立即与支持人员聊天
与支持团队交流

Identity Manager 9.2.1 - Attestation Administration Guide

Attestation and recertification
One Identity Manager users for attestation Attestation base data Attestation types Attestation procedure Attestation schedules Compliance frameworks Chief approval team Attestation policy owners Standard reasons for attestation Attestation policies Sample attestation Grouping attestation policies Custom mail templates for notifications Suspending attestation Automatic attestation of policy violations
Approval processes for attestation cases
Approval policies for attestations Approval workflow for attestations Selecting attestors Setting up multi-factor authentication for attestation Prevent attestation by identity awaiting attestation Automatic acceptance of attestation approvals Phases of attestation Attestation by peer group analysis Approval recommendations for attestations Managing attestation cases
Attestation sequence Default attestations Mitigating controls Setting up attestation in a separate database Configuration parameters for attestation

Attestors cannot be established

You can specify a fallback approver if attestation cases cannot be approved because no attestors are available. An attestation case is then always assigned to the fallback approver for attestation if no attestor can be found in an approval step in the specified approval procedure.

To specify fallback approvers, define application roles and assign these to an approval step. Different attestation groups in the approval steps may also require different fallback approvers. Specify different application role for this, to which you can assign identities who can be determined as fallback approvers in the approval process. For more information, see the One Identity Manager Authorization and Authentication Guide.

To specify fallback approvers for an approval step

  • Enter the following data for the approval step.

    Table 33: Approval step properties for fallback approvers
    Property Meaning

    Fallback approver

    Application role whose members are authorized to approve attestation cases if an attestor cannot be determined through the approval procedure. Assign an application from the menu.

    To create a new application role, click . Enter the application role name and assign a parent application role. For more information, see the One Identity Manager Authorization and Authentication Guide.

    NOTE: The number of approvers is not applied to the fallback approvers. The approval step is considered approved the moment as soon as one fallback approver has approved the request.

Attestation sequence with fallback approvers

  1. No attestor can be found for an approval step in an approval process. The attestation is assigned to all members of the fallback approver application role.

  2. Once a fallback approver has approved an attestation case, it is presented to the attestors at the next approval level.

    NOTE: You can specify in the approval step how many attestors are required for approval in this step. This limit is NOT valid for the chief approval team. The approval step is considered to be approved as soon as ONE fallback approver has approved the attestation.
  3. The attestation case is canceled if no fallback approver can be found.

Fallback approvers can make approval decisions on attestation cases for all manual approval steps. Fallback approvals are not permitted for approval steps using the CD, EX, and WC approval procedures.

Related topics

Automatic approval on timeout

Attestation cases can be automatically granted or denied approval once a specified time period has been exceeded.

To configure automatic approval if the timeout expires

  • Enter the following data for the approval step.

    • Timeout (minutes):

      Number of minutes to elapse after which the approval step is automatically granted or denied approval. The input is converted into working hours and displayed additionally.

      The timeout is check every 30 minutes, by default. To change this interval, modify the Checks reminder interval and timeout of attestation cases schedule.

      The working hours of the respective approver are taken into account when the time is calculated.

      NOTE: Ensure that a state, county, or both is entered into the identity's main data of determining the correct working hours. If this information is missing, a fallback is used to calculate the working hours. For more information about calculating identities' working hours, see the One Identity Manager Identity Management Base Module Administration Guide.

      TIP: Weekends and public holidays are taken into account when working hours are calculated. If you want weekends and public holidays to be dealt with in the same way as working days, set the QBM | WorkingHours | IgnoreHoliday or QBM | WorkingHours | IgnoreWeekend configuration parameter. For more information about this, see the One Identity Manager Configuration Guide.

      If more than one approver was found, then an approval decision for the approval step is not automatically made until the timeout for all approvers has been exceeded. The same applies if an additional approver has been assigned.

      If an approver delegated approval, the time point for automatic approval is recalculated for the new approver. If this approval is rejected, the time point for automatic approval is recalculated for the original approver.

      If an approver is queried, the approval decision must be made within the defined timeout anyway. The time point for automatic approval is not recalculated.

      If additional approvers are determined by recalculating the current approvers, then the automatic approval deadline is not extended. The additional approvers must approve within the time frame that applies to the current approver.

    • Timeout behavior:

      Action, which is run if the timeout expires.

      • Approved: The attestation case is approved in this approval step. The next approval level is called.

      • Deny: The attestation case is denied in this approval step. The approval level for denying is called.

When the approval decision for an attestation case is made automatically, other people can be notified by email.

Related topics

Halting an attestation case on timeout

Attestation cases can be automatically halted once a specified time period has been exceeded. The action halts when either a single approval step or the entire approval process has exceeded the timeout.

To configure halting after the timeout of a single approval step has been exceeded

  • Enter the following data for the approval step.

    • Timeout (minutes):

      Number of minutes to elapse after which the approval step is automatically granted or denied approval. The input is converted into working hours and displayed additionally.

      The timeout is check every 30 minutes, by default. To change this interval, modify the Checks reminder interval and timeout of attestation cases schedule.

      The working hours of the respective approver are taken into account when the time is calculated.

      NOTE: Ensure that a state, county, or both is entered into the identity's main data of determining the correct working hours. If this information is missing, a fallback is used to calculate the working hours. For more information about calculating identities' working hours, see the One Identity Manager Identity Management Base Module Administration Guide.

      TIP: Weekends and public holidays are taken into account when working hours are calculated. If you want weekends and public holidays to be dealt with in the same way as working days, set the QBM | WorkingHours | IgnoreHoliday or QBM | WorkingHours | IgnoreWeekend configuration parameter. For more information about this, see the One Identity Manager Configuration Guide.

      If more than one approver was found, then an approval decision for the approval step is not automatically made until the timeout for all approvers has been exceeded. The same applies if an additional approver has been assigned.

      If an approver delegated approval, the time point for automatic approval is recalculated for the new approver. If this approval is rejected, the time point for automatic approval is recalculated for the original approver.

      If an approver is queried, the approval decision must be made within the defined timeout anyway. The time point for automatic approval is not recalculated.

      If additional approvers are determined by recalculating the current approvers, then the automatic approval deadline is not extended. The additional approvers must approve within the time frame that applies to the current approver.

    • Timeout behavior:

      Action that runs if the timeout expires.

      • Cancel: The approval step and, therefore, the entire attestation procedure, is canceled.

To configure halting on timeout for the entire approval process

  • Enter the following data for the approval workflow.

    • System halt (days):

      Number of days to elapse after which the approval workflow, and therefore the system, automatically halts the entire attestation procedure.

When an attestation case is halted, other people can be notified by email.

Related topics

Attesting by chief approval team

Sometimes, approval decisions cannot be made for attestation cases because an attestor is not available or does not have access to One Identity Manager tools. To complete these attestations, you can define a chief approval team whose members are authorized to intervene in the approval process at any time.

The chief approval team is authorized to approve, deny, or cancel attestations in special cases or to appoint other attestors.

IMPORTANT:

  • The four-eye principle can be broken like this because chief approval team members can make approval decisions for attestation cases at any time. Specify, on a custom basis, in which special cases the chief approval team may intervene in the approval process.

  • The chief approval team is authorized to attest its own members. The configuration parameter setting QER | Attestation | PersonToAttestNoDecide does not apply to the chief approval team.

  • In the approval step, you can specify how many attestors must make a decision on this approval step.

    • If an approval decision is made by the chief approval team, it overrides the approval decision of just one regular attestor. This means, if three attestors must approve an approval step and the chief approval team one of the decision, two more are still required.

    • The number of approvers if not taken into account when the attestation is assigned to fallback approvers. The chief approval team can also attest in this case. The approval decision is considered to be made as soon as one member of the chief approval team has made an approval decision about the attestation.

  • If a regular attestor has added an additional attestor, the chief approval team can approve for both the regular and the additional attestors. If both approvals are pending, a chief approver first replaces the regular attestor's approval only. Only a second approval of the chief approval team can replace the approval of the additional attestor.

The chief approval team can approve attestations for all manual approval steps. The following applies:

  • Chief approval team decisions are not permitted for approval steps using the CD, EX, and WC approval procedures.

  • If a member of the chief approval team is also named as a regular attestor for an approval step, they can only make an approval decision for this step as a regular attestor.

  • The chief approval team can also make an approval decision if a regular attestor has submitted a query and the attestation is in hold status.

To add members to the chief approval team

  1. In the Manager, select the Attestation > Basic configuration data > Chief approval team category.

  2. Select the Assign identities task.

    In the Add assignments pane, assign the identities who are authorized to approve all attestations.

    TIP: In the Remove assignments pane, you can remove assigned identities.

    To remove an assignment

    • Select the identity and double-click .

  3. Save the changes.
Related topics
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级