Chat now with support
Chat with Support

Identity Manager 9.3 - Attestation Administration Guide

Attestation and recertification
One Identity Manager users for attestation Attestation base data Attestation types Attestation procedure Attestation schedules Compliance frameworks Chief approval team Attestation policy owners Standard reasons for attestation Providing terms of use for attestation Attestation policies Sample attestation Grouping attestation policies Custom mail templates for notifications Suspending attestation Automatic attestation of policy violations
Approval processes for attestation cases
Approval policies for attestations Approval workflow for attestations Selecting attestors Setting up multi-factor authentication for attestation Prevent attestation by identity awaiting attestation Automatic acceptance of attestation approvals Phases of attestation Attestation by peer group analysis Approval recommendations for attestations Managing attestation cases
Attestation sequence Default attestations Mitigating controls for attestation policies Setting up attestation in a separate database Configuration parameters for attestation

Business role attestation

Installed modules: Business Roles Module

If you attest memberships in business roles, you can use the QER | Attestation | AutoRemovalScope | RoleMembership configuration parameter to configure automatic removal of business roles. After attestation approval has been denied, One Identity Manager checks which type of assignment was used for the user account to become a member in the business role.

If membership of the business role is removed after an attestation is denied, all indirect assignments that the identity obtained via this business role are removed.

  • QER | Attestation | AutoRemovalScope | RoleMembership | RemoveDirectRole

    The identity's secondary membership in the business role is removed.

    Membership in dynamic roles is not removed by this.

  • QER | Attestation | AutoRemovalScope | RoleMembership | RemoveRequestedRole

    If the identity requested the business role through the IT Shop, the request is canceled or unsubscribed.

    Set the desired behavior in the QER | Attestation | AutoRemovalScope | PWOMethodName configuration parameter.

  • QER | Attestation | AutoRemovalScope | RoleMembership | RemoveDelegatedRole

    If the business role was delegated to the identity, delegation is canceled or unsubscribed.

    Set the desired behavior in the QER | Attestation | AutoRemovalScope | PWOMethodName configuration parameter.

  • QER | Attestation | AutoRemovalScope | RoleMembership | RemoveDynamicRole

    The identity is excluded from the business role's dynamic role.

    This does not remove memberships in the business role that were created in another way.

Related topics

Configuring sample attestation of identities and their entitlements

The Identity attestation default policy collection combines all default attestation policies to attest identities along with all their entitlements and memberships. The policy collection is assigned to a default sample that you use to specify which identities to attest.

To set up comprehensive attestation of selected identities

  1. Manually assign the identities to be attested to the Individual selection of identities sample.

  2. Create a schedule and assign it to the Identity attestation policy collection. By doing this, you replace the schedule assigned by default.

    • Enable the schedule.
Related topics

User attestation and recertification

Use the One Identity Manager attestation functionality to regularly check and authorize identities' main data and target system entitlements and assignments. In addition, One Identity Manager provides default procedures for managers to quickly attest and certify the main data of newly added One Identity Manager users in the One Identity Manager database. This functionality can be used, for example, if external identities, such as contract workers, are provided with temporary access to One Identity Manager. The sequence is different for internal and external identities.

Regular recertification can be run through scheduled tasks.

In the context of an attestation, a manager can check and update the main data of the user to be certified, if necessary. Use the Web Portal for attestation.

Detailed information about this topic
Related topics

One Identity Manager users for attesting and recertifying users

The following users are used for attesting and recertifying identities.

Table 41: Users

Users

Tasks

Identity administrators

Identity administrators must be assigned to the Identity Management | Identities | Administrators application role.

Users with this application role:

  • Can edit any identity's main data

  • Assign managers to identities.

  • Can assign company resources to identities.

  • Check and authorize identity main data.

  • Create and edit risk index functions.

  • Edit password policies of identities' passwords.

  • Delete identity's security keys (WebAuthn)

  • Can see everyone's requests, attestations, and delegations and edit delegations in the Web Portal.

Manager
  • Check identity main data of the internal user to be certified.
  • Update identity main data as required.
  • Assign another manager if required.
  • Attests the main data.

Attestors for external users

Attestors for external users must be assigned to the Identity & Access Governance | Attestation | Attestors for external users application role.

Users with this application role:

  • Attests new, external identities.

Administrators for attestation cases

Administrators must be assigned to the Identity & Access Governance | Attestation | Administrators application role.

Users with this application role:

  • Modify the attestation policies if necessary.

  • Create more schedules if required.

Web Portal users
  • Log on to the Web Portal and enter their main data,

Self-registered identities

External identities, who have registered themselves in the Web Portal, are assigned to the Base roles | Self-registered identities application role through a dynamic role.

Users with this application role:

  • Specify their password and password questions for logging in to One Identity Manager tools.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating