UNSAccountInUNSGroup)

System entitlements (UNSGroup)

Product owner and additional owner of the Active Directory Group

If the groups were added automatically to the IT Shop, the account managers are identified as product owners.

The additional owners of the Active Directory groups are determined only if the TargetSystem | ADS | ARS_SSM configuration parameter is enabled.

For more information about these functions, see the One Identity Manager Administration Guide for One Identity Active Roles Integration.

Active Roles Module

Using a specified role to find attestors

If the attestors for any object are specified in a certain role, use the OR or OM approval procedure. You can allow any objects to be attested by employees from any role using these approval procedures. In the approval step, specify the role by means of which the attestors are to be determined. The approval procedures determine the following attestors.

 

Selectable Roles

Attestors

OM

Departments (Department)

Cost centers (ProfitCenter)

Locations (Locality)

Business roles (Org)

Manager and deputy manager of the role specified in the approval step.

OR

Departments (Department)

Cost centers (ProfitCenter)

Locations (Locality)

Business roles (Org)

Application roles (AERole)

All secondary members of the role specified in the approval step.

Using product owners to find attestors

Use the approval procedure OA to detemine whether product owners can be attestors. The following objects can be attested with this procedure:

  • Service items

  • System entitlements

  • System entitlement assignments to user accounts or system entitlements

  • System role assignments to employees

Prerequisites:

  • A service item must be assigned to the system entitlements and system roles.
  • An application role for product owners must be assigned to the service item.

All employees who are assigned this application role are determined as attestors.

Using owners of a privileged object to find attestors

Installed modules: Privileged Account Governance Module

Use the OP approval procedure if you want to allow privileged objects in a Privileged Account Management system, for example, PAM assets or PAM directory accounts, to be attested by their owners. The owners attest the possible user accord to these privileged objects. The owners of the privileged objects must have the Privileged Account Governance | Asset and account owners application role or a child application role.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating