IMPORTANT: In order to customize the User recertification default attestation policy, you must make changes to One Identity Manager objects. Always use a custom copy of the relevant object to make these changes.
All identities saved in the database are recertified using the User recertification attestation policy supplied in One Identity Manager. It may be necessary to limit recertification of new users to a certain group of identities, for example, if only identities in a specific departments should be attested. To do this, you can extend the condition attached to the attestation policy. Create a custom attestation policy for this.
The following objects must be changed so that recertification of users can be carried out with this attestation policy. Always create a copy of the respective object to do this.
-
User recertification attestation policy
-
VI_Attestation_AttestationCase_Person_Approval_Granted process
-
VI_Attestation_AttestationCase_Person_Approval_Dismissed process
IMPORTANT: In order for recertification to run correctly in the Web Portal, the default Certification of users attestation procedure and the default Certification of users approval policy must be assigned to the attestation policy.
The default attestation procedure, the default approval policy, and the default Certification of users approval workflow must not be changed.
To customize default recertification of users
-
Copy the User recertification attestation policy and customize it.
Table 61: Attestation policy properties
|
Attestation procedure |
Certification of users. |
|
Approval policies |
Certification of users. |
|
Editing conditions |
Copy the default condition without modification so that the correct attestation object is selected.
To limit the number of attestation objects, you can add additional partial conditions to the database query. |
-
In the Designer, copy the VI_Attestation_AttestationCase_Person_Approval_Granted process of the AttestationCase base object and customize the copy.
Table 62: Process properties with changes
|
Pre-script for generating |
Replace the UID of the User recertification attestation policy with the UID of the new attestation policy. |
|
Generating condition |
-
In the Designer, copy the VI_Attestation_AttestationCase_Person_Approval_Dismissed process of the AttestationCase base object and customize the copy.
Table 63: Process properties with changes
|
Pre-script for generating |
Replace the UID of the User recertification attestation policy with the UID of the new attestation policy. |
|
Generating condition |
For more information about editing processes, see the One Identity Manager Configuration Guide.
Detailed information about this topic
NOTE: This functionality is only available if the Target System Base Module in installed.
One Identity Manager provides default procedures for managers to quickly attest and certify the main data of newly added application roles, business roles, and organizations in the One Identity Manager database. Attestation is performed only for roles and organizations with the New certification status. If the attestation is approved, the certificate status of the attested role or organization is set to Certified and otherwise, to Denied.
Attestation is performed when a new role or organization is created in the Manager or the Web Portal or imported into the One Identity Manager database. No Import data source can be stored for the role or organization.
NOTE: Following attestation, the certification status is changed. If attestation was granted approval, it disables the Identities do not inherit option.
If attestation was denied approval, only the certification status changes. Other behavioral changes, for example in the inheritance calculation, are not associated with this and can be implemented on a custom basis.
Detailed information about this topic
Related topics
The following users are involved in the certification of roles and organizations.
Table 64: Users
|
Administrators for organizations |
Administrators must be assigned to the Identity Management | Organizations | Administrators application role.
Users with this application role:
-
Set up and edit departments, cost centers, and locations.
-
Assign company resources to departments, cost centers, and locations.
-
Attest the main data of departments, cost centers, and locations.
-
Administrate application roles for role approvers, role approvers (IT), and attestors.
-
Set up other application roles as required. |
|
Business roles administrators |
Administrators must be assigned to the Identity Management | Business roles | Administrators application role.
Users with this application role:
-
Create and edit business roles.
-
Assign company resources to business roles.
-
Attest business roles' main data.
-
Administrate application roles for role approvers, role approvers (IT), and attestors.
-
Set up other application roles as required. |
|
Administrators for basic functionality |
Administrators must be assigned to the Base roles | Administrators application role.
Users with this application role:
-
Administer application roles for administrators.
-
Assign identities to administrator application roles.
-
Add other identities to the Base roles | Administrators application role and edit conflicting application roles.
-
See the main data for the other application roles.
-
Attest application roles' main data.
-
Can use Password Reset Portal to set passwords for selected system users. |
|
Manager |
- Check the main data of the roles and organizations to be certified.
- Assign another manager if required.
- Attests the main data.
|
|
Administrators for attestation cases |
Administrators must be assigned to the Identity & Access Governance | Attestation | Administrators application role.
Users with this application role:
|
Detailed information about this topic
Attestation and certification of departments with the New certification status can start when the following requirements are met.
To certify new departments
-
In the Designer, set the QER | Attestation | DepartmentApproval and QER | Attestation | DepartmentApproval | InitialApprovalState configuration parameters.
-
The value of the InitialApprovalState configuration parameter to 1.
All departments added to the database from this point on are given the certification status New.
-
In the Manager, edit the main data of the New departments certification attestation policy.
-
In the Manager, assign at least one identity to the Identity Management | Organizations | Administrators application role.
- Save the changes.
Attestation of imported departments is triggered when:
-
Initial certification status was set to New by the InitialApprovalState configuration parameter.
- OR -
The import sets Department.ApprovalState='1'
-
There is no Import data source stored with the department (ProfitCenter.ImportSource='')
The Identities do not inherit option (Department.IsNoInheriteToPerson) is disabled by the VI_Attestation_AttestationCase_Department_Approval_Granted process.
Related topics
