Chat now with support
Chat with Support

Identity Manager 9.1 - Attestation Administration Guide

Attestation and recertification
One Identity Manager users for attestation Attestation base data Attestation types Attestation procedure Attestation schedules Compliance frameworks Chief approval team Attestation policy owners Standard reasons for attestation Attestation policies Sample attestation Grouping attestation policies Custom mail templates for notifications Suspending attestation
Approval processes for attestation cases
Approval policies for attestations Approval workflow for attestations Selecting attestors Setting up multi-factor authentication for attestation Prevent attestation by employee awaiting attestation Phases of attestation Attestation by peer group analysis Managing attestation cases
Attestation sequence Default attestation and withdrawal of entitlements User attestation and recertification Certifying new roles and organizations Mitigating controls Setting up attestation in a separate database Configuration parameters for attestation

Setting up the staging phase

For a staging phase, an approval level is inserted at the beginning of the approval workflow, in which the owners of the attestation policy are identified as approvers. All attestation cases in an attestation run are thus submitted to a single employee (AttestationPolicy.UID_PersonOwner) or a group of employees (AttestationPolicy.UID_AERoleOwner) for review.

For example, a staging phase can be set up when the attestation policy or its components (attestation procedures, approval workflow, and so on) have been newly created and need to be tested to see if they deliver the expected results.

To set up a staging phase

  1. In the Manager, create a new approval workflow or edit an existing approval workflow.

  2. Add a new approval level at the beginning of the workflow and enter the approval step properties.

    • Approval procedure: PW - owner of the attestation policy.

  3. Drag the Approval connector from the decision level for testing to the next decision level.

  4. Save the changes.
  5. Assign an approval policy to the approval workflow.

  6. Assign an attestation policy to the approval policy.

  7. Assign a single owner or an application role as owner to the attestation policy.

  8. Edit the main data of the attestation procedure assigned to the attestation policy.

    • On the Template tab, in the Text template field, enter a text to describe the reviewers' and attestors' task.

      Example:

      For reviewer: Does the attestation case contain the correct data for the attestation object and will the correct attestors be identified?
      For attestors: Is the attestation object data correct and up-to-date?
  9. Save the changes.

This workflow configuration starts the attestation phase once the attestation policy owners has approved staging. If the approval step is denied, attestation for the current attestation case is finally denied and the necessary corrections can be made.

Detailed information about this topic
Related topics

Criteria for the Staging phase

In the staging phase, at the beginning of each attestation run of the attestation policy, the generated attestation cases are checked for correctness. Staging criteria can be:

  • Attestation scope

    Will too many or too few attestation cases be created?

    -> Does the condition of the attestation policy need to be worded differently?

  • Attestation sequence

    Will the correct attestors be identified in the correct order?

    -> Must the application workflow be changed?

  • Details of the attestation objects that the attestors see

    • Is too much or too little detailed information displayed?

      -> Does the report on attestation procedure or the content of the snapshot need to be changed?

    • Is incorrect information shown?

      -> Must the attestation object's main data need to be corrected?

If errors are found only in individual attestation cases, you can deny these attestations and make the necessary corrections to the attestation objects. All other attestation cases can be approved and continue down the approval process.

If fundamental issues are found with the attestation policy, the attestation procedure, or the approval workflow used, you can flag all pending attestation procedures, deny them all together, and then make the necessary corrections.

Related topics

Setting up the challenge phase

If an attestation is finally denied, the employees affected can be given the opportunity to challenge this decision. The challenge may be particularly useful if entitlements are to be automatically withdrawn following denied attestations. Those affected can prevent this in the final instance.

To set up the challenge phase

  1. In the Manager, edit an approval workflow and add a new approval level at the end of the workflow.

  2. Enter the approval step properties.

    • Approval procedure: CN - Challenge the decision

    If the workflow includes an approval level for automatically withdrawing attested entitlements , the challenge approval level must be inserted directly before it.

  3. Drag the Deny connector from the previous approval level to the challenge approval level.

  4. (Optional) Drag the Deny connector from the challenge approval level to the approval level for automatically withdrawing entitlements .

  5. Save the changes.
  6. Assign an approval policy to the approval workflow.

  7. Assign an attestation policy to the approval policy.

    It is possible to challenge if attesting user accounts, memberships in roles and organizations, or memberships in system entitlements.

  8. Edit the main data of the attestation procedure assigned to the attestation policy.

    • On the Template tab, in the Text template field, enter a text to describe the attestors task.

      Example:

      For attestors: Is the attestation object data correct and up-to-date?
      For affected: Challenge the deny decision?
      - Yes: Approval granted
      - No: Approval denied
  9. Save the changes.

This workflow configuration finally approves an attestation if the challenge step is approved, meaning denial is successfully challenged. The attestation is finally denied if the challenge step is denied, meaning the attestors' approval decision is accepted. If automatic withdrawal of entitlements is configured, the attested assignment is then automatically removed.

Detailed information about this topic
Related topics

Setting up withdrawal of entitlements

If an attestation is denied in the end, the denied entitlements can be removed immediately. To do this, an automatic approval step with external approval is added to the end of the approval workflow.

To setup automatic withdrawal of entitlements

  1. In the Manager, edit an approval workflow and add a new approval level at the end of the workflow.

  2. Enter the approval step properties.

    • Approval procedure: EX - Approvals to be made externally

    • Event: AUTOREMOVE

  3. Drag the Deny connector from the previous approval level to the approval level for automatically withdrawing entitlements.

  4. Save the changes.
  5. Assign an approval policy to the approval workflow.

  6. Assign an attestation policy to the approval policy.

    Automatic withdrawal of entitlements is possible if attesting memberships or assignments to application roles, business role, system roles, or system entitlements.

  7. Save the changes.
  1. In the Designer, set the QER | Attestation | AutoRemovalScope configuration parameter and the configuration subparameters.

  2. If the entitlements were obtained through IT Shop, specify whether these requests should be unsubscribed or canceled. To do this, set the QER | Attestation | AutoRemovalScope | PWOMethodName configuration parameter and select a value.

    • Abort: Requests are canceled. In this case, they do not go through a cancellation workflow. The requested entitlements are withdrawn without additional checks.

    • Unsubscribe: Requests are unsubscribed. They go through the cancellation workflow defined in the approval policies. Withdrawal of the entitlement can thus be subjected to an additional check.

      If the cancellation is denied, the entitlement is not withdrawn even though the attestation has been denied.

    If the configuration parameter is not set, the requests are canceled.

Detailed information about this topic
Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating