Chat now with support
Chat with Support

Identity Manager 9.1 - Attestation Administration Guide

Attestation and recertification
One Identity Manager users for attestation Attestation base data Attestation types Attestation procedure Attestation schedules Compliance frameworks Chief approval team Attestation policy owners Standard reasons for attestation Attestation policies Sample attestation Grouping attestation policies Custom mail templates for notifications Suspending attestation
Approval processes for attestation cases
Approval policies for attestations Approval workflow for attestations Selecting attestors Setting up multi-factor authentication for attestation Prevent attestation by employee awaiting attestation Phases of attestation Attestation by peer group analysis Managing attestation cases
Attestation sequence Default attestation and withdrawal of entitlements User attestation and recertification Certifying new roles and organizations Mitigating controls Setting up attestation in a separate database Configuration parameters for attestation

Attestation by peer group analysis

Using peer group analysis, approval for attestation cases can be granted or denied automatically. For example, a peer group might be all employees in the same department. Peer group analysis assumes that these employees require the same system entitlements. For example, if the majority of employees belonging to a department have a system entitlement, assignment to another employee in the department can be carried out automatically. This helps to accelerate approval processes.

Peer group analysis can be used during attestation of the following memberships:

  • Assignment of system entitlements to user account (UNSAccountInUNSGroup table)
  • Secondary memberships in business role (PersonInOrg table)

Peer groups contain all employees with the same manager or belonging to the same primary or secondary department as the employee linked to the attestation object (= employee to be attested). Configuration parameters specify which employee belong to the peer group. At least one of the following configuration parameters must be set.

  • QER | Attestation | PeerGroupAnalysis | IncludeManager: Employees with the same manager as the employee being attested

  • QER | Attestation | PeerGroupAnalysis | IncludePrimaryDepartment: Employees who belong to the same primary department as the employee being attested

  • QER | Attestation | PeerGroupAnalysis | IncludeSecondaryDepartment: Employees whose secondary department corresponds to the primary or secondary department of the employee being attested

The number of employees in a peer group that must already own the membership to be attested is set by a threshold in the QER | Attestation | PeerGroupAnalysis | ApprovalThreshold configuration parameter. The threshold specifies the ratio of the total number of employees in the peer group to the number of employees in the peer group who already own this membership.

You can also specify that employees are not permitted to own cross-functional memberships, which means, if the membership and the employee being attested belong to different functional areas, the attestation case should be denied approval. To include this check in peer group analysis, set the QER | Attestation | PeerGroupAnalysis | CheckCrossfunctionalAssignment configuration parameter.

Whether a membership is cross-functional or not can only be tested if the following conditions are fulfilled.

  • The employee being attested and the member of the peer group requested the membership in the IT Shop.

  • The employee being attested is assigned a primary department and this department is assigned a function area.

  • The service item that the membership is assigned to, is assigned a functional area.

Attestation cases are automatically approved for fully configured peer group analysis, if both:

  • The membership being attested is not cross-functional

  • The number of employees in the peer group who already own this membership equal or exceeds the given threshold

If this is not the case, attestation cases are automatically denied.

To use this functionality, One Identity Manager provides the QER_PersonWantsOrg_Peer group analysis process and the PeergroupAnalysis event. The process is run using an approval step with the EX approval procedure.

Detailed information about this topic

Configuring peer group analysis for attestations

To configure peer groups

  1. In the Designer, set the QER | ITShop | PeerGroupAnalysis configuration parameter.

  2. Set at least on of the following subparameters:

    • QER | Attestation | PeerGroupAnalysis | IncludeManager: Employees with the same manager as those with the employee linked to the attestation object

    • QER | Attestation | PeerGroupAnalysis | IncludePrimaryDepartment: Employees who belong to the same primary department as those with the employee linked to the attestation object

    • QER | Attestation | PeerGroupAnalysis | IncludeSecondaryDepartment: Employees whose secondary department corresponds to the primary or secondary department of the employee linked to the attestation object

    Thus, you specify which employees belong to the peer group. You can also set two or all of the configuration parameters.

  3. To specify a threshold for the peer group, set the QER | Attestation | PeerGroupAnalysis | ApprovalThreshold configuration parameter and specify a value between 0 and 1.

    The default value is 0.9. That means, at least 90 percent of the peer group members must already have the membership to be attested in order for the attestation case to be approved.

  4. (Optional) To check whether the membership to be attested is cross-functional, enable the QER | Attestation | PeerGroupAnalysis | CheckCrossfunctionalAssignment configuration parameter.

    • Ensure that the following conditions are met:

      • The employee being attested and the member of the peer group requested the membership in the IT Shop.

      • The employee being attested is assigned a primary department and this department is assigned a function area.

      • The service item that the membership is assigned to, is assigned a functional area.

      Only functional areas that are primary assigned service items are taken into account.

      For more information about editing service items, see the One Identity Manager IT Shop Administration Guide. For more information about functional areas, see the One Identity Manager Identity Management Base Module Administration Guide.

  5. In the Manager, create an approval workflow with at least one approval level. For the approval step, enter at least the following data:

    • Single step: EXWithPeerGroupAnalysis.

    • Approval procedure: EX

    • Event: PeerGroupAnalysis

    The event starts the ATT_AttestationCase_Peer group analysis process, which runs the ATT_PeerGroupAnalysis_for_Attestation script.

    The script runs automatic approval and sets the approval step type to Grant or Deny.

Detailed information about this topic
Related topics

Managing attestation cases

During attestation, you may find it necessary to assign someone else as default attestor responsible for the attestation because, for example, the actual attestor is absent. You may require additional information about an attestation object. One Identity Manager offers different possibilities to intervene in an pending attestation case.

Getting more information

An attestor has the option to gather more information about an attestation case. This ability does not, however, replace the granting or denying approval of an attestation case. There is no additional approval step required in the approval workflow to obtain the information.

Attestors can request information from any employee. The attestation case is put on hold while the query is pending. Once the employee requested has supplied the required information and the attestors have made an decision on the approval step, hold status is revoked. Attestors can recall a pending query at any time. The request is taken off hold. The query and answer are logged in the approval sequence and made available to the attestors.

NOTE: Hold status is revoked if the attestor who asked a question is removed as an approver. The queried employee does not have to answer and the attestation case proceeds.

Email notification to the employees involved can be sent using unanswered inquiries.

For more information about queries, see the One Identity Manager Web Designer Web Portal User Guide.

Detailed information about this topic
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating