立即与支持人员聊天
与支持团队交流

Identity Manager On Demand Hosted - Attestation Administration Guide

Attestation and recertification
One Identity Manager users for attestation Attestation base data Attestation policies Sample attestation Custom mail templates for notifications Suspending attestation
Approval processes for attestation cases
Approval policies for attestations Approval workflow for attestations Selecting attestors Setting up multi-factor authentication for attestation Prevent attestation by employee awaiting attestation Attestation by peer group analysis Managing attestation cases
Attestation sequence Default attestation and withdrawal of entitlements User attestation and recertification Mitigating controls Setting up attestation in a separate database Configuration parameters for attestation

One Identity Manager users for attesting and recertifying users

The following users are used for attesting and recertifying employees.

Table 47: Users

Users

Tasks

Employee administrators

Employee administrators must be assigned to the Identity Management | Employees| Administrators application role.

Users with this application role:

  • Can edit main data for all employees

  • Assign managers to employees.

  • Can assign company resources to employees.

  • Check and authorize employee main data.

  • Create and edit risk index functions.

  • Edit password policies for employee passwords

  • Delete employee's security keys (WebAuthn)

  • Can see everyone's requests, attestations, and delegations and edit delegations in the Web Portal.

Manager

  • Check employee main data of the internal user to be certified.
  • Update employee main data as required.
  • Assign another manager if required.
  • Attests the main data.

Attestors for external users

Attestors for external users must be assigned to the Identity & Access Governance | Attestation | Attestors for external users application role.

Users with this application role:

  • Attests new, external employees.

Administrators for attestation cases

Administrators must be assigned to the Identity & Access Governance | Attestation | Administrators application role.

Users with this application role:

  • Modify the attestation policies if necessary.

  • Create more schedules if required.

Web Portal users

  • Log on to the Web Portal and enter their main data,

Self-registered employees

External employees, who have self-registered in the Web Portal, are assigned to the Base roles | Self-registered employees application role through a dynamic role.

Users with this application role:

  • Specify their password and password questions for logging in to One Identity Manager tools.

Configuring user attestation and recertification

To use the attestation and recertification function for new internal users

  1. In the Designer, set the QER | Attestation | UserApproval configuration parameter.

  2. Assign at least one employee to the Identity Management | Employees | Administrators application role.

    All employees with this application role can assign a manager to the employee being attested during the attestation process.

To use the attestation and recertification function for new external users

  1. In the Designer, set the following configuration parameters:

    • QER | Attestation | ApproveNewExternalUsers: Select the value 1.

    • QER | WebPortal | PasswordResetURL: Enter the URL for the Password Reset Portal.

    • QER | Attestation | MailTemplateIdents | NewExternalUserVerification: Mail template sending verification links.

    • QER | Attestation | NewExternalUserTimeoutInHours: For new external users, specify the duration of the verification link in hours.

      The default is 4 hours. If logging in to the Password Reset Portal fails because the timeout has expired, the user can ask for a new verification link to be sent. To change the duration of the verification link, change the value in the configuration parameter.

    • QER | Attestation | NewExternalUserFinalTimeoutInHours: Specify the duration in hours, within which self-registration must be successfully completed.

      If the user does not complete registration with 24 hours, the attestation case quits. To register anyway, the user must log in again to the Web Portal from the beginning. To change the checkout duration of registration, change the value of the configuration parameter.

  2. Assign at least one employee to the Identity & Access Governance | Attestation | Attestor for external users application role.

Detailed information about this topic

Attesting new users

Attestation of new users is divided into three use cases by One Identity Manager:

  1. Registration of new external users logging in to the Web Portal.

  2. Adding new employees in the Manager or using a manager in the Web Portal.

  3. Adding a new employee by importing employee main data.

The result of attestation is the same in all three cases.

  • Certified, activated employees who can access all entitlements assigned to them in One Identity Manager and the connected target systems.

    Company resources are inherited. Account definitions are assigned to internal employees.

    - OR -

  • Denied and permanently deactivated employees.

    Disable employees cannot log in to One Identity Manager tools. Company resources are not inherited. Account definitions are not automatically assigned. User accounts associated with the employee are also locked or deleted. You can customize the behavior to meet your requirements.

Self-registration of new users in the Web Portal

Users who are not yet registered have the option to register themselves to use the Web Portal. These users can log in to the Web Portal once a manager has attested the user's main data and the set the user's password. This adds an external employee to the One Identity Manager database.

Attestation sequence:

  1. The user logs in to the Web Portal for the first time and enters the required properties.

    A new employee object is added to the One Identity Manager database with properties:

    Table 48: Properties of a newly added employee

    Property

    Value

    Certification status

    New

    External

    Set

    Contact email address

    Email address to send the verification link to.

    Permanently deactivated

    Set

    No inheritance

    Set

  2. Attestation is started automatically.

    Attestation policy used: New user certification

    NOTE: The attestation only starts automatically if the QER | Attestation | UserApproval configuration parameter is set. Otherwise the new user remains permanently deactivated until a manager changes the employee main data manually.
  3. Attestors are found.

    Effective approval policy: Certification of users

  4. If the QER | Attestation | ApproveNewExternalUsers configuration parameter is set and the value is 1, attestation of members of the Identity & Access Governance | Attestation | Attestors for external users is submitted.

    1. If an attestor for external users denies the attestation, the attestation case is closed. The employee object's properties are updated in the database.
      Table 49: Properties of an external employee with denied attestation

      Property

      Value

      Explanation

      Certification status

      Denied

      External

      Set

       

      Permanently deactivated

      Set

      The user cannot log in to the Web Portal.

      No inheritance

      Set

      Company resources are not inherited.

    2. If an attestor for external users approves attestation, an email with a verification link is sent to the new user.

    NOTE: If the QER | Attestation | ApproveNewExternalUsers configuration parameter is not set or the value is 0, an email with a verification link is sent immediately to the new user.

  5. Once the user has followed the link and a password and a password question have been set, the attestation case is approved. The employee object's properties are updated in the database.

    Table 50: Properties of an external employee with approved attestation

    Property

    Value

    Explanation

    Certification status

    Certified

     

    External

    Set

     

    Permanently deactivated

    Not set

    The user can log in to the Web Portal.

    No inheritance

    Not set

    Company resources are inherited.

The default is 4 hours. If logging in to the Password Reset Portal fails because the timeout has expired, the user can ask for a new verification link to be sent.

If the user does not complete registration with 24 hours, the attestation case quits. To register anyway, the user must log in again to the Web Portal from the beginning.

Related topics
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级