Attestor Rule
Every user entitlement that is created in a pending state must be attested
by someone. During an access review, Identity Auditor passes each User
view to the Attestor rule to determine who gets the initial attestation requests.
The idmManager attribute on the WSUser object
contains the Waveset account name and ID of the user’s manager.
- If you define a value for idmManager, the Attestor rule returns idmManager as the attestor for the user represented by the entitlement record.
- If the idmManager value is null, the Attestor rule returns Configurator as the attestor.
You can use alternate implementations to designate both idmManager and any Resource owners as attestors (for Resources included in
the view). This rule takes the current User view and a LighthouseContext object as inputs, so you can use any data known to Waveset.
Inputs:
Accepts the following arguments:
You must specify the following for a custom Attestor rule:
AuthType: AccessScanRule
SubType: ATTESTORS_RULE
Called: During access scan; after evaluating all audit policies, but before dispatching the user entitlement
Returns: A list of zero or more Waveset attestor names (users responsible for attesting a particular user entitlement) or NamedValue pairs.
  - If the result is a string, it must resolve to a Waveset account ID. If delegation is enabled for the access scan, the access scan will use the delegation settings of the Waveset user returned by the code.
  - If the result is a NamedValue, it is assumed to be a bound delegation pair [Delegator, Delegatee], and the access scan will not resolve it any further.
    Note – If the rule returns NamedValue pair elements, they are passed on without validation.
  - If the result is not a valid Waveset user name, the rule appends errors to the scan task results, but the scan thread continues.
  - If the result is a zero-length list, the attestation request remains in the pending state because nobody will process the request.
  - If the result is neither a string nor a NamedValue, an exception results and the scan thread aborts.
Predefined Rules: Default Attestor
Location: Compliance > Manage Policies > Access Scan > Attestor Rule
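The selection logic (idmManager, else Configurator, optionally plus Resource owners) and the result cases listed under Returns, modelled in Python as an added example. This is not Waveset's code: the real rule is written in XPRESS XML and receives the User view and a LighthouseContext. The user-view dictionary, the account set, the resource-owner map and the delegate map are constructed sample data, and `dispatch` is a hypothetical stand-in for the access scan's handling of the rule's result.

```python
"""Model of the Attestor rule contract: two candidate rules and the access
scan's documented handling of whatever a rule returns.
Added example with constructed data; not Waveset's implementation."""
from typing import NamedTuple

CONFIGURATOR = "Configurator"


class NamedValue(NamedTuple):
    """Bound delegation pair [Delegator, Delegatee]; passed on unvalidated."""
    delegator: str
    delegatee: str


def default_attestor_rule(user_view: dict) -> list:
    """Return the user's idmManager, or Configurator when it is null."""
    manager = user_view.get("idmManager")
    return [manager] if manager else [CONFIGURATOR]


def manager_and_resource_owner_rule(user_view: dict, resource_owners: dict) -> list:
    """Alternate implementation: idmManager (or Configurator) plus the owner of
    every Resource in the view. resource_owners is a constructed stand-in for a
    lookup a real rule would make through the LighthouseContext."""
    attestors = default_attestor_rule(user_view)
    for resource in user_view.get("resources", []):
        owner = resource_owners.get(resource)
        if owner and owner not in attestors:
            attestors.append(owner)
    return attestors


class ScanAbort(Exception):
    """Result element that is neither a string nor a NamedValue."""


def dispatch(rule_result: list, accounts: set, delegation_enabled: bool, delegates: dict) -> dict:
    """Hypothetical model of the access scan applying the documented cases.

    Returns the attestation requests created, the errors appended to the scan
    task results, and whether the entitlement stays pending with nobody to act.
    """
    requests, errors = [], []
    for item in rule_result:
        if isinstance(item, NamedValue):
            requests.append(item)            # bound pair: not resolved further
        elif isinstance(item, str):
            if item not in accounts:         # bad name: record error, keep scanning
                errors.append(f"{item!r} is not a valid Waveset user name")
                continue
            if delegation_enabled and item in delegates:
                requests.append(NamedValue(item, delegates[item]))
            else:
                requests.append(item)
        else:                                # anything else aborts the scan thread
            raise ScanAbort(f"unsupported attestor result type: {type(item).__name__}")
    return {"requests": requests, "errors": errors,
            "pending_unassigned": len(requests) == 0}


def result_aborts_scan(rule_result: list) -> bool:
    """True when dispatch would raise ScanAbort for this result."""
    try:
        dispatch(rule_result, set(), False, {})
    except ScanAbort:
        return True
    return False


# Constructed sample data (not from any real deployment).
ACCOUNTS = {CONFIGURATOR, "jdoe", "mgr1", "own-ldap"}
RESOURCE_OWNERS = {"LDAP": "own-ldap", "AD": "own-ad"}   # own-ad is not an account
DELEGATES = {"mgr1": "mgr1-delegate"}
USER_VIEW = {"accountId": "jdoe", "idmManager": "mgr1", "resources": ["LDAP", "AD"]}

if __name__ == "__main__":
    result = manager_and_resource_owner_rule(USER_VIEW, RESOURCE_OWNERS)
    print("rule returned:", result)
    print("scan outcome:", dispatch(result, ACCOUNTS, True, DELEGATES))
    print("no manager:", default_attestor_rule({"accountId": "jdoe", "idmManager": None}))
```

Running the module shows the invalid owner name for AD being reported as an error while the manager's request is still created (as a delegation pair, since delegation is on), which is the behaviour a scan operator should expect to see in the task results rather than a halted scan.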