Using peer group analysis, approval for attestation cases can be granted or denied automatically. For example, a peer group might be all employees in the same department. Peer group analysis assumes that these employees require the same system entitlements. For example, if the majority of employees belonging to a department have a system entitlement, assignment to another employee in the department can be carried out automatically. This helps to accelerate approval processes.
Peer group analysis can be used during attestation of the following memberships:
- Assignment of system entitlements to user account (UNSAccountInUNSGroup table)
- Secondary memberships in business role (PersonInOrg table)
Peer groups contain all employees with the same manager or belonging to the same primary or secondary department as the employee linked to the attestation object (= employee to be attested). Configuration parameters specify which employee belong to the peer group. At least one of the following configuration parameters must be set.
QER | Attestation | PeerGroupAnalysis | IncludeManager: Employees with the same manager as the employee being attested
QER | Attestation | PeerGroupAnalysis | IncludePrimaryDepartment: Employees who belong to the same primary department as the employee being attested
QER | Attestation | PeerGroupAnalysis | IncludeSecondaryDepartment: Employees whose secondary department corresponds to the primary or secondary department of the employee being attested
The number of employees in a peer group that must already own the membership to be attested is set by a threshold in the QER | Attestation | PeerGroupAnalysis | ApprovalThreshold configuration parameter. The threshold specifies the ratio of the total number of employees in the peer group to the number of employees in the peer group who already own this membership.
You can also specify that employees are not permitted to own cross-functional memberships, which means, if the membership and the employee being attested belong to different functional areas, the attestation case should be denied approval. To include this check in peer group analysis, set the QER | Attestation | PeerGroupAnalysis | CheckCrossfunctionalAssignment configuration parameter.
Whether a membership is cross-functional or not can only be tested if the following conditions are fulfilled.
The employee being attested and the member of the peer group requested the membership in the IT Shop.
The employee being attested is assigned a primary department and this department is assigned a function area.
The service item that the membership is assigned to, is assigned a functional area.
Attestation cases are automatically approved for fully configured peer group analysis, if both:
The membership being attested is not cross-functional
The number of employees in the peer group who already own this membership equal or exceeds the given threshold
If this is not the case, attestation cases are automatically denied.
To use this functionality, One Identity Manager provides the QER_PersonWantsOrg_Peer group analysis process and the PeergroupAnalysis event. The process is run using an approval step with the EX approval procedure.