
Identity Manager On Demand Hosted - Attestation Administration Guide


Using owners of the attestation objects to find attestors

When you assign new owners to devices or system entitlements in the Web Portal, the new owner should agree with this assignment. An attestation with the PO approval procedure is carried out for this purpose.

Using employees assigned to user accounts to find attestors

If you want to allow user accounts to be attested by the employees assigned to them, use the EA approval procedure. This approval procedure can be used if the Target System Base Module is installed.

Determining attested employee as attestor

An employee can attest to the correctness of their own main data to confirm that it has been entered correctly, for example. Use the CS approval procedure to do this. Employees are the base object for attestation. The approval procedure is used by default to assign managers to employees who do not have a manager assigned to them (Attestation of initial manager assignment attestation policy).

Calculated approval

NOTE: Only one approval step can be defined with the CD approval procedure per approval level.

If you want to make attestation dependent on specific conditions, use the CD approval procedure. This procedure does not determine an attestor. One Identity Manager makes the decision depending on the condition that is formulated in the approval step.

You can use the procedure for any attestation base objects. You create a condition in the approval step. If the condition returns a result, the approval step is approved through One Identity Manager. If the condition does not return a result, the approval step is denied by One Identity Manager. If there are no further approval steps, the approval procedure is either finally granted or denied.

To enter a condition for the CD approval procedure

  1. Edit the approval step properties.

    For more information, see Editing approval levels.

  2. In the Condition input field, enter a valid WHERE clause for database queries. You can enter the SQL query directly or with a wizard.

Example of a simple approval workflow with the CD approval procedure:

External employees should be attested by their managers. If no manager is assigned, the members of a designated application role must attest the employees.

You can find all external employees who have managers assigned to them by using the CD approval procedure and the following condition.

    EXISTS
    (SELECT 1 FROM
      (SELECT xobjectkey FROM Person WHERE (IsExternal = 1)
        AND (EXISTS
          (SELECT 1 FROM
            (SELECT UID_Person FROM Person WHERE 1 = 1) as X
           WHERE X.UID_Person = Person.UID_PersonHead) )) as X
     WHERE X.xobjectkey = AttestationCase.ObjectKeyBase)

If the condition is fulfilled, the external employee's manager can attest the employee. To do this, add an approval step in the positive approval path with the CM approval procedure.

If the condition is not fulfilled, the employee is attested by the member of a designated application role. To do this, add an approval step in the negative approval path with the OR approval procedure and assign the application role.
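The routing described above can be checked offline before the condition goes into an approval step. The following is an added example, not One Identity code: it runs the page's condition against a constructed SQLite stand-in and reports which approval path each case takes. Assumptions: the condition is applied as a WHERE clause on AttestationCase, the tables hold only the columns the condition reads, and CaseId and all row values are made up for the demo.

```python
import sqlite3

# The condition from the page, unchanged apart from whitespace.
CONDITION = """
EXISTS
 (SELECT 1 FROM
   (SELECT xobjectkey FROM Person WHERE (IsExternal = 1)
     AND (EXISTS
       (SELECT 1 FROM
         (SELECT UID_Person FROM Person WHERE 1 = 1) as X
        WHERE X.UID_Person = Person.UID_PersonHead) )) as X
  WHERE X.xobjectkey = AttestationCase.ObjectKeyBase)
"""

def build_db():
    """In-memory stand-in holding only the columns the condition reads.
    All rows and key values are constructed; CaseId is a hypothetical column."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Person (UID_Person TEXT, xobjectkey TEXT,
                             IsExternal INTEGER, UID_PersonHead TEXT);
        CREATE TABLE AttestationCase (CaseId TEXT, ObjectKeyBase TEXT);
        INSERT INTO Person VALUES
          ('mgr',       'key-mgr',       0, NULL),
          ('ext-mgr',   'key-ext-mgr',   1, 'mgr'),      -- external, manager set
          ('ext-none',  'key-ext-none',  1, NULL),       -- external, no manager
          ('ext-stale', 'key-ext-stale', 1, 'gone'),     -- manager UID not in Person
          ('int-mgr',   'key-int-mgr',   0, 'mgr');      -- internal, manager set
        INSERT INTO AttestationCase VALUES
          ('case-1', 'key-ext-mgr'), ('case-2', 'key-ext-none'),
          ('case-3', 'key-ext-stale'), ('case-4', 'key-int-mgr');
    """)
    return db

def route(db, case_id):
    """Return the next approval procedure for one case: 'CM' on the positive
    path when the condition returns a result, 'OR' on the negative path."""
    # Assumption: the condition is applied as a WHERE clause on AttestationCase.
    sql = "SELECT 1 FROM AttestationCase WHERE CaseId = ? AND " + CONDITION
    return "CM" if db.execute(sql, (case_id,)).fetchone() else "OR"

if __name__ == "__main__":
    db = build_db()
    for case in ("case-1", "case-2", "case-3", "case-4"):
        print(case, "->", route(db, case))
```

In this sample, case-3 and case-4 show that the condition is also unfulfilled for an external employee whose manager reference matches no Person row and for internal employees, so the negative path receives every case that is not an external employee with an existing manager.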
