| Oracle® Identity Manager Administrative and User Console Guide Release 9.0.3 Part Number B32450-01 |
|
|
View PDF |
| Oracle® Identity Manager Administrative and User Console Guide Release 9.0.3 Part Number B32450-01 |
|
|
View PDF |
You can create, manage, and view attestation tasks.
This chapter discusses the following topics:
See also:
See Appendix A, "Understanding Attestation" for information on using attestation in the Oracle Identity Manager Administrative and User Console.A menu item in the Administrative and User Console provides access to the Attestation Process Configuration screens. Oracle Identity Manager administrators can use these screens to do the following:
Define new attestation processes
Manage existing processes
Initiate ad-hoc attestation processes
The top-level Attestation menu contains the following links:
Create
Manage
Dashboard
These menu items are governed by the same delegated administration permissions that govern all menu items in the Oracle Identity Manager Administrative Console.
These menu items are defined but not assigned to any group in Oracle Identity Manager. They will be assigned to the System Administrators group in Oracle Identity Manager if audit compliance components are installed.
Attestation has the following dependencies:
The User Profile Audit feature must be enabled.
Historical data must be collected at least down to the Process Form level.
If the auditing level is set below the required levels, clicking on menu item links related to attestation generates the Attestation Feature Not Available page, and prevents the user from defining any attestation processes.
Audit levels are controlled by the system property called XL.UserProfileAuditDataCollection and the attestation feature expects this value to be set to at least Resource Form.
The following procedures describes how to configure an attestation process.
Note:
In the following procedure, the Oracle Identity Manager Permission model applies. This model restricts any list of targets, for example, users, to only those targets that the logged-in user has read access to.To create a new attestation process:
Expand the Attestation link and click Create.
The Step1: Define process page appears.
Enter values for the fields described in the following table and click Next.
| Field | Description |
|---|---|
| Name* | Identifies a unique name for the attestation process. The name must be unique across disabled and deleted attestation processes. |
| Code | An identifying code (up to 32 characters) for the process. The code must be unique across disabled and deleted attestation processes. |
| Description | Detailed description of the attestation process. |
On the Step 2: Define Attestation Scope and Reviewer page, perform the following steps:
Attestation scope defines the algorithm by which the targets of the attestation are selected. The first three options correspond to User Entitlement Attestation in which every financially significant entitlement for the determined users needs to be reviewed and attested. The algorithms determine how the users whose entitlements need attestation are to be selected – based on a reporting relationship, membership in a group, or on the organization that the user is defined in.
The fourth option corresponds to Resource Entitlement Attestation, in which all access to a specific resource must be attested, irrespective of the user, and ignoring other entitlements that the user might have. In this option, the administrator must therefore select the resource whose access must be attested.
Select one of the following types of attestation scope:
Users reporting to manager
Members of group
Users in organization
User access for a single resource
Click the magnifying glass next to the selected type of attestation scope to select a manager, group, organization, or resource.
Select one of the following attestation reviewers:
Each user's manager
In this case, multiple attestation tasks can be set up, one for each manager who has any reports that fall into the target user set.
A specific reviewer
This reviewer can be the reviewer for the entire target set.
If you selected a specific reviewer in the previous step, click the magnifying glass to select the reviewer.
Click Next. The Step 3: Define administrative details page appears.
Specify the following administrative details about the attestation process:
The attestation schedule
The process owner
Optionally, notifications for Process Owner user groups if reviewers decline attestations.
On the Step 3: Define administrative details page, perform the following steps:
Select one of the following attestation schedules:
Run once
Run every specified number of months
Run every specified number of days
Run every specified number of years
If you decide to run the attestation process on a monthly, daily, or yearly schedule, you have to specify a frequency on the selected option's text box.
Select a starting date by clicking the calendar icon next to the Starting On field.
Specify a process owner group by clicking the magnifying glass next to the Process owner group box.
If desired, click clear the Email process owner if reviewer refuses attestation request box. In this case, notifications are not sent to the process owner users if a reviewer refuses to attest.
Click Next. The Step 4: Confirmation page appears.
On the Step 4: Confirmation page, click Create Process to create the attestation process. You are redirected to a screen with the following information:
You have successfully created an attestation process definition.
Clicking processname takes you to the Attestation Process Detail page. To create another attestation process, click Create Another Attestation Process Definition.
The Attestation Process Detail page is described in Managing Attestation Processes.
To manage attestation processes:
Expand the Attestation link and click Manage. The Attestation Search page appears.
On the Attestation Search page, enter the search criteria for the attestation process you want to manage. You can search by attestation process name, process code, reviewer type, scope type, or process owner. After you enter your search criteria, click Search. A results table appears with the attestation processes that match your search criteria. Only those attestation processes are displayed that the logged-in administrator is allowed to view based on permissions, or by virtue of being a member of the Process Owner group. This page does not show any deleted processes. The results table contains the columns listed in the following table:
| Column | Description |
|---|---|
| Process Names | Specifies the name of the process. |
| Process Code | Attestation process code. |
| Data Type | Identifies the type of data being attested. |
| Scope | Indicates whether the attestation scope is by manager, group, organization, or resource. |
| Last Start | Specifies the last time an attestation process was executed. |
| Last Completion | Specifies the last time an instance of this process was completed. |
| Next Start | Specifies when the process is scheduled to run next. |
| Status | Indicates whether the attestation process is active or disabled. |
In the results table on the Attestation Search page, click the link of the process name you want to manage. The Attestation Process Detail page appears.
This rest of this section discusses the following topics:
To edit an attestation process:
On the Attestation Process Detail page, click Edit.
The Edit Attestation Process page appears.
On the Edit Attestation Process page, make the desired changes to the attestation process and click Save.
The fields on the Edit Attestation Process page are same as those displayed in the Creating Attestation Processes wizard.
A Disable button appears when a process is active. You can disable an active process.
To disable an attestation process:
On the Attestation Process Detail page, click Disable.
Note that the Disable button only appears when a process is active.
The Disable Attestation Confirmation page appears.
On the Disable Attestation Confirmation page, click Confirm Disable.
An attestation process can only be enabled if its next start time is in the future and if the process is disabled.
To enable an attestation process:
On the Attestation Process Detail page, click Enable.
Note that the Enable button only appears when the process is disabled.
The Enable Attestation Confirmation page appears.
On the Enable Attestation Confirmation page, click Confirm Enable.
Editing, disabling, and deleting an attestation process can only be done by process administrators with required permissions.
To delete an attestation process:
On the Attestation Process Detail page, click Delete.
The Delete Attestation Confirmation page appears.
On the Delete Attestation Confirmation page, click Confirm Delete.
This feature enables you to run unscheduled attestation processes. To run an attestation process click Run Now on the Attestation Process Detail page. This initiates the attestation process independent of the attestation schedule.
Only users in the process owner group can initiate unscheduled attestation processes.
The tasks of adding, deleting and updating Administrative Groups for Attestation processes are similar to the tasks of adding, deleting and updating administrative groups for users and organizations.
To manage an attestation process's administrators, select Administrators from the Additional Details box on the Attestation Process Detail page. The Attestation Process Details >> Administrative Groups page appears. You can use this page to add and remove administrators for an attestation process and update administrator permissions.
The permission model for attestation process definition is as follows:
To view the Attestation Process Definition, the user must be either of the following:
A member of a group that has the appropriate read permissions in the Administrators
A member of the group that is the process owner
To edit the Attestation Process Definition, the user must be a member of a group that has the appropriate write permissions in the Administrators.
To delete the Attestation Process Definition, the user must be a member of a group that has the appropriate delete permissions in the Administrators.
To view an attestation process's execution history, select Execution History from the Additional Details box on the Attestation Process Detail page. The Attestation Process Details >> Attestation Process Execution History page appears.
The following are the columns in the Attestation Process Execution History table:
| Column | Description |
|---|---|
| Request Id | Id for the attestation process instance that was run |
| Scope Parameter | Parameter value chosen for the attestation scope selection |
| Reviewer | Name of the reviewer for the attestation process. |
| Initiated On | Date and time when the request was initiated |
| Completed On | Date and time when the request was completed. If the request is still pending, it shows Not Completed. |
You use the Attestation Dashboard to view the state of any attestation processes that are owned by any group of which you are a member. To use the Attestation Dashboard, expand the Attestation link and click Attestation Dashboard. The Attestation Dashboard page appears and displays a table listing the state of any attestation processes that are owned by any group of which you are a member. The Attestation Dashboard table contains the columns listed in the following table:
| Column | Description |
|---|---|
| Process Code | Attestation process code. |
| Process Names | Specifies the name of the process. Clicking on the link for an attestation process name link takes user to the Attestation Process Detail page |
| Last Completion | The date and time when the instance executed before the latest one was completed. If it doesn't exist, then the value should be None. It is a link that will take the user to the Attestation Request Detail page for the appropriate Attestation Request. |
| Current Request Date | The date and time when the last instance of this Process was executed. If it has never been run, then the value is New. It is a link that will take the user to the Attestation Request Detail page for the appropriate Attestation Request. |
| Current Completion | The date and time when the last instance executed was completed. If it hasn't been completed, then the value is Pending. |
| Total Records | Identifies the total number of entitlements identified for attestation and covered by an attestation task as part of the last process instance. |
| Certified | Specifies the number of entitlements certified in the last attestation process instance. |
| Rejected | Specifies the number of entitlements rejected in the last attestation process instance. |
| Declined | Specifies the number of entitlements declined in the last attestation process instance. |
| Delegated | Specifies the number of entitlements delegated in the last attestation process instance. |
The drill-down page accessed from the Attestation Dashboard page displays the attestation details of all entitlements covered by a particular run of the Attestation Process. To view attestation request details:
Click the link for the Last Completion or Current Request Page fields listed in the table on the Attestation Dashboard page.
The Attestation Request Detail page displays the request details for the selected attestation process, along with a table that contains the following columns:
| Column | Description |
|---|---|
| User | The user whose entitlement is being attested. The data is a link that pops up the user profile page showing user details as on the Attestation Date. |
| Resource | The resource that is the basis for the entitlement being attested. The data is a link that pops up a page with the process form data of the entitlement as on the Attestation Date. |
| Descriptive Data | The descriptive data field for the provisioned resource instance. |
| Attestation Result | The response that was finally provided for the attestation. |
| Reviewer | The user that provided the response. The data is a link that pops up the user profile page showing current user details. |
| Delegation Path | If the attestation of an entitlement goes through any delegation, then you can use the View link in this column to see the Delegation Path Detail page. If no delegation happens, then it says None. |
| Comments | This shows reviewer comments. Long comments are truncated and a rollover tool tip shows the entire comment |
Any attestation requests that require delegation include a link in the Delegation Path column.
Clicking the link displays a Delegation Path page that provides information on the attestation request's delegation path.
The Data Attested field shows details of the entitlement being attested to. It constructs the value by putting together user information, the resource name, and descriptive data in the following format:
<<User First Name>> <<User Last Name>> [<<User ID>>] - <<Resource Name>> - <<Descriptive Data>>
The table contains the following fields:
| Column | Description |
|---|---|
| Reviewer | The reviewer to whom the entitlement for attestation is assigned. The data is a link that pops up the current user profile data. |
| Attestation Result | Action supplied by the reviewer. Except for the first record, it will always be Delegated. |
| Attestation Date | The date and time of the attestation response of the reviewer. |
| Comments | Reviewer comments. Long comments are truncated and displayed in full as a rollover tool tip. |
As part of the attestation process, the attestation engine sends email to concerned parties at various stages. You can configure email content, using email templates of type General in the Oracle Identity Manager Email Definition store. In the templates, the form user is defined as XELSYSADM. You can change it another user. Make sure that email address is defined for the user selected to use these templates. Otherwise, the system may not be able to send out notifications.The following email notification templates are available:
Notify Attestation Reviewer: Used for sending email when an attestation task is assigned to a reviewer.
Notify Delegated Reviewers: Used for sending email to reviewers when an attestation task is delegated to them.
Invalid Attestation Reviewers: Used for sending email to users in the Process Owner group if attestation task generation results in invalid reviewers.
Notify Declined Attestation Entitlements: Used for sending email to users in the Process Owner group if a reviewer declines any entitlements.
Attestation Reviewers With No Email Defined: Used for sending email to users in the Process Owner group if an email address is not defined for any of the reviewers.
A system scheduled task called Initiate Attestation Processes is responsible for examining the Attestation Processes defined in Oracle Identity Manager and creating the necessary attestation tasks in the system. Salient features of this scheduled task are:
Out of the box, scheduled tasks are set to run every 30 minutes by default. Users can change this to suit their needs
It examines all active attestation processes.
It initiates a call to the Attestation Engine to initiate the any attestation process that needs to be run (its next scheduled start time is in the past).
