Chat now with support
Chat with Support

We are currently experiencing issues on our phone support and are working diligently to restore services. For support, please sign in and create a case or email supportadmin@quest.com for assistance

Identity Manager 9.2 - Attestation Administration Guide

Attestation and recertification
One Identity Manager users for attestation Attestation base data Attestation types Attestation procedure Attestation schedules Compliance frameworks Chief approval team Attestation policy owners Standard reasons for attestation Attestation policies Sample attestation Grouping attestation policies Custom mail templates for notifications Suspending attestation Automatic attestation of policy violations
Approval processes for attestation cases
Approval policies for attestations Approval workflow for attestations Selecting attestors Setting up multi-factor authentication for attestation Prevent attestation by identity awaiting attestation Automatic acceptance of attestation approvals Phases of attestation Attestation by peer group analysis Approval recommendations for attestations Managing attestation cases
Attestation sequence Default attestations Mitigating controls Setting up attestation in a separate database Configuration parameters for attestation

Assigning attestation policies

Use this task to assign attestation policies to the selected compliance framework.

To assign attestation policies to a compliance framework

  1. In the Manager, select the Attestation > Basic configuration data > Compliance frameworks category.

  2. Select the compliance framework from the result list.
  3. Select the Assign attestation polices task.

    Assign the attestation policies in Add assignments.

    TIP: In the Remove assignments pane, you can remove attestation policy assignments.

    To remove an assignment

    • Select the approval policy and double-click .

  4. Save the changes.

Chief approval team

Sometimes, approval decisions cannot be made for attestation cases because an attestor is not available or does not have access to One Identity Manager tools. To complete these attestations, you can define a chief approval team whose members are authorized to intervene in the approval process at any time.

There is a default application role in One Identity Manager for the chief approval team. Assign this application role to all identities who are authorized to approve, deny, cancel attestations in special cases, or to authorize other attestors. For more information about application roles, see the One Identity Manager Authorization and Authentication Guide.

Table 8: Default application role for chief approval team

User

Tasks

Chief approval team

The chief approver must be assigned to the Identity & Access Governance | Attestation | Chief approval team application role.

Users with this application role:

  • Approve using attestation cases.

  • Assign attestation cases to other attestors.

To add members to the chief approval team

  1. In the Manager, select the Attestation > Basic configuration data > Chief approval team category.

  2. Select the Assign identities task.

    In the Add assignments pane, assign the identities who are authorized to approve all attestations.

    TIP: In the Remove assignments pane, you can remove assigned identities.

    To remove an assignment

    • Select the identity and double-click .

  3. Save the changes.
Detailed information about this topic

Attestation policy owners

Default application roles for attestation policy owners are available in One Identity Manager. These owners are entitled to edit attestation policies. For more information about application roles, see the One Identity Manager Authorization and Authentication Guide.

Table 9: Default application roles for attestation policy owners

User

Tasks

Attestation policy owners

Owners of attestation policies must be assigned to a child application role of the Identity & Access Governance | Attestation | Attestation policy owners application role.

Users with this application role:

  • Are responsible for its content and handle the attestation policies assigned to it.

  • Assign the attestation procedure, approval policy, and calculation schedule.

  • Assign approvers, mitigating controls, and compliance frameworks.

  • Monitor attestation cases and attestation runs.

Direct owners

Direct owners are all identities assigned to an attestation policy as an Owner (UID_PersonOwner column). Members of this application role are determined through a dynamic role.

Owner role

This application role or child application role can be assigned to attestation policies as an Owner (application role) (UID_AERoleOwner column) This allows you to specify groups of identities as owners for attestation policies. Identities are added as members to application roles by direct assignment.

To add members to the owner role

  1. In Manager, select the Attestation > Basic configuration data > Attestation policy owners > Owner role category.

  2. Select the Assign identities task.

    In the Add Assignments pane, assign the identities that are allowed to edit an attestation policy.

    TIP: In the Remove assignments pane, you can remove the assignment of identities.

    To remove an assignment

    • Select the identity and double-click .

  3. Save the changes.

If you want to restrict owners' permissions to individual attestation policies, create child application roles.

To specify an owner role for an attestation policy

  1. Log in to the Manager as an attestation administrator (Identity & Access Governance | Attestation | Administrators application role).

  2. Select the Attestation > Attestation policies category.

  3. Select the attestation policy in the result list.

  4. Select the Change main data task.

  5. In the Owner (application role) menu, select the owner role.

    - OR -

    Click next to the menu to create a new application role.

    1. Enter the application role name and assign the Identity & Access Governance | Attestation | Attestation policy owners | Owner role parent application role.

    2. Click OK to add the new application role.

  6. Save the changes.
  7. Assign identities to this application role who are permitted to edit the attestation policy.

Related topics

Standard reasons for attestation

For attestations, you can specify reasons in the Web Portal that explain the individual approval decisions. You can freely formulate this text. You also have the option to predefine reasons. The attestors can select a suitable text from these standard reasons in the Web Portal and store it with the attestation case.

Standard reasons are displayed in the attestation history.

To create or edit standard reasons

  1. In the Manager, select the Attestation > Basic configuration data > Standard reasons category.

  2. Select a standard reason in the result list and run the Change main data task.

    - OR -

    Click in the result list.

  3. Edit the main data of a standard reason.

  4. Save the changes.

Enter the following properties for the standard reason.

Table 10: General main data of a standard reason

Property

Description

Standard reason

Reason text as displayed in the Web Portal and in the attestation history.

Description

Text field for additional explanation.

Automatic Approval

Specifies whether the reason text is only used for automatic approvals by One Identity Manager. This standard reason cannot be selected by manual approvals in the Web Portal.

Do not set the option if the you want to select the standard reason in the Web Portal.

Additional text required

Specifies whether an additional reason should be entered in free text for the attestation.

Usage type

Usage type of standard reason. Assign one or more usage types to allow filtering of the standard reasons in the Web Portal.

Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating