Self-registration of new users in the Web Portal
Users who are not yet registered have the option to register themselves to use the Web Portal. These users can log in to the Web Portal once a manager has attested the user's main data and the set the user's password. This adds an external identity to the One Identity Manager database.
Attestation sequence:
- The user logs in to the Web Portal for the first time and enters the required properties.
A new identity is added to the One Identity Manager database with properties:
Table 51: Properties of a newly added identity
|
Certification status |
New |
|
External |
Set |
|
Contact email address |
Email address to send the verification link to. |
|
Permanently deactivated |
Set |
|
No inheritance |
Set |
- Attestation is started automatically.
Attestation policy used: New user certification
NOTE: The attestation only starts automatically if the QER | Attestation | UserApproval configuration parameter is set. Otherwise the new user remains permanently deactivated until a manager changes the identity main data manually.
- Attestors are found.
Effective approval policy: Certification of users
-
If the QER | Attestation | ApproveNewExternalUsers configuration parameter is set and the value is 1, attestation of members of the Identity & Access Governance | Attestation | Attestors for external users is submitted.
- If an attestor for external users denies the attestation, the attestation case is closed. The identity's properties are updated in the database.
Table 52: Properties of an external identity with denied attestation
|
Certification status |
Denied |
|
|
External |
Set |
|
|
Permanently deactivated |
Set |
The user cannot log in to the Web Portal. |
|
No inheritance |
Set |
Company resources are not inherited. |
-
If an attestor for external users approves attestation, an email with a verification link is sent to the new user.
NOTE: If the QER | Attestation | ApproveNewExternalUsers configuration parameter is not set or the value is 0, an email with a verification link is sent immediately to the new user.
-
Once the user has followed the link and a password and a password question have been set, the attestation case is approved. The identity's properties are updated in the database.
Table 53: Properties of an external identity with approved attestation
|
Certification status |
Certified |
|
|
External |
Set |
|
|
Permanently deactivated |
Not set |
The user can log in to the Web Portal. |
|
No inheritance |
Not set |
Company resources are inherited. |
The default is 4 hours. If logging in to the Password Reset Portal fails because the timeout has expired, the user can ask for a new verification link to be sent.
If the user does not complete registration with 24 hours, the attestation case quits. To register anyway, the user must log in again to the Web Portal from the beginning.
Related topics
Adding new identities using a manager or administrator for identities
You can also attest new users if new identities are added in the Manager or if a manager in the Web Portal adds a new identities. Specify the required behavior with the configuration parameter QER | Attestation | UserApproval | InitialApprovalState. This configuration parameter has the default value 0. This gives each new identity the certification status Certified. Automatic attestation is not carried out.
To automatically attest new users
-
In the Designer, enable the QER | Attestation | UserApproval | InitialApprovalState configuration parameter and set the value to 1.
All identities added to the database from this point on are given the certification status New. This means automatic attestation of these identities is carried out.
The sequence is different for internal and external identities.
Attestation sequence:
- Enter the new user's main data and assign a manager to them.
For more information about adding identities, see the One Identity Manager Identity Management Base Module Administration Guide and the One Identity Manager Web Designer Web Portal User Guide.
The certification status corresponds to the value of the QER | Attestation | UserApproval | InitialApprovalState configuration parameter. If the configuration parameter has the value 1, certification status is set to New.
The identity is activated by default. They can therefore log in to One Identity Manager immediately. To ensure that the identity cannot log in to One Identity Manager until their main data has been attested, deactivate the identity.
- Once the identity's main data has been saved, attestation starts.
Attestation policy used: New user certification
- Attestors are found.
Effective approval policy: Certification of users
-
If the External option is set for the identity:
Attestation takes place as described in the Self-registration of new users in the Web Portal section, steps 4 to 5.
- If the External option is set for the identity:
- One Identity Manager checks whether you have assigned a manager to the identity.
-
If you have assigned a manager to the identity, the case is immediately passed on to them for approval.
-
If you have not assigned a manager to the identity, the case is assigned to the identity administrators for approval.
- An identity administrator checks your main data and also assigns a manager to you.
-
An identity administrator assigns a manager and approves attestation. The attestation case is assigned to the manager for approval.
-
If the identity administrator does not assign a manager and approves attestation, the attestation case is closed. The identity's properties are updated in the database.
Table 54: Properties of an identity with approved attestation
|
Certification status |
Certified |
|
|
External |
Not set |
|
|
Disabled permanently |
Not set |
|
|
No inheritance |
Not set |
Company resources are inherited. |
-
If the identity administrator denies attestation, the attestation case is closed. The identity properties are updated in the database.
Table 55: Properties of an identity with rejected attestation
|
Certification status |
Rejected |
|
|
External |
Not set |
|
|
Permanently disabled |
Set |
|
|
No inheritance |
Set |
Company resources are not inherited.
User accounts are not created automatically. |
- The manager can deny attestation approval if they are not the manager in charge of the user.
-
The manager can assign another identity as manager. The attestation case is immediately assigned to this manager.
-
If the manager does not know who your manager is, approval is returned to the identity administrators. These can
- If the manager approves attestation, the attestation case is closed. The identity properties are updated in the database.
Table 56: Properties of an identity with approved attestation
|
Certification status |
Certified |
|
|
External |
Not set |
|
|
Disabled permanently |
Not set |
|
|
No inheritance |
Not set |
Company resources are inherited. |
NOTE: Only identity administrators can ultimately deny attestation approval. If a manager denies attestation, the case is returned to the identity administrators for approval in any case.
Related topics
Importing new identity main data
You can request attestation of new identities if the main data is imported from other systems into the One Identity Manager database. To ensure that new identities are automatically attested, you must set the identity’s certification status to New (Person.ApprovalState = '1'). There are two possible ways to do this:
-
The QER | Attestation | UserApproval | InitialApprovalState configuration parameter is evaluated for certification status. If the configuration parameter has the value 1, certification status is set to New.
Prerequisite: The import does not alter the Person.ApprovalState property.
NOTE: The QER | Attestation | UserApproval | InitialApprovalState configuration parameter has the value 0 by default. This gives each new identity the certification status Certified. Automatic attestation is not carried out.
If you want to attest new identities immediately, change the value of the configuration parameter to 1.
- The import sets the Person.ApprovalState property explicitly.
-
The import sets ApprovalState='1' (New).
The identity is automatically sent to the manager for attestation.
-
The import sets ApprovalState=’0' (Certified).
Imported identity main data has already been authorized. It should not be attested again.
-
The import sets ApprovalState=’3' (Denied).
The identity is deactivated permanently and is not attested.
Attestation of new users is triggered when:
-
The QER | Attestation | UserApproval configuration parameter is set
-
New identity main data was imported into the One Identity Manager database
-
The certification status for new identities is set to New
-
No Import data source is stored with the identity.
If the External option is not set for an identity, attestation takes place as described in the Adding new identities using a manager or administrator for identities section, step 5.
If the External option is set for the identity, attestation takes place as described in the Self-registration of new users in the Web Portal section, steps 4 to 5.
The New user certification attestation policy is run.
Related topics
Scheduled attestation
Users are also attested when the certification status for an identity is set to New at a later date (manually or through import). The Daily schedule is assigned to the New user certification attestation policy for this purpose. Attestation of new users is started when the time set in the schedule is reached. This process determines all identities with the certification status New and for whom no attestation cases are pending.
You can assign a custom schedule to the attestation policy if required.
Detailed information about this topic
