
Identity Manager 9.2.1 - Attestation Administration Guide


Default approval procedures

To display default approval procedures

  • Select the Attestation > Basic configuration data > Approval procedures > Predefined category.

The following approval procedures are defined by default to select the responsible attestors.

Table 27: Approval procedures for attestation

Procedure Name

Attestors

AA - Attestor for the role to attest

Attestor of the organization (department, cost center, location), business role, or IT Shop if assignments of system entitlements or system roles to roles are attested.

  • Attestors for departments, cost centers and locations must be assigned to the Identity Management | Organizations | Attestors application role.
  • Attestors for business roles must be assigned to the Identity Management | Business roles | Attestors application role.
  • Attestors for requests must be assigned to the Request & Fulfillment | IT Shop | Attestors application role.

For more information, see Using attestation objects to find attestors.

AD - Attestor of recipient's department

Attestor of the department to which the attestation object is primarily assigned.

  • Attestors for departments must be assigned to the Identity Management | Organizations | Attestors application role.

For more information, see Using roles of identities to be attested to find attestors.

AL - Attestor for recipient's location

Attestor of the location to which the attestation object is primarily assigned.

  • Attestors for locations must be assigned to the Identity Management | Organizations | Attestors application role.

For more information, see Using roles of identities to be attested to find attestors.

AM - Manager of account's person

Manager of the identity connected to the user account that is to be attested.

For more information, see Using persons responsible for attestation objects to find attestors.

AN - Attestor for the system entitlement to attest

Attestor of the system entitlement or system role if assignments of system entitlements or system roles to roles are attested. Attestors are determined through the assigned service item.

  • Attestors must be assigned to the Request & Fulfillment | IT Shop | Attestors application role.

For more information, see Using attestation objects to find attestors.

AO - Attestor for recipient's primary role

Attestor of the business role to which the attestation object is primarily assigned.

  • Attestors for business roles must be assigned to the Identity Management | Business roles | Attestors application role.

For more information, see Using roles of identities to be attested to find attestors.

AP - Attestor for recipient's cost center

Attestor of the cost center to which the attestation object is primarily assigned.

  • Attestors for cost centers must be assigned to the Identity Management | Organizations | Attestors application role.

For more information, see Using roles of identities to be attested to find attestors.

AR - Attestor for attestation compliance rule

Attestor for the compliance rule to be attested.

  • Attestors must be assigned to the Identity & Access Governance | Identity Audit | Attestors application role.

For more information, see Using attestation objects to find attestors.

AS - Approver for attestation policy

All identities assigned to the attestation policy as approver.

For more information, see Using attestation policies to find attestors.

AT - Attestor for the organization to be attested

Attestor of the organization (department, cost center, location), business role, or IT Shop to be attested.

  • Attestors for departments, cost centers and locations must be assigned to the Identity Management | Organizations | Attestors application role.
  • Attestors for business roles must be assigned to the Identity Management | Business roles | Attestors application role.
  • Attestors for requests must be assigned to the Request & Fulfillment | IT Shop | Attestors application role.

For more information, see Using attestation objects to find attestors.

AY - Attestor for the company policy to be attested

Attestor of the company policy to be attested.

  • Attestors must be assigned to the Identity & Access Governance | Company policies | Attestors application role.

For more information, see Using attestation objects to find attestors.

CD - Calculated approval

-

For more information, see Calculated approval.

CM - Manager of the attested identity

Manager of the identity to be attested.

For more information, see Using attestation object managers to find attestors.

CN - Challenge the approval decision

Identity to be attested.

For more information, see Determining attested identity as attestor.

CS - Identity themselves

Identity to be attested, attests themselves.

For more information, see Determining attested identity as attestor.

DM - Manager of recipient's department

Department manager/deputy if identities of secondary memberships are attested in departments.

For more information, see Using attestation object managers to find attestors.

AE - Identity assigned to account

Identity assigned to the user account to be attested.

For more information, see Using identities assigned to user accounts to find attestors.

ED - Department manager for system entitlement attestation

Identity’s department manager whose system entitlements are to be attested.

For more information, see Using persons responsible for attestation objects to find attestors.

EM - Identity manager for system entitlement attestation

Identity’s manager whose system entitlements are to be attested.

For more information, see Using persons responsible for attestation objects to find attestors.

EN - Target system manager of the system entitlement to attest

Target system manager of the system entitlements to be attested.

For more information, see Using persons responsible for attestation objects to find attestors.

EO - Product owner of the system entitlement to attest

Product owner whose system entitlements or system roles are to be attested.

For more information, see Using persons responsible for attestation objects to find attestors.

EX - Approvals to be made externally

-

For more information, see Approvals to be made externally.

KA - Product owner and additional owner of the Active Directory Group

Product owner and additional owner of the Active Directory group, if Active Directory groups or group memberships are attested.

For more information, see Using persons responsible for attestation objects to find attestors.

LM - Manager of recipient's location

Location manager/deputy if identities of secondary memberships are attested in locations.

For more information, see Using attestation object managers to find attestors.

MD - Department manager of account's person

Manager of the main department of the identity that is connected to the user account to be attested.

For more information, see Using persons responsible for attestation objects to find attestors.

MO - Role owner

Business role manager/deputy if identities of secondary memberships are attested in roles.

For more information, see Using attestation object managers to find attestors.

OA - Product owner

All members of the assigned application role if service items, system entitlements or system roles are attested.

For more information, see Using product owners to find attestors.

OM - Manager of a specific role

Manager of the role selected in the approval workflow.

For more information, see Using a specified role to find attestors.

OP - Owner of a privileged object

All identities that can be determined as owners of the privileged request.

For more information, see Using owners of a privileged object to find attestors.

OR - Members of a certain role

All identities that are assigned to a secondary business role.

For more information, see Using a specified role to find attestors.

OT - Attestor of assigned service item

Attestor of the service item assigned to the object to be attested.

  • Attestors must be assigned to the Request & Fulfillment | IT Shop | Attestors application role.

For more information, see Determining attestors using the attestation objects' service item.

OW - Product owners of a Microsoft Teams team

Product owner of the Office 365 group that is assigned to the attestation object.

For more information, see Using product owners to find attestors.

PA - Secondary owner of Active Directory group

All identities to be found through the additional owner of the requested Active Directory group.

For more information, see Using additional Active Directory group owners to find attestors.

PM - Manager of recipient's cost center

Cost center manager/deputy if secondary memberships in cost centers are attested.

For more information, see Using attestation object managers to find attestors.

PO - Proposed owner

Proposed owner of the attestation object.

For more information, see Using owners of the attestation objects to find attestors.

PW - Owner of the attestation policy

Owner of the attestation policy to run.

For more information, see Determining attestation policy owners.

RE - Manager of system roles to be attested

Manager of the system role to be attested.

For more information, see Using attestation object managers to find attestors.

RM - Role manager for attesting memberships

Manager of role to be attested if secondary memberships in roles are attested.

For more information, see Using attestation object managers to find attestors.

RR - Role manager for attesting roles and role assignments

Manager of role to be attested.

For more information, see Using attestation object managers to find attestors.

SO - Target system manager of the entitlement to attest

Target system manager of system entitlement or user account to be attested.

For more information, see Using persons responsible for attestation objects to find attestors.

WC - Waiting for further approval

-

For more information, see Waiting for further approval.

XM - Manager of the identity for all attestations

Manager of the identity that can be determined with the attestation object.

For more information, see Using attestation object managers to find attestors.

Using attestation policies to find attestors

Use the AS approval procedure if you want to set fixed attestors for all objects of an attestation policy. This approval procedure finds all identities that are assigned to the attestation policy as approvers.

Use this procedure to allow any objects to be attested by any of the specified identities. These identities must be assigned to the attestation policy as approvers. The attestor can also be entered when you create attestation policies in the Web Portal. For more information about this, see the One Identity Manager Web Designer Web Portal User Guide.


Using roles of identities to be attested to find attestors

Installed modules:

Business Roles Module (for approval procedure AO).

If you want to attest company resource assignments to identities or the requests, use the AD, AL, AO, or AP approval procedures. The attestors found are members of the Attestor application role.

Attestation objects are identities (table: Person) or request recipients (table: PersonWantsOrg). For each attestation object, these approval procedures determine the role (department, location, business role, cost center) to which the attestation object is primarily assigned. If the primarily assigned role is not directly assigned an attestor, the approval procedure finds the attestors of the parent roles. If still no attestor can be determined, the attestation case is presented to the attestor of the associated role class for approval.

NOTE: When attestors are found using the AO approval procedure and when "bottom-up" inheritance is defined for business roles, note the following:

  • If there is no attestor given for the primary business role, attestors are taken from the child business role.


Using attestation objects to find attestors

Use the AR, AY, or AT approval procedures if you want to attest the validity of compliance rules, rule violations, company policies, policy violations, or of departments, locations, cost centers, or business roles. The AT procedure is also suitable for attesting assignments to IT Shop structures (shops, shopping centers, or shelves). Use the AA or AN approval procedures to attest system entitlement or system role assignments to departments, locations, cost centers, business roles or IT Shop structures. The attestors found are members of the Attestor application role.

Approval procedure | Attestation base objects | Available in Module
AR | Rules (ComplianceRule); Rule violations (PersonInNonCompliance) | Compliance Rules Module
AY | Company policies (QERPolicy); Policy violations (QERPolicyHasObject) | Company Policies Module
AT | Departments (Department); IT Shop Structures (ITShopOrg); Locations (Locality); Business roles (Org); Cost centers (ProfitCenter); IT Shop Templates (ITShopSrc) | -
AA, AN | System entitlement or target system group assignments to roles (<BaseTree>HasUNSGroupB, <BaseTree>HasADSGroup, <BaseTree>HasEBSResp, ...); System role assignments to roles (<BaseTree>HasESet) | Target System Base Module

These approval procedures determine the attestors of the role or structure to which the attestation object is assigned. The AA approval procedure finds the attestor using the role (department, location, business role, cost center) or IT Shop structure (IT Shop template). The AN approval procedure finds the attestor using the service item assigned to the system entitlement or target system group.

Furthermore, the following also applies to the AT and AA approval procedures: If an attestor is not directly assigned to the attestation object, the approval procedure finds the attestor of the parent roles/IT Shop structures. If still no attestor can be determined, the attestation case is presented to the attestor of the associated role class for approval.

NOTE: If the attestation base object is a business role or a business role assignment and bottom-up inheritance is defined for the associated role classes, the following applies:

  • If there is no attestor assigned to the attestation object, the approval procedure finds attestors from the attestors of subordinate roles.
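The hierarchy walk described above for the AT and AA procedures, and in Using roles of identities to be attested to find attestors for the AD, AL, AO, and AP procedures, modelled as an added example. This is not One Identity Manager code: the Role and Identity classes, the role tree, the attestor assignments, the role-class attestors and the bottom-up configuration are all constructed sample data, and applying the role-class fallback in bottom-up mode as well is an assumption. The example shows the three outcomes the text describes: an attestor inherited from a parent role, an attestor taken from a subordinate role under bottom-up inheritance, and the fallback to the role class attestor, plus the case where no attestor can be determined at all.

```python
# Added illustrative model of attestor resolution (not One Identity Manager
# code). Role tree, attestor assignments, role-class attestors and the
# bottom-up configuration below are constructed sample data.
from collections import deque
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Role:
    name: str
    role_class: str                      # e.g. "Department", "Org" (business role)
    parent: Optional["Role"] = None
    attestors: list = field(default_factory=list)
    children: list = field(default_factory=list)

    def add_child(self, child: "Role") -> "Role":
        child.parent = self
        self.children.append(child)
        return child


@dataclass
class Identity:
    name: str
    primary: dict  # procedure code -> primarily assigned role, e.g. {"AD": dept}


# Attestor of the associated role class: the last fallback (constructed).
ROLE_CLASS_ATTESTORS = {"Department": ["dept-class-attestor"], "Org": []}

# Role classes configured for bottom-up inheritance (constructed; the page
# describes this setting for business roles).
BOTTOM_UP_ROLE_CLASSES = {"Org"}


def find_attestors(role: Role, bottom_up: bool = False) -> list:
    """Attestors for `role`.

    Top-down (default): the role's own attestors, otherwise walk up through
    the parent roles. Bottom-up: otherwise search subordinate roles
    breadth-first, nearest level first. If nothing is found, fall back to
    the attestors of the role class (assumed here to apply in both modes).
    An empty result means the attestation case has no attestor.
    """
    if role.attestors:
        return list(role.attestors)
    if bottom_up:
        queue = deque(role.children)
        while queue:
            current = queue.popleft()
            if current.attestors:
                return list(current.attestors)
            queue.extend(current.children)
    else:
        current = role.parent
        while current is not None:
            if current.attestors:
                return list(current.attestors)
            current = current.parent
    return list(ROLE_CLASS_ATTESTORS.get(role.role_class, []))


def attestors_for(identity: Identity, procedure: str) -> list:
    """Apply AD/AL/AO/AP: resolve via the identity's primarily assigned role
    of the matching kind; bottom-up only where the role class is configured."""
    role = identity.primary.get(procedure)
    if role is None:
        return []
    return find_attestors(role, bottom_up=role.role_class in BOTTOM_UP_ROLE_CLASSES)


def build_sample() -> dict:
    """Constructed org data: a department tree with an attestor only at the
    top, and a business role tree with an attestor only on a child role."""
    company = Role("Company", "Department", attestors=["alice"])
    it_ops = company.add_child(Role("IT", "Department")).add_child(Role("IT Ops", "Department"))
    hr = Role("HR", "Department")                       # no attestor, no parent
    engineering = Role("Engineering", "Org")            # business role, no attestor
    engineering.add_child(Role("Backend", "Org", attestors=["bob"]))
    sales = Role("Sales", "Org")                        # business role, no attestor anywhere
    return {
        "ann": Identity("ann", {"AD": it_ops, "AO": engineering}),
        "ben": Identity("ben", {"AD": hr, "AO": sales}),
    }


if __name__ == "__main__":
    people = build_sample()
    for who, proc in (("ann", "AD"), ("ann", "AO"), ("ben", "AD"), ("ben", "AO"), ("ben", "AP")):
        print(who, proc, attestors_for(people[who], proc))
```

Running the block resolves ann's department attestor to alice two levels up, takes bob from the child business role because Org is configured bottom-up, falls back to the role class attestor for ben's department, and returns an empty list for ben's business role and for a procedure whose role kind he has no primary assignment for. The last case is the one worth watching in a real deployment: a policy whose approval procedure yields no attestor produces cases nobody can decide.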
