Sun Identity Manager 8.1 Business Administrator's Guide

Attestation Process

Attestation is the certification process performed by one or more designated attestors to confirm a user entitlement as it exists on a specific date. During an access review, the attestor (or attestors) receives notice of the access review attestation requests through email notification. An attestor must be an Identity Manager user, but is not required to be an Identity Manager administrator.

Attestation Workflow

Identity Manager uses an attestation workflow that is launched when an access scan identifies entitlement records requiring review. The access scan makes this determination based on the rules defined in the access scan.

A rule evaluated by the access scan determines if the user entitlement record needs to be manually attested, or if it can be automatically approved or rejected. If the user entitlement record needs to be manually attested, then the access scan uses a second rule to determine who the appropriate attestors are.

Each user entitlement record to be manually attested is assigned to a workflow, with one work item per attestor. Notification to the attestor of these work items can be sent using a ScanNotification workflow that bundles the items into one notification, per attestor, per scan. Unless the ScanNotification workflow is selected, notification will be per user entitlement. This means an attestor could receive multiple notifications per scan, and possibly a large number depending on the number of users scanned.

Attestation Security Access

These authorization options are for work items of authType AttestationWorkItem:

By default, the behavior for authorization checks is one of the following:

The second and third checks are independently configurable by modifying these form properties:

The integer value for lastLevel defaults to -1, meaning that both direct and indirect subordinates are included in the check.

You can add or modify these options in the following:

UserForm: AccessApprovalList.


Note –

If you set security on attestations to organization-controlled, then the Auditor Attestor capability is also required to modify another user’s attestations.


Delegated Attestation

By default, the access scan workflow respects delegations that users have created for work items of type Access Review Attestation and Access Review Remediation, so both the attestation work items and their notifications go to the delegate. The access scan administrator can deselect the Follow Delegation option to ignore delegation settings. If an attestor has delegated all work items to another user but Follow Delegation is not set for an access review scan, then the attestor, not the user to whom the work items were delegated, receives the attestation request notifications and work items.
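The scan flow described under Attestation Workflow above (first rule decides approve/reject/manual, second rule picks attestors, one work item per attestor, optional per-attestor bundling through ScanNotification) together with the Follow Delegation behaviour of this section, modelled as an added Python example. This is not Identity Manager code and does not use its API or XPRESS rule language; the two rule functions, the user names, the manager map and the delegation map are constructed assumptions chosen to show how the notification volume and the recipient change with each option.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Entitlement:
    """One user entitlement record found by the access scan (constructed)."""
    user: str
    resource: str
    privileged: bool = False
    disabled: bool = False


@dataclass
class WorkItem:
    """One attestation work item; the scan creates one per attestor per record."""
    entitlement: Entitlement
    attestor: str


def disposition_rule(ent):
    """Hypothetical first rule: returns 'approve', 'reject' or 'manual'."""
    if ent.disabled:
        return "reject"            # a disabled account needs no human review
    if ent.privileged or ent.resource == "erp":
        return "manual"            # privileged or finance access must be attested
    return "approve"               # everything else is auto-approved


def attestor_rule(ent, managers):
    """Hypothetical second rule: the user's manager attests; privileged
    access additionally needs the owner of the resource."""
    attestors = [managers[ent.user]]
    if ent.privileged:
        attestors.append("owner:" + ent.resource)
    return attestors


# Constructed sample data: dave has delegated his attestation work items to grace.
MANAGERS = {"alice": "dave", "bob": "dave", "carol": "dave",
            "erin": "heidi", "frank": "heidi"}
DELEGATIONS = {"dave": "grace"}
SAMPLE_ENTITLEMENTS = [
    Entitlement("alice", "erp"),                       # manual: dave
    Entitlement("bob", "directory", disabled=True),    # reject
    Entitlement("carol", "erp", privileged=True),      # manual: dave + owner:erp
    Entitlement("erin", "erp"),                        # manual: heidi
    Entitlement("frank", "directory"),                 # approve
]


def run_access_scan(entitlements, managers, delegations,
                    follow_delegation=True, scan_notification=False):
    """Simulate one access scan and return its outcome, work items and the
    notifications that would be sent (attestor, [work items])."""
    outcome = {"approve": [], "reject": [], "manual": []}
    work_items = []
    for ent in entitlements:
        decision = disposition_rule(ent)
        outcome[decision].append(ent)
        if decision != "manual":
            continue
        for attestor in attestor_rule(ent, managers):
            # Follow Delegation: route the work item to the delegate instead.
            if follow_delegation and attestor in delegations:
                attestor = delegations[attestor]
            work_items.append(WorkItem(ent, attestor))

    if scan_notification:
        # ScanNotification: one bundled notification per attestor per scan.
        bundles = defaultdict(list)
        for wi in work_items:
            bundles[wi.attestor].append(wi)
        notifications = list(bundles.items())
    else:
        # Default: one notification per user entitlement work item.
        notifications = [(wi.attestor, [wi]) for wi in work_items]
    return {"outcome": outcome, "work_items": work_items,
            "notifications": notifications}


def notification_counts(result):
    """Number of separate notifications each attestor would receive."""
    counts = defaultdict(int)
    for attestor, _items in result["notifications"]:
        counts[attestor] += 1
    return dict(counts)


if __name__ == "__main__":
    for follow, bundle in [(True, False), (True, True), (False, False)]:
        res = run_access_scan(SAMPLE_ENTITLEMENTS, MANAGERS, DELEGATIONS,
                              follow_delegation=follow, scan_notification=bundle)
        print(f"follow_delegation={follow} scan_notification={bundle}: "
              f"{len(res['work_items'])} work items, "
              f"notifications={notification_counts(res)}")
```

Running the script shows the two effects the text describes: without ScanNotification an attestor with several work items gets one message per entitlement, and with Follow Delegation cleared the original attestor (dave) rather than the delegate (grace) receives the work items.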