
Identity Manager On Demand Hosted - Attestation Administration Guide


Standard reasons for attestation

For attestations, you can specify reasons in the Web Portal that explain the individual approval decisions. You can freely formulate this text. You also have the option to predefine reasons. The attestors can select a suitable text from these standard reasons in the Web Portal and store it with the attestation case.

Standard reasons are displayed in the attestation history.

To create or edit standard reasons

  1. In the Manager, select the Attestation > Basic configuration data > Standard reasons category.

  2. Select a standard reason in the result list and run the Change main data task.

    - OR -

    Click in the result list.

  3. Edit the main data of a standard reason.

  4. Save the changes.

Enter the following properties for the standard reason.

Table 9: General main data of a standard reason

| Property | Description |
|---|---|
| Standard reason | Reason text as displayed in the Web Portal and in the attestation history. |
| Description | Text field for additional explanation. |
| Automatic Approval | Specifies whether the reason text is only used for automatic approvals by One Identity Manager. This standard reason cannot be selected by manual approvals in the Web Portal. Do not set the option if you want to select the standard reason in the Web Portal. |
| Additional text required | Specifies whether an additional reason should be entered in free text for the attestation. |
| Usage type | Usage type of standard reason. Assign one or more usage types to allow filtering of the standard reasons in the Web Portal. |


Predefined standard reasons for attestations

One Identity Manager provides predefined standard reasons. These are added to the attestation case by One Identity Manager during automatic approval. You can use the usage type to specify which standard reasons can be selected in the Web Portal.

To change the usage type

  1. In the Manager, select the Attestation > Basic configuration data > Standard reasons > Predefined category.

  2. Select the standard reason whose usage type you want to change.

  3. Select the Change main data task.

  4. In the Usage type menu, set all the actions where you want to display the standard reason in the Web Portal.

    Unset all the actions where you do not want to display the default reason.

  5. Save the changes.

Attestation policies

Attestation policies specify the concrete conditions for attestation. Use the main data form to enter the attestation procedure, approval policy and the schedule. You can use a WHERE clause to limit the attestation objects.

To edit attestation policies

  1. In the Manager, select the Attestation > Attestation policies category.

  2. Select an attestation policy in the result list and run the Change main data task.

    - OR -

    Click in the result list.

  3. Edit the main data of the attestation policy.

  4. Save the changes.

General main data of attestation policies

Enter the following data for attestation policies.

Table 10: General main data of attestation policies

Property

Description

Attestation policy

Name of the attestation policy.

Attestation procedure

Attestation procedure used for attesting. Attestation procedures are displayed in a menu grouped by attestation type.

Approval policies

Approval policy for determining the attestor for the attestation objects.

Owner

Creator of the attestation policy. The name of the user logged in to One Identity Manager is entered here by default. This can be changed.

Owner (application role)

Application role whose members may edit the attestation policy.

To create a new application role, click . Enter the application role name and assign a parent application role.

Sample

Sample that can be used for attestations. A sample can only be assigned to exactly one attestation policy.

To create a new sample, click . Enter the name of the sample and assign the table from which to take the data for the sample.

You cannot assign samples to default attestation policies.

Time required (days)

Number of days within which a decision must be made on the attestation. Enter 0 if you do not want to specify a particular processing period.

Weekends and holidays are included by default when calculating the due date of attestation cases. If weekends and holidays should be treated as working days, set the QER | Attestation | UseWorkingHoursDefinition, QBM | WorkingHours | IgnoreHoliday, and QBM | WorkingHours | IgnoreWeekend configuration parameters. For more information about calculating working hours, see the One Identity Manager Configuration Guide.

One Identity Manager does not stipulate which actions are carried out if processing times out. Define your own custom actions or evaluations to deal with this situation.

Description

Text field for additional explanation.

Risk index

Specifies the risk for the company if attestation for this attestation policy is denied. Use the slider to enter a value between 0 and 1.

  • 0: No risk.

  • 1: The denied attestation is a problem.

This input field is only visible if the QER | CalculateRiskIndex configuration parameter is activated.

Risk index (reduced)

Shows the risk index taking mitigating controls into account. The risk index for an attestation policy is reduced by the Significance reduction value for all assigned mitigating controls.

This input field is only visible if the QER | CalculateRiskIndex configuration parameter is activated. The value is calculated by One Identity Manager and cannot be edited.

Calculation schedule

Schedule for running attestation. Attestation cases are started automatically at the times specified by the schedule.

Deactivated

Specifies whether the attestation policy is disabled or not.

Attestation cases cannot be added to disabled attestation policies and, therefore, no attestation is done. Disabled attestation policies can be deleted.

Completed attestation cases can be deleted once the attestation policy is disabled.

Display objects to be attested

Specifies whether the objects affected by the attestation policy are calculated and displayed on the overview form.

Close obsolete tasks automatically

Specifies whether pending attestation cases are canceled if new ones are added.

If attestation is started and this option is set, new attestation cases are created according to the condition. All pending, obsolete attestation cases for newly determined attestation objects of this attestation policy are stopped. Attestation cases for attestation objects that are not recalculated remain intact.

Obsolete tasks limit

Specifies the maximum number of closed attestation cases for each attestation object that should remain in the database when closed attestation cases are deleted.

  • 0: No attestation cases are deleted.

  • > 0: The given number of closed attestation cases for each attestation object to remain in the database.

The value can be edited only if the Delete attestation cases function is configured. For more information, see Deleting attestation cases.

Reason for decision

Reason that is given if the Close obsolete tasks automatically option is set and pending attestation cases are automatically closed.

Output format

Format in which the report is generated.

This menu is only visible if the QER | Attestation | AllowAllReportTypes configuration parameter is set. If the configuration parameter is not set, the default PDF format is used because it is the only format that is version compatible.

Edit connection...

Starts the WHERE clause wizard. Use this wizard to create or edit a condition to determine the attestation objects from the database table specified in the attestation procedure.

Condition

Data query for finding attestation objects.

This input field is shown for new attestation policies.

NOTE: For sample attestation, the condition must also query the sample data. There is a template to help set up the condition. This condition can be changed if necessary.

Example of attesting employees using a sample:

EXISTS (SELECT 1 FROM
    (
        SELECT ObjectKeyItem FROM QERPickedItem
        WHERE UID_QERPickCategory = '$UID_QERPickCategory$'
    ) as X
WHERE X.ObjectKeyItem = Person.XObjectKey)

Example of attesting user accounts using a sample of employees:

EXISTS (SELECT 1 FROM
    (
        SELECT UID_Person FROM Person WHERE EXISTS
        (
            SELECT 1 FROM
            (
                SELECT ObjectKeyItem FROM QERPickedItem
                WHERE UID_QERPickCategory = '$UID_QERPickCategory$'
            ) as X
            WHERE X.ObjectKeyItem = Person.XObjectKey
        )
    ) as X
WHERE X.UID_Person = UNSAccount.UID_Person)

To show the condition for existing attestation policies, run the Show condition task.

Attestation with multi-factor authentication

Attestation of this attestation policy requires multi-factor authentication.

NOTE: You can only edit attestation policies in the Web Portal that were created in the Web Portal. You will see a corresponding message on the main data form as to whether the attestation policy was created in the Web Portal.

If you want to edit attestation policies like this, create a copy in the Manager.

For more information about editing attestation policies in the Web Portal, see the One Identity Manager Web Designer Web Portal User Guide.
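
The two sample conditions shown under Condition, run against a small constructed database to check which objects they select. This is an added example, not part of the One Identity documentation: it uses Python's sqlite3 in place of the One Identity Manager database, binds the $UID_QERPickCategory$ variable as a parameter, and the miniature schema, the UID_UNSAccount key column and all row values are assumptions.

```python
import sqlite3

# Sample conditions from the Condition property; the $UID_QERPickCategory$
# variable is replaced by the bound parameter :cat (assumption for this demo).
PERSON_CONDITION = """
EXISTS (SELECT 1 FROM
    (SELECT ObjectKeyItem FROM QERPickedItem
     WHERE UID_QERPickCategory = :cat) AS X
  WHERE X.ObjectKeyItem = Person.XObjectKey)"""

ACCOUNT_CONDITION = """
EXISTS (SELECT 1 FROM
    (SELECT UID_Person FROM Person WHERE EXISTS
        (SELECT 1 FROM
            (SELECT ObjectKeyItem FROM QERPickedItem
             WHERE UID_QERPickCategory = :cat) AS X
          WHERE X.ObjectKeyItem = Person.XObjectKey)
    ) AS X
  WHERE X.UID_Person = UNSAccount.UID_Person)"""


def build_db():
    """Constructed miniature schema: only the columns the conditions touch."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Person (UID_Person TEXT, XObjectKey TEXT);
        CREATE TABLE QERPickedItem (UID_QERPickCategory TEXT, ObjectKeyItem TEXT);
        CREATE TABLE UNSAccount (UID_UNSAccount TEXT, UID_Person TEXT);
        INSERT INTO Person VALUES ('p1','key-p1'),('p2','key-p2'),('p3','key-p3');
        -- sample-A picks p1 and p3; sample-B picks p2
        INSERT INTO QERPickedItem VALUES
            ('sample-A','key-p1'),('sample-A','key-p3'),('sample-B','key-p2');
        -- a4 has no linked employee (orphaned account)
        INSERT INTO UNSAccount VALUES
            ('a1','p1'),('a2','p2'),('a3','p3'),('a4',NULL);
    """)
    return db


def attestation_objects(db, table, key_column, condition, category):
    """Keys in `table` matching the condition (table/column are fixed constants)."""
    sql = f"SELECT {key_column} FROM {table} WHERE {condition} ORDER BY 1"
    return [row[0] for row in db.execute(sql, {"cat": category})]


if __name__ == "__main__":
    db = build_db()
    print(attestation_objects(db, "Person", "UID_Person", PERSON_CONDITION, "sample-A"))
    print(attestation_objects(db, "UNSAccount", "UID_UNSAccount", ACCOUNT_CONDITION, "sample-A"))
```

Account a4 has no linked employee and is therefore never selected by the employee-sample condition, whichever sample is used.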
