立即与支持人员聊天
与支持团队交流

Identity Manager On Demand Hosted - Attestation Administration Guide

Attestation and recertification
One Identity Manager users for attestation Attestation base data Attestation policies Sample attestation Custom mail templates for notifications Suspending attestation
Approval processes for attestation cases
Approval policies for attestations Approval workflow for attestations Selecting attestors Setting up multi-factor authentication for attestation Prevent attestation by employee awaiting attestation Attestation by peer group analysis Managing attestation cases
Attestation sequence Default attestation and withdrawal of entitlements User attestation and recertification Mitigating controls Setting up attestation in a separate database Configuration parameters for attestation

System role attestation

Installed modules: System Roles Module

If you use the System role membership attestation default attestation policy or have set up attestation policies with the System entitlement memberships attestation default attestation procedure, you can configure automatic removal of system roles through the QER | Attestation | AutoRemovalScope | ESetAssignment configuration parameter. After attestation approval has been denied, One Identity Manager checks which type of assignment was used for the user account to become a member in the system role.

Table 42: Effect of configuration parameters when attestation denied

Configuration parameter

Effect when set

QER | Attestation | AutoRemovalScope | ESetAssignment | RemoveDirect

Direct membership in the system role is removed.

This removes all indirect assignments obtained by the employee through this system role.

QER | Attestation | AutoRemovalScope | ESetAssignment | RemovePrimaryRole

If the system role was inherited through a primary role, the role is withdrawn.

This removes all indirect assignments obtained by the employee through this role.

QER | Attestation | AutoRemovalScope | ESetAssignment | RemoveRequestedRole

If the system role was inherited through a requested role, the role request is canceled or unsubscribed.

This removes all indirect assignments obtained by the employee through this role.

Set the desired behavior in the QER | Attestation | AutoRemovalScope | PWOMethodName configuration parameter. For more information, see Default attestation and withdrawal of entitlements.

QER | Attestation | AutoRemovalScope | ESetAssignment | RemoveDelegatedRole

If the system role was inherited through a delegated role, the delegation of this role is canceled or unsubscribed.

This removes all indirect assignments obtained by the employee through this role.

Set the desired behavior in the QER | Attestation | AutoRemovalScope | PWOMethodName configuration parameter. For more information, see Default attestation and withdrawal of entitlements.

QER | Attestation | AutoRemovalScope | ESetAssignment | RemoveRequested

If the system role was requested through the IT Shop, the request is canceled or unsubscribed.

This removes all indirect assignments obtained by the employee through this system role.

Set the desired behavior in the QER | Attestation | AutoRemovalScope | PWOMethodName configuration parameter. For more information, see Default attestation and withdrawal of entitlements.

QER | Attestation | AutoRemovalScope | ESetAssignment | RemoveDirectRole

If the system role was inherited through a secondary role (organization or business role), the employee's membership is removed from this role.

This removes all indirect assignments obtained by the employee through this role.

QER | Attestation | AutoRemovalScope | ESetAssignment | RemoveDynamicRole

If the system role was inherited through a dynamic role, the employee is excluded from the dynamic role.

This removes all indirect assignments obtained by the employee through this role.

If you use the System role entitlement assignment attestation default attestation policy or have set up attestation policies with the System role entitlement assignment attestation default attestation procedure, you can configure automatic removal of the assignments through the QER | Attestation | AutoRemovalScope | ESetHasEntitlement configuration parameter.

Table 43: Effect of configuration parameters when attestation denied

Configuration parameter

Effect when set

QER | Attestation | AutoRemovalScope | ESetHasEntitlement | RemoveDirect

Assignment of the company resource to a system role is removed.

You can configure automatic withdrawal of system role assignments to hierarchical roles, if you use the following default attestation policies or procedures:

  • Department system role assignment attestation

  • Cost center system role assignment attestation

  • Location system role assignment attestation

  • Business role system role assignment attestation

Enabled the following configuration parameters to do this.

Table 44: Effect of configuration parameters when attestation denied

Configuration parameter

Effect when set

QER | Attestation | AutoRemovalScope | DepartmentHasESet | RemoveDirect

The assignment of the system role to a department is removed.

Therefore the system role is removed from all employees that inherit assignments from this department.

QER | Attestation | AutoRemovalScope | ProfitCenterHasESet | RemoveDirect

The assignment of the system role to a cost center is removed.

Therefore the system role is removed from all employees that inherit assignments from this cost center.

QER | Attestation | AutoRemovalScope | LocalityHasESet | RemoveDirect

The assignment of the system role to a location is removed.

Therefore the system role is removed from all employees that inherit assignments from this location.

QER | Attestation | AutoRemovalScope | OrgHasESet | RemoveDirect

The assignment of the system role to a business role is removed.

Therefore the system role is removed from all employees that inherit assignments from this business role.

Application role attestation

When you use the Application role membership attestation default attestation policy or have set up attestation policies with the Application role membership attestation default attestation procedure, you can configure automatic removal of application roles through the QER | Attestation | AutoRemovalScope | AERoleMembership configuration parameter. After attestation approval has been denied, One Identity Manager checks which type of assignment was used for the user account to become a member in the application role.

Table 45: Effect of configuration parameters when attestation denied

Configuration parameter

Effect when set

QER | Attestation | AutoRemovalScope | AERoleMembership | RemoveDirectRole

The employee's secondary membership is removed from the application role.

This removes all indirect assignments obtained by the employee through this application role. Membership in dynamic roles is not removed in this process.

QER | Attestation | AutoRemovalScope | AERoleMembership | RemoveRequestedRole

If the employee requested the application role through the IT Shop, the request is canceled or unsubscribed.

This removes all indirect assignments obtained by the employee through this application role.

Set the desired behavior in the QER | Attestation | AutoRemovalScope | PWOMethodName configuration parameter. For more information, see Default attestation and withdrawal of entitlements.

QER | Attestation | AutoRemovalScope | AERoleMembership | RemoveDelegatedRole

If the application role was delegated to the employee, delegation is canceled or unsubscribed.

This removes all indirect assignments obtained by the employee through this application role.

Set the desired behavior in the QER | Attestation | AutoRemovalScope | PWOMethodName configuration parameter. For more information, see Default attestation and withdrawal of entitlements.

QER | Attestation | AutoRemovalScope | AERoleMembership | RemoveDynamicRole

The employee is excluded from the application role's dynamic role.

This removes all indirect assignments obtained by the employee through this application role. This does not remove memberships in the application role that were created in another way.

Business role attestation

Installed modules: Business Roles Module

When you use the Business role membership attestation default attestation policy and have set up attestation policies with the Business role membership attestation default attestation procedure, you can configure automatic removal of business roles through the QER | Attestation | AutoRemovalScope | RoleMembership configuration parameter. After attestation approval has been denied, One Identity Manager checks which type of assignment was used for the user account to become a member in the business role.

Table 46: Effect of configuration parameters when attestation denied

Configuration parameter

Effect when set

QER | Attestation | AutoRemovalScope | RoleMembership | RemoveDirectRole

The employee's secondary membership in the business role is removed.

This removes all indirect assignments obtained by the employee through this business role. Membership in dynamic roles is not removed by this.

QER | Attestation | AutoRemovalScope | RoleMembership | RemoveRequestedRole

If the employee requested the business role through the IT Shop, the request is canceled or unsubscribed.

This removes all indirect assignments obtained by the employee through this business role.

Set the desired behavior in the QER | Attestation | AutoRemovalScope | PWOMethodName configuration parameter. For more information, see Default attestation and withdrawal of entitlements.

QER | Attestation | AutoRemovalScope | RoleMembership | RemoveDelegatedRole

If the business role was delegated to the employee, delegation is canceled or unsubscribed.

This removes all indirect assignments obtained by the employee through this business role.

Set the desired behavior in the QER | Attestation | AutoRemovalScope | PWOMethodName configuration parameter. For more information, see Default attestation and withdrawal of entitlements.

QER | Attestation | AutoRemovalScope | RoleMembership | RemoveDynamicRole

The employee is excluded from the business role's dynamic role.

This removes all indirect assignments obtained by the employee through this business role. This does not remove memberships in the business role that were created in another way.

User attestation and recertification

Use the One Identity Manager attestation functionality to regularly check and authorize employees' main data and target system entitlements and assignments. In addition, One Identity Manager provides default procedures for managers to quickly attest and certify the main data of newly added One Identity Manager users in the One Identity Manager database. This functionality can be used, for example, if external employees, such as contract workers, are provided with temporary access to the One Identity Manager. The sequence is different for internal and external employees.

Regular recertification can be run through scheduled tasks.

In the context of an attestation, a manager can check and update the main data of the user to be certified, if necessary. Use the Web Portal for attestation.

Detailed information about this topic
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级