
Identity Manager 9.2 - Attestation Administration Guide


Attestation and recertification

Managers or others responsible for compliance can use the One Identity Manager attestation feature to certify the correctness of entitlements, requests, or exception approvals, either on a schedule or on demand. Recertification is the term generally used to describe regular certification of entitlements. One Identity Manager uses the same workflows for recertification and attestation.

There are attestation policies defined in One Identity Manager for carrying out attestations. Attestation policies specify which objects are attested when, how often, and by whom. Once an attestation is performed, One Identity Manager creates attestation cases that contain all the necessary information about the attestation objects and the attestor responsible. The attestor checks the attestation objects. They verify the correctness of the data and initiate any changes that need to be made if the data conflicts with internal rules.

Attestation cases record the entire attestation sequence. Each attestation step in the attestation case can be reconstructed in an audit-proof manner. Attestations are run regularly using scheduled tasks. You can also trigger single attestations manually.

Attestation is complete when the attestation case has been granted or denied approval. You specify how to deal with granted or denied attestations on a company basis.

TIP: One Identity Manager provides various default attestation procedures for different data situations and default attestation procedures. If you use these default attestation procedures, you can configure how you deal with denied attestations.

For more information, see Configuring withdrawal of entitlements.

To use attestation functionality

  • In the Designer, set the QER | Attestation configuration parameter.

If you disable the configuration parameter at a later date, model components and scripts that are no longer required are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.

One Identity Manager users for attestation

The following users are used for attestation.

Table 1: Users
User Tasks
Administrators for attestation cases

Administrators are assigned to the Identity & Access Governance | Attestation | Administrators application role.

Users with this application role:

  • Define attestation procedures and attestation policies.

  • Create approval policies and approval workflows.

  • Specify which approval procedure to use to find attestors.

  • Set up attestation case notifications.

  • Configure attestation schedules.

  • Enter mitigating controls.

  • Create and edit risk index functions.

  • Monitor attestation cases.

  • Manage application roles for attestation policy owners.

  • Maintain members of the chief approval team.

One Identity Manager administrators

One Identity Manager administrator and administrative system users. Administrative system users are not added to application roles.

One Identity Manager administrators:

  • Create customized permissions groups for application roles for role-based login to administration tools in the Designer as required.

  • Create system users and permissions groups for non role-based login to administration tools in the Designer as required.

  • Enable or disable additional configuration parameters in the Designer as required.

  • Create custom processes in the Designer as required.

  • Create and configure schedules as required.

Attestation policy owners

Owners of attestation policies must be assigned to a child application role of the Identity & Access Governance | Attestation | Attestation policy owners application role.

Users with this application role:

  • Are responsible for its content and handle the attestation policies assigned to it.

  • Assign the attestation procedure, approval policy, and calculation schedule.

  • Assign approvers, mitigating controls, and compliance frameworks.

  • Monitor attestation cases and attestation runs.

Attestors
  • Check attestation objects in the Web Portal.
  • Confirm data correctness.
  • Initiate changes if data conflicts with internal rules.

Attestors in charge are determined through approval procedures.

Compliance and security officer

Compliance and security officers must be assigned to the Identity & Access Governance | Compliance & Security Officer application role.

Users with this application role:

  • View all compliance relevant information and other analysis in the Web Portal. This includes attestation policies, company policies and policy violations, compliance rules, and rule violations and risk index functions.

  • Edit attestation policies.

Auditors

Auditors are assigned to the Identity & Access Governance | Auditors application role.

Users with this application role:

  • See all the relevant data for an audit in the Web Portal.

Chief approval team

The chief approver must be assigned to the Identity & Access Governance | Attestation | Chief approval team application role.

Users with this application role:

  • Approve using attestation cases.

  • Assign attestation cases to other attestors.

Attestation base data

The attestation framework and the objects to be attested are specified in the attestation policy. You require certain base data to define attestation policies.

  • Attestation types: see Attestation types
  • Approval policies: see Approval policies for attestations
  • Approval workflows: see Approval workflow for attestations
  • Approval procedures: see Setting up approval procedures
  • Attestation procedures: see Attestation procedure
  • Schedules: see Attestation schedules
  • Compliance frameworks: see Compliance frameworks
  • Mail templates: see Custom mail templates for notifications
  • Chief approval team: see Chief approval team
  • Standard reasons: see Standard reasons for attestation
  • Adaptive cards: see Creating, editing, and deleting adaptive cards for attestations

Attestation types

Attestation types are used to group attestation procedures. These make it easier to assign a matching attestation procedure to the attestation policies.

To edit attestation types

  1. Select the Attestation > Basic configuration data > Attestation types category.

  2. Select an attestation type in the result list and run the Change main data task.

    – OR –

    Click in the result list.

  3. Edit the attestation type main data.

  4. Save the changes.