Attestation policy |
Name of the attestation policy. |
Attestation procedure |
Attestation procedure used for attesting. Attestation procedures are displayed in a drop-down grouped by attestation type. |
Approval policies |
Approval policy for determining the attestor for the attestation objects. |
Owner |
Creator of the attestation policy. The name of the user logged in to One Identity Manager is entered here by default. This can be changed. |
Owner (application role) |
Application role whose members may edit the attestation policy.
To create a new application role, click . Enter the application role name and assign a parent application role. |
Policy collection |
Policy collection used to start the attestation.
You can use policy collections to group together various attestation policies and run them collectively. |
Sample |
Sample that can be used for attestations. A sample can only be assigned to exactly one attestation policy.
To create a new sample, click . Enter the name of the sample and assign the table from which to take the data for the sample.
You cannot assign samples to default attestation policies. |
Time required (days) |
Number of days within which a decision on the attestation must be made. Enter 0 if you do not want to specify a particular processing period.
Weekends and holidays are included by default when calculating the due date of attestation cases. If weekends and holidays should be treated as working days, set the QER | Attestation | UseWorkingHoursDefinition, QBM | WorkingHours | IgnoreHoliday, and QBM | WorkingHours | IgnoreWeekend configuration parameters. For more information about calculating working hours, see the One Identity Manager Configuration Guide.
One Identity Manager does not stipulate which actions are carried out if processing times out. Define your own custom actions or evaluations to deal with this situation. |
Description |
Text field for additional explanation. |
Risk index |
Specifies the risk for the company if attestation for this attestation policy is denied. Use the slider to enter a value between 0 and 1.
This input field is only visible if the QER | CalculateRiskIndex configuration parameter is activated. |
Risk index (reduced) |
Shows the risk index taking mitigating controls into account. The risk index for an attestation policy is reduced by the Significance reduction value for all assigned mitigating controls.
This input field is only visible if the QER | CalculateRiskIndex configuration parameter is activated. The value is calculated by One Identity Manager and cannot be edited. |
Calculation schedule |
Schedule for running attestation. Attestation cases are started automatically at the times specified by the schedule.
If a policy collection is assigned, the input field is disabled. The policy collection's schedule applies. |
Language |
Language in which the information to be attested is displayed.
If a language is not specified, the information is generated in the same language as the device that started the attestation. |
Disabled |
Specifies whether the attestation policy is disabled or not.
Attestation cases cannot be added to disabled attestation policies and, therefore, attestation is not carried out. Disabled attestation policies can be deleted.
Closed attestation cases can be deleted once the attestation policy is disabled. |
Display objects to be attested in the Manager |
Specifies whether the objects affected by the attestation policy are calculated and displayed on the overview form in the Manager. |
No empty attestation runs |
Specifies whether to generate an empty attestation run if no attestation object can be found when calculating the attestation case.
Enabled: Does not generate an empty attestation run. This means that it is not possible to subsequently determine whether the attestation was started normally.
Disabled: An attestation run is generated without an attestation case. This means it is possible that the attestation was started but no objects to attest were found. |
Always send notification of pending attestations |
Specifies whether to send adaptive cards or individual emails about pending attestations even if the QER | Attestation | MailTemplateIdents | RequestApproverByCollection configuration parameter is set. |
Close obsolete tasks automatically |
Specifies whether pending attestation cases are canceled if new ones are added.
If attestation is started and this option is set, new attestation cases are created according to the condition. All pending, obsolete attestation cases for newly determined attestation objects of this attestation policy are stopped. Attestation cases for attestation objects that are not recalculated remain intact. |
Obsolete tasks limit |
Specifies the maximum number of closed attestation cases for each attestation object that should remain in the database when closed attestation cases are deleted.
The value can be edited only if the Delete attestation cases function is configured. For more information, see Deleting attestation cases. |
Terms of use |
Terms of use are presented to attestors as a PDF file. For example, this can be the current policies. |
Reason for decision |
Reason that is given if the Close obsolete tasks automatically option is set and pending attestation cases are automatically closed. |
Output format |
Format in which the report is generated.
This drop-down is only visible if the QER | Attestation | AllowAllReportTypes configuration parameter is set. If the configuration parameter is not set, the default PDF format is used because it is the only format that is version compatible. |
Reason type on approval |
Specifies which type of reason is required when the attestation is granted approval.
- Optional: A reason can be provided if required.
- Reason required (standard or free): A standard reason must be selected or a reason given with any text.
- Free text required: A reason must be given with freely selected text. |
Reason type on denial |
Specifies which type of reason is required when the attestation is denied approval.
- Optional: A reason can be provided if required.
- Reason required (standard or free): A standard reason must be selected or a reason given with any text.
- Free text required: A reason must be given with freely selected text. |
Edit connection... |
Starts the WHERE clause wizard. Use this wizard to create or edit a condition to determine the attestation objects from the database table specified in the attestation procedure. |
Condition |
Data query for finding attestation objects.
The input field is shown for new attestation policies.
NOTE: For sample attestation, the condition must also query the sampling data. There is a template to help set up the condition. This condition can be changed if necessary.
Example of attesting identities using a sample:
    EXISTS (SELECT 1 FROM
        (
            SELECT ObjectKeyItem FROM QERPickedItem
            WHERE UID_QERPickCategory = '$UID_QERPickCategory$'
        ) as X
    WHERE X.ObjectKeyItem = Person.XObjectKey)
Example of attesting user accounts using a sample of identities:
    EXISTS (SELECT 1 FROM
        (
            SELECT UID_Person FROM Person WHERE EXISTS
            (
                SELECT 1 FROM
                (
                    SELECT ObjectKeyItem FROM QERPickedItem
                    WHERE UID_QERPickCategory = '$UID_QERPickCategory$'
                ) as X
                WHERE X.ObjectKeyItem = Person.XObjectKey
            )
        ) as X
    WHERE X.UID_Person = UNSAccount.UID_Person)
To show the condition for existing attestation policies, run the Show condition task. |
Approval by multi-factor authentication |
Attestation of this attestation policy requires multi-factor authentication. |
Set certification status to "Certified" |
Specifies whether the certification status of the attested object is set to Certified if the attestation case was approved in the end. |
Set certification status to "Denied" |
Specifies whether the certification status for the attested object is set to Denied if the attestation case was denied in the end. |
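
The two sample conditions shown under Condition, run against a constructed in-memory SQLite schema so the resulting attestation scope can be checked. This is an added example, not part of the One Identity Manager documentation: the tables contain only the columns those conditions reference, all rows, key values and sample identifiers are constructed, and the `$UID_QERPickCategory$` placeholder is replaced by a bound parameter. It also shows that a user account not linked to any identity is never selected by the identity-sample condition.

```python
import sqlite3

# Constructed miniature schema: only the columns the two conditions reference.
SCHEMA = """
CREATE TABLE Person (UID_Person TEXT PRIMARY KEY, XObjectKey TEXT);
CREATE TABLE UNSAccount (AccountName TEXT, UID_Person TEXT);
CREATE TABLE QERPickedItem (UID_QERPickCategory TEXT, ObjectKeyItem TEXT);
"""
# Conditions as given on the page; the $UID_QERPickCategory$ placeholder is
# replaced by the bound parameter :sample for this demonstration.
IDENTITY_CONDITION = """EXISTS (SELECT 1 FROM
  (SELECT ObjectKeyItem FROM QERPickedItem
   WHERE UID_QERPickCategory = :sample) AS X
  WHERE X.ObjectKeyItem = Person.XObjectKey)"""
ACCOUNT_CONDITION = """EXISTS (SELECT 1 FROM
  (SELECT UID_Person FROM Person WHERE EXISTS
    (SELECT 1 FROM
      (SELECT ObjectKeyItem FROM QERPickedItem
       WHERE UID_QERPickCategory = :sample) AS X
     WHERE X.ObjectKeyItem = Person.XObjectKey)) AS X
  WHERE X.UID_Person = UNSAccount.UID_Person)"""

def build_db():
    """Return an in-memory database filled with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO Person VALUES (?, ?)",
                   [("P1", "key-P1"), ("P2", "key-P2"), ("P3", "key-P3")])
    db.executemany("INSERT INTO QERPickedItem VALUES (?, ?)",
                   [("SAMPLE-A", "key-P1"), ("SAMPLE-A", "key-P3"),
                    ("SAMPLE-B", "key-P2")])
    db.executemany("INSERT INTO UNSAccount VALUES (?, ?)",
                   [("alice", "P1"), ("alice-adm", "P1"), ("bob", "P2"),
                    ("carol", "P3"), ("svc-orphan", None)])  # no identity
    return db

def sampled_identities(db, sample):
    """Identities the first condition selects for the given sample."""
    sql = f"SELECT UID_Person FROM Person WHERE {IDENTITY_CONDITION} ORDER BY 1"
    return [row[0] for row in db.execute(sql, {"sample": sample})]

def sampled_accounts(db, sample):
    """User accounts the second condition selects for the given sample."""
    sql = f"SELECT AccountName FROM UNSAccount WHERE {ACCOUNT_CONDITION} ORDER BY 1"
    return [row[0] for row in db.execute(sql, {"sample": sample})]

if __name__ == "__main__":
    db = build_db()
    print(sampled_identities(db, "SAMPLE-A"))
    print(sampled_accounts(db, "SAMPLE-A"))
```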