立即与支持人员聊天
与支持团队交流

Identity Manager On Demand - Starling Edition Hosted - Attestation Administration Guide

Attestation and recertification
One Identity Manager users for attestation Attestation base data Attestation types Attestation procedure Attestation schedules Compliance frameworks Chief approval team Attestation policy owners Standard reasons for attestation Attestation policies Sample attestation Grouping attestation policies Custom mail templates for notifications Suspending attestation Automatic attestation of policy violations
Approval processes for attestation cases
Approval policies for attestations Approval workflow for attestations Selecting attestors Setting up multi-factor authentication for attestation Prevent attestation by identity awaiting attestation Automatic acceptance of attestation approvals Phases of attestation Attestation by peer group analysis Approval recommendations for attestations Managing attestation cases
Attestation sequence Default attestations Mitigating controls Setting up attestation in a separate database Configuration parameters for attestation

System role attestation

Installed modules: System Roles Module

If you attest memberships in system roles, you can use the QER | Attestation | AutoRemovalScope | ESetAssignment configuration parameter to configure the automatic removal of system roles. After attestation approval has been denied, One Identity Manager checks which type of assignment was used for the user account to become a member in the system role.

Table 45: Effect of configuration parameters when attestation denied

Configuration parameter

Effect when set

QER | Attestation | AutoRemovalScope | ESetAssignment | RemoveDirect

Direct membership in the system role is removed.

This removes all indirect assignments obtained by the identity through this system role.

QER | Attestation | AutoRemovalScope | ESetAssignment | RemovePrimaryRole

If the system role was inherited through a primary role, the role is withdrawn.

This removes all indirect assignments obtained by the identity through this role.

QER | Attestation | AutoRemovalScope | ESetAssignment | RemoveRequestedRole

If the system role was inherited through a requested role, the role request is canceled or unsubscribed.

This removes all indirect assignments obtained by the identity through this role.

Set the desired behavior in the QER | Attestation | AutoRemovalScope | PWOMethodName configuration parameter. For more information, see Configuring withdrawal of entitlements.

QER | Attestation | AutoRemovalScope | ESetAssignment | RemoveDelegatedRole

If the system role was inherited through a delegated role, the delegation of this role is canceled or unsubscribed.

This removes all indirect assignments obtained by the identity through this role.

Set the desired behavior in the QER | Attestation | AutoRemovalScope | PWOMethodName configuration parameter. For more information, see Configuring withdrawal of entitlements.

QER | Attestation | AutoRemovalScope | ESetAssignment | RemoveRequested

If the system role was requested through the IT Shop, the request is canceled or unsubscribed.

This removes all indirect assignments obtained by the identity through this system role.

Set the desired behavior in the QER | Attestation | AutoRemovalScope | PWOMethodName configuration parameter. For more information, see Configuring withdrawal of entitlements.

QER | Attestation | AutoRemovalScope | ESetAssignment | RemoveDirectRole

If the system role was inherited through a secondary role (organization or business role), the identity's membership is removed from this role.

This removes all indirect assignments obtained by the identity through this role.

QER | Attestation | AutoRemovalScope | ESetAssignment | RemoveDynamicRole

If the system role was inherited through a dynamic role, the identity is excluded from the dynamic role.

This removes all indirect assignments obtained by the identity through this role.

If you attest assignments to system roles, you can use the QER | Attestation | AutoRemovalScope | ESetHasEntitlement configuration parameter to configure automatic removal of assignments.

Table 46: Effect of configuration parameters when attestation denied

Configuration parameter

Effect when set

QER | Attestation | AutoRemovalScope | ESetHasEntitlement | RemoveDirect

Assignment of the company resource to a system role is removed.

QER | Attestation | AutoRemovalScope | ESetHasEntitlement | RemoveRequested

Assignment of the company resource to a system role requested by assignment request is unsubscribed.

If you attest system role assignments to hierarchical roles, you can use the following configuration parameters to configure automatic removal of system roles.

Table 47: Effect of configuration parameters when attestation denied

Configuration parameter

Effect when set

QER | Attestation | AutoRemovalScope | DepartmentHasESet | RemoveDirect

The assignment of the system role to a department is removed.

Therefore the system role is removed from all identities that inherit assignments from this department.

QER | Attestation | AutoRemovalScope | ProfitCenterHasESet | RemoveDirect

The assignment of the system role to a cost center is removed.

Therefore the system role is removed from all identities that inherit assignments from this cost center.

QER | Attestation | AutoRemovalScope | LocalityHasESet | RemoveDirect

The assignment of the system role to a location is removed.

Therefore the system role is removed from all identities that inherit assignments from this location.

QER | Attestation | AutoRemovalScope | OrgHasESet | RemoveDirect

The assignment of the system role to a business role is removed.

Therefore the system role is removed from all identities that inherit assignments from this business role.

Application role attestation

If you attest memberships in application roles, you can use the QER | Attestation | AutoRemovalScope | AERoleMembership configuration parameter to configure automatic removal of application roles. After attestation approval has been denied, One Identity Manager checks which type of assignment was used for the user account to become a member in the application role.

Table 48: Effect of configuration parameters when attestation denied

Configuration parameter

Effect when set

QER | Attestation | AutoRemovalScope | AERoleMembership | RemoveDirectRole

The identity's secondary membership is removed from the application role.

This removes all indirect assignments obtained by the identity through this application role. Membership in dynamic roles is not removed in this process.

QER | Attestation | AutoRemovalScope | AERoleMembership | RemoveRequestedRole

If the identity requested the application role through the IT Shop, the request is canceled or unsubscribed.

This removes all indirect assignments obtained by the identity through this application role.

Set the desired behavior in the QER | Attestation | AutoRemovalScope | PWOMethodName configuration parameter. For more information, see Configuring withdrawal of entitlements.

QER | Attestation | AutoRemovalScope | AERoleMembership | RemoveDelegatedRole

If the application role was delegated to the identity, delegation is canceled or unsubscribed.

This removes all indirect assignments obtained by the identity through this application role.

Set the desired behavior in the QER | Attestation | AutoRemovalScope | PWOMethodName configuration parameter. For more information, see Configuring withdrawal of entitlements.

QER | Attestation | AutoRemovalScope | AERoleMembership | RemoveDynamicRole

The identity is excluded from the application role's dynamic role.

This removes all indirect assignments obtained by the identity through this application role. This does not remove memberships in the application role that were created in another way.

Business role attestation

Installed modules: Business Roles Module

If you attest memberships in business roles, you can use the QER | Attestation | AutoRemovalScope | RoleMembership configuration parameter to configure automatic removal of business roles. After attestation approval has been denied, One Identity Manager checks which type of assignment was used for the user account to become a member in the business role.

Table 49: Effect of configuration parameters when attestation denied

Configuration parameter

Effect when set

QER | Attestation | AutoRemovalScope | RoleMembership | RemoveDirectRole

The identity's secondary membership in the business role is removed.

This removes all indirect assignments obtained by the identity through this business role. Membership in dynamic roles is not removed by this.

QER | Attestation | AutoRemovalScope | RoleMembership | RemoveRequestedRole

If the identity requested the business role through the IT Shop, the request is canceled or unsubscribed.

This removes all indirect assignments obtained by the identity through this business role.

Set the desired behavior in the QER | Attestation | AutoRemovalScope | PWOMethodName configuration parameter. For more information, see Configuring withdrawal of entitlements.

QER | Attestation | AutoRemovalScope | RoleMembership | RemoveDelegatedRole

If the business role was delegated to the identity, delegation is canceled or unsubscribed.

This removes all indirect assignments obtained by the identity through this business role.

Set the desired behavior in the QER | Attestation | AutoRemovalScope | PWOMethodName configuration parameter. For more information, see Configuring withdrawal of entitlements.

QER | Attestation | AutoRemovalScope | RoleMembership | RemoveDynamicRole

The identity is excluded from the business role's dynamic role.

This removes all indirect assignments obtained by the identity through this business role. This does not remove memberships in the business role that were created in another way.

Configuring sample attestation of identities and their entitlements

The Identity attestation default policy collection combines all default attestation policies to attest identities along with all their entitlements and memberships. The policy collection is assigned to a default sample that you use to specify which identities to attest.

To set up comprehensive attestation of selected identities

  1. Manually assign the identities to be attested to the Individual selection of identities sample.

  2. Create a schedule and assign it to the Identity attestation policy collection. By doing this, you replace the schedule assigned by default.

    • Enable the schedule.
Related topics
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级