
Identity Manager 9.3 - Attestation Administration Guide


Determining attestors via owners of the attestation objects

Various objects in One Identity Manager have dedicated owners assigned to them. Different approval procedures can determine these owners as attestors.

Determining owners or approvers of attestation policies

Both individual identities and application roles can be assigned as owners of attestation policies. You can also assign any identity to an attestation policy as an approver. These owners and approvers can then be determined as attestors for attesting any property.

Calculated approval

NOTE: Only one approval step can be defined with the CD approval procedure per approval level.

If you want to make attestation dependent on specific conditions, use the CD approval procedure. This procedure does not determine an attestor. Instead, One Identity Manager makes the decision itself, depending on the condition that is formulated in the approval step.

You can use the procedure for any attestation base object. You create a condition in the approval step. If the condition returns a result (at least one row), One Identity Manager grants the approval step. If the condition returns no result, One Identity Manager denies the approval step. If there are no further approval steps, the attestation case is finally granted or denied accordingly.

To enter a condition for the CD approval procedure

  1. Edit the approval step properties.

    For more information, see Editing approval levels.

  2. In the Condition input field, enter a valid WHERE clause for database queries. The clause is evaluated against the AttestationCase table of the case being attested. You can enter the SQL directly or with a wizard.

Example of a simple approval workflow with the CD approval procedure:

External identities should be attested by their managers. If no manager is assigned, the members of a designated application role must attest the identities.

You can find all external identities who have a manager assigned to them by using the CD approval procedure with the following condition.

EXISTS
(SELECT 1 FROM
    (SELECT xobjectkey FROM Person WHERE (IsExternal = 1)
        AND (EXISTS
            (SELECT 1 FROM (SELECT UID_Person FROM Person WHERE 1 = 1) as X
             WHERE X.UID_Person = Person.UID_PersonHead))) as X
 WHERE X.xobjectkey = AttestationCase.ObjectKeyBase)

If the condition is fulfilled, the external identity's manager attests the identity. To do this, add an approval step in the positive approval path with the CM approval procedure.

If the condition is not fulfilled, the identity is attested by the members of a designated application role. To do this, add an approval step in the negative approval path with the OR approval procedure and assign the application role.
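The following added example (Python with an in-memory SQLite database, not code from the guide or from One Identity Manager) shows how the CD step above behaves on a handful of constructed Person and AttestationCase rows. It runs the page's condition unchanged once per attestation case, exactly as the CD procedure does, and maps the outcome to the next approval procedure (CM on the positive path, OR on the negative path). The table layouts, the placeholder xobjectkey values and the sample UIDs are assumptions made for the example; only the columns the condition touches are modelled.

```python
import sqlite3

# The CD condition exactly as configured in the approval step on the page.
# It is an administrator-configured constant, not runtime input, which is the
# only reason it is acceptable to splice it into a query as text.
CD_CONDITION = """EXISTS
(SELECT 1 FROM
    (SELECT xobjectkey FROM Person WHERE (IsExternal = 1)
    AND (EXISTS
        (SELECT 1 FROM(SELECT UID_Person FROM Person WHERE 1 = 1) as X
    WHERE X.UID_Person = Person.UID_PersonHead) )) as X
WHERE X.xobjectkey = AttestationCase.ObjectKeyBase)"""

# Constructed sample data (assumption: minimal stand-ins for the Person and
# AttestationCase tables). xobjectkey values are opaque placeholders, not real
# XObjectKey strings.
PERSONS = [
    # UID_Person,        xobjectkey,            IsExternal, UID_PersonHead
    ("p-mgr",            "key:p-mgr",           0, None),     # internal manager
    ("p-ext-managed",    "key:p-ext-managed",   1, "p-mgr"),  # external, manager exists
    ("p-ext-orphan",     "key:p-ext-orphan",    1, None),     # external, no manager
    ("p-ext-dangling",   "key:p-ext-dangling",  1, "p-gone"), # external, manager UID does not resolve
    ("p-int",            "key:p-int",           0, "p-mgr"),  # internal, manager exists
]
# One attestation case per person; ObjectKeyBase points at the attested identity.
CASES = [("case-" + uid, key) for uid, key, _, _ in PERSONS]


def build_sample_db():
    """Create the two stand-in tables and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Person (
            UID_Person TEXT PRIMARY KEY, xobjectkey TEXT NOT NULL,
            IsExternal INTEGER NOT NULL, UID_PersonHead TEXT);
        CREATE TABLE AttestationCase (
            UID_AttestationCase TEXT PRIMARY KEY, ObjectKeyBase TEXT NOT NULL);
    """)
    conn.executemany("INSERT INTO Person VALUES (?, ?, ?, ?)", PERSONS)
    conn.executemany("INSERT INTO AttestationCase VALUES (?, ?)", CASES)
    return conn


def evaluate_cd_step(conn, condition=CD_CONDITION):
    """Apply the CD step to every case: a row back means granted, no row means denied."""
    decisions = {}
    for (uid,) in conn.execute("SELECT UID_AttestationCase FROM AttestationCase").fetchall():
        hit = conn.execute(
            "SELECT 1 FROM AttestationCase WHERE UID_AttestationCase = ? AND " + condition,
            (uid,),
        ).fetchone()
        decisions[uid] = "granted" if hit else "denied"
    return decisions


def next_procedure(decision):
    """Positive path continues with CM (manager), negative path with OR (application role)."""
    return "CM" if decision == "granted" else "OR"


def route_cases(conn):
    """Return, per attestation case, which approval procedure the workflow continues with."""
    return {uid: next_procedure(d) for uid, d in evaluate_cd_step(conn).items()}


if __name__ == "__main__":
    for uid, proc in route_cases(build_sample_db()).items():
        print(f"{uid}: next approval step uses {proc}")
```

Only the external identity whose UID_PersonHead resolves to an existing Person row takes the CM path; the external identity with a dangling manager reference is routed to the application role like the one with no manager at all, which is the reason the condition checks for the manager's existence with the inner EXISTS rather than testing UID_PersonHead for NULL.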

Approvals to be made externally

Use external approvals (EX approval procedure) if an attestation needs to be approved as soon as a defined event from outside One Identity Manager takes place. You can also use this procedure to reach attestors with no access to One Identity Manager.

Specify an event in the approval step that triggers an external approval. The event triggers a process that initiates the external approval for the attestation case and evaluates the result of the approval decision. The approval process waits for the external decision to be passed to One Identity Manager. Define the subsequent approval steps depending on the result of the external approval.

To use the EX approval procedure

  1. In the Designer, define your own processes that:

    • Trigger an external approval.

    • Analyze the result of the external approval.

    • Grant or deny approval in the subsequent external approval step in One Identity Manager.

  2. Define an event that starts the process for the external approval. Enter the event in the Event field of the approval step.

If the external event occurs, the approval step status in One Identity Manager must be changed. Use the CallMethod process task with the MakeDecision method for this. Pass the following parameters to the process task:

MethodName: Value = "MakeDecision"

ObjectType: Value = "AttestationCase"

Param1: Value = "sa"

Param2: Value = <approval> ("true" = granted; "false" = denied)

Param3: Value = <reason for approval decision>

Param4: Value = <standard reason>

Param5: Value = <approval step number> (PWODecisionStep.SubLevelNumber)

WhereClause: Value = "UID_AttestationCase ='"& $UID_AttestationCase$ &"'"

Use these parameters to specify which attestation case is to be decided by the external approval (WhereClause). Param1 specifies the attestor; for external approvals this is always the sa system user. Param2 passes the approval decision: if the attestation was granted, pass the value True, if it was denied, pass False. Use Param3 to pass a reason text for the approval decision and Param4 to pass a predefined standard reason. If more than one external approval step has been defined in an approval level, use Param5 to pass the number of the approval step (PWODecisionStep.SubLevelNumber). This ensures that the decision is assigned to the correct approval step.

Example for using the EX approval procedure

All compliance rules should be checked and attested by an external assessor. The attestation object data should be made available as a PDF on an external share. The assessor should save the result of the attestation in a text file on the external share. Because the process that evaluates these text files decides the attestation case as the sa system user, anyone who can write to that share can effectively grant or deny attestations; restrict write access on the share to the assessor and validate the file contents before calling MakeDecision. Use the EX approval procedure to make external approvals and define:

  • A P1 process that saves a PDF report with data about the attestation object data and the attestation procedure on an external share
  • An E1 event that starts the P1 process

    In the approval step, enter E1 in the Event field; P1 is the process that this event triggers for the external decision.

  • A P2 process that checks the share for new text files, evaluates their content, and calls the One Identity Manager CallMethod process task with the MakeDecision method
  • An E2 event that starts the P2 process
  • A schedule that starts the E2 event on a regular basis

For more information about creating processes, see the One Identity Manager Configuration Guide. For more information about setting up schedules, see the One Identity Manager Operational Guide.
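The added example below (Python, not code from the guide or from One Identity Manager) works through what the P2 process in the example above has to do and how the CallMethod/MakeDecision parameters listed earlier are assembled from an assessor's result file. A real P2 is a process with a CallMethod step defined in the Designer; this script only produces the parameter values such a step would receive. The key=value result-file format, the GUID shape assumed for UID_AttestationCase, the renaming of processed files, the standard-reason value and the sample UIDs are all assumptions made for the example. The WhereClause parameter is a raw database WHERE clause, so the UID is validated before it is spliced in; a result file with a tampered UID is rejected rather than passed on.

```python
import re
import tempfile
from pathlib import Path

# Assumed result-file format (the page leaves it open): one key=value pair per line.
#   UID_AttestationCase=<uid of the case, copied from the PDF that P1 exported>
#   Decision=granted|denied
#   Reason=<assessor's free-text reason>                -> Param3
#   StandardReason=<optional UID of a standard reason>  -> Param4
# Assumption: UIDs are GUID-formatted strings. Anything else is rejected so the
# WhereClause, a raw SQL fragment, is never built from unvalidated text.
UID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)
MAX_REASON_LEN = 500  # assumed bound for the free-text reason


def parse_result_file(text):
    """Parse the assessor's text file into a dict; blank lines and # comments are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        fields[key.strip()] = value.strip()
    return fields


def make_decision_params(fields, sub_level_number):
    """Map a parsed result file to the CallMethod/MakeDecision parameters from the page.
    sub_level_number must be the PWODecisionStep.SubLevelNumber of the EX approval step."""
    uid = fields.get("UID_AttestationCase", "")
    if not UID_RE.match(uid):
        raise ValueError("UID_AttestationCase is not a well-formed UID")
    decision = fields.get("Decision", "").lower()
    if decision not in ("granted", "denied"):
        raise ValueError(f"Decision must be granted or denied, got {decision!r}")
    reason = fields.get("Reason", "")
    if len(reason) > MAX_REASON_LEN:
        raise ValueError("Reason too long")
    return {
        "MethodName": "MakeDecision",
        "ObjectType": "AttestationCase",
        "Param1": "sa",                                   # attestor is always the sa system user
        "Param2": "true" if decision == "granted" else "false",
        "Param3": reason,
        "Param4": fields.get("StandardReason", ""),
        "Param5": str(sub_level_number),
        "WhereClause": f"UID_AttestationCase ='{uid}'",   # safe only because uid matched UID_RE
    }


def process_share(share_dir, sub_level_number=0):
    """What P2 does on each scheduled run: consume every new *.txt result file once.
    Files are renamed afterwards so the next run does not decide the same case twice."""
    outcome = {}
    for path in sorted(Path(share_dir).glob("*.txt")):
        try:
            fields = parse_result_file(path.read_text(encoding="utf-8"))
            outcome[path.name] = make_decision_params(fields, sub_level_number)
            path.rename(path.with_suffix(".done"))
        except ValueError as exc:
            outcome[path.name] = {"error": str(exc)}  # left for an operator to inspect
            path.rename(path.with_suffix(".rejected"))
    return outcome


def demo():
    """Constructed share with three assessor files: a grant, a denial, and a tampered UID."""
    share = Path(tempfile.mkdtemp())
    (share / "case1.txt").write_text(
        "UID_AttestationCase=3f2c1e6a-9b0d-4c7e-8a1f-2d5b6c7e8f90\n"
        "Decision=granted\nReason=Reviewed rule text, no findings\n", encoding="utf-8")
    (share / "case2.txt").write_text(
        "UID_AttestationCase=7a1b2c3d-4e5f-4a6b-9c8d-0e1f2a3b4c5d\n"
        "Decision=denied\nReason=Owner not reachable\nStandardReason=RSN-OWNER-UNREACHABLE\n",
        encoding="utf-8")
    (share / "case3.txt").write_text(
        "UID_AttestationCase=x' OR 1=1 --\nDecision=granted\n", encoding="utf-8")
    return process_share(share, sub_level_number=0)


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The third file shows why the UID check matters: without it, the text `x' OR 1=1 --` would be concatenated into the WhereClause and MakeDecision would be asked to decide every attestation case rather than one. The same concern applies to any value that reaches a process from outside One Identity Manager.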
