
Identity Manager 9.3 - Attestation Administration Guide


Default approval workflows

One Identity Manager provides a default approval workflow for default attestation of new users and recertification of all identities stored in the One Identity Manager database. Moreover, default approval workflows are supplied through which different roles and system entitlements mapped in the Unified Namespace can be attested. You can use default approval policies for creating attestation policies in the Web Portal.

To edit default approval workflows

  • In the Manager, select the Attestation > Basic configuration data > Approval workflows > Predefined category.

For more information about using default approval workflows, see the One Identity Manager Web Portal User Guide.


Selecting attestors

One Identity Manager can make approvals automatically in an attestation procedure or through attestors. An attestor is an identity or a group of identities who can grant or deny an attestation case within an attestation procedure. Several approval procedures are available for granting or denying approval. You specify in the approval step which approval procedure should be used.

If an approval procedure determines several people to be approvers, the number given in the approval step specifies how many of them must approve the step. Only then can the request be passed to the next level. The attestation procedure is canceled if no approver can be found for an approval step.

One Identity Manager provides approval procedures by default. You can also define your own approval procedures.

The DBQueue Processor calculates which identity is authorized as an approver and in which approval level. Take into account the special cases for each approval procedure when setting up the approval workflows to determine those authorized to grant approval.


Default approval procedures

Default approval procedures are provided to help with selecting which attestors are responsible. You can use these to set up your own approval workflows.

To display default approval procedures

  • In the Manager, select the Attestation > Basic configuration data > Approval procedures > Predefined category.

For more information about default approval procedures for attestation, see:


Determining attestors via attestation objects

An Attestors application role can be assigned to different objects in One Identity Manager. Different approval procedures can be used to identify members of this application role as attestors when these objects are attested.

For the AT and AA approval procedures the following also applies:

Attestors of the parent roles/IT Shop structures are determined if

  • the role or IT Shop structure is not directly assigned an attestor

  • the assigned application role has no members.

If still no attestor can be determined, the attestation case is presented to the attestors of the associated role class for approval.

Attestors of child business roles are determined if

  • the attestation object is a business role or the assignment to a business role and

  • the associated role class inheritance is bottom-up and

  • the business role is not directly assigned an attestor or

  • the assigned application role has no members.
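The fallback order described above, modeled as an added Python example (not One Identity Manager code) that also lists roles for which no attestor resolves, the case in which the attestation procedure is canceled. All role, application role and identity names are constructed. The model assumes that the bottom-up case searches child roles instead of parents, that the nearest level with members wins, and that the role class fallback applies in both cases.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Role:
    name: str
    role_class: str
    parent: Optional[str] = None         # parent role or IT Shop structure
    attestor_role: Optional[str] = None  # assigned Attestors application role

# Constructed sample data (hypothetical names, not product defaults).
ROLES = {r.name: r for r in [
    Role("Org", "department", attestor_role="AR-Org"),
    Role("Sales", "department", parent="Org", attestor_role="AR-Empty"),
    Role("Sales-EU", "department", parent="Sales"),
    Role("Lab", "department"),
    Role("Finance", "cost-center"),
    Role("BR-Top", "business-role"),
    Role("BR-Leaf", "business-role", parent="BR-Top", attestor_role="AR-Leaf"),
]}
MEMBERS = {"AR-Org": {"alice"}, "AR-Empty": set(), "AR-Leaf": {"bob"}}
CLASS_ATTESTORS = {"department": {"carol"}}   # attestors of the role class
BOTTOM_UP = {"business-role"}                 # classes with bottom-up inheritance

def direct(role):
    """Members of the role's Attestors application role; empty if unassigned."""
    return set(MEMBERS.get(role.attestor_role, ()))

def neighbours(names, bottom_up):
    """Next level to search: child roles if bottom-up, otherwise parents."""
    if bottom_up:
        return {r.name for r in ROLES.values() if r.parent in names}
    return {ROLES[n].parent for n in names if ROLES[n].parent}

def resolve_attestors(name):
    role, seen, level = ROLES[name], {name}, {name}
    found = direct(role)
    while not found and level:
        level = neighbours(level, role.role_class in BOTTOM_UP) - seen
        seen |= level                         # guards against cyclic hierarchies
        for n in level:
            found |= direct(ROLES[n])
    # Last resort: attestors of the role class; empty means no approver found.
    return found or set(CLASS_ATTESTORS.get(role.role_class, ()))

def unattestable():
    """Roles with no resolvable attestor, so the procedure would be canceled."""
    return sorted(n for n in ROLES if not resolve_attestors(n))
```
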
