User account memberships in system entitlements are attested using the System entitlements membership attestation attestation procedure.
For this attestation procedure you can use the following attestation conditions:|
Condition |
Description |
|---|---|
|
All system entitlements |
Attests memberships in all system entitlements. |
|
Specific employees |
Select the identities. Attests this identity's memberships (or their associated user accounts) in system entitlements. |
|
Specific employees with subidentities. |
Select the identities. Attests this identity's memberships (or their associated user accounts) in system entitlements. In addition, it attests sub identities' memberships (or their associated user accounts) that the select identities are assigned to. |
|
Specific system entitlements |
Select the system entitlements. Attests memberships in these system entitlements. |
|
Membership by attestation state |
Select an attestation status Attests memberships in system entitlements that match this attestation status.
|
|
New or not attested for x days |
Specify a number of days. Attests memberships in system entitlements that have not been attested for the defined number of days. |
|
No dynamic groups from Active Roles |
Attests memberships in all system entitlements. Dynamic groups are ignored in the process. |
|
System entitlements with specific owners |
Select the identities. Attests memberships in system entitlements that are managed by these identities. |
|
System entitlements in a target system container |
Select the target system containers. Attests memberships in system entitlements found in these target system containers. |
|
System entitlements in target systems |
Select the target systems. Attests memberships in system entitlements assigned to these target systems. |
|
System entitlements with defined risk index |
|
|
System entitlements with owners in departments |
Select the departments. Attests memberships in system entitlements that are managed by the identities in these departments. |
|
System entitlements with any owner |
Attests user account memberships in system entitlements that only have one owner. |
|
System entitlements with matching name |
Enter part of a name of system entitlements with user account memberships to attest. All system entitlements that have this pattern in their name are included. Example: Per finds "Person", "Personal", "Perfection" and so on. |
|
System entitlements by applications |
Select the applications. Attests user account memberships in system entitlements that are assigned to these applications. |
|
System entitlements by assignment origin |
Select how user account memberships in system entitlements must be assigned to enable attestation:
|
|
Approval policies |
Description |
|---|---|
| Attestation by selected approvers | Click Assign/Change in the Attestors field and then select the identities that can make approval decisions about attestation cases. |
|
Attestation by selected approvers with automatic removal of assignments |
Click Assign/Change in the Attestors field and then select the identities that can make approval decisions about attestation cases. Memberships are deleted if attestation is denied and the configuration fits. |
|
Attestation by entitlement owner with automatic removal of assignments |
Product owners of system entitlements can be approved through attestation cases. Memberships are deleted if attestation is denied and the configuration fits. |
|
Attestation by employee manager and product owner (with peer group analysis) |
The following identities can be approved through attestation cases:
|
|
Attestation of group memberships by product owner with automatic removal of memberships |
Product owners of system entitlements can be approved through attestation cases. Memberships are deleted if attestation is denied and the configuration fits. |
and 
to switch between hierarchical and list view. Multi-select is possible.