Chat now with support
Chat with Support

Identity Manager 9.1 - Attestation Administration Guide

Attestation and recertification
One Identity Manager users for attestation Attestation base data Attestation types Attestation procedure Attestation schedules Compliance frameworks Chief approval team Attestation policy owners Standard reasons for attestation Attestation policies Sample attestation Grouping attestation policies Custom mail templates for notifications Suspending attestation
Approval processes for attestation cases
Approval policies for attestations Approval workflow for attestations Selecting attestors Setting up multi-factor authentication for attestation Prevent attestation by employee awaiting attestation Phases of attestation Attestation by peer group analysis Managing attestation cases
Attestation sequence Default attestation and withdrawal of entitlements User attestation and recertification Certifying new roles and organizations Mitigating controls Setting up attestation in a separate database Configuration parameters for attestation

Importing new employee main data

You can request attestation of new employees if the main data is imported from other systems into the One Identity Manager database. To ensure that new employees are automatically attested, you must set the employee’s certification status to New (Person.ApprovalState = '1'). There are two possible ways to do this:

  1. The QER | Attestation | UserApproval | InitialApprovalState configuration parameter is evaluated for certification status. If the configuration parameter has the value 1, certification status is set to New.

    Prerequisite: The import does not alter the Person.ApprovalState property.

    NOTE: The QER | Attestation | UserApproval | InitialApprovalState configuration parameter has the value 0 by default. This gives each new employee the certification status Certified. Automatic attestation is not carried out.

    If you want to attest new employees immediately, change the value of the configuration parameter to 1.

  2. The import sets the Person.ApprovalState property explicitly.
    • The import sets ApprovalState='1' (New).

      The employee is automatically sent to the manager for attestation.

    • The import sets ApprovalState=’0' (Certified).

      Imported employee main data has already been authorized. It should not be attested again.

    • The import sets ApprovalState=’3' (Denied).

      The employee is deactivated permanently and is not attested.

Attestation of new users is triggered when:

  • The QER | Attestation | UserApproval configuration parameter is set

  • New employee main data was imported into the One Identity Manager database

  • The certification status for new employees is set to New

  • No Import data source is stored with the employee.

If the External option is not set for an employee, attestation takes place as described in the Adding new employees using a manager or employee administrator section, step 5.

If the External option is set for the employee, attestation takes place as described in the Self-registration of new users in the Web Portal section, steps 4 to 5.

The New user certification attestation policy is run.

Related topics

Scheduled attestation

Users are also attested when the certification status for an employee is set to New at a later date (manually or through import). The Daily schedule is assigned to the New user certification attestation policy for this purpose. Attestation of new users is started when the time set in the schedule is reached. This process determines all employees with the certification status New and for whom no attestation cases are pending.

You can assign a custom schedule to the attestation policy if required.

Detailed information about this topic

Limiting attestation objects for certification

IMPORTANT: In order to customize the default New user certification attestation policy, you must make changes to One Identity Manager objects. Always use a custom copy of the respective object to make changes.

It may be necessary to limit attestation of new users to a certain group of employees, for example, if only employees in a specific departments should be attested. To do this, you can extend the condition attached to the attestation policy. Create a custom attestation policy for this.

The following objects must be changed so that attestation of new users can be carried out with this attestation policy. Always create a copy of the respective object to do this.

  • New user certification attestation policy
  • VI_Attestation_Person_new_AttestationCase_for_Certification process
  • VI_Attestation_AttestationCase_Person_Approval_Granted process
  • VI_Attestation_AttestationCase_Person_Approval_Dismissed process

IMPORTANT: In order for attestation to run correctly in the Web Portal, the default Certification of users attestation procedure and the default Certification of users approval policy must be assigned to the attestation policy.

The default attestation procedure, the default approval policy, and the default Certification of users approval workflow must not be changed.

To customize default attestation of new users

  1. Copy the Certification of users attestation policy and customize it.

    Table 57: Attestation policy properties

    Property

    Value

    Attestation procedure

    Certification of users.

    Approval policies

    Certification of users.

    Editing conditions

    Copy the default condition without modification so that the correct attestation object is selected.

    To limit the number of attestation objects, you can add additional partial conditions to the database query.

  2. In the Designer, create a copy of the VI_Attestation_Person_new_AttestationCase_for_Certification process from the Person base object and customize the copy.

    Table 58: Process properties with changes

    Process step

    Parameter

    Change

    Create attestation instance

    WhereClause

    Replace the UID of the New user certification attestation policy with the UID of the new attestation policy.

  3. In the Designer, copy the VI_Attestation_AttestationCase_Person_Approval_Granted process of the AttestationCase base object and customize the copy.

    Table 59: Process properties with changes

    Process property

    Change

    Pre-script for generating

    Replace the UID of the New user certification attestation policy with the UID of the new attestation policy.

    Generating condition

  4. In the Designer, copy the VI_Attestation_AttestationCase_Person_Approval_Dismissed process of the AttestationCase base object and customize the copy.

    Table 60: Process properties with changes

    Process property

    Change

    Pre-script for generating

    Replace the UID of the New user certification attestation policy with the UID of the new attestation policy.

    Generating condition

For more information about editing processes, see the One Identity Manager Configuration Guide.

Detailed information about this topic

Recertifying existing users

IMPORTANT: Access to connected target systems may possibly be denied to One Identity Manager users as a result of recertification. You can configure this behavior to meet your company’s requirements. Read the following section thoroughly before you use the recertification function.

One Identity Manager provides an attestation policy for performing cyclical attestation of existing users allowing companies to regularly test and authorize employee main data stored in the One Identity Manager database. Cyclical attestation is triggered through a scheduled task. This resets the certification status for all employees stored in the database. One Identity Manager uses the same procedure for this as for attesting new users. The case is referred to as recertification.

Result of recertification
  • Certified, activated employees who can access all entitlements assigned to them in One Identity Manager and the connected target systems.

    Company resources are inherited. Account definitions are assigned to internal employees.

    - OR -

  • Denied and permanently deactivated employees.

    Disable employees cannot log in to One Identity Manager tools. Company resources are not inherited. Account definitions are not automatically assigned. User accounts associated with the employee are also locked or deleted. You can customize the behavior to meet your requirements.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating