立即与支持人员聊天
与支持团队交流

Identity Manager 9.2.1 - Attestation Administration Guide

Attestation and recertification
One Identity Manager users for attestation Attestation base data Attestation types Attestation procedure Attestation schedules Compliance frameworks Chief approval team Attestation policy owners Standard reasons for attestation Attestation policies Sample attestation Grouping attestation policies Custom mail templates for notifications Suspending attestation Automatic attestation of policy violations
Approval processes for attestation cases
Approval policies for attestations Approval workflow for attestations Selecting attestors Setting up multi-factor authentication for attestation Prevent attestation by identity awaiting attestation Automatic acceptance of attestation approvals Phases of attestation Attestation by peer group analysis Approval recommendations for attestations Managing attestation cases
Attestation sequence Default attestations Mitigating controls Setting up attestation in a separate database Configuration parameters for attestation

Queries for finding attestors

The condition through which the attestors are determined is formulated as a database query. Several queries may be combined into one condition. This adds all identities determined by single queries to the group of attestors.

To edit the condition

  1. In the Manager, select the Attestation > Basic configuration data > Approval procedures category.

  2. Select an approval procedure from the result list.

  3. Select Change queries for approver selection.

To create single queries

  1. Click Add.

    This inserts a new row in the table.

  2. Mark this row. Enter the query properties.
  3. Add more queries if required.
  4. Save the changes.

To edit a single query

  1. Select the query you want to edit in the table. Edit the query's properties.
  2. Save the changes.

To remove single queries

  1. Select the query you want to remove in the table.
  2. Click Delete.
  3. Save the changes.
Table 30: Query properties

Property

Description

Approver selection

Query identifier that determines the attestors.

Query

Database query for determining the attestors.

The database query must be formulated as a select statement. The column selected by the database query must return a UID_Person. Every query must return a value for UID_PWORulerOrigin. The query returns one or more identities to whom the attestation case is presented for approval. If the query fails to return a result, the attestation procedure is canceled.

A query contains exactly one select statement. To combine several select statements, create several queries.

If a DBQueue Processor task is assigned, you cannot enter a query to determine attestors.

Query for recalculating

Database query to determine attestation transactions that require recalculation of their attestors.

You can, for example, determine predefined attestors with the query (example 1). The attestor can also be found dynamically depending on the attestation case to approve. To do this, within the database query, using the @UID_AttestationCase variable to access the attestation case (example 2).

Example 1

The attestation cases should be approved by a specific attestor.

Query:

select UID_Person, null as UID_PWORulerOrigin from Person where InternalName='User, JB'
Example 2

All active compliance rules should be attested by the respective rule supervisor.

Query:

select pia.UID_Person, null as UID_PWORulerOrigin from AttestationCase ac
    join ComplianceRule cr on cr.XObjectKey = ac.ObjectKeyBase and cr.IsWorkingCopy = '0'
    join PersonInBaseTree pia on pia.UID_Org = cr.UID_OrgResponsible and pia.XOrigin > 0
    where ac.UID_AttestationCase = @UID_AttestationCase
Taking delegation into account

To include delegation when determining attestors, use the query to also determine the identities to whom a responsibility has been delegated. If the managers of hierarchical roles are to make the attestation decision, determine the attestors from the HelperHeadOrg table. This table groups all hierarchical role managers, their deputy managers, and identities to whom a responsibility has been delegated. If the members of business or application roles are to make the approval decision, determine the approvers from the PersonInBaseTree table. This table groups all hierarchical role members and identities to whom a responsibility has been delegated.

Determine the UID_PWORulerOrigin in order to notify delegators when the recipient of the delegation has made a decision on an attestation case and thus allow the Web Portal to show if the attestor was originally delegated.

To determine the UID_PWORulerOrigin of the delegation

  • Determine the UID_PersonWantsOrg of the delegation and copy this value as UID_PWORulerOrigin to the query. Use the dbo.QER_FGIPWORulerOrigin table function to do this.

    select dbo.QER_FGIPWORulerOrigin(XObjectKey) as UID_PWORulerOrigin

    select dbo.QER_FGIPWORulerOrigin(XObjectKey) as UID_PWORulerOrigin

Modified query from example 2:

select pia.UID_Person, dbo.QER_FGIPWORulerOrigin(pia.XObjectKey) as UID_PWORulerOrigin from AttestationCase ac
    join ComplianceRule cr on cr.XObjectKey = ac.ObjectKeyBase and cr.IsWorkingCopy = '0'
    join PersonInBaseTree pia on pia.UID_Org = cr.UID_OrgResponsible and pia.XOrigin > 0
    where ac.UID_AttestationCase = @UID_AttestationCase

Additional tasks for approval procedures

After you have entered the main data, you can run the following tasks.

Overview of the approval procedure

To obtain an overview of an approval procedure

  1. In the Manager, select the Attestation > Basic configuration data > Approval procedures category.

  2. Select an approval procedure from the result list.

  3. Select the Approval procedure overview task.

Specifying permitted approval procedures for tables

You can only assign selected approval policies to attestation procedures. The approval policies permitted depend on the approval procedures applied in the approval policies and on the table that forms the attestation base object for an attestation procedure.

You specify which tables are permitted for use with custom approval procedures.

If you want to use custom tables with the default approval procedures AS, CD, EX, OM, OR, or WC then assign these table to the approval procedures.

To specify the tables that permit this approval procedure

  1. In the Manager, select the Attestation > Basic configuration data > Approval procedures category.

  2. Select an approval procedure from the result list.

  3. Select the Assign tables task.

    In the Add assignments pane, assign the tables to which the approval procedure can be assigned.

    TIP: In the Remove assignments pane, you can remove table assignments.

    To remove an assignment

    • Select the table and double-click .

  4. Save the changes.

You can display which tables allow an approval procedure on the approval procedure overview form.

Related topics
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级