Oracle® Identity Manager Administrative and User Console Guide Release 9.0 B25936-01
This chapter describes how to create, manage, and view attestation tasks in the following sections:
Note: See Appendix A, "Understanding Attestation" for detailed conceptual information on using attestation in the Oracle Identity Manager Administrative and User Console.
A new menu item in the Administrative and User Console provides access to the Attestation Process Configuration Screens. Oracle Identity Manager administrators can use these screens to do the following:
Define new attestation processes
Manage existing processes
Initiate ad-hoc attestation processes
Under the top-level menu called Attestation are the following three menu links:
Create
Manage
Dashboard
These menu items are governed by the same delegated admin permission controls that currently govern all menu items in the Oracle Identity Manager Administrative Console.
These menu items are defined but not assigned to any group in Oracle Identity Manager. They will be assigned to the System Administrators group in Oracle Identity Manager with audit compliance components installed.
Attestation has the following dependencies:
The User Profile Audit feature must be enabled.
Historical data must be collected at least down to the Process Form level.
If the auditing level is set below the required levels, clicking on menu item links related to attestation generates the Attestation Feature Not Available page, and prevents the user from defining any attestation processes.
Audit levels are controlled by the system property called XL.UserProfileAuditDataCollection, and the attestation feature expects this value to be set to at least Resource Form.
To create a new attestation process:
Expand the Attestation link and click Create. The Step 1: Define process identification page appears.
On the Step 1: Define process identification page, enter values for the fields described in the following table, and then click Next.
Field | Description |
---|---|
Name* | Identifies a unique name for the attestation process. |
Code | An identifying code (up to 32 characters) for the process. |
Description | Detailed description of the attestation process. |
Note: The Code and Name must be unique across both disabled and deleted attestation processes.
On the Step 2: Define attestation scope and review page, perform the following steps:
Attestation scope defines the algorithm by which the targets of the attestation are selected. The first three options correspond to User Entitlement Attestation in which every financially significant entitlement for the determined users needs to be reviewed and attested. The algorithms determine how the users whose entitlements need attestation are to be selected – based on a reporting relationship, membership in a group, or on the organization that the user is defined in.
The fourth option corresponds to Resource Entitlement Attestation, in which all access to a specific resource must be attested, irrespective of the user, and ignoring other entitlements that the user might have. In this option, the administrator must therefore select the resource whose access must be attested.
Select one of the following types of attestation scope:
Users reporting to manager
Members of group
Users in organization
User access for a single resource
Click the magnifying glass next to the selected type of attestation scope to select a manager, group, organization, or resource.
Note: The Oracle Identity Manager Permission model applies in this scenario, which restricts the displayed list to just those users, organizations, groups, and resources that the logged-in user is allowed read access to.
Select one of the following attestation reviewers:
Each user's manager
In this case, multiple attestation tasks can be set up, one for each manager who has any reports that fall into the target user set.
A specific reviewer
This single reviewer is assigned the entire target set.
If you selected a specific reviewer in the previous step, click the magnifying glass to select the reviewer.
Note: In this scenario, the Oracle Identity Manager Permission model applies, which restricts the displayed list to just those users that the logged-in user is allowed read access to.
Click Next. The Step 3: Define administrative details page appears.
In this step, the user specifies the following administrative details about the attestation process:
The attestation schedule
The process owner
Optionally, notifications for Process Owner user groups if reviewers decline attestations.
On the Step 3: Define administrative details page, perform the following steps:
Select one of the following attestation schedules:
Run once
Run every specified number of months
Run every specified number of days
Run every specified number of years
If you decide to run the attestation process on a monthly, daily, or yearly schedule, you must specify a frequency in the selected option's text box.
Select a starting date by clicking the calendar icon next to the Starting On field.
Specify a process owner group by clicking the magnifying glass next to the Process owner group box.
If desired, clear the Email process owner if reviewer refuses attestation request check box. In this case, notifications are not sent to the process owner users if a reviewer refuses to attest.
Click Next. The Step 4: Confirmation page appears.
On the Step 4: Confirmation page, click Create Process to create the attestation process. You are redirected to a screen with the following information:
You have successfully created Attestation Process Definition processname.
Clicking processname takes you to the Attestation Process Detail page. To create another attestation process, click Create Another Attestation Process Definition.
The Attestation Process Detail page is described in Managing Attestation Processes.
To manage attestation processes:
Expand the Attestation link and click Manage. The Attestation Search page appears.
On the Attestation Search page, enter the search criteria for the attestation process you want to manage. You can search by attestation process name, process code, reviewer type, scope type, or process owner. After you enter your search criteria, click Search. A results table appears with the attestation processes that match your search criteria. Only those attestation processes that the logged-in administrator is allowed to view, either through permissions or by virtue of being a member of the Process Owner group, are displayed. This page does not show any deleted processes. The results table contains the columns listed in the following table:
Column | Description |
---|---|
Process Names | Specifies the name of the process. |
Process Code | Attestation process code. |
Data Type | Identifies the type of data being attested. |
Scope | Indicates whether the attestation scope is by manager, group, organization, or resource. |
Last Start | Specifies the last time an attestation process was executed. |
Last Completion | Specifies the last time an instance of this process was completed. |
Next Start | Specifies when the process is scheduled to run next. |
Status | Indicates whether the attestation process is active or disabled. |
In the results table on the Attestation Search page, click the link of the process name you want to manage. The Attestation Process Detail page appears.
This section includes the following subsections:
To edit an attestation process:
On the Attestation Process Detail page, click Edit. The Edit Attestation Process page appears.
On the Edit Attestation Process page, make the desired changes to the attestation process and click Save. The fields on the Edit Attestation Process page are the same as those displayed in the Creating Attestation Processes wizard.
To disable an attestation process:
On the Attestation Process Detail page, click Disable. The Disable button only appears when the process is active. The Disable Attestation Confirmation page appears.
On the Disable Attestation Confirmation page, click Confirm Disable.
To enable an attestation process:
On the Attestation Process Detail page, click Enable. The Enable button only appears when the process is disabled. The Enable Attestation Confirmation page appears.
On the Enable Attestation Confirmation page, click Confirm Enable.
Note: An attestation process can only be enabled if its next start time is in the future.
To delete an attestation process:
On the Attestation Process Detail page, click Delete. The Delete Attestation Confirmation page appears.
On the Delete Attestation Confirmation page, click Confirm Delete.
Note: Editing, disabling, and deleting an attestation process can only be done by process administrators with the required permissions.
This feature supports unscheduled attestation needs. To run an attestation process, click Run Now on the Attestation Process Detail page. This initiates the attestation process independent of the attestation schedule. Unscheduled initiation of attestation processes can only be performed by users in the process owner group.
To manage an attestation process's administrators, select Administrators from the Additional Details box on the Attestation Process Detail page. The Attestation Process Details >> Administrative Groups page appears. You can use this page to add and remove administrators for an attestation process and update administrator permissions.
The permission model for attestation process definition is as follows:
To view the Attestation Process Definition, the user must be either of the following:
A member of a group that has the appropriate read permissions in the Administrators
A member of the group that is the process owner
To edit the Attestation Process Definition, the user must be a member of a group that has the appropriate write permissions in the Administrators.
To delete the Attestation Process Definition, the user must be a member of a group that has the appropriate delete permissions in the Administrators.
Note: The tasks of adding, deleting, and updating Administrative Groups for Attestation Processes are similar to the tasks of adding, deleting, and updating administrative groups for users and organizations.
To view an attestation process's execution history, select Execution History from the Additional Details box on the Attestation Process Detail page. The Attestation Process Details >> Attestation Process Execution History page appears.
The attestation process execution history table contains the columns listed in the following table:
Column | Description |
---|---|
Request Id | Id for the attestation process instance that was run. |
Scope Parameter | Parameter value chosen for the attestation scope selection. |
Reviewer | Name of the reviewer for the attestation process. |
Initiated On | Date and time when the request was initiated. |
Completed On | Date and time when the request was completed. If the request is still pending, it shows Not Completed. |
You use the Attestation Dashboard to quickly view the state of any attestation processes that are owned by any group of which you are a member. To use the Attestation Dashboard, expand the Attestation link and click Attestation Dashboard. The Attestation Dashboard page appears and displays a table listing the state of any attestation processes that are owned by any group of which you are a member. The Attestation Dashboard table contains the columns listed in the following table:
Column | Description |
---|---|
Process Code | Attestation process code. |
Process Names | Specifies the name of the process. Clicking the link for an attestation process name takes the user to the Attestation Process Detail page. |
Last Completion | The date and time when the instance executed before the latest one was completed. If no such instance exists, the value is None. It is a link that takes the user to the Attestation Request Detail page for the appropriate Attestation Request. |
Current Request Date | The date and time when the last instance of this Process was executed. If it has never been run, the value is New. It is a link that takes the user to the Attestation Request Detail page for the appropriate Attestation Request. |
Current Completion | The date and time when the last instance executed was completed. If it has not been completed, the value is Pending. |
Total Records | Identifies the total number of entitlements identified for attestation and covered by an attestation task as part of the last process instance. |
Certified | Specifies the number of entitlements certified in the last attestation process instance. |
Rejected | Specifies the number of entitlements rejected in the last attestation process instance. |
Declined | Specifies the number of entitlements declined in the last attestation process instance. |
Delegated | Specifies the number of entitlements delegated in the last attestation process instance. |
The drill-down page accessed from the Attestation Dashboard page displays the attestation details of all entitlements covered by a particular run of the Attestation Process. To view attestation request details:
Click the link in the Last Completion or Current Request Date field listed in the table on the Attestation Dashboard page. The Attestation Request Detail page displays the request details for the selected attestation process, along with a table that contains the following columns:
Column | Description |
---|---|
User | The user whose entitlement is being attested. The data is a link that pops up the user profile page showing user details as on the Attestation Date. |
Resource | The resource that is the basis for the entitlement being attested. The data is a link that pops up a page with the process form data of the entitlement as on the Attestation Date. |
Descriptive Data | The descriptive data field for the provisioned resource instance. |
Attestation Result | The response that was finally provided for the attestation. |
Reviewer | The user that provided the response. The data is a link that pops up the user profile page showing current user details. |
Delegation Path | If the attestation of an entitlement goes through any delegation, then you can use the View link in this column to see the Delegation Path Detail page. If no delegation happens, then it says None. |
Comments | Reviewer comments. Long comments are truncated, and a rollover tooltip shows the entire comment. |
Any attestation requests that required delegation will include a link in the Delegation Path column. Clicking the link displays a Delegation Path page containing more detailed information on the attestation request's delegation path.
The Data Attested field shows details of the entitlement being attested to. It constructs the value by putting together the User information, the Resource name, and the Descriptive Data in the following format:
<<User First Name>> <<User Last Name>> [<<User ID>>] - <<Resource Name>> - <<Descriptive Data>>
The table contains the following fields:
Column | Description |
---|---|
Reviewer | The reviewer to whom the entitlement for attestation is assigned. The data is a link that pops up the current user profile data. |
Attestation Result | Action supplied by the reviewer. Except for the first record, it will always be Delegated. |
Attestation Date | The date and time of the attestation response of the reviewer. |
Comments | Reviewer comments. Long comments are truncated and displayed in full as a rollover tooltip. |
As part of the attestation process, the attestation engine sends out emails to the concerned parties at various stages. To make the emails configurable by the customer with respect to content, they are made available as email templates of type General in the Oracle Identity Manager Email Definition store. In all the templates, the form user is defined as XELSYSADM. If desired, you can change it to another user. Make sure that an email address is defined for the user picked to use these templates; otherwise, the system may not be able to send out notifications. The following email notification templates are available:
Notify Attestation Reviewer: Used for sending out emails when an attestation task is assigned to a reviewer.
Notify Delegated Reviewers: Used for sending out emails to reviewers when an attestation task is delegated to them.
Invalid Attestation Reviewers: This template is used for sending out emails to users in the Process Owner group if attestation task generation results in invalid reviewers.
Notify Declined Attestation Entitlements: This template is used for sending out emails to users in the Process Owner group if a reviewer declines any entitlements.
Attestation Reviewers With No Email Defined: This template is used for sending out emails to users in the Process Owner group if an email address is not defined for any of the reviewers.
The system scheduled task called Initiate Attestation Processes is responsible for examining the Attestation Processes defined in Oracle Identity Manager and creating the necessary attestation tasks in the system. Salient features of this scheduled task are:
By default, this scheduled task is set to run every 30 minutes. Users can change this interval to suit their needs.
It examines all active attestation processes.
It initiates a call to the Attestation Engine to start any attestation process that needs to be run (that is, its next scheduled start time is in the past).
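The following is an added illustrative model, not Oracle Identity Manager's own code, of how the rules stated on this page fit together: the Step 3 schedule options (run once, or every N days, months, or years), the rule that a process can only be enabled while its next start is in the future, and the Initiate Attestation Processes task, which on each tick starts every active process whose next start is in the past. The class, field names, the month-end clamping and the roll-forward-past-now step are assumptions of this example.

```python
# Illustrative model (not Oracle Identity Manager code) of the schedule rules on this
# page; class, field names and the roll-forward-past-now step are assumptions.
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass
class AttestationProcess:
    name: str
    active: bool
    schedule: str                   # "once", "days", "months" or "years" (Step 3 options)
    frequency: int                  # the N in "run every N ..."; unused for "once"
    next_start: Optional[datetime]  # None once a run-once process has fired

def advance(start: datetime, schedule: str, frequency: int) -> Optional[datetime]:
    """Next start after a run; a run-once process has no further start."""
    if schedule == "once":
        return None
    if schedule == "days":
        return start + timedelta(days=frequency)
    m0 = start.month - 1 + frequency * (12 if schedule == "years" else 1)
    year, month = start.year + m0 // 12, m0 % 12 + 1
    # Clamp to the month's last day so 31 Jan + 1 month lands on 28 (or 29) Feb.
    day = min(start.day, calendar.monthrange(year, month)[1])
    return start.replace(year=year, month=month, day=day)

def can_enable(proc: AttestationProcess, now: datetime) -> bool:
    return proc.next_start is not None and proc.next_start > now  # future start required

def initiate_due_processes(processes: List[AttestationProcess], now: datetime) -> List[str]:
    """One scheduler tick: start every active process whose next start is in the past."""
    initiated = []
    for p in processes:
        if not p.active or p.next_start is None or p.next_start > now:
            continue
        initiated.append(p.name)
        while p.next_start is not None and p.next_start <= now:  # roll forward past now
            p.next_start = advance(p.next_start, p.schedule, p.frequency)
    return initiated

def demo() -> dict:
    now = datetime(2006, 3, 15, 9, 0)  # constructed sample processes and tick time
    procs = [
        AttestationProcess("Quarterly review", True, "months", 3, datetime(2006, 3, 15, 8, 0)),
        AttestationProcess("One-off review", True, "once", 0, datetime(2006, 3, 14)),
        AttestationProcess("Lapsed, disabled", False, "days", 7, datetime(2006, 3, 1)),
        AttestationProcess("Annual review", True, "years", 1, datetime(2006, 4, 1)),
    ]
    started = initiate_due_processes(procs, now)
    return {"initiated": started, "one_off_next": procs[1].next_start,  # None: no further run
            "quarterly_next": procs[0].next_start.isoformat(),
            "month_end_clamp": advance(datetime(2006, 1, 31), "months", 1).isoformat(),
            "lapsed_can_enable": can_enable(procs[2], now),  # False: next start already past
            "annual_can_enable": can_enable(procs[3], now)}  # True
```

The disabled process with a past next start illustrates why Enable is refused on the Attestation Process Detail page: its schedule must be edited to a future start before it can be re-enabled.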