You can manage attestation requests from the Identity Manager Administrator or User interface. This section provides information about responding to attestation requests and the duties involved in attestation.
During a scan, Identity Manager sends notifications to attestors when attestation requests require their approval. If attestor responsibilities have been delegated, the requests are sent to the delegate. If multiple attestors are defined, each attestor receives an email notification.
Requests appear as Attestation work items in the Identity Manager interface. Pending attestation work items are displayed when the assigned attestor logs in to Identity Manager.
View attestation work items from the Work Items area of the interface. Selecting the Attestation tab in the Work Items area lists all the entitlement records requiring approval. From the Attestations page, you can also list entitlement records for all of your direct reports and for specified users over whom you have direct or indirect control.
Attestation work items contain the user entitlement records requiring review. Entitlement records provide information about user access privileges, assigned resources, and policy violations.
The following are possible responses to an attestation request:
Approve. Attests that the entitlement is appropriate as of the date recorded in the entitlement record.
Reject. The entitlement record indicates possible discrepancies that cannot currently be validated or remediated.
Rescan. Requests a rescan to re-evaluate the user entitlement.
Forward. Enables you to specify another recipient for review.
Abstain. Attestation for this record is not appropriate, and a more appropriate attestor is not known. The attestation work item is forwarded to the Review Process Owner. This option is available only if a Review Process Owner has been defined in the Access Review task.
If an attestor does not respond to a request by taking one of these actions before the specified escalation timeout period, notice is sent to the next attestor in the escalation chain. The notification process continues until a response is logged.
Attestation status can be monitored from the Compliance -> Access Reviews tab.
You can avoid rejecting user entitlements by:
Marking an entitlement as needing to be fixed by requesting a fix from another user (Request Remediation). In this case, a new remediation work item is created and assigned to one or more specified remediators.
The new remediator can then choose to edit the user, either by using Identity Manager or independently, and then mark the work item as remediated when satisfied. At that point, the user entitlement is rescanned and evaluated again.
Requesting a reevaluation of the entitlement (Rescan). In this case, the user entitlement is rescanned and evaluated again. The original attestation work item is closed. A new attestation work item is created if the entitlement still requires attestation according to the rules defined in the access scan.
If defined by the access scan, you can route a pending attestation to another user for remediation.
The Dynamic Entitlements option on the Create or Edit Access Scan pages enables this feature.
Select one or more entitlements from the list of attestations, and then click Request Remediation.
The Select and Confirm to Request Remediation page appears.
Enter a user name, and then click Add to add the user to the Forward to field. Alternatively, click ... (More) to search for a user. Select the user in the search list, and then click Add to add the user to the Forward to list. Click Dismiss to close the Search area.
Enter comments in the Comments field, and then click Proceed.
Identity Manager returns to the list of attestations.
Details of the remediation request appear in the History area of the individual user entitlement.
If defined by the access scan, you can rescan and reevaluate a pending attestation.
The Dynamic Entitlements option on the Create or Edit Access Scan pages enables this feature.
Select one or more entitlements from the list of attestations, and then click Rescan.
The Rescan User Entitlements page appears.
Enter comments about the rescan action in the Comments area, and then click Proceed.
You can forward one or more attestation work items to another user.
Select one or more work items in the attestation list, and then click Forward.
The Select and Confirm Forwarding page appears.
Enter a user name in the Forward to field. Alternatively, click ... (More) to search for a user name.
Enter comments about the forwarding action in the Comments field.
Click Proceed.
Identity Manager returns to the list of attestations.
Details of the forwarding action appear in the History area of the individual user entitlement.
You can set up digital signing to handle access review actions. For information about configuring digital signatures, see Signing Approvals. The topics discussed there explain the server-side and client-side configuration required to add the certificate and CRL to Identity Manager for signed approvals.