Sun Identity Manager Deployment Reference

Attestor Rule

Every user entitlement that is created in a pending state must be attested by someone. During an access review, Identity Auditor passes each User view to the Attestor rule to determine who gets the initial attestation requests.

The idmManager attribute on the WSUser object contains the Identity Manager account name and ID of the user’s manager.

You can use alternate implementations to designate both the idmManager user and any Resource owners as attestors (for Resources included in the view). This rule takes the current User view and a LighthouseContext object as inputs, so you can use any data known to Identity Manager.


Accepts the following arguments:

You must specify the following for a custom Attestor rule:

Called

During access scan; after evaluating all audit policies, but before dispatching the user entitlement.

Returns

A list of zero or more Identity Manager attestor names (users responsible for attesting a particular user entitlement) or NamedValue pairs.

  • If the result is a string, it must resolve to an Identity Manager account ID. If delegation is enabled for the access scan, the access scan will use the delegation settings of the Identity Manager user returned by the code.

  • If the result is a NamedValue, it is assumed to be a bound delegation pair [Delegator, Delegatee], and the access scan will not resolve it any further.

    Note –

    If the rule returns NamedValue pair elements, they are passed on without validation.

  • If the result is not a valid Identity Manager user name, the rule appends errors to the scan task results, but the scan thread continues.

  • If the result is a zero-length list, the attestation request remains in pending state because nobody will process the request.

  • If the result is neither a string nor a NamedValue, an exception results and the scan thread aborts.
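As an added illustration, not code from the Sun documentation or from the product itself, the following Python models both halves of what is described above: on one side a rule in the style of Default Attestor (the manager recorded in idmManager) and the alternate manager-plus-Resource-owner variant, and on the other side the access scan's handling of whatever the rule returns (string, NamedValue pair, invalid name, empty list, or anything else). The User view is a plain dict, `RESOURCE_OWNERS` stands in for a LighthouseContext lookup, `DIRECTORY` stands in for the Identity Manager user store with its delegation settings, and every account name is hypothetical.

```python
from dataclasses import dataclass, field
from typing import Any, List

# Constructed stand-in for Identity Manager's NamedValue: a bound delegation
# pair [Delegator, Delegatee]. The access scan passes these through unvalidated.
@dataclass(frozen=True)
class NamedValue:
    delegator: str
    delegatee: str

@dataclass
class DispatchOutcome:
    # Attestors the scan will actually notify: a bare account ID, or an
    # (attestor, delegate) pair when a delegation setting applies.
    attestors: List[Any] = field(default_factory=list)
    errors: List[str] = field(default_factory=list)
    pending: bool = False   # True when nobody will ever process the request

class ScanThreadAborted(Exception):
    """Raised for a result element the documented handling cannot accept."""

# Constructed directory: Identity Manager account ID -> configured delegate
# (None when that user has no delegation). All names are hypothetical.
DIRECTORY = {"mgr.jones": "deputy.smith", "owner.hr": None, "owner.crm": None}

# Constructed owner map standing in for what a LighthouseContext lookup would
# return for each Resource in the view. Hypothetical names.
RESOURCE_OWNERS = {"HR-DB": "owner.hr", "CRM": "owner.crm"}

def default_attestor_rule(user_view: dict) -> list:
    """Rule in the style of Default Attestor: the manager recorded in
    idmManager attests. Returns an empty list when no manager is set."""
    manager = user_view.get("idmManager")
    return [manager] if manager else []

def manager_and_owners_rule(user_view: dict) -> list:
    """The alternate implementation mentioned above: the manager plus the
    owner of every Resource in the view (body is constructed for this example)."""
    attestors = default_attestor_rule(user_view)
    for resource in user_view.get("resources", []):
        owner = RESOURCE_OWNERS.get(resource)
        if owner and owner not in attestors:
            attestors.append(owner)
    return attestors

def dispatch_attestation(rule_result: list, delegation_enabled: bool = True) -> DispatchOutcome:
    """Apply the result-handling behaviour listed above to one user entitlement."""
    outcome = DispatchOutcome()
    if len(rule_result) == 0:
        outcome.pending = True      # zero-length list: the request stays pending
        return outcome
    for item in rule_result:
        if isinstance(item, NamedValue):
            # Bound pair: taken as-is, no further resolution and no validation.
            outcome.attestors.append((item.delegator, item.delegatee))
        elif isinstance(item, str):
            if item not in DIRECTORY:
                # Not a valid Identity Manager user: record the error, keep scanning.
                outcome.errors.append(f"attestor '{item}' is not a valid Identity Manager user")
                continue
            delegate = DIRECTORY[item] if delegation_enabled else None
            outcome.attestors.append((item, delegate) if delegate else item)
        else:
            # Anything else raises an exception that aborts the scan thread.
            raise ScanThreadAborted(f"unsupported attestor result type: {type(item).__name__}")
    return outcome

if __name__ == "__main__":
    # Constructed User view: manager in idmManager, two Resources in the view.
    view = {"accountId": "jdoe", "idmManager": "mgr.jones", "resources": ["HR-DB", "CRM"]}
    print(dispatch_attestation(manager_and_owners_rule(view)))
```

Two of the modelled branches are the ones worth checking in a real deployment: a NamedValue pair is accepted without validation, so a custom rule that constructs such pairs is the only place where the delegatee is ever checked, and an empty result leaves the entitlement pending with no error, so scan task results alone will not reveal entitlements that never received an attestor.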

Predefined Rules

Default Attestor

Location

Compliance > Manage Policies > Access Scan > Attestor Rule