Identity Manager 9.1 - Attestation Administration Guide


Using additional Active Directory group owners to find attestors

Installed modules: Active Roles Module

If an Active Directory group is attested, the attestor can be determined through the additional owners of this Active Directory group. Use the PA approval procedure for this purpose. This finds all employees who are:

  • A member of the assigned Active Directory group through their Active Directory user account

  • Linked to the assigned Active Directory user account

NOTE: Only use the PA approval procedure if the TargetSystem | ADS | ARS_SSM configuration parameter is enabled. The Additional owners column is only available in this case.

Using owners of the attestation objects to find attestors

When you assign new owners to devices or system entitlements in the Web Portal, the new owner should agree with this assignment. An attestation with the PO approval procedure is carried out for this purpose.

Using employees assigned to user accounts to find attestors

If you want to allow user accounts to be attested by the employees assigned to them, use the EA approval procedure. This approval procedure can be used if the Target System Base Module is installed.

Determining attested employee as attestor

An employee can attest to the correctness of their own main data to confirm that it has been entered correctly, for example. Use the CS approval procedure to do this. Employees are the base object for attestation. The approval procedure is used by default to assign managers to employees who do not have a manager assigned to them (Attestation of initial manager assignment attestation policy).

When user accounts, memberships in roles and organizations, or memberships in system entitlements are attested, the CN decision procedure determines whether the employee to whom these objects are assigned can be an attestor. The CN approval procedure is used to challenge denied attestations. For example, affected employees can prevent necessary entitlements from being removed. For more information, see Setting up the challenge phase.
