立即与支持人员聊天

获得即时帮助
完成注册

登录

请求定价

联系销售人员

Identity Manager 8.2.1 - Attestation Administration Guide

Attestation and recertification

One Identity Manager users for attestation Attestation base data

Attestation types

Default attestation types Additional tasks for attestation types

Overview of the attestation type Assigning attestation procedures

Attestation procedure

General main data of an attestation procedure Defining reports for attestation Default attestation procedures Additional tasks for attestation procedures

Overview of the attestation procedure Assigning approval policies Creating a copy

Attestation schedules

Default schedules Additional tasks for schedules

Schedule overview Assigning attestation policies Starting schedules immediately

Compliance frameworks

Additional tasks for compliance frameworks

Compliance framework overview Assigning attestation policies

Chief approval team Attestation policy owners Standard reasons for attestation

Predefined standard reasons for attestations

Attestation policies

General main data of attestation policies Specifying risk indexes for attestation guidelines Default attestation policies Additional tasks for attestation policies

The attestation policy overview Assigning approvers to attestation policies Assigning compliance frameworks to attestation policies Mitigating controls

Assigning mitigating controls Creating mitigating controls

Running attestation for single objects Showing or hiding conditions Copy attestation policies Showing selected objects Deleting attestation policies

Disabling attestation policies Reports about attestations

Sample attestation

Creating, editing, deleting samples General main data of samples Managing sample data Generating sample data automatically Using samples with attestation policies Displaying the sample overview Default sample for attesting memberships in system entitlements

Custom mail templates for notifications

Creating and editing attestation mail templates General properties of a mail template Creating and editing a mail definition

Using base object properties Use of hyperlinks in the Web Portal

Default functions for creating hyperlinks

Customizing email signatures

Copying mail templates for attestation Displaying attestation mail templates previews Deleting mail templates for attestation Custom notification processes

Suspending attestation

Approval processes for attestation cases

Approval policies for attestations

General main data of approval policies Default approval policies Additional tasks for approval policies

Editing approval workflows Validity checking

Approval workflow for attestations

Working with the workflow editor Setting up approval workflows

Editing approval levels Editing approval steps Properties of an approval step Connecting approval levels

Additional tasks for approval workflows

The approval workflow overview Copying approval workflows

Deleting approval workflows Default approval workflows

Selecting attestors

Default approval procedures

Using attestation policies to find attestors Using roles of employees to be attested to find attestors Using attestation objects to find attestors Determining attestors using the attestation objects' service item Using attestation object managers to find attestors Using persons responsible for attestation objects to find attestors Using a specified role to find attestors Using product owners to find attestors Using owners of a privileged object to find attestors Using additional Active Directory group owners to find attestors Using owners of the attestation objects to find attestors Using employees assigned to user accounts to find attestors Determining attested employee as attestor Calculated approval Approvals to be made externally Waiting for further approval

Setting up approval procedures

General main data of an approval procedure Queries for finding attestors

Additional tasks for approval procedures

Overview of the approval procedure Specifying permitted approval procedures for tables Copying an approval procedure

Deleting approval procedures Determining the responsible attestors

Setting up multi-factor authentication for attestation Prevent attestation by employee awaiting attestation Attestation by peer group analysis

Configuring peer group analysis for attestations

Managing attestation cases

Getting more information Appointing other attestors Escalating an attestation case Attestors cannot be established Automatic approval on timeout Halting an attestation case on timeout Attesting by chief approval team

Attestation sequence

Starting attestation Additional tasks for attestation cases

Attestation case overview Approval sequence Attestation history Reports about attestation cases

Modifying approval workflows for pending attestation cases Closing attestation cases for deactivated employees Deleting attestation cases Notifications in the attestation process

Requesting attestation Reminding attestors Scheduling attestation requests Reminding attestors about attestation objects Granting or denying attestation cases Notifying delegates Canceling attestation cases Escalation of attestation cases Delegating attestations Rejecting approvals Notifications with questions Notifications from additional attestors Link for verifying new external users Default mail templates

Attestation by mail

Processing attestation mails

Adaptive cards attestation

Using adaptive cards for attestations Adding and deleting recipients and channels Creating, editing, and deleting adaptive cards for attestations Creating, editing, and deleting adaptive cards templates for attestations Deploying and evaluating adaptive cards for attestations

Default attestation and withdrawal of entitlements

Attesting system entitlements System role attestation Application role attestation Business role attestation

User attestation and recertification

One Identity Manager users for attesting and recertifying users Configuring user attestation and recertification Attesting new users

Self-registration of new users in the Web Portal Adding new employees using a manager or employee administrator Importing new employee main data Scheduled attestation Limiting attestation objects for certification

Recertifying existing users

Preparing for recertification The recertification sequence Limiting attestation objects for recertification

Mitigating controls

General main data of mitigating controls Additional tasks for mitigating controls

Mitigating controls overview Assigning attestation policies

Calculating mitigation

Setting up attestation in a separate database

Requirements for the central database Setting up work databases Setting up synchronization between central and work databases Setting up and running attestations in the work database

Configuration parameters for attestation

Adding and deleting recipients and channels

Attestors can be registered in Starling Cloud Assistant as recipients through an IT Shop request and allocated to a channel. By default, the requests are approved immediately by self-service. Then the recipients are registered and the requested channel is assigned to them. Once the attestor has installed the Starling Cloud Assistant app, they can use adaptive cards to attest.

To add a recipient in Starling Cloud Assistant

In the Web Portal, request the New Starling Cloud Assistant recipient product.

To allocate Microsoft Teams as a channel in Starling Cloud Assistant

In the Web Portal, request the Teams channel for Starling Cloud Assistant recipient product.
Install the Starling Cloud Assistant app for Microsoft Teams.

For more information, see the One Identity Starling Cloud Assistant User Guide under https://support.oneidentity.com/starling-cloud-assistant/hosted/technical-documents.

To allocate Slack as a channel in Starling Cloud Assistant

In the Web Portal, request the Slack channel for Starling Cloud Assistant recipient product.
Install the Starling Cloud Assistant app for Slack.

For more information, see the One Identity Starling Cloud Assistant User Guide under https://support.oneidentity.com/starling-cloud-assistant/hosted/technical-documents.

To delete a recipient in Starling Cloud Assistant

Cancel the New Starling Cloud Assistant recipient product.

To remove a channel

Cancel the respective product.

For more information about requesting and unsubscribing products, see the One Identity Manager Web Portal User Guide.

Related topics

Creating, editing, and deleting adaptive cards for attestations

One Identity Manager provides adaptive cards for demanding attestation in German and English. These can be displayed in the Manager. You can create your own templates for adaptive cards, for example to make changes to the content or to provide adaptive cards in other languages. The recipient's language preferences are taken into account when an adaptive card is generated. If a language cannot be identified or there is no suitable template for the language found, en-US is used as fallback.

To use your own adaptive cards for attestations, configure the ATT_AttestationHelper approve anywhere process accordingly.

To display an adaptive card

In the Manager, select the Attestation > Basic configuration data > Adaptive cards category.
Select the adaptive card in the result list.
Select the Change main data task.
In the Adaptive card templates menu, select a template.

This displays the adaptive card's definition in the Template field.
- To display the entire JSON code, click .

To create an adaptive card.

In the Manager, select the Attestation > Basic configuration data > Adaptive cards category.
Click in the result list.
Edit the adaptive card's main data.
Create a new template for adaptive cards.
Save the changes.
Create additional language-specific templates for this adaptive card as required and save the changes.

To use your customized adaptive card

In the Designer, edit the ATT_AttestationHelper approve anywhere process.
1. Select the Send Adaptive Card to Starling Cloud Assistant process step.
2. Edit the value of the ParameterValue2 parameter and replace the name and UID with the values of your customized adaptive card.
Save the changes.

To delete an adaptive card.

In the Manager, select the Attestation > Basic configuration data > Adaptive cards category.
Select the adaptive card in the result list.
Click in the result list.

This deletes the adaptive card and all the templates belonging to it.

Related topics

Creating, editing, and deleting adaptive cards templates for attestations

To use your own adaptive cards or to provide adaptive cards in other languages, create your own adaptive card's templates.

To create an adaptive card template

In the Manager, select the Attestation > Basic configuration data > Adaptive cards category.
Select the adaptive card in the result list.
Edit the adaptive card's main data.
Next to the Adaptive card templates menu, click .
In the Language menu, select a language for the adaptive card.

All active languages are shown. To use another language, in the Designer, enable the corresponding countries. For more information, see the One Identity Manager Configuration Guide.
In the Template field, enter a definition for the adaptive card.
- To display the entire JSON code, click .
You can use the Adaptive Card Designer from Microsoft or the Visual Studio Code Plugin to help.
Save the changes.
In the Designer, check the ATT_CloudAssistant_ApprovalAnywhere script and modify it to suit your requirements.

To edit an adaptive card template

In the Manager, select the Attestation > Basic configuration data > Adaptive cards category.
In the result list, select the adaptive card whose template you want to edit.
Select the Change main data task.
In the Adaptive card templates menu, select a template.
In the Template field, edit the adaptive card definition.
- To edit the entire JSON code, click .
Save the changes.

To delete an adaptive card template

In the Manager, select the Attestation > Basic configuration data > Adaptive cards category.
In the result list, select the adaptive card whose template you want to delete.
Edit the adaptive card's main data.
In the Adaptive card templates menu, select the template.
Click next to the menu.
Save the changes.

Related topics

Deploying and evaluating adaptive cards for attestations

If an attestor is found in an approval step and this approval step has a mail template allocated to it, the ATT_AttestationHelper approve anywhere process is run. The process is generated if the following conditions are fulfilled:

The attestor is registered as the recipient in Starling Cloud Assistant.
A default email address is stored for the attestor.
The QER | Person | Starling | UseApprovalAnywhere configuration parameter is set.
An expiry date is entered in the QER | Person | Starling | UseApprovalAnywhere | SecondsToExpire configuration parameter.
The QER | Attestation | MailTemplateIdents | RequestApproverByCollection configuration parameter is not set.

The process calls the ATT_CloudAssistant_CreateMessage_AttestationHelper script passing to it the name and UID of the adaptive card to send. The script creates the adaptive card from the JSON template for adaptive cards and the data in the attestation case and then sends it to the attestor. The QER_CloudAssistant_CheckMessage_AttestationHelper script checks if the attestor has sent a response, evaluates the response and updates the attestation case according to the approval decision.

HINWEIS: If you want to use your own adaptive cards template, check the ATT_CloudAssistant_CreateMessage_AttestationHelper, ATT_CloudAssistant_CreateData_AttestationHelper, and ATT_CloudAssistant_CheckMessage_AttestationHelper scripts and adjust them if necessary to reflect content changes in the template. For more information about overriding scripts, see the One Identity Manager Configuration Guide.

Related topics

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级

© 2024 One Identity LLC. ALL RIGHTS RESERVED. Feedback 使用条款隐私 Cookie Preference Center