You can copy default approval procedures in order to customize them.
To copy an approval procedure
- In the Manager, select the Attestation > Basic configuration data > Approval procedures category.
- Select an approval procedure in the result list. Select the Change main data task.
- Select the Create copy task.
- Confirm the security prompt with Yes.
- Enter the short name for the copy.
  The short name for an approval procedure consists of a maximum of two characters.
- Click OK to start copying.
  - OR -
  Click Cancel to cancel copying.
To delete an approval procedure
- Remove all assignments to approval steps.
- On the approval procedure overview form, check which approval steps are assigned to the approval procedure.
- Switch to the approval workflow and assign another approval procedure to the approval step.
- In the Manager, select the Attestation > Basic configuration data > Approval procedures category.
- Select an approval procedure from the result list.
- Click .
- Confirm the security prompt with Yes.
The DBQueue Processor calculates which identity is authorized as an approver and in which approval level. Once an attestation is triggered, the attestors are determined for every approval step of the workflow to be processed. Changes to responsibilities may lead to an identity no longer being authorized as an approver for an attestation that is not yet finally approved. In this case, the attestors must be recalculated. The following changes can trigger recalculation of pending attestations:
- Approval policy, workflow, step, or procedure changes.
- An authorized approver loses their responsibility in One Identity Manager, for example, if a change is made to the department manager, attestation policy approver, or target system manager.
- An identity obtains responsibilities in One Identity Manager and therefore is authorized as an approver, for example as the manager of the identity to be attested.
- An identity authorized as an approver is deactivated.
Once an identity's responsibilities have changed in One Identity Manager, a task for recalculating the attestors is queued in the DBQueue. All approval steps of the pending attestation cases are also recalculated by default. Approval steps that have already been approved remain approved, even if their attestor has changed. Recalculating attestors may take a long time depending on the configuration of the system environment and the amount of data to be processed. To optimize this processing time, you can specify the approval steps for which the attestors are to be recalculated.
NOTE: The attestation recalculation task is set for approval steps that implement default approval procedures. Approval steps with customized approval procedures are not recalculated automatically.
To configure recalculation of the attestors
You can set up additional authentication for particularly security-critical attestations, which requires every attestor to authenticate themselves again in order to attest. You define on the attestation policies which of them require this authentication.
One Identity Manager uses OneLogin for multi-factor authentication. Usable authentication modes are determined through the OneLogin user accounts linked to the identities.
Prerequisites
In OneLogin:
In One Identity Manager:
- The OneLogin Module is installed.
- Synchronization with a OneLogin domain is set up and has been run at least once.
- Identities are linked to OneLogin user accounts.
- The API Server and the web application are configured as required.
For more information about setting up multi-factor authentication, see the One Identity Manager Authorization and Authentication Guide.
To use multi-factor authentication for attesting
- In the Manager, select the attestation policies to which you want to apply multi-factor authentication.
- Enable the Approval by multi-factor authentication option.
Multi-factor authentication cannot be used for default attestation policies.
Once the Approval by multi-factor authentication option is enabled on an attestation policy, additional authentication is requested in each approval step of the approval process. Attestors can select any one of the authentication methods assigned to their OneLogin user accounts.
IMPORTANT: An attestation cannot be sent by email if multi-factor authentication is configured for the attestation policy. Attestation emails for such attestations produce an error message.
For more information about multi-factor authentication, see the One Identity Manager Web Portal User Guide.